OpenStack Key Pairs cjc73
The best way to provide secure and easy access to your Red Cloud instances is through the use of key pairs for SSH authentication. Key pairs are made up of a private key that only you know, and a public key that is distributed to people and systems with which you would like to have secure communications. Red Cloud allows you to easily generate or upload such key pairs to use with your instances.
When you create a new instance, you should specify a key pair to be used for logging in to that instance. You can only add a key pair to an instance at the time of its creation, not afterwards, so it is important not to overlook this step. It is possible to generate a new key pair during the process of creating an instance.
In Linux instances, the pair's public key is installed into the root (or ubuntu user) account at the time of its creation, allowing you to login simply by providing the private key. For Windows instances, you will need to provide the private key to the Red Cloud web interface in order to fetch a valid password for logging in to the instance's administrator account.
Key pairs are created per user within an account, so other account members will not be able to use the key pairs you create. You will also not be able to use a given key pair in multiple accounts unless you import it into each account.
Identify Your Scenario
The procedure to create an instance associated with a key pair depends on 1) the intended instance operating system and 2) whether you need to create a key pair or have an existing key pair you would like to use. While passphrase-protected keys are more secure and are recommended for Linux instances, Windows instances are not compatible with these keys and different steps are required.
Your situation should match one of the following scenarios:
- I want to create a Windows instance and I do not already have an RSA key pair.
- First, Create a Key Pair Without a Passphrase (with OpenStack).
- Next, follow the steps to Select a Key Pair When Creating an Instance.
- Finally, Use Your Key Pair to Connect to a Windows Instance.
- I want to create a Windows intance and I have an RSA key pair I want to use.
- If your key is passphrase protected, follow the steps to Change the Passphrase on a Key Pair to remove the passphrase.
- Next, Import the Key Pair.
- Then, Select a Key Pair When Creating an Instance.
- Finally, Use Your Key Pair to Connect to a Windows Instance.
- I want to create a Linux instance and I do not already have an RSA key pair.
- I want to create a Linux instance and I have an RSA key pair I want to use.
Create or Select a Key Pair
Only one of the following subsections will apply to you. If you are following a have an existing key, skip to
Create a Passphrase-Protected Key Pair
The recommended way (for security reasons) to use key pairs is through a passphrase-protected key pair. Windows instances cannot use passphrase-protected key pairs, so if you are following these directions to create a key pair that you intend to use with Windows instances, leave the passphrase empty.
The command line tool ssh-keygen is preinstalled on Windows 10, macOS and Linux operating systems. To enter the commands below, open the terminal application on your operating system (for example, Terminal or Command Prompt). To create a passphrase-protected key pair, enter a terminal on your operating system. Navigate to a directory where you wish to store the key pair, using cd on a Mac or Linux (more information can be found here: Linux Tutorial) or chdir in Windows Command Prompt. Traditionally, SSH key pairs are stored in the users home directory, in a folder called .ssh. Enter the command below to create an 4096 byte RSA key pair named cloud.key and cloud.key.pub. You may choose a more meaningful name for your key that incorporates your netID and other information about why the key was created:
ssh-keygen -t rsa -b 4096 -f cloud.key
The terminal will prompt you to enter a passphrase. If this key pair is for Windows instances, just press enter for no passphrase. Otherwise type a secure passphrase and hit enter. This generates a passphrase-protected private key (cloud.key) and a public key (cloud.key.pub). Alternatively, you can give the key-pair a name that links it back to the person who created it, so others can easily tell who was the initial administrator of the instance. This is especially useful if one ends up adding other users.
Your key pairs can be managed through the Red Cloud web interface by selecting the "Compute" tab  and then selecting the "Key Pairs" sub-tab . This will display a list of your current key pairs as well as buttons for creating, importing or deleting key pairs. Click the "Import Key Pair" button on that page.
Enter a key pair name and paste your SSH public key into the corresponding fields.
To paste your SSH public key (cloud.key.pub), first enter a terminal, and make sure you are in the directory that contains your public key. Then enter one of the following commands. Be sure to change the cloud.key part of the command to match the name you used when you created the key. The .pub should be included, because this indicates the public part of the key pair.
- Linux, macOS:
Copy the output from that command and paste it into the corresponding field on OpenStack. Next, click "Import Key Pair" to close the dialogue.
Now when you are launching your instance, in the Key-Pair section, select your imported key-pair for use in your instance.
After you have launched your instance and are trying to access it, you will login using the following command, which uses the private key. Make sure you are in the directory where the private key is stored when using this command.
ssh -i cloud.key <username>@<instance_ip>
The username may differ based on the image used to launch your instance (e.g., ubuntu on an Ubuntu instance) and the instance_ip is your instance's IP address, which can be found on the Instances page in OpenStack. You will then be prompted to enter in your passphrase to use your private key for this command.
Also, it's possible to add more key-pairs after using this one to log in, for your account or others, because you can always just add more public keys to ~/.ssh/authorized_keys. Instructions for adding a public key to the authorized_keys file is covered in the Linux Tutorial.
A passphrase-protected key pair is generally used if you want to have open security group access. If, for example, all of your collaborators are from Cornell University, you can lock down the security group to only Cornell-associated IP addresses. If some collaborators are not from Cornell, then it may be better to have open access to your security group, while using passphrase-protected SSH keys.
Create a Key Pair Without a Passphrase (with OpenStack)
This section is only useful if you plan to use key pairs without a passphrase, which should only be used when you have sufficient security measures in your security group that limit IP addresses that can access the instance.
