Problem scenario
You cannot SSH into a Linux Google Cloud Platform server. How do you create new GCP servers that you can SSH into?
Solution
Summary
Use the "Startup script" field in Google Cloud Platform. This script comes with precautions. Be careful when pasting it: the lines may not wrap properly, and carriage returns could be introduced that make the script fail. Be very careful because this script creates a user with sudoer privileges. It also has a plaintext password in it for this user! This script is for informational purposes.
If you use Puppet, for example, the facter tool will be able to retrieve the entire script below, plaintext password included, after the script runs. This is a potential security concern!
This will create two "ChallengeResponseAuthentication yes" stanzas on most Red Hat family servers. You can manually comment one out. It will not prevent you from logging on.
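As an added example (not part of the original script), the shell functions below report, for the two directives the startup script edits, which value sshd will actually use and how many uncommented lines set it. They assume sshd's rule that the first value read for a keyword wins, ignore Include files, and stop at the first Match block; the sample configuration is constructed.

```bash
#!/bin/bash
# Added example, not part of the original startup script.
# sshd uses the first value it reads for a keyword, so a duplicated
# directive is harmless only if the first uncommented copy is the one you want.
# Assumptions: "keyword value" syntax, no Include files; lines after the
# first Match block are conditional and are not counted.

# effective_value FILE KEYWORD: print the first uncommented value (lowercased)
effective_value() {
    awk -v kw="$2" '
        /^[ \t]*#/ { next }                    # skip commented-out lines
        tolower($1) == "match" { exit }        # global section ends here
        tolower($1) == tolower(kw) { print tolower($2); exit }
    ' "$1"
}

# count_active FILE KEYWORD: print how many uncommented global lines set KEYWORD
count_active() {
    awk -v kw="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }        # exit still runs the END block
        tolower($1) == tolower(kw) { n++ }
        END { print n + 0 }
    ' "$1"
}

# audit_sshd FILE: one report line per directive the startup script edits
audit_sshd() {
    for kw in PasswordAuthentication ChallengeResponseAuthentication; do
        printf '%s effective=%s active_lines=%s\n' "$kw" \
            "$(effective_value "$1" "$kw")" "$(count_active "$1" "$kw")"
    done
}

# Constructed sample: an sshd_config as it might look after the script ran.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
#PasswordAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
EOF
audit_sshd "$sample"
```

On the server itself, `sshd -T` (run as root) prints the effective configuration, including settings pulled in from Include files.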
Procedures
1. This solution only works for servers that have not yet been created. When you create the server, place this script in the "Startup Script" field, but replace "cooluser" (which appears again near the end of the script) and "coolpassword" with the credentials you want a sudo user to have:
#!/bin/bash
# Written by www.continualintegration.com. We recommend you modify it in Notepad++.
usr="cooluser" # change cooluser to the username you want to add
pswd="coolpassword" # change coolpassword to the password of your choice.
#mkdir /home/$usr # probably can remove this stanza
distro=$(cat /etc/*-release | grep NAME)
debflag=$(echo "$distro" | grep -i "ubuntu")
if [ -z "$debflag" ]
then # If it is not Ubuntu, test if it is Debian.
    debflag=$(echo "$distro" | grep -i "debian")
    echo "determining Linux distribution..."
else
    echo "You have Ubuntu Linux!"
fi
rhflag=$(echo "$distro" | grep -i "red *hat") # "red *hat" matches both "Red Hat" and "RedHat"
if [ -z "$rhflag" ]
then #If it is not RedHat, see if it is CentOS or Fedora.
    rhflag=$(echo "$distro" | grep -i "centos")
    if [ -z "$rhflag" ]
    then #If it is neither RedHat nor CentOS, see if it is Fedora.
        echo "It does not appear to be CentOS or RHEL..."
        rhflag=$(echo "$distro" | grep -i "fedora")
    fi
fi
if [ -z "$rhflag" ]
then
    echo "...still determining Linux distribution..."
else
    echo "You have a RedHat distribution (e.g., CentOS, RHEL, or Fedora)"
    useradd -m "$usr" -g wheel
    chown "$usr": "/home/$usr" # "user:" means the user's login group (wheel); no group named $usr exists
    #usermod -aG wheel $usr
fi
if [ -z "$debflag" ]
then
    echo "...still determining Linux distribution..."
else
    echo "You are using either Ubuntu Linux or Debian Linux."
    apt-get -y upgrade gawk
    useradd -m "$usr" -g sudo
    chown "$usr": "/home/$usr" # "user:" means the user's login group (sudo); no group named $usr exists
    #usermod -aG sudo $usr # this won't work on a Red Hat family server
fi
suseflag=$(echo "$distro" | grep -i "suse")
if [ -z "$suseflag" ]
then
    if [ -z "$debflag" ]
    then
        if [ -z "$rhflag" ]
        then
            echo "*******************************************"
            echo "Could not determine the Linux distribution!"
            echo "Installation aborted. Nothing was done."
            echo "******************************************"
            exit 1 # non-zero status so the abort is visible in the startup-script log
        fi
    fi
else # This else clause evaluates if you have Linux SUSE.
    echo "Processing steps for Linux SUSE"
    sudo useradd "$usr" -m -g google-sudoers
    chown "$usr":users "/home/$usr"
fi
echo "$usr:$pswd" | chpasswd # quoted so spaces or shell metacharacters in the password survive
# obtain line numbers of the sshd_config file that need to be changed
pa=$(cat /etc/ssh/sshd_config | grep -n "PasswordAuthentication no" | awk --field-separator=":" '{print $1}')
if [ -z "$pa" ]
then
    pa=$(cat /etc/ssh/sshd_config | grep -n "PasswordAuthentication yes" | grep "\#" | awk --field-separator=":" '{print $1}')
fi
cra=$(cat /etc/ssh/sshd_config | grep -n "ChallengeResponseAuthentication no" | awk --field-separator=":" '{print $1}')
if [ -z "$cra" ]
then
    cra=$(cat /etc/ssh/sshd_config | grep -n "ChallengeResponseAuthentication yes" | grep "\#" | awk --field-separator=":" '{print $1}')
fi
pa=$(echo $pa | awk '{print $1}') # get the top line number of the one that matched
cra=$(echo $cra | awk '{print $1}') # get the top line number of the one that matched
bv=$(date)
bva=${bv//[[:blank:]]/}
bvar=$bva.bak
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.$bvar #back up the file
# Collect the sed commands in a private temp file. A fixed name such as /tmp/cool.sh
# could already exist with other content, which would then be run as root.
cmdfile=$(mktemp)
part1="sed -i \""$pa"s/PasswordAuthentication no/PasswordAuthentication yes/\" /etc/ssh/sshd_config"
echo $part1 >> "$cmdfile"
part2="sed -i \""$pa"s/# PasswordAuthentication no/PasswordAuthentication yes/\" /etc/ssh/sshd_config"
echo $part2 >> "$cmdfile"
part3="sed -i \""$pa"s/#PasswordAuthentication no/PasswordAuthentication yes/\" /etc/ssh/sshd_config"
echo $part3 >> "$cmdfile"
part4="sed -i \""$pa"s/#PasswordAuthentication yes/PasswordAuthentication yes/\" /etc/ssh/sshd_config"
echo $part4 >> "$cmdfile"
part5="sed -i \""$pa"s/# PasswordAuthentication yes/PasswordAuthentication yes/\" /etc/ssh/sshd_config"
echo $part5 >> "$cmdfile"
part6="sed -i \""$cra"s/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/\" /etc/ssh/sshd_config"
echo $part6 >> "$cmdfile"
part7="sed -i \""$cra"s/#ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/\" /etc/ssh/sshd_config"
echo $part7 >> "$cmdfile"
part8="sed -i \""$cra"s/# ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/\" /etc/ssh/sshd_config"
echo $part8 >> "$cmdfile"
part9="sed -i \""$cra"s/#ChallengeResponseAuthentication yes/ChallengeResponseAuthentication yes/\" /etc/ssh/sshd_config"
echo $part9 >> "$cmdfile"
part10="sed -i \""$cra"s/# ChallengeResponseAuthentication yes/ChallengeResponseAuthentication yes/\" /etc/ssh/sshd_config"
echo $part10 >> "$cmdfile"
# Modify the /etc/passwd so the new user can use the up arrow to see history of commands entered
thefile="/etc/passwd"
bv=$(date)
bva=${bv//[[:blank:]]/}
bvar=$bva.bak
cp /etc/passwd /etc/bak.passwd.$bvar.bak
# Anchor the match to the start of the line so only the new user's own entry is selected
ln=$(cat $thefile | grep -n "^$usr:" | awk --field-separator=":" '{print $1}')
var2=$var1"/bin/bash/" # unused; $var1 is never set
ifexists=$usr":/"
flag=$(cat $thefile | grep -n "$ifexists")
if [ -z "$flag" ]
then
    sethome="sed -i \""$ln"s/home\/$usr:/home\/$usr:\/bin\/bash/\" $thefile"
    echo $sethome
    echo $sethome >> "$cmdfile"
fi
bash "$cmdfile"
rm "$cmdfile"
echo '
usr="cooluser"
oldfile=$(cat /etc/passwd)
echo "${oldfile//\/home\/$usr:\/bin\/sh/\/home\/$usr:\/bin\/bash}" > /etc/passwd
' >> /home/result.sh
/bin/bash /home/result.sh
rm /home/result.sh
# For reference only.
#perl -i -pe 's/.*/PasswordAuthentication yes/ if $.==$pa' /etc/ssh/sshd_config file
#perl -i -pe 's/.*/ChallengeResponseAuthentication yes/ if $.==$cra' /etc/ssh/sshd_config file
echo ":set mouse=" >> /home/$usr/.vimrc
echo ":set mouse=" >> /root/.vimrc
systemctl restart sshd # for Red Hat derivatives b/c the command below will do nothing.
/etc/init.d/ssh restart
2. After the server is up, click on the server's name in the GCP web console to view its details. Scroll down to "Custom Metadata" and click on the "X" to eliminate the script.
Scroll down and click "Save".
3. You are done.