SSH connectivity on Google Compute

0

I've noticed on Google Compute Engine that adding an SSH key allows me to connect and creates a new server account.

However, I've noticed that in sshd_config the line

#AuthorizedKeysFile %h/.ssh/authorized_keys

is commented out.

Yet the server is indeed checking ~/.ssh/authorized_keys to allow me to log in. How is ssh allowing me to log in when my key is placed in this file if the option is commented out in sshd_config?

On an unrelated note, I am also curious as to why the instance does not show the public IP as active on any interfaces, even though it is connectible via it. Is this some crazy Google routing obfuscating something?

Peter

Posted 2014-12-09T13:01:59.893

Reputation: 566

Answers

1

In sshd_config, every commented-out line is in fact the default value, so that line without the comment, or no line at all, means the same.

Note that this only applies to the original sshd_config file.

As for the public IP, do you mean that if you do a netstat -na or ifconfig -a it does not show the public IP? I am not sure about Google Compute, but in most cases, servers do not have the public IP directly assigned to them. Instead, NAT is employed, so there is a "translation" between the public IP and the private IP at some point (router, balancer, etc.).

NuTTyX

Posted 2014-12-09T13:01:59.893

Reputation: 2 448

I don't understand that at all. Just say I wanted to disable the parsing of ~/.ssh/authorized_keys, how would I do that? Implying that whether or not the setting is actually active in sshd_config, the parsing still takes place. – Peter – 2014-12-09T13:51:36.033

Yes, the address is absent from ifconfig. I find most cloud providers do actually bring it up as an interface. So you could be right in that there is one to one NAT in place... just seems unexpected. – Peter – 2014-12-09T13:55:23.183

I will rephrase it: If a parameter is missing inside sshd_config, it will default to a fixed (hardcoded) value. The comments in the original file are there to show you what the default value is, but they are simple comments; they will not be parsed. If you want to disable public key authentication, you must configure PubkeyAuthentication no – NuTTyX – 2014-12-09T14:01:04.817

You are talking about a different setting. I'm not talking about pubkey auth as a whole, I'm talking about whether or not ssh permits pubkey auth via keys placed in ~/.ssh/authorized_keys. Now, as for why it parses that location when it is commented, I would speculate that it's a default, i.e. if you want to specify an alternate path, then uncomment it and change it to something else. Otherwise, whether commented or not, it will be that path. Just guessing. – Peter – 2014-12-09T14:09:56.243

An empty sshd_config will have public key authentication active and will search for the pubkeys in ~/.ssh/authorized_keys. The comments are there to remind you of that path, but they are not parsed. If you want to change the file to another one, you must uncomment the line and update the path. Note that I would not recommend that, since SSHD is particularly sensitive to folder/file permissions and SELinux is even worse. Renaming the file is OK, but do not change the path to a file shared between users. – NuTTyX – 2014-12-09T14:19:39.910
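
The default-versus-commented behaviour discussed in this thread, as an added example that is not part of the original posts: a small Python model of how the global section of sshd_config resolves AuthorizedKeysFile. The default values, the `none` value and the `%h`/`%u` tokens are assumptions taken from the OpenSSH sshd_config(5) man page; the sample configurations, user name and paths are constructed.

```python
import posixpath

# Built-in defaults for the two directives discussed in the thread, taken from
# the OpenSSH sshd_config(5) man page (assumption: a current OpenSSH build).
DEFAULTS = {
    "authorizedkeysfile": ".ssh/authorized_keys .ssh/authorized_keys2",
    "pubkeyauthentication": "yes",
}

def effective_settings(config_text):
    """Global-section values sshd would use: first uncommented occurrence, else default."""
    found = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented lines are documentation only and are never parsed
        parts = line.split(None, 1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        if keyword == "match":
            break  # conditional Match blocks are outside this example
        if keyword in DEFAULTS and len(parts) == 2:
            found.setdefault(keyword, parts[1].strip())  # first value wins
    return {**DEFAULTS, **found}

def key_files(config_text, user, home):
    """Paths that would be searched for the user's public keys."""
    cfg = effective_settings(config_text)
    if cfg["pubkeyauthentication"].lower() != "yes":
        return []  # public key authentication is off altogether
    if cfg["authorizedkeysfile"].lower() == "none":
        return []  # "none" skips per-user key files entirely
    paths = []
    for pattern in cfg["authorizedkeysfile"].split():
        path = pattern.replace("%h", home).replace("%u", user)
        # Relative patterns are resolved against the user's home directory.
        paths.append(path if posixpath.isabs(path) else posixpath.join(home, path))
    return paths

# Constructed sample configurations (not taken from a real instance).
STOCK = "#PubkeyAuthentication yes\n#AuthorizedKeysFile %h/.ssh/authorized_keys\n"
MOVED = "AuthorizedKeysFile /etc/ssh/keys/%u\n"
SKIPPED = "AuthorizedKeysFile none\n"

if __name__ == "__main__":
    for name, text in (("stock", STOCK), ("moved", MOVED), ("skipped", SKIPPED)):
        print(name, key_files(text, "peter", "/home/peter"))
```

On a live host, `sshd -T` prints the effective configuration as computed by the daemon itself, which is the authoritative check.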