It is recommended you add an SSH key pair so you can use it to log into your VMs instead of a password. This key pair can also be used to access private Github or git repositories.
Once you have the keys set up in Morpheus, you can arrange for them to be added to new VMs when they are provisioned (last step below) - note that updating these keys or adding them to existing machines needs to be done manually.
If an LDAP server was provided as part of your tenancy (an option, typically default for EUMETSAT-homed tenancies), you may prefer to add the keys to the LDAP server instead - they will then work on all machines (already provisioned or future ones) and can be updated at any time. This section is just about "local" Morpheus-created users. Here's the Getting Started for EUMETSAT tenancies: EUMETSAT tenancy: Default setup
To use the keys for passwordless login, please look at one of the many guides on the Internet for your ssh client (examples below) but note you may need to transform key format in some cases.
- openssh (standard command line tool for Linux and Mac) - https://serverpilot.io/docs/how-to-use-ssh-public-key-authentication/
- PuTTY - https://system.cs.kuleuven.be/cs/system/security/ssh/setupkeys/putty-with-key.html
- mobaxterm - https://cinhtau.net/2016/02/03/use-ssh-keys-for-authentication-with-mobaxterm/
Creating the keys
You will need to create a key pair if you don't have an existing key pair already. If you do, then see below.
From a Linux or Mac, you may generate it with the command (follow the instructions it prompts you with):
ssh-keygen -m pem
This creates a key pair in "PEM" format, as required by Morpheus.
Converting existing keys
Note that it's often good practice to use different credentials for different services, so you may want to create a new key pair instead of reusing existing ones.
However, if you do want to reuse existing keys, they're probably in OpenSSH format, and Morpheus wants PEM (RSA) format. Take a copy first, as the conversion process overwrites the original, then run
ssh-keygen -p -m pem -f /path/to/key_to_be_converted_and_overwritten.
For non-OpenSSH formats or clients, please search for an appropriate conversion mechanism or contact EWC support for help.
Adding the keys in Morpheus
- Go to Infrastructure - Keys & Certs.
- Click the + ADD button
- The following screen should appear:
- Give a meaningful name to the key, such as your username.
- You can leave the public key field blank - Morpheus will fill this automatically by (re)generating it from the private key.
Browse for the private key, or paste its contents. For OpenSSH, it should normally be stored in:
- If your private key requires a passphrase, add it into the relevant text box.
- Save changes
Updating User Settings
Now that your keys are added into Morpheus, you may also configure your user profile so the keys are injected automatically into every new VM you provision when your Linux user is created. See Setting up your User Settings for more information.
Martin Grønlien Pejcoch
It seems that ed25519 keys are not supported.
Martin Grønlien Pejcoch
The documentation hint states that:
Certain features do not require storage of the private key.
It would be more interesting to know which features "do" require storage of the private key. Also users should be encouraged to generate a special pair of private and public keys (or a new pair could be generated inside the system), the current setup might lead to some users uploading their private key and a passphrase, which they also use elsewhere, which doesn't look very safe.
The private key is mainly to be used if you want to integrate a private git repo in Morpheus which required authentication. In that case, you could use user/password or the keys. For the purpose of SSH into the different instances, the public key is enough.
I'm trying to add an ssh key pair, but the input window gives errors on the private key part. Can anyone confirm?
Hi Olaf Tuinder
It seems that Morpheus has changed since we wrote the article and now only accepts private keys in PEM format (though looks like the public key is in openssh format, infuriatingly). Assuming you're using openssh like 99% of the ssh'ing world, you can convert an existing key with:
# Note this will overwrite the key file, so take a copy first and operate on that!
# No passphrase
ssh-keygen -p -m pem -f /path/to/key
# With passphrase
ssh-keygen -p -P "old passphrase" -N "new passphrase" -m pem -f path/to/key
Or you can generate a new keypair with
ssh-keygen -m pem
Small tip - it seems you only have to provide the private key to Morpheus and it'll (re)generate the public part for you.
Please could you test if this works and, if so, we'll update this article? It seemed to work for me, with an RSA key at least.
(p.s. edited to correct a missing -p from the 'no passphrase' command, thanks Olaf )
I followed the 'No passphrase' option, which generated a new key pair, and Morpheus accepted both these public and private keys. It also accepted only my private key and generated something itself, like you said.