I've got a CoreOS cluster running on GCE, and one issue I've noticed with all GCE instances is that as long as you're auth'd with the project on Google Cloud Platform, you can log in as pretty much anyone on the servers. This is an issue for me because anyone on the team, or anyone who gets into the project, can ssh right in as anyone to the server. I would like to disable this and just use users I've created in my cloud-config file that have specified ssh keys and passwords that expire. In doing this, I'm curious how Google creates the users on GCE. And has anyone found a way to disable this?
4 Answers
As of March 2017 you can prevent the accounts from being created by disabling the Accounts daemon, that is deployed on all images in GCE.
To do that:
1. Create the file /etc/default/instance_configs.cfg.template with the following content:

   [Daemons]
   accounts_daemon = false

2. Run /usr/bin/google_instance_setup

This should stop and disable the daemon permanently, even across updates of the daemon's package.
You can read more about daemons and other things deployed by Google on GCE systems images in the GoogleCloudPlatform/compute-image-packages project README and code.

`/usr/bin/google_instance_setup` doesn't exist – theonlygusti Mar 15 '21 at 21:50
You can prevent a GCE instance from adding accounts by ensuring the google-accounts-manager service does not run. On CoreOS you can stop this service with `sudo systemctl stop google-accounts-manager.service` and then disable it permanently with `sudo systemctl disable google-accounts-manager.service`.
You may want to make an image with the service pre-disabled (or even delete the unit file) so that when you create instances it doesn't create accounts before you disable the service.

And there's no "google magic" that'll break ssh from doing this? – Christian Grabowski Sep 16 '15 at 19:47
Well you'll need to provide your SSH keys some other way (e.g. with a startup script), but nothing should break. You can look at the code at https://github.com/GoogleCloudPlatform/compute-image-packages/tree/master/google-daemon/usr/share/google/google_daemon; all it does is watch for new metadata and then create users with the SSH keys from the metadata server. – David Sep 16 '15 at 19:51
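The two answers above give two routes to the same end: the config switch plus `google_instance_setup` from the first answer, and stopping and disabling the account-creating unit from the second. The script below is an added example, not code from the thread or from Google's guest packages, that applies both routes, skips whatever is absent on the image (so the missing `google_instance_setup` binary the comment reports is handled), and reads the setting back to confirm it landed rather than trusting the write. Assumptions: the `[Daemons] accounts_daemon` key and the setup path are as quoted in the first answer; the unit names are `google-accounts-manager.service` (CoreOS, second answer) and `google-accounts-daemon.service` (the name used by compute-image-packages); `INSTANCE_CONFIGS` defaults to `/etc/default/instance_configs.cfg`, and can be pointed at the `.template` path to follow the first answer literally, or at a scratch file for testing.

```shell
#!/bin/sh
# Added example (not code from the thread or from Google's guest packages):
# turn off GCE metadata-driven account creation by both routes the answers
# describe, then verify the setting actually landed.
#
# Assumptions: [Daemons] accounts_daemon and /usr/bin/google_instance_setup
# are as quoted in the first answer; unit names are google-accounts-manager
# (CoreOS, second answer) and google-accounts-daemon (compute-image-packages).
set -e

CFG="${INSTANCE_CONFIGS:-/etc/default/instance_configs.cfg}"

# Set accounts_daemon = false inside the [Daemons] section of an INI-style
# file, replacing an existing value and leaving every other key and section
# untouched. Creates the file or the section when either is missing.
write_accounts_daemon_off() {
    cfg="$1"
    [ -f "$cfg" ] || : > "$cfg"
    tmp="$(mktemp)"
    awk '
        /^\[/ {                                   # section header
            if (in_d && !done) { print "accounts_daemon = false"; done = 1 }
            in_d = ($0 == "[Daemons]")
        }
        in_d && /^[ \t]*accounts_daemon[ \t]*=/ { # existing key: rewrite once
            if (!done) { print "accounts_daemon = false"; done = 1 }
            next
        }
        { print }
        END {
            if (!done) {
                if (!in_d) print "\n[Daemons]"    # no section at all: append one
                print "accounts_daemon = false"
            }
        }' "$cfg" > "$tmp"
    cat "$tmp" > "$cfg"   # cat, not mv: keeps the target's owner and mode
    rm -f "$tmp"
}

# Exit 0 only when the [Daemons] section says accounts_daemon = false.
accounts_daemon_disabled() {
    awk '
        /^\[/ { in_d = ($0 == "[Daemons]"); next }
        in_d && /^[ \t]*accounts_daemon[ \t]*=/ {
            split($0, kv, "=")
            gsub(/[ \t]/, "", kv[2])
            found = (tolower(kv[2]) == "false")
        }
        END { if (found) exit 0; exit 1 }' "$1"
}

# Stop, disable and mask a systemd unit, but only where systemctl and the
# unit exist. Masking is the non-destructive equivalent of deleting the unit
# file, which the second answer suggests: nothing can pull it in again.
disable_unit_if_present() {
    unit="$1"
    command -v systemctl >/dev/null 2>&1 || return 0
    systemctl list-unit-files "$unit" 2>/dev/null | grep -q "^$unit" || return 0
    systemctl stop "$unit"
    systemctl disable "$unit"
    systemctl mask "$unit"
}

harden_gce_accounts() {
    write_accounts_daemon_off "$CFG"
    accounts_daemon_disabled "$CFG" || {
        echo "accounts_daemon is still enabled in $CFG" >&2
        return 1
    }
    # First answer's route: re-run instance setup so the package honours the file.
    if [ -x /usr/bin/google_instance_setup ]; then
        /usr/bin/google_instance_setup
    fi
    # Second answer's route: take the account-creating unit out of the picture.
    for unit in google-accounts-manager.service google-accounts-daemon.service; do
        disable_unit_if_present "$unit"
    done
}

# Only act when explicitly asked; sourcing the file just defines the functions.
if [ "${1:-}" = "--apply" ]; then
    harden_gce_accounts
fi
```

Run it as `sudo sh harden.sh --apply` from a unit or startup script that runs before the accounts daemon, or bake the result into an image as the second answer suggests; once it has run, keys pushed into project or instance metadata no longer turn into local accounts, so the SSH keys for the users you do want must arrive another way (cloud-config, as the question intends).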
If users have "edit" access to a project, they are able to SSH to any VM (and have passwordless sudo access) because they can edit the metadata for any given VM or the project itself to add their public SSH key to it, which is what gcloud does for you automatically when you use gcloud compute ssh or if you click on the [SSH] button in the UI.
You cannot disable this feature, because then you wouldn't be able to SSH to your own newly-created instances either: GCE VM instances boot without any user accounts or SSH keys on them, and inherit them from the project, or from changes to the metadata once they're running, so you can add a user dynamically to a running VM by changing the metadata, and a daemon on the VM will create a user account for you automatically.
If you want to control who can SSH to what instance, give the users View access, not Edit, and manually add their SSH keys only to those instances that you want them to access. Or enable password-based SSH and add their user accounts.
As of this writing (28 Aug 2015), there is an alpha of programmatic user account access available which you can use to create new user accounts on your VMs. You can request to be whitelisted for this API since it's by-invitation only at this time.

This is not possible right now. If your project members have edit or ownership permissions, then they can SSH to VM instances.
However, you may create a separate project for the VM instances that you don't want to share with the other members (editors/owners). Another workaround is using AllowUsers in your /etc/ssh/sshd_config file to allow only specific users/IP addresses to SSH to the VMs.
I suggest filing a feature request on the GCE public issue tracker for adding the feature.

What was the appeal of creating any user from any auth'd account? – Christian Grabowski Aug 25 '15 at 19:19
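The AllowUsers workaround in the answer above works because sshd checks the allow list before any key is considered: an account the metadata daemon creates for a project editor exists, but a login to it is refused. The script below is an added example, not code from the thread, that pins sshd to an explicit list idempotently, keeps the new directive global (before any Match block) and leaves Match-scoped AllowUsers lines alone, and syntax-checks the result with `sshd -t` when the daemon is installed so a typo cannot lock every admin out on the next reload. Per sshd_config(5), each pattern may be USER or USER@HOST, and HOST may be a hostname pattern or a CIDR address/masklen; the user names and networks used here are placeholders, and `SSHD_CONFIG` can point at a scratch copy for testing.

```shell
#!/bin/sh
# Added example (not code from the thread): pin sshd to an explicit allow list,
# the AllowUsers workaround the answer mentions, in an idempotent way.
# Accounts that the GCE metadata daemon creates are not on the list, so a
# project editor who pushes a key into metadata still gets permission denied.
#
# Assumptions: user names and source networks are placeholders; SSHD_CONFIG
# may point at a scratch copy for testing.
set -e

SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# Replace the global AllowUsers directive(s) with exactly one line listing the
# given patterns. sshd combines multiple AllowUsers lines, so every global one
# is removed; directives inside Match blocks are scoped and left alone, and
# the new line is placed before the first Match so it stays global.
set_allowusers() {
    cfg="$1"; shift
    [ "$#" -ge 1 ] || { echo "set_allowusers: refusing to write an empty list" >&2; return 2; }
    line="AllowUsers $*"
    tmp="$(mktemp)"
    awk -v line="$line" '
        tolower($1) == "match" { if (!done) { print line; done = 1 }; in_match = 1 }
        !in_match && tolower($1) == "allowusers" { next }
        { print }
        END { if (!done) print line }' "$cfg" > "$tmp"
    cat "$tmp" > "$cfg"   # keeps owner and mode of the real config
    rm -f "$tmp"
}

# Exit 0 only when there is exactly one global AllowUsers line and its
# patterns equal the expected space-separated list.
allowusers_is() {
    awk -v want="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == "allowusers" {
            got = ""
            for (i = 2; i <= NF; i++) got = got (i > 2 ? " " : "") $i
            n++; found = (got == want)
        }
        END { if (n == 1 && found) exit 0; exit 1 }' "$1"
}

# Syntax-check with the real daemon when it is installed (no-op otherwise).
validate_sshd_config() {
    command -v sshd >/dev/null 2>&1 || return 0
    sshd -t -f "$1"
}

if [ "${1:-}" = "--apply" ]; then
    cp -p "$SSHD_CONFIG" "$SSHD_CONFIG.bak"
    set_allowusers "$SSHD_CONFIG" 'alice@10.0.0.0/8' 'ops@bastion.example.internal'
    allowusers_is "$SSHD_CONFIG" 'alice@10.0.0.0/8 ops@bastion.example.internal'
    validate_sshd_config "$SSHD_CONFIG"
    echo "config validated; reload sshd from a session you keep open" >&2
fi
```

Keep an existing session open while you reload, and put the bastion or office address ranges in the HOST part rather than `*` so a leaked key is only usable from where you expect; users created later from metadata are not on the list and so cannot log in regardless of which key they carry.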