SSH Key Authentication Overview
22/Apr 2018
For those of you new to automation, it can be overwhelming on first exposure to handle every link in the chain to launch your first Nutanix Calm blueprint. Many Calm Marketplace blueprints leverage Linux, cloud-init, and SSH keypairs to enable security best-practices for composable infrastructure as code.
Under Construction
I will continue to update and expand this blog, it serves as a script for a quick video I plan to make.
The Basics
- Linux operating system images ready for the cloud do not have any
accounts with credentials by default.
- Therefore, one cannot remotely log in to a cloud VM = security best practice.
- Static passwords are pets, passwords should have a dynamic lifecycle.
- But if you must use a static password, make it mathematically secure.
- SSH keys = long mathematical passwords, broken into public and private parts.
Combining these two ideas together, one would want to dynamically insert SSH public keys onto a cloud VM during instantiation. For Linux, cloud-init provides this facility.
The Details: SSH
Secure SHell (SSH) keys can be generated by:
- ssh-keygen in Linux and MacOS
- cygwin on Windows to get the OpenSSH suite
- Perhaps? it is easier to use Windows Powershell SSH, but I haven’t tried this yet.
- WSL: Windows Subsystem for Linux
- PuTTY-gen on Windows
- For exported PuTTY keys, they have their own .PPK format.
- Insure you export the public key, then private key in OpenSSH format and append .pem file suffix.
- Make your keys passphraseless (i.e.: no password to unlock) and store them in a secure place.
- https://portal.nutanix.com/#/page/docs/details?targetId=Nutanix-Calm-Admin-Operations-Guide-v59:nuc-generating-ssh-key-windows-t.html
Use Your SSH Keypair
How do I put a SSH public key onto a VM image?
Easy Way
- bake credentials into the VM image by putting SSH cred on an VM,
- export a snapshot of the VM,
- use that as your image with the pre-seeded SSH credential.
We use the easy way at Calm bootcamps, but it is a bad security practice for credentials to be static. Start here, but improve to the next section after you’ve achieved your first success. To use static credential in the Calm blueprint:
- For each service, select that VM image with SSH credentials
- In the Application Profile, populate the public key variable with your public key and uncheck the runtime checkbox.
- In the Credentials section, upload your private key, toggle off runtime icon.
- Launch your blueprint and insure Calm can login and orchestrate your VM images.
- Troubleshooting: insure that cloud-init username matches the Credentials login account name.
Security Best Practice
- For Linux, use a cloud-init enabled VM image
- Use cloud-init to inject your public key upon VM boot (you can do this for AHV VMs with the guest-customization area in Calm) as a runtime variable in the Application profile
- Give Calm your private key as a runtime credential during launch
- This practice is used for the Marketplace blueprints on Linux.
Please see this Nutanix Knowledge Base article: https://portal.nutanix.com/kb/5232
The Details: Linux cloud images
- Should be cloud-init enabled disk images, not an ISO.
- e.g.: https://wiki.centos.org/Download > Cloud/Containers section > http://cloud.centos.org/centos/7/images/CentOS-7-x86_64-GenericCloud.qcow2 (note that I chose the uncompressed QCOW2 format for the AHV Image Service)
- Troubleshooting:
tail /var/log/cloud-init-output.log
In Practice
On Windows, you can configure your PuTTY session to use your SSH keypair, but it is even better to load your SSH keypair into PuTTY-Agent for every PuTTY session to attempt to use. While your PuTTY client software will use your PuTTY keypair, please note that you must export your PuTTY keypair to the OpenSSH format to be used on the server. Furthermore, during upload, Calm may require you to name your private key with the .pem file suffix. You can workaround this by opening your private key file, selecting all, and then cutting and pasting the contents.
For Unix/Linux/MacOS, you can generate your keypair with ssh-keygen and load your OpenSSH keypair into ssh-agent upon shell invocation. In this example, I used 4096 bits (which is considered secure today, less bits are easier to crack), I saved my key into my home directory’s .ssh folder, and I also saved it without a passphrase to make things easier. I would recommend using a passphrase next, because Calm can support it now.
ssh-keygen -m pem -b 4096 -f ~/.ssh/First.LastName-YYYY-passphraseless
Fortunately, because you have likely provided your SSH keypair while provisioning a blueprint, Calm will reuse these credentials when you audit the Application deployment: pick the Manage tab, choose the VM service desired, and then leverage the Web terminal session to log in with one-click!