Your key pairs can be managed through the Red Cloud web interface (shown below) by selecting the "Compute" tab  and then selecting the "Key Pairs" sub-tab . This will display a list of your current key pairs as well as buttons for creating, importing or deleting key pairs. Begin by clicking "Create Key Pair" , which raises a simple wizard dialog.
In the Create Key Pair dialog, enter a unique and meaningful name for the key pair  and then click "Create Keypair" . Note that if the name you entered is invalid, the error message will be displayed in the underlying "Key Pairs" web page. The text for your private key is then displayed in the wizard. It is critical that you copy this text, either by selecting all of the text in the display and using a hot key or context menu item to copy it to the clipboard, or by clicking the "Copy Private Key to Clipboard" button . This will be your only chance to copy the text, so do not forget to do so. When you have copied it, click "Done"  to close the wizard. The newly created key pair will now be shown in the list. It can be deleted using the button on the right of its entry, and clicking on the key pair's name will show more information about it, including its public key.
You now must save the private key that you copied to your computer's clipboard into a file having the ".pem" extension. If you save the file with any other extension, you may not get the correct formatting. The file you saved the private key to must also be in plain text format.
After copying the private key, open any simple text editor, but not a word processing app like Word. On Windows that could be Notepad, on Mac it could be TextEdit, and on Linux that could be any text editor you have installed, like gedit.
If you use TextEdit, the default format is RTF (Rich Text Format), not plain text. You need to change the format to plain text first (under the "Format" menu) in order to have it saved correctly.
Next, open a new text file, and paste the private key text into the new file. Make sure to paste all the text you copied from the private key dialogue from Red Cloud. The text you paste should include
BEGIN RSA PRIVATE KEY and
END RSA PRIVATE KEY, and the accompanying dashes.
Next, save the file as
<key name>.pem, where
<key name> is your key name, in an easily accessible directory. Make sure to have only a .pem extension on the saved file, without any extra .txt or such extensions.
Lastly, if you are on Mac or Linux, make sure to set the file to the appropriate permissions. Open a terminal to access the directory with your saved key file, and enter
chmod 600 <key name>.pem to change the permissions.
The once the key is saved you can connect to a Linux instance or retrieve the administrator account password for a Windows instance.
Change the Passphrase on a Key Pair
If needed, you can use ssh-keygen in a terminal program for your operating system (for example: Terminal, Command Prompt, or Powershell). Windows 10 and above includes ssh-keygen preinstalled.
Enter the following command at the prompt, replacing path/to/private.key with the correct path to the private key on your computer. Follow the prompts. To remove the passphrase, leave the new passphrase empty when prompted.
ssh-keygen -p -f path/to/private.key
Repeat this process after you have connected to the Windows instance to set a new passphrase to protect your keypair.
Import a Key Pair
If you already have an SSH key pair that you would like to use with Red Cloud, you can import it rather than creating a new one. To do so, click the "Import Key Pair" button  on the Key Pairs page. This brings up a dialog for creating a key pair.
The Import Key Pair dialog contains some detailed instruction for generating key pairs on your computer. Using either an existing key or one that you generate by following those instructions, enter a unique and meaningful name for the key pair  and paste the entire text from its public key into the provided space . This public key text should begin with "ssh-rsa" and end with a name, with a long string of letters and numbers in between. When you have entered those two values, click "Import Key Pair" . They key pair will be imported and will appear in the Key Pairs list.
Select a Key Pair When Creating an Instance
During the process of creating an instance you have the opportunity to assign a key pair to the new instances. This happens in the Key Pair tab  of the Launch Instance dialog. If you have not previously created or imported a key pair into your project, you can do so here . If you would like to use one of the existing key pairs in the project, click the up arrow button in the list of existing key pairs .
Use Your Key Pair to Connect to a Windows Instance
To log on to a Windows instance for the first time you will need to use the "admin" account and a password that you can retrieve through the web interface by providing your private key. Under the "Compute" tab and the "Instances" sub-tab, find your Windows instance in the list. With the instance running, open the menu on the right side of its list entry and select the "Retrieve Password" option. This will display a dialog box where you can enter your private key.
The dialog displays the name of the key pair that was assigned when the instance was created, along with the public part of the key pair. You need to provide the private key (in "pem" format) by either choosing a file that contains it  or by pasting the text of the private key (including the header and footer) into the space provided . Once the private key is entered, click the "Decrypt Password" button . If the key does not match, an error message will be displayed in the background web page. If the key matches, a password for the "admin" user will be displayed . Copy this password into your computer's clipboard and supply it when logging into your Windows instance using the Remote Desktop application.
For more information, see the section on Accessing Instances.
Use Your Key Pair to Connect to a Linux Instance
If you specified a key pair when creating a Linux instance, the key pair's public key was installed into the initial user account on the instance. When connecting to the instance using the SSH command, you can pass the corresponding private key to establish a secure connection without need for a password.
You must log in to your instance using the correct initial username:
- For CentOS 7, the username is centos,
- For CentOS 8, the username is cloud-user
- For Ubuntu, the username is ubuntu.
The following example of the SSH command syntax is for a private key stored in the file "my_key_rsa" and a CentOS system where the initial account is named "centos".
ssh -i my_key_rsa firstname.lastname@example.org
For more information, see the section on Accessing Instances including some troubleshooting tips. If you would like to connect to a Linux instance using the [PuTTY] application, you will first need to convert your private key from the "pem" format to PuTTY's "ppk" format using the puttygen tool that is installed with PuTTY.
For more information, see the section on Accessing Instances.