authorized_keys getting deleted from Google Cloud VM


I am trying to set up Jenkins for software hosted in a Google Cloud VM. I have a VM with user account A and user account B. Jenkins is hosted in user account A. All the other software is hosted in user account B. In order to authorize Jenkins to ssh into userB@VM_ADDRESS, I am placing user A's .ssh/id_rsa.pub into user B's .ssh/authorized_keys. This allows Jenkins to ssh into userB@VM_ADDRESS to update my software whenever I push changes to GitHub. However, after a while, for some reason the .ssh/authorized_keys in user account B is replaced/refreshed and my key is gone, and the ssh from Jenkins fails with permission denied. How should I solve this? Or am I doing Jenkins wrong?

I saw this thread at https://groups.google.com/g/gce-discussion/c/iHqRb2KlMZg/m/x59xV4pYAQAJ?pli=1 that seems to be a similar problem but after reading through I still do not know what I need to do.


1 answer

guillaume blaquiere

The SSH keys in the metadata are redeployed regularly. To solve the issue, instead of manually copying and pasting the key into the system, copy the key and [add it to the Compute Engine metadata](https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys).


However, I'm not sure that is the right way to go. Why don't you log in with account A, because that's the "reality", and perform the action on the software? You can put account A and account B in the same Linux group, or perform a chown to change the owner of the fresh files at the end.

What are the requirements behind this tricky question?


Update 1:

Using the key of account A to log in as user B is like an impersonation. In the end, you don't know whether it was user account A or B that performed the actions on your files.

Anyway, in Linux you have 3 levels of permission, UGA (User, Group, All); that's why you see something like this when you perform an `ls -la`: rwxr-xr--, which means U (User) can do RWX (Read, Write, eXecute), the group can only Read and eXecute, and all can only read.

Therefore, if user account A and user account B are in the same group, you can set common group permissions and prevent all (others) from accessing the files.
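The first suggestion in the answer (putting the key into Compute Engine metadata rather than into the file the guest agent rewrites) hinges on one detail: each `ssh-keys` metadata line is prefixed with the Linux account name, and that prefix decides whose `~/.ssh/authorized_keys` the agent manages. The script below is an added example, not code from the answer or from Google; it formats such a line for user B from user A's public key and prints the `gcloud` call that would upload it. The instance name `jenkins-target`, the zone `us-central1-a`, the account names and the sample key are all constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the original answer). Builds the "<username>:<public key>"
# entry that Compute Engine's ssh-keys metadata expects and prints the gcloud command
# that uploads it. Assumed/hypothetical values: instance "jenkins-target",
# zone "us-central1-a", login account "userB", key from userA's ~/.ssh/id_rsa.pub.

# Format one ssh-keys metadata line. The username prefix tells the guest agent which
# Linux account's authorized_keys should receive the key, so prefixing userB makes the
# agent keep the key for B on every refresh instead of wiping it.
format_ssh_keys_entry() {
  username=$1
  pubkey_line=$2
  # Accept only a public-key line; refuse anything else (e.g. a private key pasted by mistake).
  case $pubkey_line in
    ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-nistp*\ *) ;;
    *) echo "not a public key line: $pubkey_line" >&2; return 1 ;;
  esac
  printf '%s:%s\n' "$username" "$pubkey_line"
}

# Print (do not run) the gcloud command that sets instance-level ssh-keys metadata
# from a file. The file content replaces the existing ssh-keys value, so it must
# contain every key that should remain valid, not only the new one.
print_add_metadata_command() {
  instance=$1; zone=$2; entry_file=$3
  printf 'gcloud compute instances add-metadata %s --zone %s --metadata-from-file ssh-keys=%s\n' \
    "$instance" "$zone" "$entry_file"
}

# Constructed sample public key (not a real key), standing in for userA's ~/.ssh/id_rsa.pub.
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEKEYDATA jenkins@userA'

main() {
  entry=$(format_ssh_keys_entry userB "$SAMPLE_PUBKEY") || exit 1
  keyfile=$(mktemp)
  printf '%s\n' "$entry" > "$keyfile"
  echo "metadata entry: $entry"
  print_add_metadata_command jenkins-target us-central1-a "$keyfile"
}

main
```

Because the metadata value is replaced as a whole, the usual workflow is to dump the current `ssh-keys` value into the file first and append the new line, then upload; keys put into instance metadata stay in place across the agent's periodic refresh, which is exactly what the manual edit of `authorized_keys` did not survive.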
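The second suggestion (a shared Linux group instead of logging in as the other account) is easier to keep working if the deployment directory carries the setgid bit, so files Jenkins drops in as account A are group-owned automatically and the `chown` afterthought from the answer is not needed. The script below is an added example, not code from the answer; the group name `deploy`, the accounts `userA`/`userB` and the path `/srv/app` are hypothetical. The privileged group setup is only printed, and the directory part is exercised on a temporary directory with the caller's own group standing in for `deploy`.

```shell
#!/bin/sh
# Added example (not part of the original answer). Sets up a group-shared directory
# with mode 2770 so accounts A and B can both update the software through the group,
# while "others" get nothing. Hypothetical names: group "deploy", accounts userA/userB,
# deployment directory /srv/app.

# One-time privileged setup (needs root); printed here instead of executed.
print_group_setup() {
  cat <<'EOF'
sudo groupadd deploy
sudo usermod -aG deploy userA
sudo usermod -aG deploy userB
EOF
}

# Make DIR group-owned by GROUP with mode 2770, shown by ls as drwxrws---:
#  - user and group: read, write, execute (enter the directory)
#  - others: no access at all
#  - setgid on the directory: new files inherit the directory's group, so a file
#    created by account A is immediately group-writable for account B without chown.
setup_shared_dir() {
  dir=$1; group=$2
  mkdir -p "$dir"
  chgrp "$group" "$dir"
  chmod 2770 "$dir"
}

# The 10-character mode string as ls -ld prints it (ACL/SELinux markers cut off).
mode_string() {
  ls -ld "$1" | cut -c1-10
}

# Group owner of a path, used to confirm that setgid inheritance happened.
file_group() {
  ls -ld "$1" | awk '{print $4}'
}

main() {
  print_group_setup
  d=$(mktemp -d)
  setup_shared_dir "$d" "$(id -gn)"   # caller's own group stands in for "deploy"
  touch "$d/release.tar"              # simulates a file dropped in by Jenkins (account A)
  echo "$d: $(mode_string "$d")"
  echo "$d/release.tar group: $(file_group "$d/release.tar")"
  rm -rf "$d"
}

main
```

For the real directory you would run `setup_shared_dir /srv/app deploy` once as root after the group exists; from then on Jenkins can write releases as account A while account B keeps full group access, and each account's actions stay attributable to that account rather than being performed under a borrowed login.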