SSH Targets
SSH targets enable command execution on remote servers through secure shell connections. Xec provides advanced SSH features including connection pooling, tunneling, and automatic retry mechanisms.
Basic Configurationβ
Define SSH hosts in the targets.hosts section:
targets:
hosts:
web-server:
host: web.example.com
username: deploy
privateKey: ~/.ssh/id_rsa
Connection Propertiesβ
Essential Propertiesβ
targets:
hosts:
server:
# Required
host: server.example.com # Hostname or IP address
# Authentication (at least one required)
username: deploy # SSH username
privateKey: ~/.ssh/id_rsa # Path to private key
password: ${secrets.password} # Password (use secrets!)
# Optional
port: 22 # SSH port (default: 22)
passphrase: ${secrets.phrase} # Key passphrase
Advanced Propertiesβ
targets:
hosts:
advanced:
host: server.example.com
username: admin
# Connection settings
keepAlive: true # Keep connection alive
keepAliveInterval: 30000 # Keep-alive interval (ms)
timeout: 60000 # Connection timeout (ms)
# Execution settings
shell: /bin/bash # Shell to use
encoding: utf8 # Output encoding
maxBuffer: 10485760 # Max output buffer (bytes)
throwOnNonZeroExit: true # Throw on non-zero exit
# Working directory
workdir: /var/www/app # Default directory
cwd: /var/www/app # Alias for workdir
# Environment
env:
NODE_ENV: production
PATH: /usr/local/bin:$PATH
Authentication Methodsβ
Private Key Authenticationβ
Most secure and recommended method:
targets:
hosts:
secure:
host: secure.example.com
username: deploy
privateKey: ~/.ssh/deploy_key
passphrase: ${secrets.key_passphrase} # If key is encrypted
Multiple Key Attemptsβ
targets:
hosts:
multi-key:
host: server.example.com
username: admin
privateKey: |
~/.ssh/id_rsa
~/.ssh/id_ed25519
~/.ssh/deploy_key
Password Authenticationβ
Less secure, use only when necessary:
targets:
hosts:
legacy:
host: old-server.example.com
username: admin
password: ${secrets.legacy_password} # Never hardcode!
SSH Agentβ
Use SSH agent for key management:
targets:
hosts:
agent:
host: server.example.com
username: deploy
# No privateKey specified - uses SSH agent
Connection Poolingβ
Optimize performance with connection reuse:
targets:
hosts:
pooled:
host: busy-server.example.com
connectionPool:
enabled: true # Enable pooling
min: 2 # Minimum connections
max: 10 # Maximum connections
idleTimeout: 300000 # Idle timeout (5 min)
acquireTimeout: 30000 # Acquire timeout
Pool Configuration Examplesβ
# High-traffic server
targets:
hosts:
api:
host: api.example.com
connectionPool:
min: 5
max: 20
idleTimeout: 600000 # 10 minutes
# Low-traffic server
targets:
hosts:
backup:
host: backup.example.com
connectionPool:
min: 0
max: 2
idleTimeout: 60000 # 1 minute
Proxy Connectionsβ
Connect through jump hosts:
targets:
hosts:
# Simple proxy
behind-firewall:
host: internal.example.com
proxy: bastion.example.com
username: deploy
# Proxy with authentication
secured:
host: secure-internal.example.com
proxy: user@jump.example.com:2222
privateKey: ~/.ssh/internal_key
Multi-Hop Proxyβ
targets:
hosts:
deep-internal:
host: deep.internal.example.com
proxy: bastion1.example.com,bastion2.example.com
username: deploy
Sudo Executionβ
Execute commands with elevated privileges:
targets:
hosts:
admin-server:
host: server.example.com
username: admin
sudo:
enabled: true
method: sudo # or 'su'
password: ${secrets.sudo_password}
Sudo Patternsβ
# Passwordless sudo
targets:
hosts:
trusted:
host: trusted.example.com
sudo:
enabled: true
# No password needed
# Custom sudo command
targets:
hosts:
custom:
host: custom.example.com
sudo:
enabled: true
method: "doas" # BSD systems
SFTP Configurationβ
Configure secure file transfer:
targets:
hosts:
file-server:
host: files.example.com
sftp:
enabled: true
concurrency: 5 # Parallel transfers
chunkSize: 32768 # Transfer chunk size
fastGet: true # Enable fast download
fastPut: true # Enable fast upload
Environment Variablesβ
Set environment for all commands:
targets:
hosts:
app-server:
host: app.example.com
env:
# Application settings
NODE_ENV: production
API_URL: https://api.example.com
# Path modifications
PATH: /opt/app/bin:$PATH
LD_LIBRARY_PATH: /opt/app/lib
# Locale settings
LANG: en_US.UTF-8
LC_ALL: en_US.UTF-8
