
sshd

sshd enables nebula’s built-in debugging console, which can be accessed via ssh. It can expose informational and administrative functions, and allows manual tweaking of various network settings when debugging or testing.

Hint: To generate the host key, run ssh-keygen -t ed25519 -f ssh_host_ed25519_key. Be sure to set the ownership appropriately, e.g. chown root:root ssh_host_ed25519_key.

sshd:
  enabled: true
  listen: 127.0.0.1:2222
  host_key: /path/to/ssh_host_ed25519_key
  authorized_users:
    - user: steeeeve
      keys:
        - '[ssh public key string]'
  trusted_cas:
    - '[ssh ca public key string]'

See also the Debugging with Nebula SSH commands guide.

enabled (Default: False, Reloadable) toggles this feature globally.

listen (Reloadable) specifies the host IP and port number for the nebula debug console to listen on. Port 22 is not allowed, for your safety.

host_key (Reloadable) points to a file containing the SSH host private key to use for the server side of the console. In the example above, /path/to/ssh_host_ed25519_key contains a PEM-encoded SSH host key. The following example shows a host key inlined as a YAML multiline string.

sshd:
  host_key: |
    -----BEGIN OPENSSH PRIVATE KEY-----
    b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
    QyNTUxOQAAACCAvcPQI9IPXWXmsCFBi+IGoqxjKcCZjivS2ev7wVLWjAAAAKCzhBSYs4QU
    mAAAAAtzc2gtZWQyNTUxOQAAACCAvcPQI9IPXWXmsCFBi+IGoqxjKcCZjivS2ev7wVLWjA
    AAAECkLDZ1uXRNpvWTG+tff7MSoy6WCDkNhlwB+I5BpI0zfYC9w9Aj0g9dZeawIUGL4gai
    rGMpwJmOK9LZ6/vBUtaMAAAAGmptYWd1aXJlQGpvaG5zLW1icC0zLmxvY2FsAQID
    -----END OPENSSH PRIVATE KEY-----

You can generate a host key using the ssh-keygen command line utility.

ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N "" < /dev/null

authorized_users (Reloadable): these options are how you create users for the debug ssh daemon. Password authentication for the ssh debug console is NOT supported.
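The following is an added example, not Nebula's own code or validation logic: a small Python checker that applies the rules stated on this page for the listen, host_key and authorized_users options (port 22 is rejected, a host key file should not be group or world accessible, and because password authentication is unsupported an empty authorized_users together with an empty trusted_cas means nobody can log in). It takes the sshd block already parsed into a dict, so it needs no YAML library. The loopback requirement on listen is a policy choice of this example, not a Nebula rule, and the sample configs and the placeholder key file are constructed.

```python
import os
import stat
import tempfile

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1", "[::1]"}

# Constructed sample configs: the sshd block as it looks after YAML parsing.
GOOD_CONFIG = {
    "enabled": True,
    "listen": "127.0.0.1:2222",
    "host_key": "/path/to/ssh_host_ed25519_key",   # placeholder path taken from the page
    "authorized_users": [{"user": "steeeeve", "keys": ["ssh-ed25519 AAAAC3... constructed"]}],
    "trusted_cas": [],
}
WEAK_CONFIG = {
    "enabled": True,
    "listen": "0.0.0.0:22",                         # reachable from the network, on the forbidden port
    "host_key": "/path/to/ssh_host_ed25519_key",
    "authorized_users": [],                         # nobody can log in; password auth is unsupported
    "trusted_cas": [],
}


def constructed_host_key(mode=0o600):
    """Write a throwaway placeholder file (not a real key) with the given mode; return its path."""
    fd, path = tempfile.mkstemp(prefix="ssh_host_ed25519_key_")
    os.write(fd, b"-----BEGIN OPENSSH PRIVATE KEY-----\nplaceholder\n-----END OPENSSH PRIVATE KEY-----\n")
    os.close(fd)
    os.chmod(path, mode)
    return path


def _check_listen(listen, require_loopback, findings):
    host, sep, port = str(listen).rpartition(":")
    if not sep or not port.isdigit():
        findings.append("listen: expected host:port, got %r" % listen)
        return
    port_n = int(port)
    if port_n == 22:
        findings.append("listen: port 22 is not allowed")
    elif not 1 <= port_n <= 65535:
        findings.append("listen: port %d out of range" % port_n)
    if require_loopback and host not in LOOPBACK_HOSTS:
        findings.append("listen: %s is not a loopback address, the debug console is network reachable" % host)


def _check_host_key(host_key, findings):
    if not host_key:
        findings.append("host_key: required when sshd is enabled")
    elif str(host_key).lstrip().startswith("-----BEGIN"):
        return                                   # inline key; nothing on disk to check
    elif not os.path.isfile(host_key):
        findings.append("host_key: %s does not exist" % host_key)
    else:
        mode = stat.S_IMODE(os.stat(host_key).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append("host_key: %s is group/world accessible (mode %o)" % (host_key, mode))


def _check_principals(users, cas, findings):
    if not users and not cas:
        findings.append("authorized_users/trusted_cas: both empty, nobody can log in")
    for entry in users:
        if not entry.get("user"):
            findings.append("authorized_users: entry without a user")
        if not entry.get("keys"):
            findings.append("authorized_users: %s has no keys" % entry.get("user"))


def check_sshd_config(sshd, require_loopback=True):
    """Return a list of findings for one sshd block; an empty list means clean."""
    findings = []
    if not sshd.get("enabled", False):
        return findings                          # console disabled; nothing is reachable
    _check_listen(sshd.get("listen", ""), require_loopback, findings)
    _check_host_key(sshd.get("host_key"), findings)
    _check_principals(sshd.get("authorized_users") or [], sshd.get("trusted_cas") or [], findings)
    return findings


if __name__ == "__main__":
    good = dict(GOOD_CONFIG, host_key=constructed_host_key(0o600))
    print("good:", check_sshd_config(good))
    print("weak:", check_sshd_config(WEAK_CONFIG))
```

Run it on a real deployment by loading the nebula config with any YAML parser and passing the sshd mapping to check_sshd_config; the inline host_key form is accepted as-is, while a path is checked for existence and for permissions looser than the owner-only mode the Hint above implies.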

As an alternative to (or in addition to) authorized_users, you may define a list of trusted SSH CA public keys. Any SSH certificate signed by a trusted CA will be granted access to the SSH debug server.

If an SSH certificate contains at least one principal, the connecting username must match a principal in the certificate. If no principals are specified in the certificate, any username can be used.
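As an added example of the principal rule just described (not Nebula's code; Nebula uses its own SSH library for this), the Python below parses the public half of an ssh-ed25519-cert-v01@openssh.com certificate in the OpenSSH wire format, pulls out the key id, certificate type and valid principals, and decides whether a connecting username is acceptable: a non-empty principal list must contain the username, an empty list accepts any username, and a host certificate never grants a login. Signature verification against the trusted CA and the validity window are deliberately out of scope here; a server must check those before the principal rule matters. The certificate built by build_ed25519_cert_blob is constructed test data with placeholder key material and an empty signature, so it would not verify anywhere.

```python
import base64
import struct
from collections import namedtuple

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
USER_CERT = 1          # "type" field values from OpenSSH's PROTOCOL.certkeys
HOST_CERT = 2

CertInfo = namedtuple("CertInfo", "cert_type key_id principals")


def _pack_string(data):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf, offset):
    """Read one wire-format string at offset; return (value, new_offset)."""
    if offset + 4 > len(buf):
        raise ValueError("truncated certificate")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    offset += 4
    if offset + length > len(buf):
        raise ValueError("truncated certificate")
    return buf[offset:offset + length], offset + length


def build_ed25519_cert_blob(key_id, principals, cert_type=USER_CERT):
    """Constructed, unsigned certificate blob for testing the parser below."""
    fields = [
        _pack_string(CERT_TYPE),
        _pack_string(b"\x00" * 32),                 # nonce (placeholder)
        _pack_string(b"\x11" * 32),                 # subject ed25519 public key (placeholder)
        struct.pack(">Q", 1),                       # serial
        struct.pack(">I", cert_type),               # 1 = user certificate, 2 = host certificate
        _pack_string(key_id.encode()),
        _pack_string(b"".join(_pack_string(p.encode()) for p in principals)),
        struct.pack(">Q", 0),                       # valid after
        struct.pack(">Q", 0xFFFFFFFFFFFFFFFF),      # valid before (forever)
        _pack_string(b""),                          # critical options
        _pack_string(b""),                          # extensions
        _pack_string(b""),                          # reserved
        _pack_string(_pack_string(b"ssh-ed25519") + _pack_string(b"\x22" * 32)),  # CA key (placeholder)
        _pack_string(b""),                          # signature (empty: unsigned test data)
    ]
    return b"".join(fields)


def encode_cert_line(blob, comment="constructed"):
    """Render a blob the way an id_ed25519-cert.pub line looks."""
    return "%s %s %s" % (CERT_TYPE.decode(), base64.b64encode(blob).decode(), comment)


def decode_cert_line(line):
    """Recover the blob from a 'type base64 comment' certificate line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed certificate line")
    return base64.b64decode(parts[1])


def parse_cert(blob):
    """Extract type, key id and principals; nothing here verifies the signature."""
    off = 0
    kind, off = _read_string(blob, off)
    if kind != CERT_TYPE:
        raise ValueError("unsupported certificate type %r" % kind)
    _nonce, off = _read_string(blob, off)
    _pubkey, off = _read_string(blob, off)
    off += 8                                        # serial (uint64), not needed here
    (cert_type,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    key_id, off = _read_string(blob, off)
    packed, off = _read_string(blob, off)           # principals: a string of packed strings
    principals, p_off = [], 0
    while p_off < len(packed):
        name, p_off = _read_string(packed, p_off)
        principals.append(name.decode())
    return CertInfo(cert_type, key_id.decode(), principals)


def username_allowed(blob, username):
    """The page's rule, applied after the CA signature has been verified elsewhere."""
    info = parse_cert(blob)
    if info.cert_type != USER_CERT:
        return False                                # host certificates never grant a login
    if not info.principals:
        return True                                 # no principals: any username is accepted
    return username in info.principals
```

For a real certificate, ssh-keygen -L -f id_ed25519-cert.pub prints the same Key ID and Principals fields that parse_cert returns, which is the quickest way to confirm what usernames a certificate issued by one of your trusted_cas will actually be able to use.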