This article describes how to enable an edge node for SSH access.
Note: SSH access to edge nodes was originally intended for EVE developers to access nodes for debugging purposes. If you don't allow SSH in your production environment, ZEDEDA recommends using Edge View to access your nodes, since Edge View offers the following benefits which are not offered by SSH:
- policy control and visibility at the node-, project- and enterprise-levels
- session time limits
- audit logs
Prerequisites
- Docker must be running on your machine.
- ZCLI is running.
- Your target edge node needs to be online.
- You have already onboarded an edge node to ZEDEDA Cloud.
Enable SSH for an Edge Node
- Check if you have an SSH key.
  Linux:
      cat ~/.ssh/id_rsa.pub
  Windows:
      type C:\Users\USER-NAME\.ssh\id_rsa.pub
  SSH key example: If you have an SSH key, it looks similar to the following:
      ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDflVAtUnN/K5tYcXLoEtMAACTNn2UtEV18kL0vyrr7EMfS29xL/Bzq0UcF2H2fV9yUn+0gA5F2xN/gT0YhH3F9b4z4j8T9fH2G6b8c9a3Z5s4x4c6f7e8g9h0k3b5c7a8f9g2d4e6h8k0j1m3n5p7r9s0t2v4w6x8y0z+A1B3C5D7F9G1H3J5K7L9M1N3P5R7T9V1X3Z5a7b9c1d3f5g7h9j1k3l5m7n9p1r3s5t7v9w1x3y5z7A9B3D5F7H9J1L3N5P7R9T1V3X5Z7a9c1d3f5g7h9j1k3l5m7n9p1r3s5t7v9w1x3y5zFAKEKEYEXAMPLEQWERTYUIOPASDFGHJKLZXCVBNM=
  If you don't have an SSH key: Create a key, specify the type, and follow the prompts.
      ssh-keygen -t rsa
- Copy the output of the "cat" (or "type") command.
- Run the ZCLI container.
  Linux:
      docker run -it -v $PWD:/root zededa/zcli:latest
  Windows:
      docker run -it -v "%cd%":/root zededa/zcli:latest
- Log in to the ZCLI
- Enable SSH access by pushing the SSH key to your node.
      zcli edge-node update EDGE_NODE --config=debug.enable.ssh:"YOUR_PUBLIC_KEY"
  Example:
      zcli edge-node update My_Node --config=debug.enable.ssh:"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDflVAtUnN/K5tYcXLoEtMAACTNn2UtEV18kL0vyrr7EMfS29xL/Bzq0UcF2H2fV9yUn+0gA5F2xN/gT0YhH3F9b4z4j8T9fH2G6b8c9a3Z5s4x4c6f7e8g9h0k3b5c7a8f9g2d4e6h8k0j1m3n5p7r9s0t2v4w6x8y0z+A1B3C5D7F9G1H3J5K7L9M1N3P5R7T9V1X3Z5a7b9c1d3f5g7h9j1k3l5m7n9p1r3s5t7v9w1x3y5z7A9B3D5F7H9J1L3N5P7R9T1V3X5Z7a9c1d3f5g7h9j1k3l5m7n9p1r3s5t7v9w1x3y5zFAKEKEYEXAMPLEQWERTYUIOPASDFGHJKLZXCVBNM="
- Find the IP address of your edge node and save it for later use. Note that if the IP address for the edge node is on a private network, you might need VPN access for this step.
      zcli edge-node show EDGE_NODE --detail
- Exit the ZCLI to your machine's standard command line.
      exit
- Connect to the node via SSH using the corresponding private key.
      ssh -i YOUR_PRIVATE_KEY_PATH root@DEVICE_IP
  Example:
      ssh -i ~/.ssh/id_rsa root@192.0.2.119
  Example response:
      The authenticity of host '192.0.2.119 (192.0.2.119)' can't be established.
      ED25519 key fingerprint is SHA256:fK8pL3xQ9zR7vW2yJn4bM5gH1cE0sT6uX9vA2rZpLmY.
      This key is not known by any other names.
      Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
      Warning: Permanently added '192.0.2.119' (ED25519) to the list of known hosts.
      EVE is Edge Virtualization Engine
      Take a look around and don't forget to use eve(1).
      862bab0f-a567-4fc2-98b1-c82c77cf74c9:~#
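Before copying the key in the first steps, you can check on your own machine that the file holds a single, well-formed public key and not the private key. The shell function below is an added example, not part of ZCLI or the original article; `check_ssh_pubkey` is a hypothetical name, and it assumes the node accepts the key without its trailing comment.

```shell
#!/bin/sh
# Added example, not ZEDEDA code. check_ssh_pubkey is a hypothetical helper.
# Usage: check_ssh_pubkey FILE      e.g. check_ssh_pubkey ~/.ssh/id_rsa.pub
# Prints "TYPE BLOB" (comment dropped) on success; non-zero status otherwise.
check_ssh_pubkey() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }

    # A private key pasted by mistake would be stored in the node configuration.
    if grep -q 'PRIVATE KEY' "$file"; then
        echo "$file holds a private key; use the .pub file" >&2
        return 2
    fi

    # Expect exactly one non-empty line.
    [ "$(grep -c . "$file")" -eq 1 ] || { echo "expected one key line" >&2; return 3; }

    line=$(grep . "$file")
    type=${line%% *}      # first field: key type
    rest=${line#* }
    blob=${rest%% *}      # second field: base64 key data

    case $type in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unexpected key type: $type" >&2; return 4 ;;
    esac

    # Only base64 characters, and the data must decode (catches a damaged paste).
    case $blob in
        ''|*[!A-Za-z0-9+/=]*) echo "key data is not base64" >&2; return 5 ;;
    esac
    printf '%s' "$blob" | base64 -d >/dev/null 2>&1 ||
        { echo "key data does not decode" >&2; return 5; }

    # Decoded data starts with a 4-byte length, then the key type name again;
    # it must agree with the first field.
    inner=$(printf '%s' "$blob" | base64 -d | tail -c +5 | head -c "${#type}" | tr -d '\000')
    [ "$inner" = "$type" ] || { echo "key data is not a $type key" >&2; return 5; }

    printf '%s %s\n' "$type" "$blob"
}
```

The printed line is what goes between the quotes in `--config=debug.enable.ssh:"..."`.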
Disable SSH for an Edge Node
- Log in to the ZCLI
- Disable SSH for your edge node by removing all the public keys from the node.
      zcli edge-node update EDGE_NODE --config=debug.enable.ssh:""
- Verify that your public key is gone.
      zcli edge-node show EDGE_NODE --detail
  Example config
  Before disabling SSH, the config looks similar to the following:
      Edge Node Config: debug.enable.ssh ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDflVAtUnN/K5tYcXLoEtMAACTNn2UtEV18kL0vyrr7EMfS29xL/Bzq0UcF2H2fV9yUn+0gA5F2xN/gT0YhH3F9b4z4j8T9fH2G6b8c9a3Z5s4x4c6f7e8g9h0k3b5c7a8f9g2d4e6h8k0j1m3n5p7r9s0t2v4w6x8y0z+A1B3C5D7F9G1H3J5K7L9M1N3P5R7T9V1X3Z5a7b9c1d3f5g7h9j1k3l5m7n9p1r3s5t7v9w1x3y5z7A9B3D5F7H9J1L3N5P7R9T1V3X5Z7a9c1d3f5g7h9j1k3l5m7n9p1r3s5t7v9w1x3y5zFAKEKEYEXAMPLEQWERTYUIOPASDFGHJKLZXCVBNM=
  After disabling SSH, the config looks similar to the following:
      Edge Node Config: debug.enable.ssh