SSH keypairs let you authenticate to your Linux virtual machine without a password, with the added security of SSH Public-Key authentication.

Public-Key authentication is both:

  • Secure: breaking an SSH key requires so much time and computational power that these sorts of attacks are not practical in the real world. SSH keys are much, much more secure than even very strong passwords.

  • Convenient: instead of managing per-machine passwords or sharing them across your company, every physical person who needs access to your servers gives you their public key. You can then set up granular access control by adding those keys only to the relevant machines. If you need to revoke someone’s access, simply revoking their key prevents them from logging in without altering other people’s workflow.

Exoscale allows you to automatically provision Linux machines with SSH public keys to use for Public-Key authentication with SSHv2.

Note that while you can have multiple keypairs in your account, the instance creation dialog only allows you to select one keypair. Once the instance is created, you may allow additional public keys and set up more detailed access control using traditional means.

Keypairs can be imported either by using the CLI or through the web portal.

Note

The supported SSH key formats are ssh-rsa and ssh-ed25519.

Creating a New SSH Keypair

If you don’t have an SSH keypair, you can create a new one on your machine with the following command:

ssh-keygen -t rsa -b 4096 -C 'a-comment-to-identify-your-key'

You will be asked for a name and location to save your new keypair (keypairs are usually stored in ~/.ssh, and the main keypair for a user is usually called id_rsa) and for a password to protect it.

You can then import the content of your freshly created public key to Exoscale.

Provisioning an Instance With a Keypair

When creating a new virtual machine, simply select the keypair you want to be associated with that instance and the person holding the corresponding private key will be able to log in via password-less SSH.

Please be aware that deleting a public key in the Exoscale console does not automatically remove the authorized public key from an already created instance. If you want to completely revoke a key, you need to do so manually by deleting the key on every instance holding it.
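
One way to do that manual removal on an instance, as an added example that is not Exoscale tooling or part of the original documentation: a shell function that strips every authorized_keys entry carrying a given public key. The names revoke_key and demo and the sample key blobs are constructed for illustration; it assumes keys live in ~/.ssh/authorized_keys, the OpenSSH default.

```shell
#!/bin/sh
# Added example (not Exoscale tooling): revoke one public key on an instance.
# Usage: revoke_key PUBKEY_FILE [AUTHORIZED_KEYS_FILE]
# Run as the account that owns the authorized_keys file.
revoke_key() {
    pub=$1
    auth=${2:-$HOME/.ssh/authorized_keys}   # assumed OpenSSH default location

    # The base64 blob after the key type identifies the key; the trailing
    # comment does not, so match on the blob only.
    blob=$(awk '$1 == "ssh-rsa" || $1 == "ssh-ed25519" { print $2; exit }' "$pub")
    if [ -z "$blob" ]; then
        echo "no ssh-rsa or ssh-ed25519 key found in $pub" >&2
        return 2
    fi
    [ -f "$auth" ] || { echo "$auth not found" >&2; return 2; }

    tmp=$(mktemp "$auth.XXXXXX") || return 2
    chmod 600 "$tmp"

    # Drop every entry carrying that blob, including entries that start with
    # an options field (from="...", command="...") or use another comment.
    # Kept lines go to $tmp; the number of dropped entries goes to stdout.
    removed=$(awk -v blob="$blob" -v out="$tmp" '
        { hit = 0; for (i = 1; i <= NF; i++) if ($i == blob) hit = 1 }
        hit  { n++; next }
             { print > out }
        END  { print n + 0 }
    ' "$auth") || { rm -f "$tmp"; return 2; }

    mv "$tmp" "$auth"   # replace in one step so the file is never half-written
    echo "$removed"
}

# Constructed sample data (fake key blobs) to try the function offline.
demo() {
    d=$(mktemp -d) || return 2
    printf 'ssh-ed25519 AAAAconstructedKeyA alice@laptop\n' > "$d/alice.pub"
    printf '%s\n' \
        'ssh-ed25519 AAAAconstructedKeyA alice@laptop' \
        'from="192.0.2.10" ssh-rsa AAAAconstructedKeyB bob@desk' \
        'command="/bin/true" ssh-ed25519 AAAAconstructedKeyA old-comment' \
        > "$d/authorized_keys"
    revoke_key "$d/alice.pub" "$d/authorized_keys"   # prints 2
    cat "$d/authorized_keys"                          # only bob's entry is left
    rm -rf "$d"
}
```

A result of 0 means the key was not present in that file; run the function on every instance and for every account whose authorized_keys may hold the key.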

Connecting to Your Newly Created Instance

Once your new instance has started and is running, you can connect to it via SSH. How to use SSH is out of the scope of this documentation, but assuming the following conditions:

  • You have SSH installed on your machine
  • Your private key is stored in ~/.ssh/id_rsa
  • Permissions of the ~/.ssh folder (700) and of your private key (600) are correct
  • You opened TCP port 22 in your machine’s security groups

you should then be able to connect to your machine simply with:

ssh root@ip-address-of-your-instance

You may be asked for the password of your private key if set (not the password of your instance).

You may also see a warning about the remote host identification: this is to be expected on a first connection and you can trust the remote.