OpenStack Key Pairs cjc73
The best way to provide secure and easy access to your Red Cloud instances is through the use of key pairs for SSH authentication. Key pairs are made up of a private key that only you know, and a public key that is distributed to people and systems with which you would like to have secure communications. Red Cloud allows you to easily generate or upload such key pairs to use with your instances.
When you create a new instance, you should specify a key pair to be used for logging in to that instance. You can only add a key pair to an instance at the time of its creation, not afterwards, so it is important not to overlook this step. It is possible to generate a new key pair during the process of creating an instance.
In Linux instances, the pair's public key is installed into the root (or ubuntu user) account when the instance is created, allowing you to log in simply by providing the private key. For Windows instances, you will need to provide the private key to the Red Cloud web interface in order to fetch a valid password for logging in to the instance's administrator account.
Key pairs are created per user within an account, so other account members will not be able to use the key pairs you create. You will also not be able to use a given key pair in multiple accounts unless you import it into each account.
Identify Your Scenario
The procedure to create an instance associated with a key pair depends on 1) the intended instance operating system and 2) whether you need to create a key pair or have an existing key pair you would like to use. While passphrase-protected keys are more secure and are recommended for Linux instances, Windows instances are not compatible with these keys and different steps are required.
Your situation should match one of the following scenarios:
- I want to create a Windows instance and I do not already have an RSA key pair.
- First, Create a Key Pair Without a Passphrase (with OpenStack).
- Next, follow the steps to Select a Key Pair When Creating an Instance.
- Finally, Use Your Key Pair to Connect to a Windows Instance.
- I want to create a Windows instance and I have an RSA key pair I want to use.
- If your key is passphrase protected, follow the steps to Change the Passphrase on a Key Pair to remove the passphrase.
- Next, Import the Key Pair.
- Then, Select a Key Pair When Creating an Instance.
- Finally, Use Your Key Pair to Connect to a Windows Instance.
- I want to create a Linux instance and I do not already have an RSA key pair.
- I want to create a Linux instance and I have an RSA key pair I want to use.
Create or Select a Key Pair
Only one of the following subsections will apply to you.
Option 1: Create a Passphrase-Protected Key Pair
The recommended way (for security reasons) to use key pairs is through a passphrase-protected key pair. Windows instances cannot use passphrase-protected key pairs, so if you are following these directions to create a key pair that you intend to use with Windows instances, leave the passphrase empty.
A passphrase-protected key pair is generally used if you want to have open security group access. If, for example, all of your collaborators are from Cornell University, you can lock down the security group to only Cornell-associated IP addresses. If some collaborators are not from Cornell, then it may be better to have open access to your security group, while using passphrase-protected SSH keys.
The command line tool ssh-keygen is preinstalled on Windows 10, macOS and Linux operating systems. To create a passphrase-protected key pair, open the terminal application on your operating system (for example, Terminal or Command Prompt) and enter the commands below.
Create the .ssh folder if needed
Navigate to a directory where you wish to store the key pair, using cd on a Mac or Linux (more information can be found here: Linux Tutorial) or chdir in Windows Command Prompt. Traditionally, SSH key pairs are stored in the user's home directory, in a folder called .ssh. You may need to create this directory.
Issue the command to change directory to the .ssh directory (cd ~/.ssh on macOS or Linux, chdir %USERPROFILE%\.ssh on Windows). If you see a "path not found" or "no such file or directory" error, the .ssh folder does not yet exist. If you do not have an .ssh folder in your user folder, you can create one by running the ssh-keygen command in Command Prompt or Terminal and accepting all the defaults. Do not run this command if the .ssh folder already exists; you might overwrite existing keys. The command creates the .ssh folder and, as a side effect, a default key pair:
ssh-keygen
Create a key pair for RedCloud
You will then be able to use the change directory command to open .ssh (cd ~/.ssh on macOS or Linux, chdir %USERPROFILE%\.ssh on Windows).
Enter the command below to create a 4096-byte RSA key pair named cloud.key and cloud.key.pub. You may choose a more meaningful name for your key that incorporates your netID and other information about why the key was created:
ssh-keygen -t rsa -b 4096 -f cloud.key
The terminal will prompt you to enter a passphrase. If this key pair is for Windows instances, just press enter for no passphrase. Otherwise type a secure passphrase and hit enter. This generates a passphrase-protected private key (cloud.key) and a public key (cloud.key.pub). Use the
You will need to copy the text of your public key into Red Cloud. To display your SSH public key (cloud.key.pub), first open a terminal and make sure you are in the directory that contains your public key. Then enter the commands that match your operating system. If applicable, change the cloud.key.pub part of the command to match the name you used when you created the key. The .pub suffix is critical, because it indicates the public part of the key pair.
- Linux or macOS terminal:
cd ~/.ssh
cat cloud.key.pub
- Windows:
chdir %USERPROFILE%\.ssh
type cloud.key.pub
Select the key text and copy to the system clipboard. Proceed to the Import a Key Pair section.
Option 2: Create a Key Pair Without a Passphrase (with OpenStack)
This section is only useful if you plan to use key pairs without a passphrase, which should only be used when you have sufficient security measures in your security group that limit IP addresses that can access the instance.
Your key pairs can be managed through the Red Cloud web interface (shown below) by selecting the "Compute" tab [1] and then selecting the "Key Pairs" sub-tab [2]. This will display a list of your current key pairs as well as buttons for creating, importing or deleting key pairs. Begin by clicking "Create Key Pair" [3], which raises a simple wizard dialog.
Figure: The Red Cloud web interface.
In the Create Key Pair dialog, enter a unique and meaningful name for the key pair [1] and then click "Create Keypair" [2]. Note that if the name you entered is invalid, the error message will be displayed in the underlying "Key Pairs" web page. The text for your private key is then displayed in the wizard. It is critical that you copy this text, either by selecting all of the text in the display and using a hot key or context menu item to copy it to the clipboard, or by clicking the "Copy Private Key to Clipboard" button [3]. This will be your only chance to copy the text, so do not forget to do so. When you have copied it, click "Done" [4] to close the wizard. The newly created key pair will now be shown in the list. It can be deleted using the button on the right of its entry, and clicking on the key pair's name will show more information about it, including its public key.
Figure: The Create Key Pair dialog.
You now must save the private key that you copied to your computer's clipboard into a file having the ".pem" extension. If you save the file with any other extension, you may not get the correct formatting. The file you saved the private key to must also be in plain text format.
After copying the private key, open any simple text editor, but not a word processing app like Word. On Windows that could be Notepad, on Mac it could be TextEdit, and on Linux that could be any text editor you have installed, like gedit.
If you use TextEdit, the default format is RTF (Rich Text Format), not plain text. You need to change the format to plain text first (under the "Format" menu) in order to have it saved correctly.
Next, open a new text file, and paste the private key text into the new file. Make sure to paste all the text you copied from the private key dialogue from Red Cloud. The text you paste should include BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY, and the accompanying dashes.
Next, save the file as <key name>.pem, where <key name> is your key name, in an easily accessible directory. Make sure to have only a .pem extension on the saved file, without any extra .txt or such extensions.
Lastly, if you are on Mac or Linux, make sure to set the file to the appropriate permissions. Open a terminal to access the directory with your saved key file, and enter chmod 600 <key name>.pem to change the permissions.
Once the key is saved, you can connect to a Linux instance or retrieve the administrator account password for a Windows instance.
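The checks below cover the mistakes this section warns about when saving the private key: an extra extension, RTF instead of plain text, a missing header or footer line, and permissions other than 600. This is an added example, not part of the Red Cloud documentation; check_pem is a hypothetical helper name and the sample file is constructed with a placeholder body.

```sh
#!/bin/sh
# Added example. check_pem is a hypothetical helper, not a Red Cloud tool.
# Prints the first problem found (or "ok") and returns non-zero on failure.
check_pem() {
    f=$1
    case "$f" in
        *.pem) ;;
        *) echo "name must end in .pem with no extra extension"; return 1 ;;
    esac
    [ -f "$f" ] || { echo "no such file: $f"; return 1; }

    # TextEdit's default RTF output begins with the bytes {\rtf
    case "$(head -c 5 "$f")" in
        '{\rtf'*) echo "file is RTF, not plain text"; return 1 ;;
    esac

    # First and last non-blank lines must be the header and footer, dashes
    # included (a trailing CR from a Windows editor is tolerated).
    first=$(tr -d '\r' < "$f" | awk 'NF' | head -n 1)
    last=$(tr -d '\r' < "$f" | awk 'NF' | tail -n 1)
    [ "$first" = "-----BEGIN RSA PRIVATE KEY-----" ] ||
        { echo "missing BEGIN RSA PRIVATE KEY line"; return 1; }
    [ "$last" = "-----END RSA PRIVATE KEY-----" ] ||
        { echo "missing END RSA PRIVATE KEY line"; return 1; }

    # GNU stat (Linux) takes -c, BSD stat (macOS) takes -f
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = "600" ] ||
        { echo "permissions are $mode, expected 600"; return 1; }
    echo "ok"
}

# Constructed sample with a placeholder body (not a real key)
d=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTEDSAMPLE' \
    '-----END RSA PRIVATE KEY-----' > "$d/demo.pem"
chmod 644 "$d/demo.pem"
check_pem "$d/demo.pem" || true    # reports the 644 permissions
chmod 600 "$d/demo.pem"
check_pem "$d/demo.pem"
rm -rf "$d"
```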
Import a Key Pair
Your Red Cloud key pairs can be managed through the Red Cloud web interface by selecting the "Compute" tab [1] and then selecting the "Key Pairs" sub-tab [2]. This will display a list of your current key pairs as well as buttons for creating, importing or deleting key pairs. If you already have an SSH key pair that you would like to use with Red Cloud, you can import it rather than creating a new one. To do so, click the "Import Key Pair" button [1] on the Key Pairs page.
Figure: The Key Pairs section of the web interface.
Copy your public key to the system clipboard
If you haven't already, you will need to copy the text of your public key onto the system clipboard so you can paste it into the dialog box. To display your SSH public key (cloud.key.pub), first open a terminal and make sure you are in the directory that contains your public key. Then enter the commands that match your operating system. If applicable, change the cloud.key.pub part of the command to match the name you used when you created the key. The .pub suffix is critical, because it indicates the public part of the key pair.
- Linux or macOS terminal:
cd ~/.ssh
cat cloud.key.pub
- Windows:
type cloud.key.pub
Copy the output from the command above and paste it into the Public Key field on the OpenStack Import Key Pair Dialog.
Import Key Pair Dialog
Enter a unique and meaningful name for the key pair [1] and paste the entire text from its public key into the provided space [2]. This public key text should begin with "ssh-rsa" and end with a name, with a long string of letters and numbers in between. When you have entered those two values, click "Import Key Pair" [3]. The key pair will be imported and will appear in the Key Pairs list.
Figure: The Import Key Pair dialog.
Copy the output from that command and paste it into the corresponding field on OpenStack. Next, click "Import Key Pair" to close the dialogue.
When you are configuring your instance, select your imported key-pair in the Key-Pair section.
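Before pasting into the Public Key field, the file can be checked against the description above: one line that begins with "ssh-rsa", followed by the key data and a name, and never the private half of the pair. This is an added example, not part of the Red Cloud documentation; check_pubkey is a hypothetical helper name and the sample lines are constructed with placeholder key data.

```sh
#!/bin/sh
# Added example. check_pubkey is a hypothetical helper, not a Red Cloud tool.
# Prints the first problem found (or "ok") and returns non-zero on failure.
check_pubkey() {
    f=$1
    [ -f "$f" ] || { echo "no such file: $f"; return 1; }

    # The private half carries a "PRIVATE KEY" header; it must never be pasted.
    if grep -q 'PRIVATE KEY' "$f"; then
        echo "this is a private key; use the .pub file"; return 1
    fi

    # A public key is one line: type, key data, name. More than one
    # non-blank line usually means the copy was wrapped or reflowed.
    lines=$(awk 'NF {n++} END {print n+0}' "$f")
    [ "$lines" -eq 1 ] || { echo "expected 1 line, found $lines"; return 1; }
    type=$(awk 'NF {print $1}' "$f")
    blob=$(awk 'NF {print $2}' "$f" | tr -d '\r')

    [ "$type" = "ssh-rsa" ] ||
        { echo "key type is '$type', expected ssh-rsa"; return 1; }
    # The key data repeats the type string, so an ssh-rsa blob always
    # base64-encodes to this prefix.
    case "$blob" in
        AAAAB3NzaC1yc2E*) ;;
        *) echo "key data is not an ssh-rsa blob"; return 1 ;;
    esac
    # Characters outside the base64 alphabet mean a damaged or partial copy
    case "$blob" in
        *[!A-Za-z0-9+/=]*) echo "key data has non-base64 characters"; return 1 ;;
    esac
    echo "ok"
}

# Constructed samples (placeholder key data, not real keys)
d=$(mktemp -d)
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCONSTRUCTEDSAMPLE abc123@laptop' \
    > "$d/cloud.key.pub"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTEDSAMPLE' \
    '-----END RSA PRIVATE KEY-----' > "$d/cloud.key"
check_pubkey "$d/cloud.key.pub"
check_pubkey "$d/cloud.key" || true    # refused: this is the private half
rm -rf "$d"
```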
Select a Key Pair When Creating an Instance
During the process of creating an instance you have the opportunity to assign a key pair to the new instances. This happens in the Key Pair tab [1] of the Launch Instance dialog. If you have not previously created or imported a key pair into your project, you can do so here [2]. If you would like to use one of the existing key pairs in the project, click the up arrow button in the list of existing key pairs [3].
Use Your Key Pair to Connect to a Windows Instance
To log on to a Windows instance for the first time you will need to use the "admin" account and a password that you can retrieve through the web interface by providing your private key. Under the "Compute" tab and the "Instances" sub-tab, find your Windows instance in the list. With the instance running, open the menu on the right side of its list entry and select the "Retrieve Password" option. This will display a dialog box where you can enter your private key.
The dialog displays the name of the key pair that was assigned when the instance was created, along with the public part of the key pair. You need to provide the private key (in "pem" format) by either choosing a file that contains it [1] or by pasting the text of the private key (including the header and footer) into the space provided [2]. Once the private key is entered, click the "Decrypt Password" button [3]. If the key does not match, an error message will be displayed in the background web page. If the key matches, a password for the "admin" user will be displayed [4]. Copy this password into your computer's clipboard and supply it when logging into your Windows instance using the Remote Desktop application.
For more information, see the section on Accessing Instances.
Use Your Key Pair to Connect to a Linux Instance
If you specified a key pair when creating a Linux instance, the key pair's public key was installed into the initial user account on the instance. When connecting to the instance using the SSH command, you can pass the corresponding private key to establish a secure connection without need for a password.
You must log in to your instance using the correct initial username:
- For CentOS 7, the username is centos,
- For CentOS 8, the username is cloud-user
- For Ubuntu, the username is ubuntu.
The following example of the SSH command syntax is for a private key stored in the file "my_key_rsa" and a CentOS system where the initial account is named "centos".
ssh -i my_key_rsa centos@128.84.8.1
For more information, see the section on Accessing Instances including some troubleshooting tips. If you would like to connect to a Linux instance using the PuTTY application, you will first need to convert your private key from the "pem" format to PuTTY's "ppk" format using the puttygen tool that is installed with PuTTY.
Change the Passphrase on a Key Pair
If needed, you can change or remove the passphrase on an existing private key using ssh-keygen in a terminal program for your operating system (for example: Terminal, Command Prompt, or PowerShell). Windows 10 and above include ssh-keygen preinstalled.
Enter the following command at the prompt, replacing path/to/private.key with the correct path to the private key on your computer. Follow the prompts. To remove the passphrase, leave the new passphrase empty when prompted.
ssh-keygen -p -f path/to/private.key
Repeat this process after you have connected to the Windows instance to set a new passphrase to protect your keypair.