How to Enable and Disable SSH for an Edge Device

This article describes how to enable and disable SSH access to an edge node.

Note: SSH access to edge nodes was originally intended for EVE developers to access devices for debugging purposes. If you don't allow SSH in your production environment, ZEDEDA recommends using Edge View to access your devices, since it offers the following benefits not offered by SSH:
- policy control and visibility at the device, project, and enterprise levels
- session time limits and audit logs

Prerequisites

Docker must be running on your machine.

Enable SSH for an edge device

  1. Check if you have an SSH key.
    Linux:
    cat ~/.ssh/id_rsa.pub
    Windows:
    type C:\Users\USER-NAME\.ssh\id_rsa.pub
    SSH key example:
    If you have an SSH key, it looks similar to the following:
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDflVAtUnN/K5tYcXLoEtMAACTNn2UtEV18kL0vyrr7EMfS29xL/Bzq0UcF2H2fV9yUn+0gA5F2xN/gT0YhH3F9b4z4j8T9fH2G6b8c9a3Z5s4x4c6f7e8g9h0k3b5c7a8f9g2d4e6h8k0j1m3n5p7r9s0t2v4w6x8y0z+A1B3C5D7F9G1H3J5K7L9M1N3P5R7T9V1X3Z5a7b9c1d3f5g7h9j1k3l5m7n9p1r3s5t7v9w1x3y5z7A9B3D5F7H9J1L3N5P7R9T1V3X5Z7a9c1d3f5g7h9j1k3l5m7n9p1r3s5t7v9w1x3y5zFAKEKEYEXAMPLEQWERTYUIOPASDFGHJKLZXCVBNM=
    If you don't have an SSH key:
    Create a key, specify the type, and follow the prompts.
    ssh-keygen -t rsa
  2. Copy the output of the "cat" (or "type") command.
  3. Run the ZCLI container.
    Linux:
    docker run -it -v $PWD:/root zededa/zcli:latest
    Windows:
    docker run -it -v "%cd%":/root zededa/zcli:latest
  4. Log in to the ZCLI.
  5. Enable SSH access by pushing the SSH key to the device.
    zcli edge-node update EDGE_NODE --config=debug.enable.ssh:"YOUR_PUBLIC_KEY"
    Example:
    zcli edge-node update My_Node --config=debug.enable.ssh:"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDflVAtUnN/K5tYcXLoEtMAACTNn2UtEV18kL0vyrr7EMfS29xL/Bzq0UcF2H2fV9yUn+0gA5F2xN/gT0YhH3F9b4z4j8T9fH2G6b8c9a3Z5s4x4c6f7e8g9h0k3b5c7a8f9g2d4e6h8k0j1m3n5p7r9s0t2v4w6x8y0z+A1B3C5D7F9G1H3J5K7L9M1N3P5R7T9V1X3Z5a7b9c1d3f5g7h9j1k3l5m7n9p1r3s5t7v9w1x3y5z7A9B3D5F7H9J1L3N5P7R9T1V3X5Z7a9c1d3f5g7h9j1k3l5m7n9p1r3s5t7v9w1x3y5zFAKEKEYEXAMPLEQWERTYUIOPASDFGHJKLZXCVBNM="
  6. Find the IP address of your edge node and save it for later use. Note that if the IP address for the edge node is on a private network, you might need VPN access for this step.
    zcli edge-node show EDGE_NODE --detail
  7. Exit the ZCLI to your machine's standard command line.
    exit
  8. Connect to the device via SSH using the corresponding private key.
    ssh -i YOUR_PRIVATE_KEY_PATH root@DEVICE_IP
    Example:
    ssh -i ~/.ssh/id_rsa root@192.0.2.119
    Example response:
    The authenticity of host '192.0.2.119 (192.0.2.119)' can't be established.
    ED25519 key fingerprint is SHA256:fK8pL3xQ9zR7vW2yJn4bM5gH1cE0sT6uX9vA2rZpLmY.
    This key is not known by any other names.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '192.0.2.119' (ED25519) to the list of known hosts.
    EVE is Edge Virtualization Engine
    
    Take a look around and don't forget to use eve(1).
    862bab0f-a567-4fc2-98b1-c82c77cf74c9:~# 
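
Before step 5 pushes a key to the device, it helps to confirm that the copied text is a single public key and not the private key or a damaged paste. The following is an added example, not part of the original article or ZEDEDA's tooling; blob_algo, check_pubkey and sample_pubkey are hypothetical helper names, and accepting exactly one key line per file is an assumption of this helper.

```shell
#!/bin/sh
# Added example (not ZEDEDA code). Helper names are hypothetical.

# Print the algorithm name stored inside a base64 key blob. The blob starts
# with a 4-byte big-endian length, then that many bytes of algorithm name.
blob_algo() {
    b64=$1
    set -- $(printf '%s' "$b64" | base64 -d 2>/dev/null | od -An -N4 -tu1)
    [ $# -eq 4 ] || return 1
    len=$(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
    [ "$len" -ge 1 ] && [ "$len" -le 64 ] || return 1
    printf '%s' "$b64" | base64 -d 2>/dev/null | dd bs=1 skip=4 count="$len" 2>/dev/null
}

# Accept a file only if it holds exactly one public key line whose declared
# type matches the type inside the blob. Prints the key line on success.
check_pubkey() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    if grep -q 'PRIVATE KEY' "$1"; then
        echo "refusing: $1 is a private key, use the .pub file" >&2
        return 1
    fi
    [ "$(grep -c . "$1")" -eq 1 ] || { echo "expected exactly one key line" >&2; return 1; }
    line=$(grep . "$1")
    case $line in
        *'"'*) echo "a double quote would break the --config quoting" >&2; return 1 ;;
    esac
    ktype=${line%% *}
    rest=${line#* }
    blob=${rest%% *}
    if [ "$(blob_algo "$blob")" != "$ktype" ]; then
        echo "key blob does not match declared type '$ktype'" >&2
        return 1
    fi
    printf '%s\n' "$line"
}

# Constructed sample key: a well-formed ed25519 blob with 32 filler bytes.
sample_pubkey() {
    sample_blob=$(printf '\000\000\000\013ssh-ed25519\000\000\000\040%032d' 0 | base64 | tr -d '\n')
    printf 'ssh-ed25519 %s demo@example\n' "$sample_blob"
}

# Demo: validate the constructed key, then print the command from step 5.
tmp=$(mktemp) && sample_pubkey > "$tmp"
if key=$(check_pubkey "$tmp"); then
    echo "zcli edge-node update EDGE_NODE --config=debug.enable.ssh:\"$key\""
fi
rm -f "$tmp"
```

To check a real key, call check_pubkey with the path to the .pub file from step 1 instead of the constructed sample.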
    

Disable SSH for an edge device

  1. Log in to the ZCLI.
  2. Disable SSH for your edge device by removing all the public keys from the device.
    zcli edge-node update EDGE_NODE --config=debug.enable.ssh:""
  3. Verify that your public key is gone.
    zcli edge-node show EDGE_NODE --detail
    Example config:
    Before disabling SSH, the config looks similar to the following:
    Edge Node Config:
    debug.enable.ssh ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDflVAtUnN/K5tYcXLoEtMAACTNn2UtEV18kL0vyrr7EMfS29xL/Bzq0UcF2H2fV9yUn+0gA5F2xN/gT0YhH3F9b4z4j8T9fH2G6b8c9a3Z5s4x4c6f7e8g9h0k3b5c7a8f9g2d4e6h8k0j1m3n5p7r9s0t2v4w6x8y0z+A1B3C5D7F9G1H3J5K7L9M1N3P5R7T9V1X3Z5a7b9c1d3f5g7h9j1k3l5m7n9p1r3s5t7v9w1x3y5z7A9B3D5F7H9J1L3N5P7R9T1V3X5Z7a9c1d3f5g7h9j1k3l5m7n9p1r3s5t7v9w1x3y5zFAKEKEYEXAMPLEQWERTYUIOPASDFGHJKLZXCVBNM=
    After disabling SSH, the config looks similar to the following:
    Edge Node Config:
    debug.enable.ssh