Navigation :

SSH Keys for OpenStack Access

Due to our AFSHomeDirectory structure ssh public key authentication is not generally used for CSAIL login. Kerberos authentication, which SSH keys do not provide, is required to authenticate to the filesystem containing your home directory, so logging into a CSAIL system with public keys would result in logging in but having no access to your home directory.

However, SSH key authentication is the only way to access the administrative account on OpenStack instances. This page documents that specific use case.

Using an existing keypair

If you have an OpenStackAccount and an existing key pair it is extremely simple to upload your public key.

Log in to https://nimbus.csail.mit.edu and go to: Access & Security Keypairs Import Keypair
Enter an identifying name (perhaps your username) in the Keypair Name field and paste the contents of your public key file (likely ~/.ssh/id_rsa.pub) into the Public Key field then click Import.

Creating a new key pair

The instructions in the following sections will work on GNU/Linux systems and MacOS Terminal. For Windows, please follow the steps below:

It’s easiest to connect to OpenStack via PuTTY and by creating a new key pair from the OpenStack web view. To generate a key pair, go to “Project Compute Access and Security” on the left hand menu. In here, click on ‘Key Pairs’ in the top menu, and click the ‘Create Key Pair’ button. This will generate a .pem file that you should save somewhere easily accessible.

Now that we have a .pem file, we need to convert it to a .ppk file in order to use it in PuTTY. Download puttygen.exe from the download page of PuTTY. Near the bottom of the puttygen.exe window, you will see an option to ‘Load an existing private key file’. Click ‘Load’ and find the .pem file you just saved (you may need to change the filter to view All Files (.)). Once this is done, a popup should appear saying that the foreign key was successfully imported. Now, click ‘Save private key’ to save the private key in .ppk format.

Finally, we can use PuTTY to connect to our instance. When creating the instance, make sure that you select the key pair you just created, or else this will not work and you can’t ssh into the instance. Once the key pair has been set, click launch. Now, in PuTTY, you need to enter the following information:

In Host Name (or IP Address) under ‘Session’ on the left hand menu, enter the IP address of the instance.
Under ‘Connection Data’ on the left hand menu, enter ubuntu as the ‘Auto-login username’
Under ‘Connection SSH Auth’ on the left hand menu, click ‘Browse…’ under ‘Private key file for authentication:” and find the .ppk file you just saved.

Now, you should be able to access your instance via PuTTY. If you get an error, usually it is because the instance is not allowed to connect on port 22 by default. In this case, you need to make a new security group for your instance. Go to “Compute Access & Security” on the left hand menu of the OpenStack web view. Under the default security group, click the ‘Manage Rules’ button. In here, make a new rule with the following:

Rule: Custom TCP Rule
Direction: Ingress
Open Port: Port
Port: 22
Remote: CIDR
CIDR: 0.0.0.0/0

Try running PuTTY again with the steps from above and you should be able to SSH!

Select a location for your private key

The private portion of your keypair should be kept in a secure private location. The default location ~/.ssh is suitable on Macs or on your laptop but not in your AFSHomeDirectory. AFS permissions are per directory not per file and some things in ~/.ssh require public access.

For AFSHomeDirectory you should use ~/.ssh/private you can should run fs listacl ~/.ssh/private to verify no one other than you has access rights. This directory is created with proper access controls when your CSAIL account is created.

Generate the keypair

The ssh-keygen command creates the keys for you; all you need is the location you decided on above and a good passphrase.

$ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/afs/csail.mit.edu/u/j/jon/.ssh/id_rsa): /afs/csail.mit.edu/u/j/jon/.ssh/private/id_rsa
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /afs/csail.mit.edu/u/j/jon/.ssh/private/id_rsa.
Your public key has been saved in /afs/csail.mit.edu/u/j/jon/.ssh/private/id_rsa.pub.
The key fingerprint is:
c5:69:83:3e:4b:f0:98:4c:d1:ca:28:fc:6b:09:90:fc jon@kvas
The key's randomart image is:
+--[ RSA 2048]----+
|      ..         |
|       ..o .     |
|.o   oo.. *      |
|o.o .oo* o .     |
| ..o  + S        |
|  .E.  . o       |
|   . o  .        |
|    +            |
|   .             |
+-----------------+

You then take the public key (~/.ssh/private/id_rsa.pub in this case) and upload it as described above.

Note on connecting with keys

Using an SSH agent you can authorize your key once with your passphrase and then have passphraseless access to systems that authorize your public key for access.

Linux desktop systems usually start an SSH agent on login, so you can use this command:

ssh-add </path/to/private_key>

(If that command says something like “Cannot connect to your agent”, your session might not be configured to start an SSH agent for you on login.) You don’t need an SSH agent; keypair-based SSH connections will still work without one, but without one you’ll need to type your passphrase to decrypt your private key each time you issue an ssh command. Send mail to help@csail.mit.edu if you need help getting an SSH agent to start when you log in.