Creating and Managing SSH Keypairs in OpenStack

Overview

SSH keypairs provide a secure, password-free method for accessing OpenStack instances. Rather than relying on potentially weak or forgotten passwords, keypairs use public-key cryptography to authenticate your connection. OpenStack Horizon lets you either generate new keypairs directly in the interface or import keys you've already created on your local machine.

This guide walks through both workflows, explains when to use each approach, and covers best practices for managing keypairs in production environments.

Understanding SSH Keypairs in OpenStack

An SSH keypair consists of two mathematically linked components: a private key that stays on your local machine and a public key that gets installed on your instances. When you attempt to connect, OpenStack verifies that your private key matches the public key stored in the instance, granting access without requiring a password.

OpenStack stores the public key in its database and injects it into instances during launch. You retain the private key and use it when connecting via SSH. This separation ensures that even if someone gains access to an instance, they cannot retrieve your private key to access other systems.

Generating a New Keypair in Horizon

If you don't already have an SSH keypair or prefer to create one specifically for OpenStack, Horizon provides a straightforward generation tool.

Step 1: Navigate to Key Pairs

Log into the Horizon dashboard, expand the Compute section in the left sidebar, and select Key Pairs. This page displays all keypairs associated with your project.

Step 2: Create a New Keypair

Click the Create Key Pair button in the upper right corner of the Key Pairs page.

Step 3: Configure Keypair Settings

In the dialog that appears:

• Key Pair Name: Enter a descriptive name that identifies the purpose or environment (e.g., production-webserver or dev-team-access).
• Key Type: Select SSH Key (the default option).

Leave other settings at their defaults unless your organization has specific requirements.

Step 4: Download the Private Key

Click Create Key Pair. Horizon generates the keypair and immediately prompts you to download the private key file (typically named keypair-name.pem).

Save this file immediately. OpenStack only displays the private key once. If you lose it, you cannot recover it and will need to generate a new keypair.

Step 5: Secure the Private Key

After downloading, set appropriate file permissions to prevent unauthorized access:

1chmod 400 ~/path/to/keypair-name.pem
Copy

This restricts read access to your user account only. SSH clients refuse to use key files with overly permissive permissions.

Step 6: Verify the Keypair

Return to the Key Pairs page in Horizon. Your new keypair should appear in the list with the name you specified. The Fingerprint column displays a unique identifier that you can use to verify the key's identity.

Importing an Existing SSH Key

If you already have an SSH keypair on your local machine or use the same key across multiple cloud platforms, importing the public key into OpenStack avoids creating duplicate keys.

Step 1: Locate Your Public Key

SSH public keys are typically stored in ~/.ssh/ and have a .pub extension. Common filenames include:

• id_rsa.pub
• id_ed25519.pub
• id_ecdsa.pub

To view your public key content:

1cat ~/.ssh/id_rsa.pub
Copy

The output is a single line starting with the key type (e.g., ssh-rsa or ssh-ed25519), followed by the key data and an optional comment.

Step 2: Navigate to Key Pairs in Horizon

Log into Horizon, expand the Compute section, and select Key Pairs.

Step 3: Import the Public Key

Click Import Public Key in the upper right corner.

Step 4: Enter Key Details

In the import dialog:

• Key Pair Name: Choose a descriptive name for this key in OpenStack.
• Key Type: Select SSH Key.
• Load Public Key from a file: If you prefer to upload the .pub file directly, choose this option and browse to select it.
• Public Key: Alternatively, paste the entire contents of your public key (the output from cat ~/.ssh/id_rsa.pub) into this text field.

Step 5: Complete the Import

Click Import Public Key. OpenStack validates the format and adds the key to your project. The private key remains on your local machine.

Step 6: Confirm Import Success

Return to the Key Pairs page. Your imported key should appear in the list with a matching fingerprint to your local key. You can verify the fingerprint on your local machine with:

1ssh-keygen -lf ~/.ssh/id_rsa.pub
Copy

The fingerprint displayed in Horizon should match the output from this command.

Attaching a Keypair to an Instance

Keypairs must be associated with an instance at launch time. You cannot add a keypair to a running instance through Horizon after it has been created.

