How Do You SSH to a GCP server?

Problem scenario
You cannot SSH into a Linux Google Cloud Platform server.  How do you create new GCP servers that you can SSH into?

Solution
Summary
Use the "Startup script" field in Google Cloud Platform.  This script comes with precautions.  Be careful when pasting it: lines may not wrap properly, and stray carriage returns can make the script fail.  Be very careful, because this script creates a user with sudoer privileges, enables password logins over SSH, and contains that user's password in plaintext!  This script is for informational purposes.

If you use Puppet, for example, the facter tool will be able to retrieve the entire script below, plaintext password included, after the script has run.  This is a potential security concern!

On most Red Hat family servers, this script leaves two "ChallengeResponseAuthentication yes" stanzas in /etc/ssh/sshd_config.  You can manually comment one out.  The duplicate will not prevent you from logging on.

Procedures

1.  This solution only works for servers that have not yet been created.  When you create the server, place this script in the "Startup script" field, but replace "cooluser" and "coolpassword" with the credentials you want the sudo user to have:

#!/bin/bash
# Written by www.continualintegration.com.  We recommend you modify it in Notepad++.

usr="cooluser"   # change cooluser to the username you want to add
pswd="coolpassword"  # change coolpassword to the password of your choice.
#mkdir /home/$usr   # probably can remove this stanza

distro=$(cat /etc/*-release | grep NAME)

debflag=$(echo $distro | grep -i "ubuntu")
if [ -z "$debflag" ]
then   # If it is not Ubuntu, test if it is Debian.
  debflag=$(echo $distro | grep -i "debian")
  echo "determining Linux distribution..."
else
   echo "You have Ubuntu Linux!"
fi

rhflag=$(echo $distro | grep -i "red *hat")   # "red *hat" matches both "Red Hat" and "redhat"
if [ -z "$rhflag" ]
then   #If it is not RedHat, see if it is CentOS or Fedora.
  rhflag=$(echo $distro | grep -i "centos")
  if [ -z "$rhflag" ]
    then    #If it is neither RedHat nor CentOS, see if it is Fedora.
    echo "It does not appear to be CentOS or RHEL..."
    rhflag=$(echo $distro | grep -i "fedora")
    fi
fi

if [ -z "$rhflag" ]
  then
  echo "...still determining Linux distribution..."
else
  echo "You have a RedHat distribution (e.g., CentOS, RHEL, or Fedora)"
  useradd -m $usr -g wheel
  chown $usr:$usr /home/$usr
  #usermod -aG wheel $usr
fi

if [ -z "$debflag" ]
then
  echo "...still determining Linux distribution..."
else
   echo "You are using either Ubuntu Linux or Debian Linux."
   apt-get update && apt-get -y install gawk   # gawk provides the --field-separator option used below
   useradd -m $usr -g sudo
   chown $usr:$usr /home/$usr
   #usermod -aG sudo $usr  # this won't work on a Red Hat family server
fi


suseflag=$(echo $distro | grep -i "suse")
if [ -z "$suseflag" ]
then
  if [ -z "$debflag" ]
  then
    if [ -z "$rhflag" ]
      then
      echo "*******************************************"
      echo "Could not determine the Linux distribution!"
      echo "Installation aborted. Nothing was done."
      echo "******************************************"
      exit
    fi
  fi
else  # This else clause evaluates if you have Linux SUSE.
   echo "Processing steps for Linux SUSE"
   sudo useradd $usr -m -g google-sudoers
   chown $usr:users /home/$usr   
fi

echo "$usr:$pswd" | chpasswd   # quoted so special characters in the password are not expanded by the shell

# obtain the line numbers of the sshd_config file that need to be changed
pa=$(cat /etc/ssh/sshd_config | grep -n "PasswordAuthentication no" | awk --field-separator=":" '{print $1}')

if [ -z "$pa" ]
  then
      pa=$(cat /etc/ssh/sshd_config | grep -n "PasswordAuthentication yes" | grep "\#" | awk --field-separator=":" '{print $1}')
  fi

cra=$(cat /etc/ssh/sshd_config | grep -n "ChallengeResponseAuthentication no" | awk --field-separator=":" '{print $1}')
if [ -z "$cra" ]
  then
    cra=$(cat /etc/ssh/sshd_config | grep -n "ChallengeResponseAuthentication yes" | grep "\#" | awk --field-separator=":" '{print $1}')
  fi

pa=$(echo $pa | awk '{print $1}')    # get the top line number of the one that matched
cra=$(echo $cra | awk '{print $1}')  # get the top line number of the one that matched

bv=$(date)
bva=${bv//[[:blank:]]/}
bvar=$bva.bak
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.$bvar  #back up the file

# Collect the sed edits in a private temporary file created by mktemp.  The file is
# executed as root below, so a fixed, guessable name such as /tmp/cool.sh is avoided.
cool=$(mktemp /tmp/cool.XXXXXX)
part1="sed -i \""$pa"s/PasswordAuthentication no/PasswordAuthentication yes/\" /etc/ssh/sshd_config"
echo "$part1" >> "$cool"
part2="sed -i \""$pa"s/# PasswordAuthentication no/PasswordAuthentication yes/\" /etc/ssh/sshd_config"
echo "$part2" >> "$cool"
part3="sed -i \""$pa"s/#PasswordAuthentication no/PasswordAuthentication yes/\" /etc/ssh/sshd_config"
echo "$part3" >> "$cool"
part4="sed -i \""$pa"s/#PasswordAuthentication yes/PasswordAuthentication yes/\" /etc/ssh/sshd_config"
echo "$part4" >> "$cool"
part5="sed -i \""$pa"s/# PasswordAuthentication yes/PasswordAuthentication yes/\" /etc/ssh/sshd_config"
echo "$part5" >> "$cool"
part6="sed -i \""$cra"s/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/\" /etc/ssh/sshd_config"
echo "$part6" >> "$cool"
part7="sed -i \""$cra"s/#ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/\" /etc/ssh/sshd_config"
echo "$part7" >> "$cool"
part8="sed -i \""$cra"s/# ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/\" /etc/ssh/sshd_config"
echo "$part8" >> "$cool"
part9="sed -i \""$cra"s/#ChallengeResponseAuthentication yes/ChallengeResponseAuthentication yes/\" /etc/ssh/sshd_config"
echo "$part9" >> "$cool"
part10="sed -i \""$cra"s/# ChallengeResponseAuthentication yes/ChallengeResponseAuthentication yes/\" /etc/ssh/sshd_config"
echo "$part10" >> "$cool"

# Modify /etc/passwd so the new user can use the up arrow to see the history of commands entered
thefile="/etc/passwd"
bv=$(date)
bva=${bv//[[:blank:]]/}
bvar=$bva.bak
cp /etc/passwd /etc/bak.passwd.$bvar.bak
ln=$(cat $thefile | grep -n $usr | awk --field-separator=":" '{print $1}')
var2=$var1"/bin/bash/"   # unused; var1 is never set

ifexists=$usr":/"
flag=$(cat $thefile | grep -n $ifexists)
if [ -z "$flag" ]
then
  sethome="sed -i \""$ln"s/home\/$usr:/home\/$usr:\/bin\/bash/\" $thefile"
  echo $sethome
  echo "$sethome" >> "$cool"
fi

bash "$cool"
rm "$cool"

echo '
usr="cooluser"   # must match the usr value set at the top of this script
oldfile=$(cat /etc/passwd)
echo "${oldfile//\/home\/$usr:\/bin\/sh/\/home\/$usr:\/bin\/bash}" > /etc/passwd 
' >> /home/result.sh
/bin/bash /home/result.sh
rm /home/result.sh

# For reference only.
#perl -i -pe 's/.*/PasswordAuthentication yes/ if $.==$pa' /etc/ssh/sshd_config file
#perl -i -pe 's/.*/ChallengeResponseAuthentication yes/ if $.==$cra' /etc/ssh/sshd_config file

echo ":set mouse=" >> /home/$usr/.vimrc
echo ":set mouse=" >> /root/.vimrc

systemctl restart sshd   # for Red Hat derivatives b/c the command below will do nothing.

/etc/init.d/ssh restart

2.  After the server is up, click on the server's name in the GCP web console to view its details.  Scroll down to "Custom Metadata" and click on the "X" to remove the script, which contains the plaintext password.

Scroll down and click "Save".

3.  You are done.
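
The note above about duplicate "ChallengeResponseAuthentication yes" stanzas can be checked after the script has run.  The following is an added example, not part of the original script: it reports the effective value and the number of active lines for the two sshd_config keywords the script edits.  The function names (scan_keyword, audit_sshd_auth, make_sample) and the sample file are constructed for illustration, and the check reads a single file without following Include directives.

```bash
#!/bin/bash
# Added example: audit the two sshd_config keywords the startup script edits.

# scan_keyword FILE KEYWORD -> prints "<first active value> <active line count>"
# for the global section (lines before the first Match block).
scan_keyword() {
  awk -v kw="$2" '
    /^[ \t]*#/ { next }                 # commented-out line, ignored by sshd
    tolower($1) == "match" { exit }     # conditional overrides start here
    tolower($1) == tolower(kw) { if (!n++) first = tolower($2) }
    END { if (!n) first = "unset"; print first, n + 0 }
  ' "$1"
}

# audit_sshd_auth FILE -> returns 1 if password-style logins are not disabled.
audit_sshd_auth() {
  local file=$1 kw out val n rc=0
  for kw in PasswordAuthentication ChallengeResponseAuthentication; do
    out=$(scan_keyword "$file" "$kw")
    val=${out% *}; n=${out#* }
    echo "$kw: effective=$val active_lines=$n"
    if [ "$n" -gt 1 ]; then
      echo "  duplicate active lines: sshd keeps the first, later ones are dead"
    fi
    # OpenSSH defaults both keywords to yes, so only an explicit "no" is safe.
    if [ "$val" != "no" ]; then rc=1; fi
  done
  return "$rc"
}

# Constructed sample (not from a real host) mimicking the file after the script ran.
make_sample() {
  local f; f=$(mktemp)
  cat > "$f" <<'EOF'
PermitRootLogin no
#PasswordAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
ChallengeResponseAuthentication yes
Match User backup
    PasswordAuthentication no
EOF
  echo "$f"
}

sample=$(make_sample)
audit_sshd_auth "$sample" || echo "RESULT: password logins are enabled"
rm -f "$sample"
```

On a live host, running sshd -T as root prints the configuration sshd actually uses, including any Include files, and is the authoritative check.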
