SSH keys and how to share access¶
You need a valid SSH keypair to access virtual machines.
Basics on SSH keys¶
A keypair consists of a public key and a private key. A public key encrypts data, and a private key decrypts data.
You should usually not share a private key because someone else can decrypt the data you encrypt.
You can imagine a public key encryption as a padlock, which you close once you encrypt data with it. A private key would be the key, which unlocks the padlock. If you place a public key on a virtual machine, the virtual machine sends you the data encrypted by the public key. One needs the private key to decrypt the data the virtual machine sends.
This happens automatically when using a secure shell or SSH for short. The virtual machine encrypts the data with the public key placed on it, and it gets decrypted with the private key you use to establish an SSH connection, e.g., by using
ssh ubuntu@<IP> -i /path/to/your/private/key -p <PORT>
This means the following things:
When you use a private key, which doesn't correspond to a public key placed on your virtual machine, you can't decrypt the data and can't access any data on the virtual machine.
You may get a note that reads, for example,
Permission denied (publickey). Then you used the wrong private key.
Only a private key corresponding to the public key on the machine can decrypt the data.
Only someone with access to the machine can change the public keys, which the virtual machine recognizes and uses.
The staff of the de.NBI Cloud doesn't belong to the people, who can access your virtual machine and change its public keys. Your virtual machine, once active, only recognizes the public key you have set on your profile page when you started the virtual machine. This excludes some special options, like starting virtual machines for a workshop, or granting access to selected project members when starting your vm.
Therefore, once you started your virtual machine, no one but the people you granted access can change the public keys on your virtual machine.
On key pair security
Every padlock design has an opening mechanism. Therefore, no padlock in existence can guarantee you 100% security, good padlocks can only guarantee you sufficiently good enough security. This applies to key pairs too. Modern key pairs, like the ones you can create on the profile page, guarantee you good enough security with the state of the current collective knowledge. They don't and can't guarantee you good enough security for every future to come.
You have to set a public key on your profile page when you want to start a virtual machine.
After launching a vm, only the private key corresponding to the public key set on your profile page when
you initially started the virtual machine can access it and decrypt the data the vm sends you.
You lose the private key, you lose access.
When trying to connect to your machine via SSH, you might encounter the following error message:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: UNPROTECTED PRIVATE KEY FILE! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ Permissions 0777 for '<KEYFILE_NAME>' are too open. It is required that your private key files are NOT accessible by others. This private key will be ignored. Load key "<KEYFILE_NAME>": bad permissions email@example.com: Permission denied (publickey).
sudo chmod 600 /PATH/TO/MY/PRIVATE/KEY.pem ### e.g ./my_private_key.pem
More information on profile page and key generation¶
Find more information about the profile page, and how to generate a key pair on the profile page, at SSH-KEY.
For Windows users: Using PuTTY generated keys
You can use existing .ppk key pairs generated by PuTTYgen to connect to your SimpleVM instance. Please refer to this tutorial.
In addition, the private key should be exported in OpenSSH format by performing the following steps:
- Open PuTTYgen
- Click File -> Load private key
- Go to Conversions -> Export OpenSSH and export your private key
If you want to know more about the technical details of key pairs, start with the wikipedia page on keys and cryptography.
You need a valid public key from the person you want to share access with.
Where to find public keys of your project members
If set, you can find the public key of another project member by using the member list on the project overview. Click the button to see their public key.
If they don't have an SSH key pair yet, they need to generate it.
They can use ssh-keygen, or they can generate a public key on
their profile page.
Add the key to your virtual machine after getting their public key.
On a Linux distribution, you can do it with the following command:
ssh-copy-id -i /PATH/TO/THE/OTHERS/PUBLIC/KEY -p PORT_OF_YOUR_VM -o "IdentityFile /PATH/TO/YOUR/PRIVATE/KEY" ubuntu@USUAL_IP_ADDRESS
You can find the port and ip address on the virtual machine overview, or the detail page of your vm.
Otherwise, use the following steps to add a user to a virtual machine:
- Connect to your machine as usual.
- Use the command:
This opens the file that stores all the public keys that grant access to your virtual machine. Your key is already in that file, don't change it.
- Copy the public key of the other person and add it in a new line after the other lines.
Use Ctrl+X to close the file.
Confirm when it asks whether you want to save your changes.
Now the other user can access your virtual machine. If you experience any troubles, contact the helpdesk at firstname.lastname@example.org.
Reminder on responsibility
Only add the ssh key of people you trust.
You have the responsibility for your virtual machine and all actions on it, even if you share access with other people.