Command StackScripts to Customize an Advanced Deployment

Mark Korsak
Published in Linode Cube
Dec 6, 2016

It’s not uncommon for us at Linode to receive a number of feature requests when we develop many of our products. Over the past 13 years, for example, as our API, manager, or LISH has moved from idea, to beta, to release, we’ve frequently considered — and sometimes adopted — recommendations from our users. As a result, our cloud remains one of the best.

And while we are grateful for that keen insight to help us better build our cloud, I would be remiss to not mention that some cool tools are always available to you so that you can better build and deploy your Linode exactly the way you want to.

One of the coolest tools is our StackScript, a snippet of modifiable code that can help streamline, automate and tailor your Linode and its performance. Following is my explanation of how a StackScript can be written to deploy a Linode with SSH keys, an often-requested feature of Linode — which is already possible!

StackScripts Deployment with SSH Keys

As I mentioned in a previous blog, it’s possible to write a custom StackScript that can achieve deployment with SSH keys. In this blog I’m going to explain such a StackScript, which I have already created and you can find here on Linode.com.

Referring to the StackScript found on the link above, I’m going to take each section of the script and illustrate how it works. With this knowledge you’ll be able to start writing StackScripts tailored to your own deployment choices.

#!/bin/bash
#
#<UDF name="ssh" label="SSH Public Key:">
# SSH=
#

At the start of the script, you declare it a bash script (line 1) and then use comments (#) to set up the input fields in the Linode Manager. Lines 3 and 4 together prompt for your SSH public key in the Linode Manager (when you choose to deploy this script) and assign the response to the variable “SSH” in this script.

#This updates the packages on the system from the distribution repositories.
apt-get update
apt-get upgrade -y

Here at lines 7–9, I comment first and then run two commands to update and upgrade the server. While these commands aren’t mandatory, I would recommend them for any new server deployment, so you can pull in all new packages since the selected distribution was created.

# This sets your public key on your Linode
mkdir -p ~/.ssh
echo "${SSH}" >> ~/.ssh/authorized_keys

In the next section, the comment in line 11 is followed by the command in line 12, which creates the .ssh folder in the root user’s home folder. Line 13 then takes the SSH variable that the user supplied earlier and appends it to the authorized_keys file. This permits the computer with the matching key to log in automatically as the root user.

# This disables password authentication
sed -i 's/#*PasswordAuthentication [a-zA-Z]*/PasswordAuthentication no/' /etc/ssh/sshd_config

Now that you can log in as the root user via an SSH key, you can disable password authentication on the Linode, which is what line 16 does. For many users, this is standard practice because disabling password authentication will help keep a Linode extra secure.

(Don’t worry: In case the wrong key was provided or you wish to access your Linode from another computer before applying the key, you can still access the server with the LISH console.)

The sed command on line 16 searches the sshd_config file for every part matching the regular expression “#*PasswordAuthentication [a-zA-Z]*” and replaces each match with “PasswordAuthentication no”. This find-and-replace locates all instances of the PasswordAuthentication line, whether set to yes or no, commented or not, and ensures that password authentication has been disabled.
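A way to check that claim before relying on it, as an added example that is not part of the original StackScript: it runs the article's sed expression over constructed sshd_config lines and reports the value sshd would read, since sshd uses the first value it obtains for a keyword and defaults to yes when none is set. The function names are made up for this example, and it assumes whitespace-separated "Keyword value" lines.

```bash
#!/bin/bash
# Added example: test the article's sed expression against constructed
# sshd_config fragments. Assumes whitespace-separated "Keyword value" lines.

# The substitution from the StackScript, as a stdin -> stdout filter.
apply_article_sed() {
    sed 's/#*PasswordAuthentication [a-zA-Z]*/PasswordAuthentication no/'
}

# Report the global PasswordAuthentication value sshd would read: the first
# active directive before any Match block, or "unset" (sshd then defaults to yes).
effective_password_auth() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "passwordauthentication" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }'
}

# Stricter alternative: drop every active directive and put one "no" first,
# so the result does not depend on how the stock file was commented.
force_password_auth_off() {
    printf 'PasswordAuthentication no\n'
    awk 'tolower($1) != "passwordauthentication"'
}

# Constructed sample lines, not taken from any particular distribution image.
# The second one ("# " with a space) stays commented out after the article's sed.
for line in '#PasswordAuthentication yes' '# PasswordAuthentication yes' 'Port 22'; do
    sed_result=$(printf '%s\n' "$line" | apply_article_sed | effective_password_auth)
    forced=$(printf '%s\n' "$line" | force_password_auth_off | effective_password_auth)
    printf '%-30s sed: %-6s forced: %s\n' "$line" "$sed_result" "$forced"
done
```

On a deployed Linode, `sshd -t` checks the file for errors before the restart and `sshd -T` prints the settings sshd will actually use.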

# This restarts the SSH service, with two commands to cover more distributions
systemctl restart sshd
service ssh restart

In this last section of the StackScript, SSH is restarted to save the changes made. After the line 18 comment, lines 19 and 20 are two different commands that will increase compatibility with more distributions. Running one of the commands that wouldn’t work on a particular distribution won’t cause any system harm.

I’ve currently tested this on several distros. It worked fine with CentOS 7, Debian 7, Debian 8, Ubuntu 16.04 LTS, Ubuntu 16.10, Ubuntu 12.04 LTS, and Ubuntu 14.04 LTS.

Possible StackScript Changes

Perhaps users want to take further security measures and remove root login altogether? They could then prompt for a new username at deployment and create an account with that username. In doing so, they could then disable root login in the SSH config. You should consider challenging yourself to make your own StackScript with your own preferred method of deployment. Then, share it with everyone!
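One way that variation could look, as an added example that is not Linode's script or the StackScript linked above: it validates both inputs, installs the key for the new account with owner-only permissions, and turns off root logins over SSH. The "deployuser" UDF and all function names are assumptions made for this example; the UDF lines follow the pattern shown earlier in the article.

```bash
#!/bin/bash
# Added example, not Linode's script: key-only login for a non-root user.
# Assumed UDFs, following the article's name -> upper-case variable pattern:
#<UDF name="deployuser" label="New username:">
#<UDF name="ssh" label="SSH Public Key:">

# Accept only conservative login names: lower-case first letter, 32 chars max.
valid_username() {
    printf '%s' "$1" | LC_ALL=C grep -Eq '^[a-z][a-z0-9_-]{0,31}$'
}

# Accept one line that starts with a known key type followed by base64 data.
valid_pubkey() {
    [ "$(printf '%s\n' "$1" | wc -l)" -eq 1 ] || return 1
    printf '%s' "$1" | LC_ALL=C grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# Install key $2 under home directory $1 with owner-only modes (700 / 600).
install_key() {
    mkdir -p "$1/.ssh" || return 1
    chmod 700 "$1/.ssh" || return 1
    touch "$1/.ssh/authorized_keys" || return 1
    chmod 600 "$1/.ssh/authorized_keys" || return 1
    # Append only if this exact line is missing, so a re-run adds no duplicate.
    grep -qxF -- "$2" "$1/.ssh/authorized_keys" ||
        printf '%s\n' "$2" >> "$1/.ssh/authorized_keys"
}

# Privileged steps: create the account, install the key, turn off root SSH logins.
deploy() {
    valid_username "$DEPLOYUSER" || { echo "invalid username" >&2; return 1; }
    valid_pubkey "$SSH" || { echo "invalid public key" >&2; return 1; }
    useradd --create-home --shell /bin/bash "$DEPLOYUSER" || return 1
    home=$(getent passwd "$DEPLOYUSER" | cut -d: -f6)
    install_key "$home" "$SSH" || return 1
    chown -R "$DEPLOYUSER:" "$home/.ssh" || return 1
    # Prepend the directive: sshd keeps the first value it reads for a keyword.
    sed -i '1i PermitRootLogin no' /etc/ssh/sshd_config || return 1
    sshd -t   # non-zero exit if the edited config does not parse
}

# Runs only when the username UDF was filled in at deployment.
if [ -n "${DEPLOYUSER:-}" ]; then deploy; fi
```

The account created here has no sudo rights, so root administration would go through the LISH console the article mentions; the restart commands from the article would follow `deploy`.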

Take your own recipe for deployment and implement it into a script. Then, see how you can utilize that script with our Manager, API, LISH and more.
