Skip to main content

sshd

sshd enables nebula's built-in debugging console, which can be accessed via ssh. It can expose informational and administrative functions, and allows manual tweaking of various network settings when debugging or testing.

Hint: To generate the host key run ssh-keygen -t ed25519 -f ssh_host_ed25519_key. Be sure to set the ownership appropriately, e.g. chown root:root ssh_host_ed25519_key

sshd:
enabled: true
listen: 127.0.0.1:2222
host_key: /path/to/ssh_host_ed25519_key
authorized_users:
- user: steeeeve
keys:
- '[ssh public key string]'
trusted_cas:
- '[ssh ca public key string]'

See also the Debugging with Nebula SSH commands guide.

sshd.enabled

Default: False Reloadable

enabled toggles this feature globally.

sshd.listen

Reloadable

listen is used to specify the host ip and port number for the nebula debug console to listen on, port 22 is not allowed for your safety.

sshd.host_key

Reloadable

host_key points to a file containing the ssh host private key to use for the ssh server side of the console. In the above example, /path/to/ssh_host_ed25519_key contains a PEM-encoded SSH host key. The following example shows a host key inlined as a YAML multiline string.

sshd:
host_key: |
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACCAvcPQI9IPXWXmsCFBi+IGoqxjKcCZjivS2ev7wVLWjAAAAKCzhBSYs4QU
mAAAAAtzc2gtZWQyNTUxOQAAACCAvcPQI9IPXWXmsCFBi+IGoqxjKcCZjivS2ev7wVLWjA
AAAECkLDZ1uXRNpvWTG+tff7MSoy6WCDkNhlwB+I5BpI0zfYC9w9Aj0g9dZeawIUGL4gai
rGMpwJmOK9LZ6/vBUtaMAAAAGmptYWd1aXJlQGpvaG5zLW1icC0zLmxvY2FsAQID
-----END OPENSSH PRIVATE KEY-----
warning

Do not use the above private key in your own config file. SSH host keys should be unique per host, and provide authenticity that you are connecting to the correct server.

You can generate a host key using the ssh-keygen command line utility.

ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N "" < /dev/null

sshd.authorized_users, user, keys

Reloadable

These options are how you create users for the debug ssh daemon. Password authentication for the ssh debug console is NOT supported.

sshd.trusted_cas

As an alternative to (or in addition to) authorized_users, you may define a list of trusted SSH CA public keys. Any SSH certificate signed by a trusted CA will be granted access to the SSH debug server.

If an SSH certificate contains at least one principal, the connecting username must match a principal in the certificate. If no principals are specified in the certificate, any username can be used.