
Securely Access Your Incus Instances with SSH: A Complete Guide
Managing virtual machines and containers efficiently is crucial for any modern development or operations workflow. Incus provides a powerful platform for this, but when you first launch a new instance, you might notice something missing: a pre-configured SSH server. By default, Incus instances are clean, minimal environments, which means you need to set up remote access yourself.
While incus exec is perfect for direct command execution from the host machine, SSH is the industry standard for secure, network-based remote administration. Setting it up correctly from the start ensures your instances are both accessible and secure. This guide will walk you through the best practices for enabling SSH access in your Incus instances.
The Recommended Method: cloud-init and SSH Keys
The most secure and efficient way to configure SSH is by using cloud-init during instance creation. This method injects your configuration, including your public SSH key, into the instance as it boots for the first time. This completely automates the setup and avoids the need for less-secure password authentication.
Here’s how to do it in three simple steps:
1. Create a cloud-init Configuration File
First, create a YAML file named cloud-init.yaml. This file will tell the instance to create a default user and authorize your SSH key for access.
#cloud-config
users:
  - name: ubuntu
    ssh_authorized_keys:
      - YOUR_SSH_PUBLIC_KEY_HERE
    sudo: ALL=(ALL) NOPASSWD:ALL
    groups: users, admin
Make sure to replace YOUR_SSH_PUBLIC_KEY_HERE with your actual public SSH key (typically found in ~/.ssh/id_rsa.pub or a similar file). This configuration creates a user named ubuntu with sudo privileges and adds your key to its authorized list.
2. Launch the Incus Instance with the Configuration
Next, launch your new Incus instance, pointing to the cloud-init.yaml file you just created. This is done using the --config flag.
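# The /cloud image variant includes cloud-init; the file contents are passed in the cloud-init.user-data key
incus launch images:ubuntu/22.04/cloud my-ssh-instance --config cloud-init.user-data="$(cat cloud-init.yaml)"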
Incus will now create the instance my-ssh-instance and apply your cloud-init settings during the initial boot process. The OpenSSH server package will be installed automatically as part of this standard cloud image setup.
3. Connect via SSH
Once the instance is running, find its IP address and connect.
# Find the instance's IP address
incus list my-ssh-instance
# Connect using your SSH key
ssh ubuntu@INSTANCE_IP_ADDRESS
You will be connected securely to your instance without ever needing a password. This key-based authentication method is the gold standard for server security.
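The three steps above can be scripted so that a wrong file (a private key, or a multi-line authorized_keys file) never ends up in the user-data. This is an added example, not part of the original guide; the function names are hypothetical, and the ssh_pwauth and lock_passwd settings and the /cloud image variant are assumptions added here.

```shell
#!/bin/sh
# Added example (not from the original guide): build the cloud-init user-data
# from a public key file and refuse anything that is not one public key line.
# Usage: . ./mkcloudinit.sh; make_cloud_init ~/.ssh/id_ed25519.pub > cloud-init.yaml

# is_public_key FILE: succeeds only for a single "<type> <base64> [comment]" line.
is_public_key() {
    [ -r "$1" ] || return 1
    [ "$(grep -c . "$1")" -eq 1 ] || return 1   # a private key spans many lines
    grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com) [A-Za-z0-9+/]+=*( [^"\\]*)?$' "$1"
}

# make_cloud_init KEYFILE [USER]: print the #cloud-config document on stdout.
make_cloud_init() {
    is_public_key "$1" || { echo "refusing: $1 is not an SSH public key" >&2; return 1; }
    cat <<EOF
#cloud-config
ssh_pwauth: false
users:
  - name: ${2:-ubuntu}
    lock_passwd: true
    ssh_authorized_keys:
      - "$(grep . "$1")"
    sudo: ALL=(ALL) NOPASSWD:ALL
    groups: users, admin
EOF
}

# launch_with_key NAME KEYFILE: needs a working Incus host, so nothing calls it
# here. Assumes an image variant that ships cloud-init (the /cloud images).
launch_with_key() {
    data=$(make_cloud_init "$2") || return 1
    incus launch images:ubuntu/22.04/cloud "$1" --config cloud-init.user-data="$data" &&
        incus exec "$1" -- cloud-init status --wait
}
```

cloud-init status --wait returns once first-boot configuration has finished, so an SSH attempt made after launch_with_key succeeds does not race the key installation.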
Manual Setup with Password Authentication
In some development or testing scenarios, you might prefer to set up SSH manually using password authentication. While this method is less secure than using SSH keys and not recommended for production environments, it can be useful for temporary instances.
1. Launch and Access the Instance
First, launch a standard instance and access its shell using incus exec.
incus launch images:ubuntu/22.04 my-manual-instance
incus exec my-manual-instance -- bash
2. Install and Enable the SSH Server
Once inside the instance’s shell, install the OpenSSH server package.
apt update
apt install openssh-server
By default, the SSH server is configured to disallow password authentication. You must edit its configuration file to enable it.
nano /etc/ssh/sshd_config
Find the line PasswordAuthentication no and change it to PasswordAuthentication yes. Save the file and exit the editor.
3. Set a Password and Restart the Service
Finally, set a password for the user and restart the SSH service for the changes to take effect.
# Set a strong password for the 'ubuntu' user
passwd ubuntu
# Restart the SSH service
systemctl restart ssh
You can now exit the instance’s shell and connect from your host machine using the password you just set.
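A check for the edit in step 2, as an added example that is not part of the original guide: sshd uses the first value it reads for each keyword, so a file pulled in by an Include line above your edit can override it. The function names and the sample layout are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): report which PasswordAuthentication
# value sshd would use. sshd keeps the FIRST value it reads, so a drop-in
# pulled in by an Include line near the top of sshd_config wins over an
# edit made further down. Simplification: only global settings are read;
# scanning of a file stops at its first Match line.

# scan_pwauth FILE [DIR]: print "<value> <file>" and succeed, or fail if unset.
# DIR is where relative Include paths are resolved (sshd uses /etc/ssh).
# The body is a subshell, so variables and the cd stay local to each call.
scan_pwauth() (
    cd "${2:-/etc/ssh}" && [ -f "$1" ] || exit 1
    while IFS=$(printf ' \t=') read -r kw arg rest; do
        case $(printf '%s' "$kw" | tr 'A-Z' 'a-z') in
            passwordauthentication)
                echo "$(printf '%s' "$arg" | tr 'A-Z' 'a-z') $1"; exit 0 ;;
            include)
                # unquoted on purpose: globs expand here, in sorted order
                for f in $arg $rest; do
                    scan_pwauth "$f" "$2" && exit 0
                done ;;
            match) break ;;
        esac
    done < "$1"
    exit 1
)

# effective_pwauth FILE [DIR]: as above, falling back to OpenSSH's default.
effective_pwauth() {
    scan_pwauth "$1" "$2" || echo "yes (built-in default)"
}

# Constructed layout: Include at the top of the main file, one drop-in.
demo() {
    d=$(mktemp -d) && mkdir "$d/sshd_config.d" || return 1
    printf 'Include sshd_config.d/*.conf\nPasswordAuthentication yes\n' > "$d/sshd_config"
    printf 'PasswordAuthentication no\n' > "$d/sshd_config.d/50-example.conf"
    effective_pwauth "$d/sshd_config" "$d"; rm -rf "$d"
}
```

Inside an instance, run effective_pwauth /etc/ssh/sshd_config, or ask sshd itself with sshd -T | grep -i passwordauthentication. The same check confirms that password logins stay disabled on instances meant to be key-only.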
Security Tip: Checking Firewall and Network Rules
For an SSH connection to succeed, network traffic on port 22 must be allowed to reach the instance. In most default Incus setups, the incusbr0 bridge and the default profile are already configured to permit this.
However, if you are using custom network configurations or profiles, you may need to ensure SSH access is explicitly allowed. You can check the default profile’s devices with:
incus profile show default
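If you need to explicitly open the port, it’s best practice to create a dedicated profile or add a proxy device rule. Keep in mind that a device added to the default profile applies to every instance that uses that profile, and that listen=tcp:0.0.0.0:22 binds port 22 on all of the host's addresses, which will collide with the host's own SSH server if it listens there. For example, to add a rule to the default profile allowing SSH access: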
incus profile device add default ssh proxy listen=tcp:0.0.0.0:22 connect=tcp:127.0.0.1:22
Always verify your network and firewall rules to ensure your instances are accessible when they need to be, but remain secure from unauthorized access. By prioritizing cloud-init and key-based authentication, you can build a secure and scalable foundation for managing all your Incus instances.
Source: https://www.linuxlinks.com/ssh2incus-ssh-server-incus-instances/


