This article describes how to enable an edge node for SSH access.
Note: SSH access to edge nodes was originally intended for EVE developers to debug devices. Enabling it gives whoever holds the matching private key a root shell on the device, with none of the controls listed below. Unless your production environment explicitly allows SSH, ZEDEDA recommends using Edge View to access your devices, since it offers the following benefits that SSH does not:
- policy control and visibility at the device-, project- and enterprise-levels
- session time limits and audit logs
Prerequisites
Docker must be running on your machine.
Enable SSH for an edge device
- Check whether you already have an SSH key.
Linux:
cat ~/.ssh/id_rsa.pub
Windows:
type C:\Users\USER-NAME\.ssh\id_rsa.pub
SSH key example: If you have an SSH key, it looks similar to the following:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDflVAtUnN/K5tYcXLoEtMAACTNn2UtEV18kL0vyrr7EMfS29xL/Bzq0UcF2H2fV9yUn+0gA5F2xN/gT0YhH3F9b4z4j8T9fH2G6b8c9a3Z5s4x4c6f7e8g9h0k3b5c7a8f9g2d4e6h8k0j1m3n5p7r9s0t2v4w6x8y0z+A1B3C5D7F9G1H3J5K7L9M1N3P5R7T9V1X3Z5a7b9c1d3f5g7h9j1k3l5m7n9p1r3s5t7v9w1x3y5z7A9B3D5F7H9J1L3N5P7R9T1V3X5Z7a9c1d3f5g7h9j1k3l5m7n9p1r3s5t7v9w1x3y5zFAKEKEYEXAMPLEQWERTYUIOPASDFGHJKLZXCVBNM=
If you don't have an SSH key, create one, specify the type, and follow the prompts. Protect the private key with a passphrase when asked: it is what grants access to the device.
ssh-keygen -t rsa
- Copy the output of the "cat" (or "type") command. Only the public key (the .pub file) is pushed to the device; never copy the private key.
- Run the ZCLI container.
Linux:
docker run -it -v "$PWD":/root zededa/zcli:latest
Windows:
docker run -it -v "%cd%":/root zededa/zcli:latest
- Log in to the ZCLI.
- Enable SSH access by pushing the SSH key to the device.
zcli edge-node update EDGE_NODE --config=debug.enable.ssh:"YOUR_PUBLIC_KEY"
Example:
zcli edge-node update My_Node --config=debug.enable.ssh:"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDflVAtUnN/K5tYcXLoEtMAACTNn2UtEV18kL0vyrr7EMfS29xL/Bzq0UcF2H2fV9yUn+0gA5F2xN/gT0YhH3F9b4z4j8T9fH2G6b8c9a3Z5s4x4c6f7e8g9h0k3b5c7a8f9g2d4e6h8k0j1m3n5p7r9s0t2v4w6x8y0z+A1B3C5D7F9G1H3J5K7L9M1N3P5R7T9V1X3Z5a7b9c1d3f5g7h9j1k3l5m7n9p1r3s5t7v9w1x3y5z7A9B3D5F7H9J1L3N5P7R9T1V3X5Z7a9c1d3f5g7h9j1k3l5m7n9p1r3s5t7v9w1x3y5zFAKEKEYEXAMPLEQWERTYUIOPASDFGHJKLZXCVBNM="
- Find the IP address of your edge node and save it for later use. Note that if the IP address for the edge node is on a private network, you might need VPN access for this step.
zcli edge-node show EDGE_NODE --detail
- Exit the ZCLI to your machine's standard command line.
exit
- Connect to the device via SSH using the corresponding private key. On the first connection SSH shows the device's host-key fingerprint; compare it against a value you trust before answering yes rather than accepting it blindly.
ssh -i YOUR_PRIVATE_KEY_PATH root@DEVICE_IP
Example:
ssh -i ~/.ssh/id_rsa root@192.0.2.119
Example response:
The authenticity of host '192.0.2.119 (192.0.2.119)' can't be established.
ED25519 key fingerprint is SHA256:fK8pL3xQ9zR7vW2yJn4bM5gH1cE0sT6uX9vA2rZpLmY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.0.2.119' (ED25519) to the list of known hosts.
EVE is Edge Virtualization Engine
Take a look around and don't forget to use eve(1).
862bab0f-a567-4fc2-98b1-c82c77cf74c9:~#
Disable SSH for an edge device
- Log in to the ZCLI.
- Disable SSH for your edge device by removing all the public keys from the device.
zcli edge-node update EDGE_NODE --config=debug.enable.ssh:""
- Verify that your public key is gone.
zcli edge-node show EDGE_NODE --detail
Example config
Before disabling SSH, the config looks similar to the following:
Edge Node Config: debug.enable.ssh ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDflVAtUnN/K5tYcXLoEtMAACTNn2UtEV18kL0vyrr7EMfS29xL/Bzq0UcF2H2fV9yUn+0gA5F2xN/gT0YhH3F9b4z4j8T9fH2G6b8c9a3Z5s4x4c6f7e8g9h0k3b5c7a8f9g2d4e6h8k0j1m3n5p7r9s0t2v4w6x8y0z+A1B3C5D7F9G1H3J5K7L9M1N3P5R7T9V1X3Z5a7b9c1d3f5g7h9j1k3l5m7n9p1r3s5t7v9w1x3y5z7A9B3D5F7H9J1L3N5P7R9T1V3X5Z7a9c1d3f5g7h9j1k3l5m7n9p1r3s5t7v9w1x3y5zFAKEKEYEXAMPLEQWERTYUIOPASDFGHJKLZXCVBNM=
After disabling SSH, the config looks similar to the following:
Edge Node Config: debug.enable.ssh
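The two procedures above (pushing a key, then confirming it is gone) are the points where a mistake costs most: the value you push becomes a root login on the device. The following is an added example, not ZEDEDA's or the EVE project's code. It checks an authorized_keys-style entry before you paste it into zcli (declared type matches the encoded blob, type is one you allow, RSA modulus is at least 2048 bits), prints the same SHA256 fingerprint ssh-keygen -l shows so you can recognise the key later, builds the zcli command from the article, and reads back the "Edge Node Config: debug.enable.ssh" line to confirm no key remains. Assumptions: the device treats the value as an OpenSSH authorized_keys entry (as the "ssh-rsa AAAA..." value in the article suggests), the show output format is the one printed in the article, and the sample keys are constructed wire-format blobs, not real key pairs.

```python
"""Pre-flight checks for the debug.enable.ssh workflow (added example)."""
import base64
import binascii
import hashlib
import re
import shlex
import struct

# Key types let through. Which of these a given EVE release honours is an
# assumption; trim to what you are willing to have on a root account.
ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
                 "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
MIN_RSA_BITS = 2048


def _read_string(blob, offset):
    """Read one SSH wire-format string: uint32 big-endian length + bytes."""
    (length,) = struct.unpack_from(">I", blob, offset)
    offset += 4
    return blob[offset:offset + length], offset + length


def parse_authorized_key(line):
    """Split '<type> <base64> [comment]' and compute the SHA256 fingerprint
    that `ssh-keygen -l` prints. Raises ValueError if the declared type and
    the type inside the blob disagree (a pasted or edited key)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    inner, offset = _read_string(blob, 0)
    if inner.decode("ascii", "replace") != declared:
        raise ValueError(f"type mismatch: header {declared}, blob {inner!r}")
    bits = None
    if declared == "ssh-rsa":
        _e, offset = _read_string(blob, offset)   # public exponent (mpint)
        n, _ = _read_string(blob, offset)          # modulus (mpint)
        bits = int.from_bytes(n, "big").bit_length()
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {"type": declared, "b64": b64, "comment": comment,
            "fingerprint": fingerprint, "bits": bits}


def check_key(line):
    """Return (ok, detail): detail is the fingerprint on success, else why
    the key should not be pushed to the device."""
    try:
        key = parse_authorized_key(line)
    except (ValueError, struct.error, binascii.Error) as exc:
        return False, f"unparseable key: {exc}"
    if key["type"] not in ALLOWED_TYPES:
        return False, f"key type {key['type']} not allowed"
    if key["type"] == "ssh-rsa" and key["bits"] < MIN_RSA_BITS:
        return False, f"RSA modulus is {key['bits']} bits (< {MIN_RSA_BITS})"
    return True, key["fingerprint"]


def build_update_argv(node, line, keep_comment=False):
    """argv for the zcli call shown in the article. The comment field is not
    used by sshd and usually carries user@host, so it is dropped by default."""
    key = parse_authorized_key(line)
    value = f"{key['type']} {key['b64']}"
    if keep_comment and key["comment"]:
        value += " " + key["comment"]
    return ["zcli", "edge-node", "update", node,
            f"--config=debug.enable.ssh:{value}"]


KEY_RE = re.compile(r"(?:ssh-[a-z0-9-]+|ecdsa-sha2-nistp\d+) [A-Za-z0-9+/=]+")


def keys_in_show_output(text):
    """Keys still listed on the debug.enable.ssh line of `zcli edge-node show
    --detail` output (format assumed from the article). [] means disabled."""
    found = []
    for ln in text.splitlines():
        if "debug.enable.ssh" in ln:
            found.extend(KEY_RE.findall(ln.split("debug.enable.ssh", 1)[1]))
    return found


# Constructed sample inputs: correct wire format, arbitrary key material.
def sample_ed25519(fill=0x42, comment="ops@laptop"):
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes([fill]) * 32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def sample_rsa(modulus_bytes):
    e = b"\x01\x00\x01"                          # 65537
    n = b"\x00" + b"\xff" * modulus_bytes        # leading 0x00 keeps mpint positive
    blob = (struct.pack(">I", 7) + b"ssh-rsa"
            + struct.pack(">I", len(e)) + e + struct.pack(">I", len(n)) + n)
    return f"ssh-rsa {base64.b64encode(blob).decode()}"


if __name__ == "__main__":
    good = sample_ed25519()
    print(check_key(good))
    print(shlex.join(build_update_argv("My_Node", good)))
    print(keys_in_show_output("Edge Node Config: debug.enable.ssh"))
```

Run check_key on the exact text you intend to paste, and keep the fingerprint it prints: after the update, `zcli edge-node show EDGE_NODE --detail` should show a key with that same fingerprint, and after disabling, keys_in_show_output on the same output should return an empty list.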