SSH keypairs provide a means of connecting securely to your remote servers. They give you a convenient way to access your server without the need for a user password. An SSH keypair is a set of cryptographic keys used by the Secure Shell (SSH) protocol to provide that secure connection.
It consists of two parts:
- Private Key: A confidential key used to “decrypt” the message received on your remote machine. It sits on the source machine.
- Public Key: You can distribute the public key freely. Anyone can use it to unlock an encrypted message you send over the SSH protocol.
In this article we will see how you can generate private and public keys on OpenStack, and also how to import an existing key.
Generate new SSH keypair in OpenStack
Log in to your OpenStack server or use a workstation with the OpenStack Client configured, then generate a keypair. The syntax is:
openstack keypair create
[--public-key <file> | --private-key <file>]
[--type <type>]
[--user <user>]
[--user-domain <user-domain>]
<name>
Explanation of the command options:
--public-key <file>
Filename for public key to add. If not used, creates a private key.
--private-key <file>
Filename for private key to save. If not used, print private key in console.
--type <type>
Keypair type. Can be ssh or x509. (Supported by API versions ‘2.2’ – ‘2.latest’)
--user <user>
The owner of the keypair. (admin only) (name or ID). Requires --os-compute-api-version 2.10 or greater.
--user-domain <user-domain>
Domain the user belongs to (name or ID). This can be used in case collisions between user names exist.
<name>
New public or private key name
The simplest way to generate everything is:
openstack keypair create --user admin \
--user-domain default \
--private-key cloudspinx.priv \
cloudspinx
In this command, the private key we generate is saved as cloudspinx.priv. The keypair on OpenStack is named cloudspinx. It is created under the admin user account, and the user domain is Default.
+-------------+-------------------------------------------------+
| Field | Value |
+-------------+-------------------------------------------------+
| created_at | None |
| fingerprint | 8e:4c:c7:51:65:e0:2f:74:e7:ee:e7:4e:0b:29:d1:be |
| id | cloudspinx |
| is_deleted | None |
| name | cloudspinx |
| type | ssh |
| user_id | a381926a111e43d288f927baf92e78c8 |
+-------------+-------------------------------------------------+
Give the private key the correct permissions before using it.
chmod 0600 cloudspinx.priv
To get a list of all users and domains run:
openstack user list
openstack domain list
If you want to get public key contents printed out, run:
openstack keypair show \
--public-key \
--user admin \
--user-domain default \
cloudspinx
Sample output:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJY+4BiMa1PEnFQdFf5+vur0QMMG1UhC/iIBkNW40g8O
These are the contents that will be added to /home/$USER/.ssh/authorized_keys when a VM instance is created on OpenStack.
For example, to create a VM instance using the keypair, run:
openstack server create --flavor linux-basic-vps \
--net public \
--key-name cloudspinx \
--security-group allow_all \
--image "Cirros" \
mycirros
Sample output:
+--------------------------------------+-----------------------------------------------+
| Field | Value |
+--------------------------------------+-----------------------------------------------+
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-AZ:availability_zone | |
| OS-EXT-SRV-ATTR:host | None |
| OS-EXT-SRV-ATTR:hypervisor_hostname | None |
| OS-EXT-SRV-ATTR:instance_name | |
| OS-EXT-STS:power_state | NOSTATE |
| OS-EXT-STS:task_state | scheduling |
| OS-EXT-STS:vm_state | building |
| OS-SRV-USG:launched_at | None |
| OS-SRV-USG:terminated_at | None |
| accessIPv4 | |
| accessIPv6 | |
| addresses | |
| adminPass | QpBhh7x5vHdh |
| config_drive | |
| created | 2024-06-18T10:32:04Z |
| flavor | m1.small (1) |
| hostId | |
| id | b830cd60-f8fa-4dcc-a882-5c297eab2a5f |
| image | Cirros (5f639da2-51f9-4f2f-8727-83b2877b574a) |
| key_name | cloudspinx |
| name | mycirros |
| os-extended-volumes:volumes_attached | [] |
| progress | 0 |
| project_id | 3dfc8a0aec3d409696daa2c825b85a3f |
| properties | |
| security_groups | name='7abe316b-ad8b-4dc0-9b18-d4bbe6781a96' |
| status | BUILD |
| updated | 2024-06-18T10:32:04Z |
| user_id | a381926a111e43d288f927baf92e78c8 |
+--------------------------------------+-----------------------------------------------+
Wait for the instance to come online:
$ openstack server list --name mycirros
+--------------------------------------+----------+--------+-----------------------+--------+----------+
| ID | Name | Status | Networks | Image | Flavor |
+--------------------------------------+----------+--------+-----------------------+--------+----------+
| b830cd60-f8fa-4dcc-a882-5c297eab2a5f | mycirros | ACTIVE | public=192.168.1.20 | Cirros | m1.small |
+--------------------------------------+----------+--------+-----------------------+--------+----------+
Then test SSH access to the instance:
ssh -i cloudspinx.priv user@ServerIP
Import existing Key Pair to OpenStack
Another scenario is where you already have a pre-created public and private SSH key. Here we pass the path to the public key file with --public-key.
openstack keypair create
--public-key <file>
--user <user>
--user-domain <user-domain>
<name>
Other arguments are optional, depending on your current OpenStack setup. A simple example would be:
openstack keypair create --public-key ~/.ssh/id_rsa.pub cloudspinx2
Where ~/.ssh/id_rsa.pub is the filename of the public key to add. It can be an absolute or relative path.
To list key fingerprints use:
openstack keypair list
All options and command arguments are as follows:
[--sort-column SORT_COLUMN]
[--sort-ascending | --sort-descending]
[--user <user>]
[--user-domain <user-domain>]
[--project <project>]
[--project-domain <project-domain>]
[--marker MARKER]
[--limit LIMIT]
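A check worth running after an import is that the fingerprint OpenStack lists belongs to the key you intended to upload. The script below is an added example, not from the original article; it assumes GNU coreutils (base64, md5sum) and that the listed fingerprint is the MD5 digest of the decoded key blob, which is the colon-separated format shown in the output earlier. The function names are hypothetical.

```sh
#!/bin/sh
# Added example: compare a local OpenSSH public key with an OpenStack fingerprint.

# Read one OpenSSH public key line ("<type> <base64-blob> [comment]") on stdin
# and print its MD5 fingerprint as aa:bb:cc:... (16 colon-separated hex pairs).
# Assumption: the fingerprint is MD5 over the base64-decoded blob (field 2).
pubkey_md5_fingerprint() (
    blob=$(awk 'NF >= 2 { print $2; exit }')
    [ -n "$blob" ] || exit 1                       # no key blob on the line
    # Reject input that is not valid base64 before hashing anything.
    printf '%s' "$blob" | base64 -d >/dev/null 2>&1 || exit 1
    printf '%s' "$blob" | base64 -d | md5sum | cut -d' ' -f1 |
        sed 's/../&:/g; s/:$//'
)

# fingerprint_matches <public-key-file> <expected-fingerprint>
# Returns 0 on match, 1 on mismatch, 2 if the file is not a usable public key.
fingerprint_matches() (
    actual=$(pubkey_md5_fingerprint < "$1") || exit 2
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')  # compare case-insensitively
    [ "$actual" = "$expected" ]
)

# Command-line use:
#   sh check_fp.sh ~/.ssh/id_rsa.pub \
#      "$(openstack keypair show -f value -c fingerprint cloudspinx2)"
if [ "$#" -eq 2 ]; then
    if fingerprint_matches "$1" "$2"; then
        echo "fingerprint OK: $2"
    else
        echo "fingerprint MISMATCH for $1" >&2
        exit 1
    fi
fi
```

For a keypair generated by OpenStack, derive the public key from the saved private key first with `ssh-keygen -y -f cloudspinx.priv > cloudspinx.pub` and pass that file instead.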
Display key details / contents by running:
openstack keypair show
[--public-key]
[--user <user>]
[--user-domain <user-domain>]
<key>
Deleting keypair
To delete public or private key(s) use:
openstack keypair delete
[--user <user>]
[--user-domain <user-domain>]
<key>
[<key> ...]
Example:
openstack keypair delete cloudspinx2
That’s all. You can now spin up VM instances on OpenStack and authenticate with the added keypair.
In this article, our Engineers have demonstrated how you can add and use an SSH keypair in an OpenStack cloud.