Menu Close

4.3.3. Generating an SSH private key and adding it to the agent

If you want to perform installation debugging or disaster recovery on your cluster, you must provide an SSH key to both your ssh-agent and the installation program. You can use this key to access the bootstrap machine in a public cluster to troubleshoot installation issues.


In a production environment, you require disaster recovery and debugging.

You can use this key to SSH into the master nodes as the user core. When you deploy the cluster, the key is added to the core user’s ~/.ssh/authorized_keys list.


You must use a local key, not one that you configured with platform-specific approaches such as AWS key pairs.


  1. If you do not have an SSH key that is configured for password-less authentication on your computer, create one. For example, on a computer that uses a Linux operating system, run the following command:

    $ ssh-keygen -t ed25519 -N '' \
        -f <path>/<file_name> 1
    Specify the path and file name, such as ~/.ssh/id_rsa, of the new SSH key. If you have an existing key pair, ensure your public key is in the your ~/.ssh directory.

    Running this command generates an SSH key that does not require a password in the location that you specified.


    If you plan to install an OpenShift Container Platform cluster that uses FIPS Validated / Modules in Process cryptographic libraries on the x86_64 architecture, do not create a key that uses the ed25519 algorithm. Instead, create a key that uses the rsa or ecdsa algorithm.

  2. Start the ssh-agent process as a background task:

    $ eval "$(ssh-agent -s)"

    Example output

    Agent pid 31874

If your cluster is in FIPS mode, only use FIPS-compliant algorithms to generate the SSH key. The key must be either RSA or ECDSA.

  1. Add your SSH private key to the ssh-agent:

    $ ssh-add <path>/<file_name> 1

    Example output

    Identity added: /home/<you>/<path>/<file_name> (<computer_name>)

    Specify the path and file name for your SSH private key, such as ~/.ssh/id_rsa
  2. Set the GOOGLE_APPLICATION_CREDENTIALS environment variable to the full path to your service account private key file.

    $ export GOOGLE_APPLICATION_CREDENTIALS="<your_service_account_file>"
  3. Verify that the credentials were applied.

    $ gcloud auth list

Next steps

  • When you install OpenShift Container Platform, provide the SSH public key to the installation program.