It is recommended that you add an SSH key pair so you can use it to log into your VMs instead of a password. This key pair can also be used to access private GitHub or git repositories.
Once you have the keys set up in Morpheus, you can arrange for them to be added to new VMs when they are provisioned (last step below) - note that updating these keys or adding them to existing machines needs to be done manually.
For new VMs, only the keys of the person creating the VM will be added. You have to add any other users manually.
If an LDAP server was provided as part of your tenancy (an option, typically default for EUMETSAT-homed tenancies), you may prefer to add the keys to the LDAP server instead - they will then work on all machines (already provisioned or future ones) and can be updated at any time. This section is just about "local" Morpheus-created users. Here's the Getting Started for EUMETSAT tenancies: EUMETSAT tenancy: Default setup
To use the keys for passwordless login, please look at one of the many guides on the Internet for your ssh client (examples below), but note that you may need to convert the key format in some cases.
- openssh (standard command line tool for Linux and Mac) - https://serverpilot.io/docs/how-to-use-ssh-public-key-authentication/
- PuTTY - https://system.cs.kuleuven.be/cs/system/security/ssh/setupkeys/putty-with-key.html
- mobaxterm - https://cinhtau.net/2016/02/03/use-ssh-keys-for-authentication-with-mobaxterm/
Creating the keys
You will need to create a key pair if you don't have an existing key pair already. If you do, then see below.
From a Linux or Mac, you may generate it with the command (follow the instructions it prompts you with):
ssh-keygen -m pem -t rsa
This creates a key pair in "PEM" format, as required by Morpheus, using the RSA algorithm (elliptic curves seem not to be supported yet).
Converting existing keys
Note that it's often good practice to use different credentials for different services, so you may want to create a new key pair instead of reusing existing ones.
However, if you do want to reuse existing keys, they're probably in OpenSSH format, and Morpheus wants PEM (RSA) format. Take a copy first, as the conversion process overwrites the original, then run ssh-keygen -p -m pem -f /path/to/key_to_be_converted_and_overwritten.
For non-OpenSSH formats or clients, please search for an appropriate conversion mechanism or contact EWC support for help.
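The copy-then-convert step above, with a check of the result before upload, as an added example (not part of the original page or of EWC tooling). The function names `key_format` and `convert_copy_to_pem` are hypothetical, and it assumes OpenSSH's `ssh-keygen` is on the PATH.

```shell
# Added example; key_format and convert_copy_to_pem are hypothetical names.

# Print the container format of a private key file, judged from its first line.
key_format() {
    case "$(head -n 1 "$1" | tr -d '\r')" in
        "-----BEGIN RSA PRIVATE KEY-----")     echo "pem-rsa" ;;  # format the page asks for
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo "openssh" ;;  # needs converting
        "-----BEGIN EC PRIVATE KEY-----")      echo "pem-ec" ;;   # elliptic curve key
        "-----BEGIN PRIVATE KEY-----"|"-----BEGIN ENCRYPTED PRIVATE KEY-----")
                                               echo "pkcs8" ;;
        *)                                     echo "unknown" ;;
    esac
}

# Usage: convert_copy_to_pem SRC DST [extra ssh-keygen arguments]
# Copies SRC to DST (readable by the owner only), converts the copy to PEM and
# checks the header afterwards. SRC is never modified. Without extra arguments
# ssh-keygen prompts for passphrases, which keeps them out of the process list;
# for a key with no passphrase, pass: -P "" -N ""
convert_copy_to_pem() {
    src=$1 dst=$2
    shift 2
    ( umask 077 && cp "$src" "$dst" ) || return 1
    # A non-RSA key (e.g. ed25519) never ends up with an RSA PEM header,
    # so check the result rather than assume the conversion worked.
    if ! ssh-keygen -p -m pem -f "$dst" "$@" >/dev/null ||
       [ "$(key_format "$dst")" != "pem-rsa" ]; then
        echo "no PEM RSA key produced from $src (wrong passphrase or non-RSA key?)" >&2
        rm -f "$dst"
        return 1
    fi
    echo "PEM copy written to $dst; original left unchanged"
}
```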
Adding the keys in Morpheus
- Go to Infrastructure -> Trust -> Key Pairs.
- Click the + ADD button
Then choose one of the following options:
- Select "Existing Key Pair" if you already have a key pair
or
- Select "Generate Key Pair" if you want Morpheus to generate a key pair (private and public keys) for you. In this case, save the generated private key.
- When importing an "Existing Key Pair" the following screen should appear:
- Give a meaningful name to the key, such as your username.
- You can leave the public key field blank - Morpheus will fill this automatically by (re)generating it from the private key.
- Browse for the private key, or paste its contents. For OpenSSH, it should normally be stored in ~/.ssh/id_rsa
- If your private key requires a passphrase, add it into the relevant text box.
- Save changes
Updating User Settings
Now that your keys are added into Morpheus, you may also configure your user profile so the keys are injected automatically into every new VM you provision when your Linux user is created. See Setting up your User Settings for more information.
9 Comments
Unknown User (famp)
It seems that ed25519 keys are not supported.
Darren Snee
Yeah, unknown is correct, the bash build line in the documentation should be changed from
ssh-keygen -m pem
to
ssh-keygen -m pem -t rsa
the system gives no warning if it fails.
It's worth not pasting in your public key and if it doesn't regenerate it for you, then you know it has failed to go in.
Mike Grant
Thanks Darren, didn't think to force the type. I've edited the documentation.
Darren Snee
no worries, thought it might save someone some time down the line
Unknown User (famp)
The documentation hint states that:
Certain features do not require storage of the private key.
It would be more interesting to know which features "do" require storage of the private key. Also users should be encouraged to generate a special pair of private and public keys (or a new pair could be generated inside the system), the current setup might lead to some users uploading their private key and a passphrase, which they also use elsewhere, which doesn't look very safe.
Xavier Abellan
The private key is mainly to be used if you want to integrate a private git repo in Morpheus which requires authentication. In that case, you could use user/password or the keys. For the purpose of SSH into the different instances, the public key is enough.
Olaf Tuinder
I'm trying to add an ssh key pair, but the input window gives errors on the private key part. Can anyone confirm?
Mike Grant
Hi Olaf Tuinder
It seems that Morpheus has changed since we wrote the article and now only accepts private keys in PEM format (though looks like the public key is in openssh format, infuriatingly). Assuming you're using openssh like 99% of the ssh'ing world, you can convert an existing key with:
# Note this will overwrite the key file, so take a copy first and operate on that!
# No passphrase
ssh-keygen -p -m pem -f /path/to/key
# With passphrase
ssh-keygen -p -P "old passphrase" -N "new passphrase" -m pem -f path/to/key
Or you can generate a new keypair with
ssh-keygen -m pem
Small tip - it seems you only have to provide the private key to Morpheus and it'll (re)generate the public part for you.
Please could you test if this works and, if so, we'll update this article? It seemed to work for me, with an RSA key at least.
Cheers,
Mike.
(p.s. edited to correct a missing -p from the 'no passphrase' command, thanks Olaf )
Olaf Tuinder
Hi Mike
I followed the 'No passphrase' option, which generated a new key pair, and Morpheus accepted both these public and private keys. It also accepted only my private key and generated something itself, like you said.