1.3. Set Up an SSH Key Pair

Why do you need an SSH key pair?

After creating a compute instance on the cloud, logging in through the SSH protocol is the primary way of accessing the instance. The SSH protocol uses a key pair for authentication, where the public key is installed in the remote instance and the private key is installed on your local machine.

Creating key pairs in AWS

AWS supports the following approaches to creating SSH key pairs:
  • Download a private key: you use the AWS Management Console to generate a key pair, and you download the private key to your local machine. AWS keeps a copy of the public key, which is then automatically installed into new compute instances.
  • Upload a public key: you generate the SSH key pair yourself and upload the public key to AWS (in practice, the Fabric console commands upload the public key for you).

Advantages of uploading a public key

Uploading a public key has several advantages over downloading a private key:
  • It is more secure, because the private key never gets sent across the Internet.
  • You can easily upload the same public key to instances in different provider regions and even use the same public key with different providers.
  • You have more control over the parameters of the key pair, because you generate it yourself.

Default key location

The ssh command and the Fabric console commands automatically look for the private key in the default key location. It is recommended that you install your key in the default location, because it saves you the trouble of specifying the location explicitly.
On a *NIX operating system, the default locations for an RSA key pair are:
~/.ssh/id_rsa
~/.ssh/id_rsa.pub
On a Windows operating system, the default locations for an RSA key pair are:
C:\Documents and Settings\Username\.ssh\id_rsa
C:\Documents and Settings\Username\.ssh\id_rsa.pub
Note
AWS only supports RSA keys. DSA keys do not work.

Creating a new SSH key pair

Generate an RSA key pair using the ssh-keygen utility. Open a new command prompt and enter the following command:
ssh-keygen -t rsa -b 2048
The preceding command generates an RSA key with a key length of 2048 bits. You will then be prompted to specify the file name for the key pair:
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/Username/.ssh/id_rsa):
Press Return to save the key pair in the default location. You will then be prompted for a pass phrase:
Enter passphrase (empty for no passphrase):
Press Return twice to select no pass phrase. This means that the private key is not encrypted.
Important
The Fabric console commands are not compatible with an encrypted private key, so you must ensure that the private key is not encrypted. To protect the private key file, change its permissions so that it can be read only by you.

Troubleshooting

Setting up an SSH key pair can sometimes be tricky. Here are some hints to help with troubleshooting:
  • If you get the following error when you try to invoke a JClouds or Fabric console command:
    IOException: Invalid DER: length field too big (186)
    This probably means that you are using an encrypted private key. The Fabric console commands support only unencrypted private keys.
  • If you are having trouble with a particular SSH key pair and you want to try a different one, you must first unregister the cloud provider using the fabric:cloud-provider-remove console command, and then re-register the cloud provider using the fabric:cloud-provider-add console command (this forces Fabric to reread the SSH private key).
  • Make sure you are using an RSA key. DSA format is not supported.
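
The three conditions this section relies on (an unencrypted private key, an RSA key type, and a key file readable only by you) can be checked before registering the cloud provider. The following Python script is an added example, not part of the Fabric or JClouds tooling; the function names are hypothetical, the sample key text is constructed, and the permission check assumes a *NIX file system.

```python
import base64
import os
import stat
import struct

MAGIC = b"openssh-key-v1\x00"
# Constructed sample: header lines of an encrypted legacy PEM key, no key material.
SAMPLE_ENCRYPTED_PEM = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
                        "-----END RSA PRIVATE KEY-----\n")

def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 length, then bytes)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def inspect_key_text(text):
    """Return (key_type, encrypted) for the text of a private key file."""
    lines = text.strip().splitlines()
    header = lines[0].strip() if lines else ""
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(l.strip() for l in lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("bad OpenSSH key magic")
        cipher, off = _read_string(blob, len(MAGIC))  # "none" if unencrypted
        _kdf, off = _read_string(blob, off)
        _kdfopts, off = _read_string(blob, off)
        pub, _ = _read_string(blob, off + 4)          # skip uint32 key count
        ktype, _ = _read_string(pub, 0)               # e.g. "ssh-rsa"
        return ktype.decode(), cipher != b"none"
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return "unknown", True   # PKCS#8: key type is inside the encrypted body
    if header.startswith("-----BEGIN ") and header.endswith(" PRIVATE KEY-----"):
        ktype = header[len("-----BEGIN "):-len(" PRIVATE KEY-----")].lower()
        return ktype or "unknown", "Proc-Type: 4,ENCRYPTED" in text
    raise ValueError("not a recognised private key file")

def check_private_key(path):
    """Return a list of the problems this section warns about for `path`."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        ktype, encrypted = inspect_key_text(fh.read())
    problems = []
    if encrypted:
        problems.append("encrypted: Fabric console commands need an unencrypted key")
    if ktype not in ("rsa", "ssh-rsa"):
        problems.append(f"key type {ktype!r} is not confirmed as RSA")
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        problems.append("permissions: key is accessible to group/others (chmod 600)")
    return problems
```

Calling `check_private_key` on the path of your private key (for example, the default `~/.ssh/id_rsa` expanded with `os.path.expanduser`) returns an empty list when the key meets all three conditions.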