I want to do the following:
- Create Digital Ocean drops from my development machine (to distribute my tests that take too long).
- Reliably issue a drop command.
- Destroy the drops.
I'm stuck on #2. I can successfully create drops through the Digital Ocean API, and I can set my SSH key in the authorized_keys, but if I let Digital Ocean create the key, then I have no way to verify the server's public key.
Now, if it was in one data center, that would not be a problem, since I could rely on Digital Ocean without implementing the MITM attack, because they have a root anyway, but since I connect to my development machine I need a way to trust the public key.
I tried following various cloud init tutorials, but always get the error:
    ssh root@178.62.69.133
    Connection closed by 178.62.69.133
I tried to eliminate any possibility of error, I even resorted to private64 encoding for base64, believing that there might be some kind of escaping problem.
This is the command I use to create the keys:
    e = "ssh-keygen -t ecdsa-sha2-nistp256 -f #{loc} -q -N #{password} -C \"\""
    system(e)

Which expands to this:
    ssh-keygen -t ecdsa-sha2-nistp256 -f /tmp/testing-60f42fcf -q -N 77924d8f4fa12a365c8c003ca091f5ad6a2c4c22 -C ""
Then I base64 encoded it,
    private_key = `base64 --wrap=0 #{loc}`.chomp
    public_key = `base64 --wrap=0 #{loc}.pub`.chomp

and put it in the cloud-init yaml file (didn't want to use | because it is a special character in Yaml, and I wanted to avoid it if possible):

    #cloud-config
    ---
    runcmd:
      - echo test > /root/test
      - rm /etc/ssh/ssh_host*
      - echo LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tClByb2MtVHlwZTogNCxFTkNSWVBURUQKREVLLUluZm86IEFFUy0xMjgtQ0JDLEY3MDNDNzM1QTAxQzgyNEVBRjhCODA4NkVDREIyMjAwCgpiYlpCa3A2Ujcyd1RRNUsyL2w4QW9YU3FQNllRVjV0aVJETytmU1FqZTlEUjY4MG9wY3RCRGhKRWdPQ0prSkw1CmhOUGxydzUveHFwTHM5UXc3cWJaWlUvRHR0YnlxZTFWUDcyVHBRS1pFL2FDcTdGTWFpbFJrcUpFa3JobVdCcFEKbWtQTW15M3BwVFZZKzJvRDZTdmMzdzZyTW1JTlpKUkltRUxiUk81S2M4bz0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo= > /tmp/base64_pri && base64 --decode /tmp/base64_pri > /etc/ssh/ssh_host_ecdsa_key
      - echo ZWNkc2Etc2hhMi1uaXN0cDI1NiBBQUFBRTJWalpITmhMWE5vWVRJdGJtbHpkSEF5TlRZQUFBQUlibWx6ZEhBeU5UWUFBQUJCQkVHSDJBS3BVcVE0NVZQWGNFK3h5NXV6elVnajhKelBxODJNaERLV0szaGltUVBReWRPQ0RlRVdyRVJzeCtUTEtPSjBlRElJWU9jT2RWT0FteHZycG1nPSAK > /tmp/base64_pub && base64 --decode /tmp/base64_pub > /etc/ssh/ssh_host_ecdsa_key.pub
      - sleep 1 && service ssh restart
(Do not worry that the ssh key / droplet has been destroyed, this is for demonstration only)
I can verify that if I leave the rest of the commands successfully executed by echo test > /root/test. I also tested this on my local machine, and the md5sums match is:

    028760a9374f9abd9c2c66eceb20f245  /tmp/pub_key_check
    028760a9374f9abd9c2c66eceb20f245  /tmp/testing-60f42fcf.pub
    2bf65516aaef01c731d061fa4ba788c5  /tmp/pri_key_check
    2bf65516aaef01c731d061fa4ba788c5  /tmp/testing-60f42fcf
So, I know that I decode them correctly.
I tried other types of keys, but I would like to use ecdsa keys if possible, because this is the default for my other boxes. What am I doing wrong here? Also, am I the only one who does this? I have Googled, and it seems like the general answer is that people just trust the generated public key, which, in my opinion, is insane if you do this cross-data center, as any random internet provider (or, in my case, cafe) can passively MITM you.
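
An added example, not part of the original post: one way to pre-seed an ECDSA host key and pin it on the client, using cloud-init's `ssh_keys` setting in place of the post's `runcmd`/base64 steps. It refuses a passphrase-protected private key, because sshd loads host keys without prompting (the key above was created with `-N #{password}`). The helper names and the address 203.0.113.10 are constructed for illustration.

```ruby
require "openssl"
require "base64"
require "yaml"

# SSH wire-format string: uint32 big-endian length, then the bytes.
def ssh_string(bytes)
  [bytes.bytesize].pack("N") + bytes.b
end

# "ecdsa-sha2-nistp256 <base64>" line for a P-256 key, as found in a .pub file.
def openssh_public_line(ec_key)
  point = ec_key.public_key.to_octet_string(:uncompressed) # 0x04 || X || Y
  blob = ssh_string("ecdsa-sha2-nistp256") + ssh_string("nistp256") + ssh_string(point)
  "ecdsa-sha2-nistp256 #{Base64.strict_encode64(blob)}"
end

# True when the private key needs a passphrase. sshd loads host keys without
# prompting, so a protected key cannot serve as a host key.
def passphrase_protected?(pem)
  return true if pem.include?("Proc-Type: 4,ENCRYPTED") || pem.include?("BEGIN ENCRYPTED PRIVATE KEY")
  return false unless pem.include?("BEGIN OPENSSH PRIVATE KEY")
  raw = Base64.decode64(pem.lines.reject { |l| l.start_with?("-----") }.join)
  magic = "openssh-key-v1\0".b
  len = raw.byteslice(magic.bytesize, 4).unpack1("N")
  raw.byteslice(magic.bytesize + 4, len) != "none" # cipher name field
end

# cloud-config that installs the given host key through cloud-init's ssh_keys.
def host_key_cloud_config(private_pem, public_line)
  raise ArgumentError, "host key is passphrase-protected" if passphrase_protected?(private_pem)
  config = { "ssh_deletekeys" => true,
             "ssh_keys" => { "ecdsa_private" => private_pem, "ecdsa_public" => public_line } }
  "#cloud-config\n" + config.to_yaml
end

# Entry for a dedicated known_hosts file, for use with StrictHostKeyChecking=yes.
def known_hosts_line(host, public_line)
  "#{host} #{public_line}"
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::EC.generate("prime256v1") # throwaway key, generated locally
  pub = openssh_public_line(key)
  puts host_key_cloud_config(key.to_pem, pub)       # user-data for the create call
  puts known_hosts_line("203.0.113.10", pub)        # constructed address (TEST-NET-3)
end
```

Write the known_hosts line to its own file and connect with `ssh -o UserKnownHostsFile=<that file> -o StrictHostKeyChecking=yes`, so the first connection fails unless the server presents the pre-seeded key.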