@displague
Last active November 29, 2023 04:32
Equinix Metal PowerShell Userdata to configure SSH Keys

What this is and what this isn't

This mini-guide is in response to https://feedback.equinixmetal.com/instances/p/support-ssh-for-windows

The idea is based on my understanding of the Equinix Metal platform, backed by supporting documentation. The PowerShell script and guided steps in windows-ssh-keys.md were initially ChatGPT 3.5 generated using this understanding as the prompt. This should be considered a starting point. I've not run this, but it does look to line up with my understanding.

Additional context

OpenSSH Server support is now available in Windows:

PowerShell scripts can be provided as Equinix Metal userdata when provisioning: https://deploy.equinix.com/developers/docs/metal/operating-systems/licensed/#using-user-data-with-windows.

It is possible to create a startup script that fetches the SSH Keys assigned to the instance from the available project collaborator and project SSH keys (https://deploy.equinix.com/developers/docs/metal/accounts/ssh-keys/). These keys are stored as metadata: https://deploy.equinix.com/developers/docs/metal/server-metadata/metadata/.

Assuming the instance has Layer3 connectivity enabled (default), the following PowerShell userdata script could fetch and authorize the Equinix Metal configured SSH Keys.

This script is an example only and may need to be modified to place the keys in a specific user's SSH directory.

Next steps would be to use the PowerShell userdata to enable SSH by default (potentially installing OpenSSH first for older Windows versions) and to ensure that the instance userdata is executed on each boot, or periodically. Doing so would ensure the SSH keys are refreshed to eventually match what is configured in the Equinix Metal console and API.
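As an added example (not part of the gist), the "enable SSH by default" step expressed in PowerShell. It uses the OpenSSH Server capability name, the sshd service name, the firewall rule name and the administrators_authorized_keys path and ACL that Microsoft documents for Windows Server 2019 / Windows 10 1809 and later; the choice to target the Administrators-group key file rather than a per-user file is an assumption for a freshly provisioned server.

```powershell
# Added example: enable the built-in OpenSSH Server and prepare the shared
# key file that sshd consults for members of the Administrators group.
$ErrorActionPreference = 'Stop'

# Install the OpenSSH Server capability only if it is not already present.
$cap = Get-WindowsCapability -Online -Name 'OpenSSH.Server~~~~0.0.1.0'
if ($cap.State -ne 'Installed') {
    Add-WindowsCapability -Online -Name 'OpenSSH.Server~~~~0.0.1.0' | Out-Null
}

# Start sshd now and make it start on every boot.
Set-Service -Name sshd -StartupType Automatic
Start-Service -Name sshd

# The capability normally creates the inbound TCP/22 rule; create it only if missing.
if (-not (Get-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' `
        -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 | Out-Null
}

# Administrators are authenticated against this file, not %USERPROFILE%\.ssh\authorized_keys.
# sshd refuses the file unless only Administrators and SYSTEM can access it, so reset the
# ACL explicitly instead of inheriting the permissive default from C:\ProgramData.
$adminKeys = 'C:\ProgramData\ssh\administrators_authorized_keys'
if (-not (Test-Path -Path $adminKeys)) {
    New-Item -ItemType File -Path $adminKeys | Out-Null
}
icacls.exe $adminKeys /inheritance:r /grant 'Administrators:F' /grant 'SYSTEM:F' | Out-Null

# Quick check that the service is listening and the rule is enabled.
Get-Service -Name sshd | Select-Object Name, Status, StartType
Get-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' | Select-Object Name, Enabled, Direction
```

Run this before the key-fetching script so the target file exists with the right ACL; if the ACL step is skipped, sshd logs a permissions error and silently ignores every key in the file.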

Potential gotchas

  • Equinix Metal SSH Keys may already be preconfigured for Windows (or may be in the future)
  • Cloud-Init executions of PowerShell userdata may run with additional gotchas
    • which user is it run as
    • at what stage of provisioning
    • is it executed on subsequent boots

Windows SSH Keys Provisioning

Generated by ChatGPT 3.5

Scenario

The scenario involves provisioning a Windows instance with SSH keys, allowing SSH access out of the box. The goal is to automate the addition of project and collaborator public keys to the authorized_keys file on the Windows server.

Proposed Solution

To achieve this, we will create a PowerShell script that fetches public keys from a specified URL and appends them to the OpenSSH authorized_keys equivalent file. The script will be registered to run at boot using the Task Scheduler.

Steps

1. Create PowerShell Script

Create a PowerShell script with the following content. Replace the URL and file paths as needed.

# Specify the URL of the public keys
$url = "https://metadata.platformequinix.com/2009-04-04/meta-data/public-keys"

# Specify the path to the .ssh directory
# (accounts in the Administrators group are checked against
# C:\ProgramData\ssh\administrators_authorized_keys instead; adjust as needed)
$sshDirectory = "$env:USERPROFILE\.ssh"

# Specify the path to the OpenSSH authorized_keys equivalent file
$authorizedKeysFile = Join-Path -Path $sshDirectory -ChildPath "authorized_keys"

# Fetch the public keys from the URL
try {
    $publicKeys = Invoke-RestMethod -Uri $url -ErrorAction Stop
} catch {
    # ${url} rather than $url: a colon right after a variable name is parsed as a scope qualifier
    Write-Host "Error fetching public keys from ${url}: $_"
    exit 1
}

# Check if the .ssh directory exists, create it if not
if (-not (Test-Path -Path $sshDirectory -PathType Container)) {
    try {
        New-Item -ItemType Directory -Path $sshDirectory -ErrorAction Stop | Out-Null
    } catch {
        Write-Host "Error creating directory ${sshDirectory}: $_"
        exit 1
    }
}

# Append the public keys to the authorized_keys file
try {
    # -Encoding ascii: Windows PowerShell's Out-File defaults to UTF-16, which sshd cannot parse
    $publicKeys | Out-File -Append -FilePath $authorizedKeysFile -Encoding ascii -ErrorAction Stop
    Write-Host "Public keys successfully added to $authorizedKeysFile"
} catch {
    Write-Host "Error writing public keys to ${authorizedKeysFile}: $_"
    exit 1
}
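The script above appends blindly, so if it is re-run on every boot (as the "Next steps" section suggests) the file grows by one copy of every key per boot, and any stray line the endpoint returns lands in authorized_keys unexamined. The following is an added example, not the gist's script, of an idempotent variant: it keeps only lines that have the shape of an OpenSSH public key, merges them with what is already in the file, and writes exactly one copy of each. The metadata URL is the one from the gist; writing to administrators_authorized_keys (the file sshd uses for Administrators-group logins) is an assumption, and the per-user path works the same way.

```powershell
# Added example: idempotent sync of Equinix Metal project/collaborator keys.
$ErrorActionPreference = 'Stop'

$url = 'https://metadata.platformequinix.com/2009-04-04/meta-data/public-keys'
# Assumed target: the shared file for Administrators. For a non-admin account use
# "$env:USERPROFILE\.ssh\authorized_keys" instead.
$keyFile = 'C:\ProgramData\ssh\administrators_authorized_keys'

# Accept only lines that look like an OpenSSH public key: key type, base64 blob,
# optional comment. Anything else returned by the endpoint is dropped.
$keyPattern = '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)\s+[A-Za-z0-9+/]+=*(\s+\S.*)?$'

# The 2009-04-04 endpoint returns plain text, one key per line.
$raw = [string](Invoke-RestMethod -Uri $url -TimeoutSec 30)
$fetched = @($raw -split "`r?`n" |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -match $keyPattern })

if ($fetched.Count -eq 0) {
    # An empty or malformed response must not wipe the keys that already work.
    Write-Warning "No valid public keys returned by ${url}; leaving $keyFile untouched"
    exit 0
}

# Merge with existing entries so locally added keys survive and metadata keys
# are not duplicated on subsequent runs. Select-Object -Unique is case-sensitive,
# which is what base64 key material needs.
$existing = @()
if (Test-Path -Path $keyFile) {
    $existing = @(Get-Content -Path $keyFile | Where-Object { $_ -match $keyPattern })
}
$merged = @($existing + $fetched | Select-Object -Unique)

# ASCII on purpose: Windows PowerShell's default UTF-16 output is unreadable to sshd.
Set-Content -Path $keyFile -Value $merged -Encoding Ascii
Write-Host "Wrote $($merged.Count) key(s) to $keyFile ($($fetched.Count) from metadata)"
```

Because the merge never removes a key, revoking a key in the Equinix Metal console does not remove it from the server; if that is the intended behaviour, replace the merge with `$merged = $fetched` and accept that locally added keys are overwritten on the next run.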

2. Register Script to Run at Boot

  1. Open Task Scheduler (Win + X and select "Task Scheduler").
  2. Create a new task:
    • Name and describe the task.
    • Choose a trigger, e.g., "At startup."
  3. Set the action:
    • Choose "Start a program."
    • In "Program/script," enter powershell.exe.
    • In "Add arguments," enter -ExecutionPolicy Bypass -File "C:\Path\To\Your\Script.ps1".
  4. Optionally, set the starting directory in "Start in (optional)."
  5. Review and finish the task.
  6. If needed, provide credentials for elevated permissions.
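The same registration done from PowerShell, so it can itself be part of the userdata rather than clicked through after the fact. This is an added example, not from the gist; the script path and task name are assumptions. Running the task as SYSTEM answers two of the "potential gotchas" above (which user it runs as, and whether it runs on later boots) without depending on cloud-init re-executing userdata.

```powershell
# Added example: register the key-sync script as a scheduled task that runs as
# SYSTEM at every boot and then hourly. Path and task name are assumed values.
$ErrorActionPreference = 'Stop'
$scriptPath = 'C:\ProgramData\EquinixMetal\Sync-SshKeys.ps1'
$taskName   = 'EquinixMetal-SyncSshKeys'

# Same arguments as step 3 above, plus -NoProfile/-NonInteractive so a profile
# script or prompt can never hang an unattended run.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$scriptPath`""

# At startup, and repeating hourly so console/API key changes converge.
$triggers = @(
    (New-ScheduledTaskTrigger -AtStartup),
    (New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Hours 1))
)

# SYSTEM can write administrators_authorized_keys and needs no stored password.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# Bound the run time so a hung metadata request cannot pile up instances of the task.
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 5)

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $triggers `
    -Principal $principal -Settings $settings -Force | Out-Null

# Equivalent of the "Test" step: run it once now and read back the result code.
Start-ScheduledTask -TaskName $taskName
Start-Sleep -Seconds 10
Get-ScheduledTaskInfo -TaskName $taskName | Select-Object LastRunTime, LastTaskResult
```

A LastTaskResult of 0 means the script exited cleanly; a non-zero value is the exit code the script returned, which is why the sync script above exits 1 on fetch or write failures rather than just printing a message.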

3. Test

Test the task by right-clicking on it in Task Scheduler and selecting "Run."

Intention

With these steps, you've automated the addition of SSH keys to the authorized_keys file on a Windows server, providing SSH access out of the box. This solution is especially useful for instances provisioned with SSH keys, streamlining the setup process.
