adjusted code accordingly

cli/internal/cmd/ssh.go

@@ -10,7 +10,6 @@ import (
 	"crypto/ed25519"
 	"crypto/rand"
 	"fmt"
-	"os"
 	"time"
 
 	"github.com/edgelesssys/constellation/v2/internal/constants"
@@ -28,8 +27,8 @@ import (
 func NewSSHCmd() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "ssh",
-		Short: "Prepare your cluster for emergency ssh access",
+		Short: "Generate a certificate for emergency ssh access",
-		Long:  "Prepare your cluster for emergency ssh access and sign a given key pair for authorization.",
+		Long:  "Generate a certificate for emergency ssh access to your ssh enabled constellation cluster.",
 		Args:  cobra.ExactArgs(0),
 		RunE:  runSSH,
 	}
@@ -54,18 +53,10 @@ func runSSH(cmd *cobra.Command, _ []string) error {
 }
 
 func writeCertificateForKey(cmd *cobra.Command, keyPath string, fh file.Handler, debugLogger debugLog) error {
-	_, err := fh.Stat(constants.TerraformWorkingDir)
-	if os.IsNotExist(err) {
-		return fmt.Errorf("directory %q does not exist", constants.TerraformWorkingDir)
-	}
-	if err != nil {
-		return err
-	}
-
 	// NOTE(miampf): Since other KMS aren't fully implemented yet, this commands assumes that the cKMS is used and derives the key accordingly.
 	var mastersecret uri.MasterSecret
-	if err = fh.ReadJSON(constants.MasterSecretFilename, &mastersecret); err != nil {
+	if err := fh.ReadJSON(constants.MasterSecretFilename, &mastersecret); err != nil {
-		return fmt.Errorf("reading master secret: %s", err)
+		return fmt.Errorf("reading master secret (does %q exist?): %s", constants.MasterSecretFilename, err)
 	}
 
 	mastersecretURI := uri.MasterSecret{Key: mastersecret.Key, Salt: mastersecret.Salt}
@@ -113,10 +104,10 @@ func writeCertificateForKey(cmd *cobra.Command, keyPath string, fh file.Handler,
 	}
 
 	debugLogger.Debug("Signed certificate", "certificate", string(ssh.MarshalAuthorizedKey(&certificate)))
-	if err := fh.Write(fmt.Sprintf("%s/ca_cert.pub", constants.TerraformWorkingDir), ssh.MarshalAuthorizedKey(&certificate), file.OptOverwrite); err != nil {
+	if err := fh.Write("constellation_cert.pub", ssh.MarshalAuthorizedKey(&certificate), file.OptOverwrite); err != nil {
 		return fmt.Errorf("writing certificate: %s", err)
 	}
-	cmd.Printf("You can now connect to a node using 'ssh -F %s/ssh_config -i <your private key> <node ip>' in your constellation workspace.\nYou can obtain the private node IP via the web UI of your CSP.\n", constants.TerraformWorkingDir)
+	cmd.Printf("You can now connect to a node using the \"constellation_cert.pub\" certificate.\nLook at the documentation for a how to guide:\n\n\thttps://https://docs.edgeless.systems/constellation/workflows/troubleshooting#emergency-ssh-access\n")
 
 	return nil
 }

cli/internal/cmd/ssh_test.go

@@ -8,7 +8,6 @@ package cmd
 
 import (
 	"bytes"
-	"fmt"
 	"testing"
 
 	"github.com/edgelesssys/constellation/v2/internal/constants"
@@ -29,18 +28,6 @@ func TestSSH(t *testing.T) {
 		"salt": "MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAK"
 	}
 	`
-
-	newFsWithDirectory := func() file.Handler {
-		require := require.New(t)
-		fh := file.NewHandler(afero.NewMemMapFs())
-		require.NoError(fh.MkdirAll(constants.TerraformWorkingDir))
-		return fh
-	}
-	newFsNoDirectory := func() file.Handler {
-		fh := file.NewHandler(afero.NewMemMapFs())
-		return fh
-	}
-
 	testCases := map[string]struct {
 		fh           file.Handler
 		pubKey       string
@@ -48,38 +35,32 @@ func TestSSH(t *testing.T) {
 		wantErr      bool
 	}{
 		"everything exists": {
-			fh:           newFsWithDirectory(),
+			fh:           file.NewHandler(afero.NewMemMapFs()),
 			pubKey:       someSSHPubKey,
 			masterSecret: someMasterSecret,
 		},
 		"no public key": {
-			fh:           newFsWithDirectory(),
+			fh:           file.NewHandler(afero.NewMemMapFs()),
 			masterSecret: someMasterSecret,
 			wantErr:      true,
 		},
 		"no master secret": {
-			fh:      newFsWithDirectory(),
+			fh:      file.NewHandler(afero.NewMemMapFs()),
 			pubKey:  someSSHPubKey,
 			wantErr: true,
 		},
 		"malformed public key": {
-			fh:           newFsWithDirectory(),
+			fh:           file.NewHandler(afero.NewMemMapFs()),
 			pubKey:       "asdf",
 			masterSecret: someMasterSecret,
 			wantErr:      true,
 		},
 		"malformed master secret": {
-			fh:           newFsWithDirectory(),
+			fh:           file.NewHandler(afero.NewMemMapFs()),
 			masterSecret: "asdf",
 			pubKey:       someSSHPubKey,
 			wantErr:      true,
 		},
-		"directory does not exist": {
-			fh:           newFsNoDirectory(),
-			pubKey:       someSSHPubKey,
-			masterSecret: someMasterSecret,
-			wantErr:      true,
-		},
 	}
 
 	for name, tc := range testCases {
@@ -104,7 +85,7 @@ func TestSSH(t *testing.T) {
 				assert.Error(err)
 			} else {
 				assert.NoError(err)
-				cert, err := tc.fh.Read(fmt.Sprintf("%s/ca_cert.pub", constants.TerraformWorkingDir))
+				cert, err := tc.fh.Read("constellation_cert.pub")
 				require.NoError(err)
 				_, _, _, _, err = ssh.ParseAuthorizedKey(cert)
 				require.NoError(err)

terraform/infrastructure/azure/main.tf

@@ -296,19 +296,3 @@ data "azurerm_user_assigned_identity" "uaid" {
   name                = local.uai_name
   resource_group_name = local.uai_resource_group
 }
-
-# emergency ssh configuration files
-resource "local_file" "ssh_config" {
-  filename        = "./ssh_config"
-  file_permission = "0600"
-  content         = <<EOF
-Host ${azurerm_public_ip.loadbalancer_ip[0].fqdn}
-  ProxyJump none
-
-Host *
-  PreferredAuthentications publickey
-  CertificateFile=constellation-terraform/ca_cert.pub
-  User root
-  ProxyJump ${azurerm_public_ip.loadbalancer_ip[0].fqdn}
-EOF
-}