Create and host an SSH key on a cloud server
SSH keys can be used to securely connect to a server via the encrypted SSH protocol. The keys come as a pair: the private key is stored on the local computer and the public key is hosted on the server.
We recommend using SSH keys instead of login and password to authenticate to the cloud server.
SSH keys of types ed25519, rsa, ecdsa, and dsa can be used.
- Optional: add a public SSH key to the cloud platform.
  The way a key is added to the cloud platform affects its availability in projects, pools, and to users, as well as the way it is placed on the server when created. See the SSH keys for project and service user table for more information on key differences.
- Place a public SSH key on a cloud server: when creating a server or on an existing server.
Create SSH keys
- Linux/macOS
- Windows
- OpenStack CLI
Linux/macOS:
- Open the CLI.
- Generate a pair of SSH keys:
  ssh-keygen -t <key_type>
  Specify <key_type> — SSH key type: ed25519, rsa, ecdsa, or dsa.
- A message will appear asking you to select a directory to store the key pair — example for rsa key:
  Enter file in which to save the key (~/.ssh/id_rsa):
  To leave the default directory for storing keys, press Enter. If you want to select a different directory, enter it in the format /path/to/id_rsa and press Enter.
- Optional: enter a passphrase for additional security, repeat the passphrase and press Enter:
  Enter passphrase (empty for no passphrase):
  Enter the same passphrase again:
- Wait for a message that the keys have been generated. Two files will be created: id_rsa (private key) and id_rsa.pub (public key). The key fingerprint and its image will appear in the terminal:
  Your identification has been saved in ~/.ssh/id_rsa
  Your public key has been saved in ~/.ssh/id_rsa.pub
  The key fingerprint is:
  The key's randomart image is:
- Output the public SSH key:
  cat <~/.ssh/id_rsa.pub>
  Specify <~/.ssh/id_rsa.pub>, which is the full path to the public key that you specified in step 3.
- Optional: add a public SSH key to the cloud platform, place a public SSH key when creating a server, or on an existing server.
Windows:
- Install PuTTY.
- Open the PuTTYgen application.
- In the Parameters → Type of key to generate field, select the RSA key type.
- Press Generate.
- Move the cursor in the PuTTYgen window until a key pair is created.
- After creating the keys, click Save public key and Save private key.
- Specify a path to store the keys.
- Optional: in the Key passphrase field, enter a passphrase for additional security.
- Copy the public SSH key.
- Optional: add a public SSH key to the cloud platform, place a public SSH key when creating a server, or on an existing server.
OpenStack CLI:
When generating SSH keys through the OpenStack CLI, the public key will automatically be added to the cloud platform.
Such an SSH key will only be available to the pool and service user that are specified in the rc.sh access file, as well as that user's projects.
Learn more about SSH keys for project and service user.
- Make sure that the correct pool and service user are specified in the rc.sh file.
- Generate a pair of SSH keys:
  openstack keypair create <key_name> --private-key <file_for_key>
  Specify:
  - <key_name> — the key name;
  - <file_for_key> — the file that will store the private SSH key on the local computer.
- Optional: place a public SSH key when creating a server or on an existing server.
Add a public SSH key to the cloud platform
A public SSH key can be added to the cloud platform and then placed when creating a server.
The way a key is added to the cloud platform affects its availability in projects, pools, and to users, as well as the way it is placed on the server when created. See the table for more information on key differences.
- For the project
- For the service user
For the project:
The key will only be available in one project, for all users.
- In Control Panel, go to Cloud Platform → Access.
- Open the SSH keys tab.
- Click Add SSH Key.
- Enter the name of the key.
- Insert a public SSH key in OpenSSH format.
- Click Add Key.
For the service user:
The key will be available in all projects to which a service user with the Project Administrator or Project Viewer roles has been added.
- In Control Panel, in the upper right corner, open the menu (account number) and select Profile & Settings.
- Go to User Management.
- Open the Service Users tab → user page.
- In the SSH Keys field, click Add Key.
- Enter the name of the key.
- Insert a public SSH key in OpenSSH format.
- Press Add.
Place a public SSH key on a cloud server when creating a server
- Control panel
- OpenStack CLI
Control panel:
Only SSH keys for project are available.
- In Control Panel, go to Cloud Platform → Servers.
- Click Create Server.
- In the Access block, add an SSH key to the server:
  - select the SSH key that you added to the cloud platform — you can select only SSH keys for the project;
  - or add a new SSH key that you created earlier. The key will be added to the cloud platform and will only be available for the project.
- Select the rest of the server settings — see the Create Cloud Server instructions for details.
- Press Create.
OpenStack CLI:
Only SSH keys for project and service user are available.
The SSH key and the server must be in the same pool.
- Create a cloud server:
  openstack server create \
    [--image <image> | --volume <volume> | --snapshot <snapshot>] \
    --flavor <flavor> \
    --availability-zone <pool_segment> \
    --nic net-id=<net_uuid> \
    --key-name <key_name> \
    <server_name>
  Specify:
  - source type:
    - --image <image> — to create a server from a ready-made or own image. The <image> parameter is the name or ID of the image, the list can be viewed with openstack image list;
    - --volume <volume> — to create a server from disk. The <volume> parameter is the name or ID of the disk, the list can be viewed with openstack volume list;
    - --snapshot <snapshot> — to create a server from snapshot. The <snapshot> parameter is the name or ID of the snapshot, the list can be viewed with openstack snapshot list;
  - <flavor> — server flavor (configuration) name or ID, the list can be viewed with openstack flavor list — see the View Configuration List instructions for details;
  - <pool_segment> — pool segment where the server will be created, the list can be viewed with openstack availability zone list;
  - <net_uuid> — ID of the private or public network to which the server will connect, the list can be viewed with openstack network list;
  - <key_name> — the name of the SSH key for the service user, the list can be viewed with openstack keypair list;
  - optional: --block-device-mapping vdb=<extra_volume_name> — name of additional disk, the list can be viewed with openstack volume list;
  - optional: --tag <tag_name> --os-compute-api-version 2.52 — tag to add more information about the server;
  - optional: --tag preemptible --os-compute-api-version 2.72 — tag to create preemptible server;
  - optional: --user-data <user_data.file> — path to the script with Base64 encoded data. Scripts and tasks from the script will be executed at the first boot of the operating system. You can see sample scripts in the User data instructions;
  - <server_name> — the server name.
Host a public SSH key on an existing cloud server
To access the cloud server via SSH, you need to add a public SSH key to the ~/.ssh/authorized_keys file on the server. You can add multiple keys, for example, if you need access for multiple users.
Public SSH keys can be placed in two ways:
Copy a public SSH key from a local computer using ssh-copy-id
The ssh-copy-id command adds the public SSH key to the end of the ~/.ssh/authorized_keys file. The command creates a directory and a file if they have not already been created.
- From Linux/macOS
- From Windows
From Linux/macOS:
- Open the CLI on the local computer.
- Copy the public SSH key to the cloud server:
  ssh-copy-id -i <~/.ssh/id_rsa.pub> <username>@<ip_address>
  Specify:
  - <~/.ssh/id_rsa.pub> — the full path to the public key on the local computer;
  - <username> — the username;
  - <ip_address> — the public IP address of the server.
- Enter the user's password.
From Windows:
- Open cmd on the local computer.
- Copy the public SSH key to the cloud server:
  scp </path/to/file> <username>@<ip_address>:C:\Users\<username>\.ssh\authorized_keys
  Specify:
  - </path/to/file> — the full path to the public key on the local computer;
  - <username> — the username;
  - <ip_address> — the public IP address of the server.
  Note that scp writes the file to the destination path, replacing an existing authorized_keys file rather than appending to it.
Place a public SSH key on the server manually
- Open the public SSH key file on the local computer:
  Linux/macOS:
  cat ~/.ssh/id_rsa.pub
  Windows:
  type C:\Users\<username>\.ssh\id_rsa.pub
- Copy the value of the public SSH key.
- Navigate to the .ssh directory:
  cd .ssh
- Create an authorized_keys file in the .ssh folder:
  touch authorized_keys
- Add a public SSH key to the authorized_keys file:
  echo <public_ssh_key> >> ~/.ssh/authorized_keys
  Specify <public_ssh_key>, which is the public SSH key you copied in step 2. It starts with ssh-rsa.
- Configure access rights:
  chmod 700 ~/.ssh
  chmod 600 ~/.ssh/authorized_keys
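The manual steps above can be run as one idempotent script. This is an added example, not part of the original instructions: it rejects input that is not a well-formed public key, skips a key that is already present, and applies the 700/600 permissions. The names install_pubkey and SAMPLE_KEY are hypothetical, and the script assumes base64 -d and head -c are available on the server.

```shell
# Added example: validate a public key line, then append it to
# authorized_keys idempotently. install_pubkey and SAMPLE_KEY are hypothetical.

# Constructed sample (all-zero key material); do not authorize it anywhere.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA constructed@example'

# Usage: install_pubkey "<type> <base64> [comment]" [home_dir]
# The body runs in a subshell, so umask, set -f and variables do not leak.
install_pubkey() (
    key_line=$1
    ssh_dir=${2:-$HOME}/.ssh
    auth_file=$ssh_dir/authorized_keys

    set -f                      # no globbing while splitting the line
    set -- $key_line
    key_type=${1:-} blob=${2:-}

    case $key_type in
        ssh-ed25519|ssh-rsa|ssh-dss|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "rejected: unsupported key type (private key pasted?)" >&2; exit 2 ;;
    esac
    case $blob in
        ''|*[!A-Za-z0-9+/=]*) echo "rejected: key data is not base64" >&2; exit 2 ;;
    esac

    # The decoded blob starts with a 4-byte length followed by the key type
    # name; it must match the first field, or the line was truncated or mixed up.
    embedded=$(printf '%s' "$blob" | base64 -d 2>/dev/null | tail -c +5 | head -c "${#key_type}")
    [ "$embedded" = "$key_type" ] || { echo "rejected: type/blob mismatch" >&2; exit 2; }

    umask 077
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || exit 1
    touch "$auth_file" && chmod 600 "$auth_file" || exit 1

    # Already authorized (same type and blob, comment may differ): nothing to do.
    grep -qF -- "$key_type $blob" "$auth_file" && exit 0

    # If the file does not end with a newline, add one so the new key does
    # not get glued onto the last existing entry.
    if [ -s "$auth_file" ] && [ -n "$(tail -c 1 "$auth_file")" ]; then
        printf '\n' >> "$auth_file"
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
)
```

On the server, call it with the copied key in quotes, for example install_pubkey "$(cat id_rsa.pub)"; running it twice leaves a single entry.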
SSH keys for project and service user
A public SSH key can be added to the cloud platform:
- for cloud platform project;
- or for service user with role Project Administrator or Project Supervisor.