Google Compute Engine

Project Wide SSH Enabled

Ensures that instances are not configured to allow project-wide SSH keys.

Risk Level: Medium

Description

This plugin checks that Virtual Machine instances are not configured to accept project-wide public SSH keys. Project-wide keys live in the project metadata value ssh-keys and are honoured by every instance in the project unless the instance's own metadata sets block-project-ssh-keys to TRUE. To adhere to the principle of least privilege, PingSafe strongly advises granting access with instance-level keys (the ssh-keys value in the instance's own metadata) and blocking project-wide keys on each instance.

About the Service

Google Cloud Compute Engine:

Google Cloud Compute Engine is a service that lets you create virtual machines to your own specification and run them on Google's infrastructure. You can use one of the predefined machine types with their default configurations or build a custom machine type that matches your exact requirements.

Impact

Any public key placed in the project metadata ssh-keys value is accepted by every instance in the project that does not block it, so a single key, or the permission to edit project metadata, becomes a login to all of those VMs at once, and a key added for one task keeps working on instances it was never meant for (on Google-provided images the guest agent also grants those accounts passwordless sudo). Project-wide keys are harder to inventory and rotate than instance-level keys, so a stale or leaked one exposes every instance in the project and, once it has to be revoked in a hurry, disrupts the access of the legitimate project members who relied on it.

Steps to Reproduce

Using GCP Console-

  1. Log In to your GCP Console.
  2. From the top navigation bar, select the GCP project you want to investigate.
  3. From the navigation panel on the left side of the console, go to Compute Engine and select VM Instances. You can use this link (https://console.cloud.google.com/compute) to navigate directly if you’re already logged in.
  4. Select the VM instance you want to investigate from the list of instances and go to the Details tab to examine the details of the VM instance selected.
  5. Scroll down to the SSH Keys section and check the status of Block project-wide SSH keys. If it is unchecked, the selected Virtual Machine (VM) instance accepts every project-wide SSH key and is flagged by this plugin.
  6. Repeat steps 4 and 5 for all the VM instances you want to investigate in the selected project.
  7. If you have multiple projects that you want to investigate, repeat steps 2-6 for each project in your GCP console.

Steps for Remediation

Determine whether you truly require project-wide SSH keys on a given instance. If not, block them, but first make sure the instance keeps another login path (instance-level keys, or OS Login, which ignores metadata-based keys altogether); otherwise the change locks out everyone who was connecting with a project-wide key.

The steps to disable project-wide SSH keys are-
Using GCP Console-

  1. Log In to your GCP Console.
  2. From the top navigation bar, select the GCP project you want to investigate.
  3. From the navigation panel on the left side of the console, go to Compute Engine and select VM Instances. You can use this link (https://console.cloud.google.com/compute) to navigate directly if you’re already logged in.
  4. From the list of instances, choose the VM instance you want to reconfigure. (In case you aren’t sure which instance needs to be configured, follow the steps to reproduce listed above to determine which instance to choose.)
  5. Select the Edit option from the top navigation bar of the VM instance details page.
  6. Scroll down to the SSH Keys section and tick the Block project-wide SSH keys checkbox. This sets the instance metadata value block-project-ssh-keys to TRUE.
  7. Click on show and edit under the same section to view all the instance-level SSH keys that are available for the particular VM instance. If it shows that there are no SSH keys, click on Add item and add all your public SSH keys that you want for this selected instance. Finally, click save to apply all changes.
    Note: Each entry is the contents of a public key file (the .pub file of the key pair) prefixed with the Linux username it should log in as, in the form USERNAME:KEY-TYPE KEY-DATA, one key per item.
  8. Repeat steps 4 to 7 for all the VM instances you want to reconfigure in the selected project.
  9. If you have multiple projects, repeat steps 2 to 8 for each project in your GCP console.
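The two procedures above, checking each instance (Steps to Reproduce) and then blocking project-wide keys (Steps for Remediation), can be run from gcloud output instead of the console. The following Python is an added example written for this page, not PingSafe's plugin code: it reads constructed samples of the JSON that `gcloud compute instances list --format=json` and `gcloud compute project-info describe --format=json` produce, reports every instance that still accepts project-wide keys (skipping instances where OS Login makes metadata keys irrelevant), flags instances whose only login path is a project-wide key, and emits the gcloud add-metadata command for each finding. The project name, zones, instance names and key data are made up.

```python
"""Audit Compute Engine instances that still honour project-wide SSH keys and
emit the gcloud commands that block them.

Input is the JSON produced by
  gcloud compute instances list --format=json
  gcloud compute project-info describe --format=json
The samples below are constructed for this example (key data truncated).
"""
import json

ZONES = "https://www.googleapis.com/compute/v1/projects/example-project/zones/"

# Constructed: project metadata carrying one project-wide key.
PROJECT_INFO_JSON = json.dumps({
    "name": "example-project",
    "commonInstanceMetadata": {"items": [
        {"key": "ssh-keys", "value": "alice:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5...example alice@example.com"},
    ]},
})

# Constructed: four instances covering the cases the check has to distinguish.
INSTANCES_JSON = json.dumps([
    {"name": "web-1", "zone": ZONES + "us-central1-a",      # blocks project keys: compliant
     "metadata": {"items": [{"key": "block-project-ssh-keys", "value": "TRUE"}]}},
    {"name": "web-2", "zone": ZONES + "us-central1-b",      # no block flag: exposed, has its own key
     "metadata": {"items": [{"key": "ssh-keys", "value": "bob:ssh-ed25519 AAAA...bob bob@example.com"}]}},
    {"name": "db-1", "zone": ZONES + "europe-west1-b",      # "false" is the same as absent: exposed
     "metadata": {"items": [{"key": "block-project-ssh-keys", "value": "false"}]}},
    {"name": "bastion", "zone": ZONES + "us-central1-a",    # OS Login on: metadata keys are ignored
     "metadata": {"items": [{"key": "enable-oslogin", "value": "TRUE"}]}},
])


def metadata_items(resource, field="metadata"):
    """Flatten a Compute Engine metadata block into a {key: value} dict."""
    items = (resource.get(field) or {}).get("items") or []
    return {item["key"]: item.get("value", "") for item in items}


def is_true(value):
    """Compute Engine reads these boolean metadata flags case-insensitively."""
    return (value or "").strip().lower() == "true"


def key_count(ssh_keys_value):
    """Number of non-empty USERNAME:KEY lines in an ssh-keys metadata value."""
    return sum(1 for line in (ssh_keys_value or "").splitlines() if line.strip())


def audit(instances_json, project_info_json):
    """Return one finding per instance that still accepts project-wide keys."""
    project_meta = metadata_items(json.loads(project_info_json), "commonInstanceMetadata")
    project_keys = key_count(project_meta.get("ssh-keys"))
    findings = []
    for inst in json.loads(instances_json):
        meta = metadata_items(inst)
        # enable-oslogin may be set at project level; the instance value overrides it.
        oslogin = meta.get("enable-oslogin", project_meta.get("enable-oslogin"))
        if is_true(oslogin):
            continue  # OS Login disables metadata-managed keys, project-wide ones included
        if is_true(meta.get("block-project-ssh-keys")):
            continue  # already blocks project-wide keys
        instance_keys = key_count(meta.get("ssh-keys"))
        findings.append({
            "name": inst["name"],
            "zone": inst["zone"].rsplit("/", 1)[-1],  # gcloud emits a URL; the CLI wants the short name
            "project_keys_accepted": project_keys,
            "instance_keys": instance_keys,
            # Blocking project keys on an instance with no key of its own removes its only login path.
            "lockout_risk": instance_keys == 0,
        })
    return findings


def remediation_commands(findings):
    """gcloud invocations that set block-project-ssh-keys=TRUE on each flagged instance."""
    return [
        "gcloud compute instances add-metadata {name} --zone {zone} "
        "--metadata block-project-ssh-keys=TRUE".format(**f)
        for f in findings
    ]


if __name__ == "__main__":
    results = audit(INSTANCES_JSON, PROJECT_INFO_JSON)
    for finding in results:
        print(finding)
    print("\n".join(remediation_commands(results)))
```

To run it against a real project, save the output of the two gcloud commands to files and load them in place of the two constants. For any instance reported with lockout_risk, add instance-level keys first (for example `gcloud compute instances add-metadata NAME --zone ZONE --metadata-from-file ssh-keys=keys.txt`, with one USERNAME:KEY line per entry) and only then run its remediation command.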