2 Enabling Secure Access to Instances Using SSH

This section provides information about generating and using SSH keys to enable secure access to your instances.

Note:

You can’t use SSH keys to log in to a Windows instance. To log in to your Windows instance using RDP, see Accessing a Windows Instance Using RDP.

For information about using an SSH key to log in to your Oracle Linux instance, see Accessing an Oracle Linux Instance Using SSH.

For information about using an SSH key to log in to your Oracle Solaris instance, see Accessing an Oracle Solaris Instance Using SSH. (Not available on Oracle Cloud at Customer)

About SSH Keys

You can log in securely to your Compute Classic instances from a remote host by using a secure shell (SSH) connection.

SSH is a cryptographic network protocol that uses two keys, a public key and a private key, to provide secure communication between two computers. SSH uses port 22 by default.

Before creating instances, generate at least one SSH key pair and ensure that the private key is available on each host that you’ll use to access instances. You can use any SSH utility to generate SSH keys and log in to your instances. For example, if you’re logging in from a Windows host, you can use PuTTY. If you’re using a Linux host, you can use OpenSSH.

You can associate a single SSH public key with multiple instances. Also, if you’ve already created and uploaded SSH public keys to Compute Classic, then you can associate multiple SSH keys with an instance when you create the instance. If you’ve created your instance using an Oracle-provided image, then you can use SSH to log in to your instance as the opc user. You can then inject additional SSH public keys by editing the /home/opc/.ssh/authorized_keys file on your instance.

Caution:

If you need to edit the ~/.ssh/authorized_keys file of the opc user on an instance, then before you make any changes to the file, start a second ssh session and ensure that it remains connected while you edit the authorized_keys file. This second ssh session serves as a backup. If the authorized_keys file gets corrupted or you inadvertently make changes that result in the opc user getting locked out of the instance, then you can use the backup ssh session to fix or revert the changes. Before closing the backup session, test the changes you made in the ~/.ssh/authorized_keys file by logging in with the new or updated SSH key. Remember, if you don’t have any other user set up on your instance, and if any changes to the ~/.ssh/authorized_keys file result in the opc user getting locked out, then you might not be left with any way to access your instance.

Note:

When an instance that’s set up to boot from a nonpersistent boot disk is deleted and re-created, any SSH public keys that you added or edited manually (that is, not during instance creation) must be added or edited again. To do this, you must log in to the instance by using the original SSH private key. So retain and safeguard your original SSH private key.

To log in to an instance by using SSH, you must provide the private key that matches a public key associated with the instance.

Generating an SSH Key Pair

To access your instances using SSH, generate an SSH key pair, associate the public key with your instances, and use the private key to log in to the instances using SSH.

Caution:

Keep your SSH keys secure. Lay down policies to ensure that the keys aren’t lost or compromised when employees leave the organization or move to other departments. If you lose your private key, then you can’t access your instances. For business continuity, ensure that the SSH keys of at least two IT system administrators are added to your instances.

Generating an SSH Key Pair on UNIX and UNIX-Like Systems

Use the following procedure to generate an SSH key pair on UNIX and UNIX-like systems:

  1. Run the ssh-keygen command.

    You can use the -t option to specify the type of key to create.

    For example, to create an RSA key, run:

    ssh-keygen -t rsa
    

    You can use the -b option to specify the length (bit size) of the key, as shown in the following example:

    ssh-keygen -b 2048 -t rsa
    
  2. The command prompts you to enter the path to the file in which you want to save the key.

    A default path and file name are suggested in parentheses. For example: /home/user_name/.ssh/id_rsa. To accept the default path and file name, press Enter. Otherwise, enter the required path and file name, and then press Enter.

  3. The command prompts you to enter a passphrase.

    The passphrase is not mandatory if you want to log in to an instance created using an Oracle-provided image. However, it is recommended that you specify a passphrase to protect your private key against unauthorized use.

    Note:

    With some images provided on Oracle Marketplace, the use of a passphrase might be mandatory.

  4. When prompted, enter the passphrase again to confirm it.

The command generates an SSH key pair consisting of a public key and a private key, and saves them in the specified path. The file name of the public key is created automatically by appending .pub to the name of the private key file. For example, if the file name of the SSH private key is id_rsa, the file name of the public key would be id_rsa.pub.

Make a note of the path and file names of the private and public keys. When you create an instance, you must specify the SSH public key value. When you log in to an instance, you must provide the path to the corresponding SSH private key and you must enter the passphrase when prompted.

Generating an SSH Key Pair on Windows

You can generate an SSH key pair on a Microsoft Windows machine by using an application such as PuTTY. See the tutorial, Creating SSH Keys for Use with Oracle Cloud Services.

Adding an SSH Public Key

To access an instance using SSH, generate at least one SSH key pair and upload the SSH public key that should be associated with the instance to Compute Classic. You’ll use this SSH key to access your instance later on, when your instance is running.

Prerequisites

  • To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

  • You must have generated an SSH key pair. See Generating an SSH Key Pair.

Procedure

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab, and then in the Network drop-down list, click SSH Public Keys.
    The SSH Public Keys page is displayed.
  3. Click Add SSH Public Key.
  4. Enter or select the following details:
    • Enter a name for the key.

      Choose a name that you can use to identify the key easily.

    • In the Value field, click Select File. Navigate to the path where your SSH key is saved, and select the SSH public key file that you want to add. The value of the SSH key appears in the field.

      Alternatively, you can paste the value of the SSH public key that you want to add.

      Important:

      Paste the key value exactly as it was generated. Don’t append or insert any spaces, characters, or line breaks.

      See the following example:


      Screenshot showing an example of an SSH public key entered in the Value field.

    • To enable the key, select the Enabled check box. Alternatively, you can deselect the check box and enable the key later.

  5. Click Add.

After adding an SSH public key, you can attach it to an instance when you create the instance.

To add an SSH public key using the CLI, use the opc compute ssh-key add command. For help with that command, run the command with the -h option. For the instructions to install the CLI client, see Preparing to Use the Compute Classic CLI in CLI Reference for Oracle Cloud Infrastructure Compute Classic.

To add an SSH public key using the API, use the POST /sshkey/ method. For more information, see REST API for Oracle Cloud Infrastructure Compute Classic.

Attaching an SSH Public Key to an Instance

You must attach an SSH key to an instance when you create the instance. You’ll use this SSH key to access your instance later on, when your instance is running.

For more information about creating an instance, see Creating Instances.

Viewing an SSH Public Key

After you’ve generated an SSH key pair and added a public SSH key, you can view the SSH key name and value.

Note:

You don’t need to do this if you’re creating a Windows instance, because you can’t log in to a Windows instance using SSH.

To complete this task, you must have the Compute_Monitor or Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab, and then in the Network drop-down list, click SSH Public Keys.
    The SSH Public Keys page is displayed.
  3. You can filter the list of SSH public keys according to their category or status. To list SSH keys with a specific status (such as enabled or disabled), click the Show menu and select the appropriate filter. To list SSH keys of a specific category (such as all or personal), click the Category menu and select the appropriate filter.
  4. Go to the SSH key that you want to view. From its menu (menu icon), select View.

To view an SSH public key using the CLI, use the opc compute ssh-key get command. For help with that command, run the command with the -h option. For the instructions to install the CLI client, see Preparing to Use the Compute Classic CLI in CLI Reference for Oracle Cloud Infrastructure Compute Classic.

To view an SSH public key using the API, use the GET /sshkey/name method. For more information, see REST API for Oracle Cloud Infrastructure Compute Classic.

Updating an SSH Public Key

After adding an SSH public key to Compute Classic, you can change the key value. The updated key value takes effect when the associated instances are re-created. You can also disable and re-enable the key.

Caution:

When you disable a key that’s associated with an instance, the instance continues to be accessible using ssh. But before re-creating the instance, you must either remove the disabled key from the orchestration of that instance or enable the key. Otherwise, the orchestration won’t start.

Prerequisites

  • To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

Note:

You should always use your orchestrations to manage resources that you’ve created using orchestrations. Don’t, for example, use the web console or the CLI or REST API to update an object that you created using an orchestration. This could cause your orchestration to either attempt to re-create the object and associated resources, or to go into an error state. See Workflows for Updating Orchestrations v2.

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab, and then in the Network drop-down list, click SSH Public Keys.
    The SSH Public Keys page is displayed.
  3. Identify the key that you want to update. From its menu (menu icon), select Update.
    The Edit SSH Public Key dialog box is displayed.
  4. In the Value field, click Select File. Navigate to the path where your SSH key is saved, and select the SSH public key file that you want to add. The value of the SSH key appears in the field.
    Alternatively, you can copy and paste the new value of the SSH public key in the Value field.

    Important:

    Paste the key value exactly as it was generated. Don’t append or insert any spaces, characters, or line breaks.

    See the following example:


    Screenshot showing an example of an SSH public key entered in the Value field.

  5. Enable or disable the key, as required.
  6. Click Update.
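
Both Important notes (when adding a key and when updating one) require the value to be pasted exactly as it was generated. The following Python check is an added example, not part of Oracle's documentation or tooling: it parses a one-line OpenSSH public key value and rejects inserted line breaks, truncated data, and a key type that does not match the encoded data. The function names and the sample key (a constructed, non-functional value) are assumptions for illustration.

```python
import base64
import hashlib
import struct


def wire_fields(blob):
    """Split SSH wire-format key data into its length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix in key data")
        (size,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + size > len(blob):
            raise ValueError("key data is shorter than it declares (truncated paste?)")
        fields.append(blob[pos:pos + size])
        pos += size
    return fields


def check_public_key(value):
    """Return (key_type, rsa_bits_or_None, fingerprint); raise ValueError if damaged."""
    if "PRIVATE KEY" in value:
        raise ValueError("this is a private key file; only the .pub value is uploaded")
    value = value.strip()
    if "\n" in value or "\r" in value:
        raise ValueError("key value contains a line break")
    parts = value.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    # Strict decoding: bad characters or padding raise binascii.Error (a ValueError).
    blob = base64.b64decode(b64, validate=True)
    fields = wire_fields(blob)
    # The key type is repeated inside the encoded data; both copies must agree.
    if not fields or fields[0] != key_type.encode():
        raise ValueError("key type does not match the encoded key data")
    bits = None
    if key_type == "ssh-rsa":
        if len(fields) != 3:  # type, public exponent e, modulus n
            raise ValueError("ssh-rsa key data must hold exactly e and n")
        bits = int.from_bytes(fields[2], "big").bit_length()
    digest = hashlib.sha256(blob).digest()
    return key_type, bits, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def sample_rsa_line():
    """Constructed, non-functional 2048-bit ssh-rsa value used only for the demo."""
    def field(data):
        return struct.pack(">I", len(data)) + data
    modulus = ((1 << 2047) | 1).to_bytes(257, "big")  # leading 0x00 keeps it positive
    blob = field(b"ssh-rsa") + field((65537).to_bytes(3, "big")) + field(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " opc@example"


if __name__ == "__main__":
    good = sample_rsa_line()
    print(check_public_key(good))
    try:
        check_public_key(good[:120] + "\n" + good[120:])  # line break pasted in
    except ValueError as err:
        print("rejected:", err)
```

The fingerprint is in the same SHA256 format that ssh-keygen -l -f prints for the .pub file, so the value about to be pasted can be compared against the key on disk.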

To change the value of the SSH public key using the CLI, use the opc compute ssh-key update command. For help with that command, run the command with the -h option. For the instructions to install the CLI client, see Preparing to Use the Compute Classic CLI in CLI Reference for Oracle Cloud Infrastructure Compute Classic.

To update an SSH key using the API, use the PUT /sshkey/name method. For more information, see REST API for Oracle Cloud Infrastructure Compute Classic.

Tip:

If you update the value of an SSH public key, remember to make the corresponding private key available on each of your local hosts that’ll be used to access instances. The updated public key value takes effect when the instances that the key is associated with are re-created.

Note:

You can also update SSH public keys associated with an instance by logging in to the instance and editing the ~/.ssh/authorized_keys file.

If you need to edit the ~/.ssh/authorized_keys file of a user on your instance, then before you make any changes to the file, start a second ssh session and ensure that it remains connected while you edit the authorized_keys file. This second ssh session serves as a backup. If the authorized_keys file gets corrupted or you inadvertently make changes that result in your getting locked out of the instance, then you can use the backup ssh session to fix or revert the changes. Before closing the backup ssh session, test the changes you made in the authorized_keys file by logging in with the new or updated SSH key.

When an instance that’s set up to boot from a nonpersistent boot disk is deleted and re-created, any SSH public keys that you added or edited manually (that is, not during instance creation) must be added or edited again. To do this, you must log in to the instance by using the original SSH private key. So retain and safeguard your original SSH private key.
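
The authorized_keys cautions above describe a lockout caused by a corrupted or badly edited file. As an added example (not Oracle's procedure or code), this Python function appends a key without rewriting existing entries, keeps a backup copy, and swaps the new file in atomically with 0600 permissions. The function name, the .bak suffix and the sample key strings are assumptions; it expects a plain .pub line and should run as the account that owns the file.

```python
import os
import shutil
import tempfile


def add_authorized_key(auth_path, new_key_line):
    """Append one public key line; return True if the file was changed."""
    new_key_line = new_key_line.strip()
    parts = new_key_line.split()
    if "\n" in new_key_line or len(parts) < 2:
        raise ValueError("expected a single '<type> <base64> [comment]' line")
    existing = ""
    if os.path.exists(auth_path):
        with open(auth_path, encoding="utf-8") as fh:
            existing = fh.read()
    # Same key data already present (possibly under another comment): no change.
    if any(parts[1] in line.split() for line in existing.splitlines()):
        return False
    if existing:
        # Untouched copy that the backup ssh session can restore from.
        shutil.copy2(auth_path, auth_path + ".bak")
        if not existing.endswith("\n"):
            existing += "\n"  # never glue the new key onto the last existing line
    # Write the complete new file beside the old one, then swap it in atomically,
    # so sshd never reads a half-written authorized_keys.
    fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(auth_path) or ".")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(existing + new_key_line + "\n")
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp_path, 0o600)  # keep the file private to its owner
        os.replace(tmp_path, auth_path)
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    return True


if __name__ == "__main__":
    # Demo on a scratch directory with constructed (non-functional) key strings.
    scratch = tempfile.mkdtemp()
    path = os.path.join(scratch, "authorized_keys")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("ssh-rsa AAAAB3ExistingKey admin1")  # note: no trailing newline
    print(add_authorized_key(path, "ssh-ed25519 AAAAC3NewKey admin2"))  # True
    print(add_authorized_key(path, "ssh-ed25519 AAAAC3NewKey admin2"))  # False
    print(open(path, encoding="utf-8").read())
```

Existing entries are only ever copied through unchanged, so the key used by the open backup session stays valid while the new key is tested.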

Disabling an SSH Public Key

When you add an SSH public key, by default the key is enabled. At any time, you can disable the key, and enable it again.

Caution:

When you disable a key that’s associated with an instance, the instance continues to be accessible using ssh. But before re-creating the instance, you must either remove the disabled key from the orchestration of that instance or enable the key. Otherwise, the orchestration won’t start.

To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab, and then in the Network drop-down list, click SSH Public Keys.
    The SSH Public Keys page is displayed.
  3. Identify the SSH public key that you want to disable. From its menu (menu icon), select Update.
  4. In the Edit SSH Public Key dialog box, deselect Enabled and click Update.

To disable an SSH key using the CLI, use the opc compute ssh-key update command. For help with that command, run the command with the -h option. For the instructions to install the CLI client, see Preparing to Use the Compute Classic CLI in CLI Reference for Oracle Cloud Infrastructure Compute Classic.

Note:

When you use the opc compute ssh-key update command, you must provide the path to the SSH public key file as an argument to this command. If you no longer have the public key file on your local host, you can download the public key by using the opc compute ssh-key get command, as described in Preparing to Use the Compute Classic CLI in CLI Reference for Oracle Cloud Infrastructure Compute Classic.

To disable an SSH public key using the API, use the PUT /sshkey/name method. For more information, see REST API for Oracle Cloud Infrastructure Compute Classic.

Enabling an SSH Public Key

When you add an SSH public key, by default the key is enabled. If you’ve disabled a key, you can enable it at any time.

Note:

You don’t need to do this if you’re creating a Windows instance, because you can’t log in to a Windows instance using SSH.

To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab, and then in the Network drop-down list, click SSH Public Keys.
    The SSH Public Keys page is displayed.
  3. Identify the SSH public key that you want to enable. From its menu (menu icon), select Update.
  4. In the Edit SSH Public Key dialog box, select Enabled and click Update.

To enable an SSH key using the CLI, use the opc compute ssh-key update command. For help with that command, run the command with the -h option. For the instructions to install the CLI client, see Preparing to Use the Compute Classic CLI in CLI Reference for Oracle Cloud Infrastructure Compute Classic.

Note:

When you use the opc compute ssh-key update command, you must provide the path to the SSH public key file as an argument to this command. If you no longer have the public key file on your local host, you can download the public key by using the opc compute ssh-key get command, as described in Preparing to Use the Compute Classic CLI in CLI Reference for Oracle Cloud Infrastructure Compute Classic.

To enable an SSH public key using the API, use the PUT /sshkey/name method. For more information, see REST API for Oracle Cloud Infrastructure Compute Classic.

Deleting an SSH Public Key

When you no longer need an SSH public key, you can delete it.

Caution:

When you delete a key that’s associated with an instance, the instance continues to be accessible using ssh. But before re-creating the instance, you must remove the deleted key from the orchestration of that instance. Otherwise, the orchestration won’t start.

Prerequisites

  • To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

Note:

You should always use your orchestrations to manage resources that you’ve created using orchestrations. Don’t, for example, use the web console or the CLI or REST API to delete an object that you created using an orchestration. This could cause your orchestration to either attempt to re-create the object and associated resources, or to go into an error state.

If you created the object using orchestration v1, then you can delete the object by terminating the orchestration. See Terminating an Orchestration v1.

If you created the object using an orchestration v2, then you can delete the object by suspending, terminating, or updating the orchestration. See Suspending an Orchestration v2, Terminating an Orchestration v2, or Updating an Orchestration v2.

Procedure

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab, and then in the Network drop-down list, click SSH Public Keys.
    The SSH Public Keys page is displayed.
  3. Identify the SSH key that you want to delete. From its menu (menu icon), select Delete.

To delete an SSH public key using the CLI, use the opc compute ssh-key delete command. For help with that command, run the command with the -h option. For the instructions to install the CLI client, see Preparing to Use the Compute Classic CLI in CLI Reference for Oracle Cloud Infrastructure Compute Classic.

To delete an SSH public key using the API, use the DELETE /sshkey/name method. For more information, see REST API for Oracle Cloud Infrastructure Compute Classic.