Working Directoryβ
Control command execution location:
targets:
hosts:
project:
host: dev.example.com
workdir: /home/deploy/project
# All commands run in workdir
# xec in hosts.project "ls" β runs in /home/deploy/project
Shell Configurationβ
Customize shell behavior:
targets:
hosts:
# Use specific shell
zsh-server:
host: modern.example.com
shell: /bin/zsh
# No shell (direct execution)
direct:
host: minimal.example.com
shell: false
# Custom shell command
custom-shell:
host: special.example.com
shell: "/bin/bash --noprofile"
Timeout Configurationβ
Prevent hanging connections:
targets:
hosts:
slow-server:
host: slow.example.com
timeout: 300000 # 5 minute timeout
fast-server:
host: fast.example.com
timeout: 5000 # 5 second timeout
Error Handlingβ
Configure error behavior:
targets:
hosts:
strict:
host: critical.example.com
throwOnNonZeroExit: true # Fail on any error
lenient:
host: test.example.com
throwOnNonZeroExit: false # Continue on error
Host Groupsβ
Organize related hosts:
targets:
hosts:
# Web servers
web-1:
host: web1.example.com
username: deploy
web-2:
host: web2.example.com
username: deploy
web-3:
host: web3.example.com
username: deploy
# Database servers
db-primary:
host: db1.example.com
username: dba
db-replica:
host: db2.example.com
username: dba
Dynamic Host Discoveryβ
Discover hosts at runtime:
targets:
hosts:
# From environment variable
$env: SSH_HOSTS
# From command output
$command: "terraform output -json servers | jq -r '.[]'"
# From file
$file: ./hosts.txt
Real-World Examplesβ
Production Web Serverβ
targets:
hosts:
production-web:
host: prod-web.example.com
username: deploy
privateKey: ~/.ssh/prod_deploy_key
port: 22
# Performance optimization
keepAlive: true
keepAliveInterval: 30000
connectionPool:
min: 2
max: 10
idleTimeout: 300000
# Environment
workdir: /var/www/app
env:
NODE_ENV: production
PORT: 3000
# Reliability
timeout: 60000
throwOnNonZeroExit: true
Development Serverβ
targets:
hosts:
dev-server:
host: dev.example.com
username: developer
privateKey: ~/.ssh/id_rsa
# Convenience settings
workdir: ~/projects
env:
NODE_ENV: development
DEBUG: "*"
# Lenient error handling
throwOnNonZeroExit: false
Bastion Accessβ
targets:
hosts:
internal-api:
host: 10.0.1.50
username: api-user
privateKey: ~/.ssh/internal_key
proxy: bastion.example.com
# Security
sudo:
enabled: false
# Restricted environment
env:
PATH: /usr/local/bin:/usr/bin:/bin
Troubleshootingβ
Connection Debuggingβ
# Test connection
xec test hosts.production
# Verbose SSH output
xec --verbose in hosts.production "echo test"
# Check SSH configuration
xec config show --target hosts.production
Common Issuesβ
Permission Deniedβ
# Check authentication
targets:
hosts:
fixed:
host: server.example.com
username: correct_username # Verify username
privateKey: ~/.ssh/correct_key # Verify key path
# Check key permissions: chmod 600 ~/.ssh/correct_key
Connection Timeoutβ
# Increase timeout
targets:
hosts:
slow:
host: slow.example.com
timeout: 120000 # 2 minutes
keepAlive: true
keepAliveInterval: 10000
Proxy Issuesβ
# Debug proxy connection
targets:
hosts:
debug-proxy:
host: internal.example.com
proxy: -v bastion.example.com # Add -v for verbose
Security Best Practicesβ
1. Use Key Authenticationβ
# Good - key authentication
targets:
hosts:
secure:
privateKey: ~/.ssh/deploy_key
# Avoid - password authentication
targets:
hosts:
insecure:
password: "plaintext" # Never do this!
2. Secure Key Storageβ
# Set proper permissions
chmod 600 ~/.ssh/deploy_key
chmod 700 ~/.ssh
3. Use Secrets Managementβ
targets:
hosts:
managed:
host: server.example.com
passphrase: ${secrets.ssh_passphrase}
sudo:
password: ${secrets.sudo_password}
4. Limit Environment Exposureβ
targets:
hosts:
limited:
host: server.example.com
env:
# Only necessary variables
APP_ENV: production
# Avoid sensitive data in env
5. Use Connection Poolingβ
# Reuse connections securely
targets:
hosts:
pooled:
connectionPool:
max: 5 # Limit concurrent connections
idleTimeout: 300000 # Close idle connections
Next Stepsβ
- Docker Targets - Container configuration
- Kubernetes Targets - Pod configuration
See Alsoβ
- SSH Command - SSH-specific commands
- File Transfer - Copying files via SSH
- Port Forwarding - SSH tunneling