by CaliforniaKarl 1753 days ago
I make use of IAP and OS Login today, to log in to a Compute Engine Linux VM. The VM has Internet access via NAT, and has no public IP.

Logging in is via `gcloud compute ssh`. Authenticating `gcloud` involves a corporate login which uses a client certificate and two-step.

For all the components involved, it works pretty well!


You can also add it to your ~/.ssh/config, so you can just ssh hostname, scp hostname, etc. without a public IP on the VM.

  # user, myhost and myzone are placeholders; the -o flags after -- go to the ssh that gcloud launches
  Host myhost
      ProxyCommand gcloud compute ssh user@myhost --zone=myzone --tunnel-through-iap --command="nc 0.0.0.0 22" -- -o "UserKnownHostsFile /dev/null" -o "StrictHostKeyChecking no"

> ... which uses a client certificate ...

Can you encrypt the client private key on disk and use something like ssh-agent?

Yes, simply add the key gcloud generates as normal using `ssh-add ~/.ssh/google_compute_engine`.

No, I meant the client private key that gcloud uses to authenticate itself (on your behalf) to Google's servers, not you to your servers. That wouldn't be an SSH key, probably TLS or hand-rolled crypto.

----

Also, now that you mention it, even if I encrypted the generated SSH key, wouldn't running a `gcloud ...` command again just ... re-generate the key, in unencrypted form?

Sorry, I should clarify: The client key is used in our corporate login.

When I log in to `gcloud`, that goes through our corporate login. Corporate login uses a client certificate and two-step.
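The open question earlier in the thread is whether the key gcloud writes to ~/.ssh/google_compute_engine sits on disk unencrypted. As an added example (not posted by any commenter, and not gcloud's or OpenSSH's own code), here is a Python checker that parses the openssh-key-v1 header to read the cipher and KDF names, falls back to the legacy PEM headers for older key files, and audits a directory for plaintext keys. The key material it uses is constructed for the demo and contains no real keys; the file names in `demo_audit` are placeholders.

```python
import base64
import os
import struct
import tempfile

# Added example: report whether a private key file is encrypted at rest. Handles the
# openssh-key-v1 format that ssh-keygen writes by default, PKCS#8 armor, and legacy PEM.
BEGIN_OPENSSH = "-----BEGIN OPENSSH PRIVATE KEY-----"
END_OPENSSH = "-----END OPENSSH PRIVATE KEY-----"
AUTH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf, off):
    """Read one SSH 'string' (uint32 big-endian length prefix, then bytes)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def _put_string(data):
    return struct.pack(">I", len(data)) + data


def key_protection(text):
    """Describe how the private key in `text` is protected on disk.

    Returns a dict with keys: format, encrypted, cipher, kdf, keys.
    """
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines:
        raise ValueError("empty key file")

    if lines[0] == BEGIN_OPENSSH:
        if lines[-1] != END_OPENSSH:
            raise ValueError("missing END line")
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(AUTH_MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        off = len(AUTH_MAGIC)
        cipher, off = _read_string(blob, off)   # b"none" means plaintext on disk
        kdf, off = _read_string(blob, off)      # b"bcrypt" once a passphrase is set
        _kdf_options, off = _read_string(blob, off)
        (nkeys,) = struct.unpack_from(">I", blob, off)
        return {"format": "openssh-key-v1", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode(), "keys": nkeys}

    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        # PKCS#8: the armor line alone tells us the DER payload is encrypted.
        return {"format": "pkcs8", "encrypted": True, "cipher": "pkcs8-pbes",
                "kdf": "pkcs8-pbes", "keys": 1}

    if lines[0].startswith("-----BEGIN ") and lines[0].endswith(" PRIVATE KEY-----"):
        # Legacy PEM (RSA/EC/DSA PRIVATE KEY): encryption is signalled by header lines.
        headers = {}
        for ln in lines[1:]:
            if ":" not in ln:      # base64 body (or blank separator) reached
                break
            name, value = ln.split(":", 1)
            headers[name.strip()] = value.strip()
        encrypted = headers.get("Proc-Type", "").endswith("ENCRYPTED")
        cipher = headers.get("DEK-Info", "none").split(",")[0]
        return {"format": "legacy-pem", "encrypted": encrypted, "cipher": cipher,
                "kdf": "pem-md5" if encrypted else "none", "keys": 1}

    raise ValueError("unrecognised private key file")


def audit_ssh_dir(path):
    """Return the names of private key files under `path` that are stored unencrypted."""
    plaintext = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full) or name.endswith(".pub"):
            continue
        with open(full, "r", errors="replace") as fh:
            if not fh.read(64).startswith("-----BEGIN "):
                continue           # config, known_hosts, etc.
            fh.seek(0)
            info = key_protection(fh.read())
        if not info["encrypted"]:
            plaintext.append(name)
    return plaintext


def make_sample_openssh_key(cipher="none", kdf="none"):
    """Constructed openssh-key-v1 file with a placeholder key section (parser exercise only)."""
    body = (AUTH_MAGIC + _put_string(cipher.encode()) + _put_string(kdf.encode())
            + _put_string(b"") + struct.pack(">I", 1)
            + _put_string(b"ssh-ed25519 placeholder-public-key")
            + _put_string(b"placeholder-private-section"))
    b64 = base64.b64encode(body).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{BEGIN_OPENSSH}\n{wrapped}\n{END_OPENSSH}\n"


def demo_audit():
    """Write constructed samples into a temporary directory and audit it (placeholder file names)."""
    with tempfile.TemporaryDirectory() as d:
        files = {
            "google_compute_engine": make_sample_openssh_key(),                   # plaintext
            "google_compute_engine.pub": "ssh-ed25519 placeholder\n",
            "id_ed25519": make_sample_openssh_key("aes256-ctr", "bcrypt"),        # passphrase-protected
            "config": "Host myhost\n",
        }
        for name, content in files.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write(content)
        return audit_ssh_dir(d)


if __name__ == "__main__":
    print("plaintext keys in demo dir:", demo_audit())
```

A passphrase can be added to an existing key in place with `ssh-keygen -p -f <keyfile>`; run the checker again afterwards and the openssh-key-v1 header should report cipher aes256-ctr and kdf bcrypt, which is what current OpenSSH writes for passphrase-protected keys.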