Description
It is recommended to use instance-specific SSH keys instead of common or shared project-wide SSH keys to access instances.
Rationale
Project-wide SSH keys are stored in Compute project metadata. Project-wide SSH keys can be used to log in to all instances within a project. Using project-wide SSH keys eases SSH key management, but if compromised, it poses a security risk that can impact all instances within the project. It is recommended to use instance-specific SSH keys to limit the attack surface if SSH keys are compromised.
Impact
Users who already have project-wide SSH key pairs and use third-party SSH clients will lose access to affected instances. For project users using gcloud or the GCP Console-based SSH option, no manual key creation or distribution is required; it is handled by GCE (Google Compute Engine). To access instances using third-party SSH clients, instance-specific SSH key pairs need to be created and distributed to the required users.
Audit
From Google Cloud Console
- Go to the VM instances page by visiting https://console.cloud.google.com/compute/instances. It will list all the instances in your project.
- For each instance, click the instance name.
- Under SSH Keys, ensure Block project-wide SSH keys is selected.
From Google Cloud CLI
- List the instances in your project and get details on each instance:
  gcloud compute instances list \
    --format=json
- Ensure key: block-project-ssh-keys is set to value: 'true'.
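The following is an added audit helper, not part of the benchmark text or Google's tooling. It parses JSON in the shape that gcloud compute instances list --format=json produces (each instance carries a metadata.items list of key/value pairs, an assumption about the output structure) and reports which instances still lack block-project-ssh-keys set to true. It also treats an instance whose own metadata sets enable-oslogin to TRUE as compliant, since OS Login ignores metadata SSH keys; project-level OS Login settings are not consulted, so an instance inheriting OS Login from the project will be flagged and needs a manual look. The sample instances are constructed for the demonstration; on a real project, feed the gcloud output into audit() instead.

```python
"""Audit helper for the 'Block project-wide SSH keys' check (added example).

Reads the JSON produced by `gcloud compute instances list --format=json`
and reports, per instance, whether block-project-ssh-keys is set to true
in instance metadata. Instances whose own metadata sets enable-oslogin
to TRUE are reported compliant because OS Login ignores metadata SSH keys.
Project-level metadata is not checked here (a deliberate simplification).
"""
import json
import sys

# Constructed sample resembling the gcloud JSON output; not real data.
SAMPLE_JSON = json.dumps([
    {"name": "web-1", "zone": "zones/us-central1-a",
     "metadata": {"items": [{"key": "block-project-ssh-keys", "value": "true"}]}},
    {"name": "web-2", "zone": "zones/us-central1-a",
     "metadata": {"items": [{"key": "block-project-ssh-keys", "value": "TRUE"}]}},
    {"name": "db-1", "zone": "zones/us-central1-b",
     "metadata": {"items": [{"key": "enable-oslogin", "value": "TRUE"}]}},
    {"name": "legacy-1", "zone": "zones/us-central1-b",
     "metadata": {}},
])


def metadata_items(instance):
    """Flatten metadata.items into a {key: value} dict (values as strings)."""
    items = instance.get("metadata", {}).get("items") or []
    return {item.get("key", ""): str(item.get("value", "")) for item in items}


def evaluate_instance(instance):
    """Return the compliance status string for one instance record.

    Values are compared case-insensitively because GCE documentation
    writes the flag as both 'true' and 'TRUE'.
    """
    md = metadata_items(instance)
    if md.get("enable-oslogin", "").lower() == "true":
        return "COMPLIANT (OS Login enabled; metadata SSH keys ignored)"
    if md.get("block-project-ssh-keys", "").lower() == "true":
        return "COMPLIANT"
    return "NON-COMPLIANT"


def audit(json_text):
    """Map instance name -> status for every instance in the gcloud JSON."""
    return {inst["name"]: evaluate_instance(inst) for inst in json.loads(json_text)}


def noncompliant(json_text):
    """Sorted names of instances that still accept project-wide SSH keys."""
    return sorted(name for name, status in audit(json_text).items()
                  if status == "NON-COMPLIANT")


if __name__ == "__main__":
    # Pipe real output in with: gcloud compute instances list --format=json | python audit.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_JSON
    for name, status in audit(text).items():
        print(f"{name}: {status}")
    sys.exit(1 if noncompliant(text) else 0)
```

The script exits non-zero when any instance is non-compliant, which makes it usable as a gate in a scheduled compliance job.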
Default Value
By default, Block Project-wide SSH keys is not enabled.
References
- https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys
- https://cloud.google.com/sdk/gcloud/reference/topic/formats
Additional Information
If OS Login is enabled, SSH keys in instance metadata are ignored, and therefore blocking project-wide SSH keys is not necessary.