Ssh

gcloud compute ssh — 避免每次都進行 2FA?

  • June 26, 2021

我使用gcloud compute sshSSH 連接到我的實例,例如:

$ gcloud compute ssh shell-server --project=XXXXXXXXXXXXXXXX
No zone specified. Using zone [us-central1-f] for instance: [shell-server].
External IP address was not found; defaulting to using IAP tunneling.
Please choose from the available authentication methods:
1: Security code from Google Authenticator application
2: Voice or text message verification code

Enter the number for the authentication method to use: 1
Enter your one-time password: XXXXXX
username@shell-server ~ $

不幸的是,我每次都要2FA。我喜歡 2FA,但也許有一種方法可以讓我每隔幾個小時就提供一次?

**更新:**我跑了gcloud compute ssh --dry-run,它告訴你它正在執行什麼命令:

/usr/bin/ssh \
   -t \
   -i /Users/kannan/.ssh/google_compute_engine \
   -o CheckHostIP=no \
   -o HostKeyAlias=compute.123123123123123123 \
   -o IdentitiesOnly=yes \
   -o StrictHostKeyChecking=no \
   -o UserKnownHostsFile=/Users/kannan/.ssh/google_compute_known_hosts \
   -o ProxyCommand='/usr/local/bin/python3 -S /Users/kannan/Software/google-cloud-sdk/lib/gcloud.py compute start-iap-tunnel shell-server %p --listen-on-stdin --project=XXXXXXXXXX --zone=us-central1-f --verbosity=warning' \
   -o ProxyUseFdpass=no \
   kannan_example_org@compute.123123123123123123

更新 2:我可以繼續gcloud compute start-iap-tunnel在後台執行並將我的 SSH 配置為使用該隧道,但我希望有更自動化的東西,類似於 SSH 的便利性ControlMaster=auto

我想到了。把它放在 ~/.ssh/config 中:

Host shell-server
   User kannan_example_org
   IdentityFile ~/.ssh/google_compute_engine
   UserKnownHostsFile ~/.ssh/google_compute_known_hosts
   CheckHostIP no
   StrictHostKeyChecking no
   ProxyCommand gcloud compute start-iap-tunnel %n %p --project="..." --zone="..." --listen-on-stdin --verbosity=warning
   ProxyUseFdpass no
   ControlMaster auto
   ControlPersist 30m
  • ControlMaster auto: 在每次ssh/scp呼叫時,首先檢查是否存在與shell-server. 如果是這樣,只需共享該連接,因此沒有重新認證,因此沒有重新 2FA。
  • ControlPersist 30m告訴 SSH 即使在所有ssh/scp呼叫完成後,也要保持可共享連接打開 30m。

我現在可以使用帶有 hostname 的普通命令ssh和命令。scp``shell-server

注意:我實際上最終設置ProxyCommand了一個自定義包裝腳本,該腳本自動確定--project=...--zone=...來自主機名。

引用自:https://serverfault.com/questions/1067389