2 Enabling Secure Access to Instances Using SSH
This section provides information about generating and using SSH keys to enable secure access to your instances.
Note:
You can’t use SSH keys to log in to a Windows instance. To log in to your Windows instance using RDP, see Accessing a Windows Instance Using RDP.
For information about using an SSH key to log in to your Oracle Linux instance, see Accessing an Oracle Linux Instance Using SSH.
For information about using an SSH key to log in to your Oracle Solaris instance, see Accessing an Oracle Solaris Instance Using SSH. (Not available on Oracle Cloud at Customer)
About SSH Keys
You can log in securely to your Compute Classic instances from a remote host by using a secure shell (SSH) connection.
Note:
You can’t use SSH keys to log in to a Windows instance. To log in to your Windows instance using RDP, see Accessing a Windows Instance Using RDP.
SSH is a cryptographic network protocol that uses two keys, a public key and a private key, to provide secure communication between two computers. SSH uses port 22 by default.
Before creating instances, generate at least one SSH key pair and ensure that the private key is available on each host that you’ll use to access instances. You can use any SSH utility to generate SSH keys and log in to your instances. For example, if you’re logging in from a Windows host, you can use PuTTY. If you’re using a Linux host, you can use OpenSSH.
You can associate a single SSH public key with multiple instances. Also, if you’ve already created and uploaded SSH public keys to Compute Classic, then you can associate multiple SSH keys with an instance when you create the instance. If you’ve created your instance using an Oracle-provided image, then you can use SSH to log in to your instance as the opc user. You can then inject additional SSH public keys by editing the /home/opc/.ssh/authorized_keys file on your instance.
Caution:
If you need to edit the ~/.ssh/authorized_keys file of the opc user on an instance, then before you make any changes to the file, start a second ssh session and ensure that it remains connected while you edit the authorized_keys file. This second ssh session serves as a backup. If the authorized_keys file gets corrupted or you inadvertently make changes that result in the opc user getting locked out of the instance, then you can use the backup ssh session to fix or revert the changes. Before closing the backup session, test the changes you made in the ~/.ssh/authorized_keys file by logging in with the new or updated SSH key. Remember, if you don’t have any other user set up on your instance, and if any changes to the ~/.ssh/authorized_keys file result in the opc user getting locked out, then you might not be left with any way to access your instance.
Note:
When an instance that’s set up to boot from a nonpersistent boot disk is deleted and re-created, any SSH public keys that you added or edited manually (that is, not during instance creation) must be added or edited again. To do this, you must log in to the instance by using the original SSH private key. So retain and safeguard your original SSH private key.
To log in to an instance by using SSH, you must provide the private key that matches a public key associated with the instance.
Generating an SSH Key Pair
To access your instances using SSH, generate an SSH key pair, associate the public key with your instances, and use the private key to log in to the instances using SSH.
Note:
You can’t use SSH keys to log in to a Windows instance. To log in to your Windows instance using RDP, see Accessing a Windows Instance Using RDP.
Caution:
Keep your SSH keys secure. Lay down policies to ensure that the keys aren’t lost or compromised when employees leave the organization or move to other departments. If you lose your private key, then you can’t access your instances. For business continuity, ensure that the SSH keys of at least two IT system administrators are added to your instances.
Generating an SSH Key Pair on UNIX and UNIX-Like Systems
Use the following procedure to generate an SSH key pair on UNIX and UNIX-like systems:
- Run the ssh-keygen command. You can use the -t option to specify the type of key to create. For example, to create an RSA key, run:
ssh-keygen -t rsa
You can use the -b option to specify the length (bit size) of the key, as shown in the following example:
ssh-keygen -b 2048 -t rsa
- The command prompts you to enter the path to the file in which you want to save the key.
A default path and file name are suggested in parentheses. For example: /home/user_name/.ssh/id_rsa. To accept the default path and file name, press Enter. Otherwise, enter the required path and file name, and then press Enter.
- The command prompts you to enter a passphrase.
The passphrase is not mandatory if you want to log in to an instance created using an Oracle-provided image. However, it is recommended that you specify a passphrase to protect your private key against unauthorized use.
Note:
With some images provided on Oracle Marketplace, the use of a passphrase might be mandatory.
- When prompted, enter the passphrase again to confirm it.
The command generates an SSH key pair consisting of a public key and a private key, and saves them in the specified path. The file name of the public key is created automatically by appending .pub to the name of the private key file. For example, if the file name of the SSH private key is id_rsa, the file name of the public key would be id_rsa.pub.
Make a note of the path and file names of the private and public keys. When you create an instance, you must specify the SSH public key value. When you log in to an instance, you must provide the path to the corresponding SSH private key and you must enter the passphrase when prompted.
Generating an SSH Key Pair on Windows
You can generate an SSH key pair on a Microsoft Windows machine by using an application such as PuTTY. See the tutorial, Creating SSH Keys for Use with Oracle Cloud Services.
Adding an SSH Public Key
To access an instance using SSH, generate at least one SSH key pair and upload the SSH public key that should be associated with the instance to Compute Classic. You’ll use this SSH key to access your instance later on, when your instance is running.
Note:
You can’t use SSH keys to log in to a Windows instance. To log in to your Windows instance using RDP, see Accessing a Windows Instance Using RDP.
Prerequisites
- To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.
- You must have generated an SSH key pair. See Generating an SSH Key Pair.
Procedure
After adding an SSH public key, you can attach it to an instance when you create the instance.
To add an SSH public key using the CLI, use the opc compute ssh-key add command. For help with that command, run the command with the -h option. For the instructions to install the CLI client, see Preparing to Use the Compute Classic CLI in CLI Reference for Oracle Cloud Infrastructure Compute Classic.
To add an SSH public key using the API, use the POST /sshkey/ method. For more information, see REST API for Oracle Cloud Infrastructure Compute Classic.
Attaching an SSH Public Key to an Instance
You must attach an SSH key to an instance when you create the instance. You’ll use this SSH key to access your instance later on, when your instance is running.
Note:
You can’t use SSH keys to log in to a Windows instance. To log in to your Windows instance using RDP, see Accessing a Windows Instance Using RDP.
For more information about creating an instance, see Creating Instances.
Viewing an SSH Public Key
After you’ve generated an SSH key pair and added a public SSH key, you can view the SSH key name and value.
Note:
You don’t need to do this if you’re creating a Windows instance, because you can’t log in to a Windows instance using SSH.
To complete this task, you must have the Compute_Monitor or Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.
To view an SSH public key using the CLI, use the opc compute ssh-key get command. For help with that command, run the command with the -h option. For the instructions to install the CLI client, see Preparing to Use the Compute Classic CLI in CLI Reference for Oracle Cloud Infrastructure Compute Classic.
To view an SSH public key using the API, use the GET /sshkey/name method. For more information, see REST API for Oracle Cloud Infrastructure Compute Classic.
Updating an SSH Public Key
After adding an SSH public key to Compute Classic, you can change the key value. The updated key value takes effect when the associated instances are re-created. You can also disable and re-enable the key.
Caution:
When you disable a key that’s associated with an instance, the instance continues to be accessible using ssh. But before re-creating the instance, you must either remove the disabled key from the orchestration of that instance or enable the key. Otherwise, the orchestration won’t start.
Prerequisites
- To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.
Note:
You should always use your orchestrations to manage resources that you’ve created using orchestrations. Don’t, for example, use the web console or the CLI or REST API to update an object that you created using an orchestration. This could cause your orchestration to either attempt to re-create the object and associated resources, or to go into an error state. See Workflows for Updating Orchestrations v2.
To change the value of the SSH public key using the CLI, use the opc compute ssh-key update command. For help with that command, run the command with the -h option. For the instructions to install the CLI client, see Preparing to Use the Compute Classic CLI in CLI Reference for Oracle Cloud Infrastructure Compute Classic.
To update an SSH key using the API, use the PUT /sshkey/name method. For more information, see REST API for Oracle Cloud Infrastructure Compute Classic.
Tip:
If you update the value of an SSH public key, remember to make the corresponding private key available on each of your local hosts that’ll be used to access instances. The updated public key value takes effect when the instances that the key is associated with are re-created.
Note:
You can also update SSH public keys associated with an instance by logging in to the instance and editing the ~/.ssh/authorized_keys file.
If you need to edit the ~/.ssh/authorized_keys file of a user on your instance, then before you make any changes to the file, start a second ssh session and ensure that it remains connected while you edit the authorized_keys file. This second ssh session serves as a backup. If the authorized_keys file gets corrupted or you inadvertently make changes that result in your getting locked out of the instance, then you can use the backup ssh session to fix or revert the changes. Before closing the backup ssh session, test the changes you made in the authorized_keys file by logging in with the new or updated SSH key.
When an instance that’s set up to boot from a nonpersistent boot disk is deleted and re-created, any SSH public keys that you added or edited manually (that is, not during instance creation) must be added or edited again. To do this, you must log in to the instance by using the original SSH private key. So retain and safeguard your original SSH private key.
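The backup-session advice in the Caution under About SSH Keys and in the Note above guards against one failure: a malformed authorized_keys file locking the opc user out. The following added example (not from the Oracle documentation) adds a second guard on the instance side: it syntax-checks a candidate file and installs it atomically with a backup, so the live file is never replaced by a broken one. The accepted key types and the sample lines are constructed for the example; a line passing the check is well-formed, not necessarily trusted.

```shell
#!/bin/sh
# Added example, not part of the Oracle documentation: check a candidate
# authorized_keys file before it replaces the live one, so a malformed line
# cannot lock the opc user out while your backup ssh session is still open.
# Key types listed and sample lines are constructed by the example author.

# Return 0 if every non-comment line is "[options] keytype base64 [comment]".
validate_authorized_keys() {
  file="$1"
  lineno=0
  status=0
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    case "$line" in
      ''|'#'*) continue ;;    # blank lines and comments are allowed
    esac
    # Options such as from="..." or no-pty may precede the key type token.
    if printf '%s\n' "$line" | grep -Eq \
      '(^|[[:space:]])(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))[[:space:]]+[A-Za-z0-9+/]+=*([[:space:]]|$)'; then
      continue
    fi
    echo "line $lineno: not a valid public key entry" >&2
    status=1
  done < "$file"
  return "$status"
}

# Replace target ($2, default ~/.ssh/authorized_keys) with candidate ($1) only
# if the candidate validates; keep a timestamped backup and rename atomically.
install_authorized_keys() {
  candidate="$1"
  target="${2:-$HOME/.ssh/authorized_keys}"
  validate_authorized_keys "$candidate" || return 1
  if [ -f "$target" ]; then cp -p "$target" "$target.bak.$(date +%Y%m%d%H%M%S)"; fi
  tmp="$target.tmp.$$"
  cp "$candidate" "$tmp" && chmod 600 "$tmp" && mv "$tmp" "$target"
}

# Demo on constructed input: one well-formed ed25519 line plus one broken line.
demo_authorized_keys_check() {
  sample="${TMPDIR:-/tmp}/authorized_keys.sample.$$"
  printf '%s\n' \
    '# constructed sample, not a real key' \
    'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEexampleEXAMPLE0 opc@example' \
    'ssh-rsa this-is-not-base64! broken@example' > "$sample"
  validate_authorized_keys "$sample" && echo "sample accepted" || echo "sample rejected"
  rm -f "$sample"
}
demo_authorized_keys_check
```

The demo reports "sample rejected" because of the broken second entry; with only the ed25519 line the same file would be accepted and installed.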
Disabling an SSH Public Key
When you add an SSH public key, by default the key is enabled. At any time, you can disable the key, and enable it again.
Caution:
When you disable a key that’s associated with an instance, the instance continues to be accessible using ssh. But before re-creating the instance, you must either remove the disabled key from the orchestration of that instance or enable the key. Otherwise, the orchestration won’t start.
To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.
To disable an SSH key using the CLI, use the opc compute ssh-key update command. For help with that command, run the command with the -h option. For the instructions to install the CLI client, see Preparing to Use the Compute Classic CLI in CLI Reference for Oracle Cloud Infrastructure Compute Classic.
Note:
When you use the opc compute ssh-keys update command, you must provide the path to the SSH public key file as an argument to this command. If you no longer have the public key file on your local host, you can download the public key by using the opc compute ssh-keys get command, as described in Preparing to Use the Compute Classic CLI in CLI Reference for Oracle Cloud Infrastructure Compute Classic.
To disable an SSH public key using the API, use the PUT /sshkey/name method. For more information, see REST API for Oracle Cloud Infrastructure Compute Classic.
Enabling an SSH Public Key
When you add an SSH public key, by default the key is enabled. If you’ve disabled a key, you can enable it at any time.
Note:
You don’t need to do this if you’re creating a Windows instance, because you can’t log in to a Windows instance using SSH.
To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.
To enable an SSH key using the CLI, use the opc compute ssh-key update command. For help with that command, run the command with the -h option. For the instructions to install the CLI client, see Preparing to Use the Compute Classic CLI in CLI Reference for Oracle Cloud Infrastructure Compute Classic.
Note:
When you use the opc compute ssh-keys update command, you must provide the path to the SSH public key file as an argument to this command. If you no longer have the public key file on your local host, you can download the public key by using the opc compute ssh-keys get command, as described in Preparing to Use the Compute Classic CLI in CLI Reference for Oracle Cloud Infrastructure Compute Classic.
To enable an SSH public key using the API, use the PUT /sshkey/name method. For more information, see REST API for Oracle Cloud Infrastructure Compute Classic.
Deleting an SSH Public Key
When you no longer need an SSH public key, you can delete it.
Caution:
When you delete a key that’s associated with an instance, the instance continues to be accessible using ssh. But before re-creating the instance, you must remove the deleted key from the orchestration of that instance. Otherwise, the orchestration won’t start.
Prerequisites
- To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.
Note:
You should always use your orchestrations to manage resources that you’ve created using orchestrations. Don’t, for example, use the web console or the CLI or REST API to delete an object that you created using an orchestration. This could cause your orchestration to either attempt to re-create the object and associated resources, or to go into an error state.
If you created the object using orchestration v1, then you can delete the object by terminating the orchestration. See Terminating an Orchestration v1.
If you created the object using an orchestration v2, then you can delete the object by suspending, terminating, or updating the orchestration. See Suspending an Orchestration v2, Terminating an Orchestration v2, or Updating an Orchestration v2.
Procedure
To delete an SSH public key using the CLI, use the opc compute ssh-key delete command. For help with that command, run the command with the -h option. For the instructions to install the CLI client, see Preparing to Use the Compute Classic CLI in CLI Reference for Oracle Cloud Infrastructure Compute Classic.
To delete an SSH public key using the API, use the DELETE /sshkey/name method. For more information, see REST API for Oracle Cloud Infrastructure Compute Classic.