OpenStack Security Tip: Create a key pair for accessing VMs

One way to bolster security on your OpenStack cloud is to set up security options that go beyond password-based authentication when you create a new instance. The most common way is to use the OpenStack Dashboard, Horizon, to set up public/private key pairs to properly protect the instance at launch time.

Public/private key pairs work by keeping the public key on the server, and the private key on your local workstation. Once the server has verified that the two keys match, a secure connection can be made.

OpenStack can inject a public ssh key into an instance on launch, so that it’s ready for you the access using the private key. If you then set up ssh to deny password authentication and instead require the key, you give your instance a much stronger layer of security.

Now let’s look at how to set up key pairs in OpenStack. Basically, there are three steps: create a key pair, add it to an instance, and modify it for increased security.

Create a key pair in Horizon

The first step is to create the actual key pair, if you don’t already have one:

  1. Click “Compute” under the “Project” option in the Horizon left-hand menu.
  2. Select “Access & Security”.
  3. Click the “Key Pairs” tab.

openstack-horizon-access-security

  1. Click “+Create Key Pair”.
  2. Name your new key pair and click “Create Key Pair”.

openstack-create-key-pair

  1. The new key pair will automatically download to your local machine; make sure you don’t lose it, or you won’t be able to access the new instance.

openstack-download-key-pair

  1. Click Access & Security again to see your new key pair.

openstack-key-pairs

You can also create a key pair manually and import it, or import an existing public key, by click the “Import Key Pair” button and adding it to the form.
importkey

Add a key pair to an instance

To add a key pair to an instance, you need to specify it when you’re launching the instance.

  1. Under Instances click “Launch Instance”.
  2. Click the “Access & Security” tab.
  3. Choose the appropriate key pair from the pulldown (or click the “+” sign to import one).

openstack-add-key-pair-to-instance

  1. After completing the rest of the required information on the other tabs, click “Launch”.

Securing and using your new key pair

To use your new key pair, you need to make it available to your ssh client.  On Linux, follow these instructions:

  1. Copy the downloaded key pair into your ~/.ssh/ directory
  2. Change permissions to 600:
    # cd ~/.ssh
    # chmod 600 KEY_NAME.pem
  3. Now you can use the key pair to connect to the instances created using this key pair:
    # ssh -i ~/.ssh/KEY_NAME.pem USER@SERVER_IP

On Windows, how you use your new key will depend on your client.  The PuTTY client is an open source SSH client that also handles SFTP and SCP, and enables you to specify the private key to use. The downside of PuTTY is that it doesn’t like the *.pem format OpenStack gives you, in which the public and private key are together; instead you must separate them using the PuTTYgen client:

  1. Download PuTTYgen from the main downloads page.
  2. Run puttygen.exe.
  3. Click the Load button and specify “All files *.*” as the file format so it can find the *.pem file.
  4. Load the key pair you downloaded from OpenStack earlier.  You’ll see the information in the puttygen window.

puttygen-load-key

  1. Optionally add a passphrase.
  2. Click “Save Private Key” and save the file where you’ll be able to find it.

Now you can add the private key to a connection in PuTTY:

  1. Download PuTTY from the main downloads page.
  2. Run putty.exe.
  3. Specify the hostname or IP for the instance (you can find this information on the instances page once it’s launched).
  4. In the left-hand panel, expand “Connection->SSH” and click “Auth”.

ssh

  1. Click “Browse” and find the *.ppk file you saved from puttygen.exe.
  2. Click “Open” to connect to the instance.

Enhanced security without the hassle

Not all OpenStack instances will be booted from Horizon, of course; it’s very common to boot an instance from the command line, and the OpenStack Compute (Nova) CLI does provide the –key-name parameter to enable you to add an existing key pair to an instance as it boots.  (Note that you must add the key to the cluster first.)

Still, for users who prefer to use the OpenStack Dashboard instead, it’s convenient to be able to create and add a key pair directly through Horizon.

Looking for an easier way to deploy OpenStack?  OpenStack Fuel lets you deploy OpenStack with a few clicks of your mouse. Download it now with Mirantis OpenStack.

Latest Tweets

WEBINAR
Mirantis and Ericsson on Edge Computing