Ask Your Question
3

Is it possible to create instance with multiple SSH keys?

asked 2015-09-24 07:10:59 -0500

rozie gravatar image

updated 2015-09-25 09:19:49 -0500

When running nova boot from CLI, --key-name can be specified. Looks like there can only be one (only one seems to be used). Is it possible - in any reasonable way[1] - to create assign more than one SSH key to an instance? Don't have to be with nova boot command, can be any other way (another command, API etc.).

[1] Hacks like creation of a key which consist of two keys is not an option here.

UPDATE: Reported a bug for this feature: https://bugs.launchpad.net/nova/+bug/...

edit retag flag offensive close merge delete

Comments

Why do you consider putting two SSH keys into one nova key-pair a hack? That looks to me like a proper, easy solution.

j-harbott gravatar imagej-harbott ( 2015-09-24 08:19:44 -0500 )edit

It does not scale. Consider having 10 users (keys) and wanting to assign different set of their keys to different instances: first instance - keys 1 and 2, second - keys 2, 3, 4, third - keys 1, 3, 4 etc. How many keypairs would I need to create?

rozie gravatar imagerozie ( 2015-09-25 03:50:33 -0500 )edit
add a comment

2 answers

Sort by » oldest newest most voted
4

answered 2015-09-25 05:22:29 -0500

dasp gravatar image

updated 2015-09-25 05:24:17 -0500

It is possible via cloud-init for images that support it. In Horizon, you'd feed the following as a user-script (you can do the same via nova boot CLI):

#cloud-config
ssh_authorized_keys:
    - ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAGEA3FSyQwBI6Z+nCSjUUk8EEAnnkhXlukKoUPND/RRClWz2s5TCzIkd3Ou5+Cyz71X0XmazM3l5WgeErvtIwQMyT1KjNoMhoJMrJnWqQPOt5Q8zWd9qG7PBl9+eiH5qV7NZ mykey@host
    - ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA3I7VUf2l5gSn5uavROsc5HRDpZdQueUq5ozemNSj8T7enqKHOEaFoU2VoPgGEWC9RyzSQVeyD6s7APMcE82EtmW4skVEgEGSbDc1pvxzxtchBj78hJP6Cf5TCMFSXw+Fz5rF1dR23QDbN1mkHs7adr8GW4kSWqU7Q7NDwfIrJJtO7Hi42GyXtvEONHbiRPOe8stqUly7MvUoN+5kfjBM8Qqpfl2+FNhTYWpMfYdPUnE7u536WqzFmsaqJctz3gBxH9Ex7dFtrxR4qiqEr9Qtlu3xGn7Bw07/+i1D+ey3ONkZLN+LQ714cgj8fRS4Hj29SCmXp5Kt5/82cD/VN3NtHw== smoser@brickies

You can set as many keys as you wish, they would all apply to the default user (e.g. ubuntu).

To set it via CLI, save the cloud-config script to a ~/user-data.txt file and use: nova boot --user-data ~/user-data.txt [...]

All you can do with #cloud-init: https://bazaar.launchpad.net/~cloud-i...

edit flag offensive delete link more

Comments

This will work, but it's workaround too. I believe if there's a way in nova to set up SSH keys, it should work for any number of keys (or remove this option at all and let's use cloud-config for SSH keys). Bug reported.

rozie gravatar imagerozie ( 2015-09-25 09:23:36 -0500 )edit

Thanks, +1'ed

vincent-legoll gravatar imagevincent-legoll ( 2015-09-29 01:59:57 -0500 )edit
add a comment
2

answered 2015-09-24 12:40:56 -0500

apu123 gravatar image

Here are a couple idea, though I am sure there are better solutions out there:

Option 1: Just add them manually after the instance has launched (add them to .ssh/authorized_keys)?

Option 2: Add a script to the nova boot command with the --user-data option. However, I understand this is a cloud-init only feature, ie for ubuntu VMs. However, the user-data service is still available to a non-cloud-init VM, so you could theoretically write a boot script for your VM that runs every time it boots to check if there is a user-data script waiting for it.

I'm curious what other folks have to say...

edit flag offensive delete link more

Comments

Those are workarounds. Of course they will work, but I guess bug should be reported against Openstack if it does allow only for single key (I'm not sure about this, so that's why I'm asking). Authorized_keys allows for many keys, I see no point in using string instead of array of strings on boot.

rozie gravatar imagerozie ( 2015-09-25 03:53:20 -0500 )edit

Yes, I think you should ask for an enhancement request / bug to allow for multiple "--key-name" options to be specified on command line

vincent-legoll gravatar imagevincent-legoll ( 2015-09-25 04:09:00 -0500 )edit

and put a link here, so that we can go put "+1"s on it ;-)

vincent-legoll gravatar imagevincent-legoll ( 2015-09-25 04:19:16 -0500 )edit

Updated a question with link to bug.

rozie gravatar imagerozie ( 2015-09-25 09:20:16 -0500 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2015-09-24 07:10:59 -0500

Seen: 5,598 times

Last updated: Sep 25 '15

Related questions

OpenStack:What is the difference between using “CLI to the OpenStack APIs” and the separate APIs of the components?

Comparing and contrasting the OpenStack API, CLI and SDK

Cannot ping/ssh to CirrOS/Ubuntu instance

cannot ssh into ubuntu instance. Connection reset by peer

Overcommitting of CPUs on Qemu?

Authentication strategy

nova fails to start server

how does nova decide the VM nic type?

Too much warning on every CLI [closed]

post creation failing