Join Log in
Score:0
avatar Server

gcloud compute ssh — avoid having to 2FA every time?

ng flag
Kannan Goundan

I use gcloud compute ssh to SSH into my instance, e.g.:

$ gcloud compute ssh shell-server --project=XXXXXXXXXXXXXXXX
No zone specified. Using zone [us-central1-f] for instance: [shell-server].
External IP address was not found; defaulting to using IAP tunneling.
Please choose from the available authentication methods:
1: Security code from Google Authenticator application
2: Voice or text message verification code

Enter the number for the authentication method to use: 1
Enter your one-time password: XXXXXX
username@shell-server ~ $

Unfortunately, I have to 2FA every time. I like 2FA, but maybe there's a way to set things up so that I only have to provided it every few hours?

Update: I ran gcloud compute ssh --dry-run, which tells you exactly what command it's running:

/usr/bin/ssh \
    -t \
    -i /Users/kannan/.ssh/google_compute_engine \
    -o CheckHostIP=no \
    -o HostKeyAlias=compute.123123123123123123 \
    -o IdentitiesOnly=yes \
    -o StrictHostKeyChecking=no \
    -o UserKnownHostsFile=/Users/kannan/.ssh/google_compute_known_hosts \
    -o ProxyCommand='/usr/local/bin/python3 -S /Users/kannan/Software/google-cloud-sdk/lib/gcloud.py compute start-iap-tunnel shell-server %p --listen-on-stdin --project=XXXXXXXXXX --zone=us-central1-f --verbosity=warning' \
    -o ProxyUseFdpass=no \
    kannan_example_org@compute.123123123123123123

Update 2: I could keep gcloud compute start-iap-tunnel running in the background and configure my SSH to use that tunnel, but I'm hoping for something more automatic, similar to the convenience of SSH's ControlMaster=auto.

417
2 + 3
ssh
John Hanley avatar
cn flag
John Hanley
Which service is providing MFA/2FA/2-Step-Verfication?
0
Reply
ng flag
Kannan Goundan
@JohnHanley: Good question. I think it's GCP's "IAP Tunnel" feature that asks for 2FA. I updated my question with more details.
0
Reply
ng flag
Kannan Goundan
@JohnHanley: Actually, I was wrong. It's actually the target instance itself ("shell-server") that asks for 2FA.
0
Reply
Score:1
avatar Server
ng flag
Kannan Goundan

I figured it out. Put this in ~/.ssh/config:

Host shell-server
    User kannan_example_org
    IdentityFile ~/.ssh/google_compute_engine
    UserKnownHostsFile ~/.ssh/google_compute_known_hosts
    CheckHostIP no
    StrictHostKeyChecking no
    ProxyCommand gcloud compute start-iap-tunnel %n %p --project="..." --zone="..." --listen-on-stdin --verbosity=warning
    ProxyUseFdpass no
    ControlMaster auto
    ControlPersist 30m
  • ControlMaster auto: On every ssh/scp invocation, first check if there's an existing connection to shell-server. If so, just share that connection, so there's no re-auth and therefore no re-2FA.
  • ControlPersist 30m tells SSH that even after all ssh/scp invocations are done, keep the sharable connection open for 30m.

I can now just use plain ssh and scp commands with the hostname shell-server.

Note: I actually ended up setting ProxyCommand to a custom wrapper script that automatically determines --project=... and --zone=... from the hostname.

0 + 0
Score:0
avatar Server
de flag
John Malloc

The 2FA is a part of the OS Login service. Could you verify by the command below whether you have the flag set up for a project?

gcloud compute project-info describe | grep os

If it's enabled you may disable it for the entire project or during the creation of a VM.

More info here:

https://cloud.google.com/compute/docs/instances/managing-instance-access#enable_oslogin

I hope it will help.

0 + 2
ng flag
Kannan Goundan
Oh sorry -- to be clear I don't want to disable 2FA. I just don't want to have to type it in on every new `ssh` (or `scp`) invocation. For example, maybe it could only ask for 2FA every 24 hours.
0
Reply
de flag
John Malloc
In my opinion, it is not feasible to do in the OS Login service. There is no switch in the command line to set up a timeout.
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.