During Instance Launch

When creating a new instance in Horizon:

1. Navigate to Compute > Instances and click Launch Instance.
2. Complete the instance configuration steps (name, source, flavor, networks).
3. In the Key Pair tab, select the checkbox next to the keypair you want to use.
4. Continue with the remaining configuration and launch the instance.

OpenStack injects the selected public key into the instance during initialization, typically into /home/username/.ssh/authorized_keys for the default user.

Connecting to an Instance with SSH

Once an instance is running with your keypair attached, connect using the private key.

Standard SSH Connection

1ssh -i ~/path/to/keypair-name.pem username@instance-ip-address
Copy

Replace username with the default user for your instance's operating system:

• Ubuntu: ubuntu
• CentOS: centos
• Debian: debian
• Fedora: fedora

Replace instance-ip-address with the floating IP or instance IP from Horizon.

Using SSH Config for Convenience

To avoid specifying the key file and username each time, add an entry to ~/.ssh/config:

1Host my-instance
2    HostName 203.0.113.10
3    User ubuntu
4    IdentityFile ~/.ssh/keypair-name.pem
Copy

Then connect with:

1ssh my-instance
Copy

Managing Multiple Keypairs

In production environments, you often need different keypairs for various purposes: team access, automated deployments, emergency access, and service accounts.

Organizational Strategies

By Environment: Create separate keypairs for development, staging, and production environments. This limits the scope of access if a key is compromised.

By Team: Issue unique keypairs to different teams or departments. This provides better audit trails and simplifies access revocation when team members leave.

By Function: Use dedicated keypairs for automation tools, CI/CD pipelines, and monitoring systems rather than sharing personal keys.

Naming Conventions

Use descriptive, consistent names that include:

• Environment identifier (prod, dev, staging)
• Purpose or system (webserver, database, deployment)
• Date or version if keys rotate regularly

Examples: prod-webserver-2026, dev-team-access, cicd-deploy-key

Rotating and Revoking Keypairs

Regular key rotation improves security by limiting the lifespan of any single key. Revocation becomes necessary when team members depart or keys are potentially compromised.

Deleting a Keypair from OpenStack

To remove a keypair from your project:

1. Navigate to Compute > Key Pairs in Horizon.
2. Select the checkbox next to the keypair you want to delete.
3. Click Delete Key Pairs and confirm the action.

Deleting a keypair from OpenStack does not remove it from existing instances. Instances launched with that keypair retain the public key in their authorized_keys file and remain accessible using the corresponding private key.

Removing Access from Running Instances

To revoke access to instances that have the deleted keypair:

1. Connect to the instance using an admin key or console access.
2. Edit /home/username/.ssh/authorized_keys.
3. Remove the line corresponding to the revoked public key.
4. Save the file.

The instance no longer accepts connections using that keypair.

Key Rotation Workflow

1. Generate or import a new keypair with a distinct name.
2. Launch new instances using the new keypair.
3. For existing instances, manually add the new public key to authorized_keys via console access or an existing keypair.
4. Test connectivity with the new keypair.
5. Remove the old public key from authorized_keys on all instances.
6. Delete the old keypair from OpenStack.

Troubleshooting Common Issues

Permission Denied When Connecting

If SSH returns "Permission denied (publickey)":

• Verify the private key file has correct permissions (400 or 600).
• Confirm you're using the correct username for the instance's OS.
• Check that the keypair was attached during instance launch.
• Ensure the instance's security group allows SSH traffic on port 22.

"Unprotected Private Key File" Error

SSH refuses to use key files with overly permissive permissions:

1chmod 400 ~/path/to/keypair-name.pem
Copy

This restricts the file to read-only access by the owner.

Lost Private Key

If you lose the private key file, you cannot recover it. Options include:

• Console Access: Some cloud providers offer web-based console access that bypasses SSH. Use this to add a new keypair manually to authorized_keys.
• Rebuild Instance: If you have backups or can recreate the instance, rebuild it with a new keypair attached.
• Snapshot and Relaunch: Create a snapshot of the instance, then launch a new instance from that snapshot with a different keypair.

Keypair Not Appearing in Launch Dialog

Keypairs are project-specific in OpenStack. Verify you're working in the correct project by checking the project selector in the upper left corner of Horizon. If you're in the wrong project, switch to the project where you created the keypair.

Security Best Practices

Use Strong Key Types

Modern SSH implementations support multiple key types. Prefer Ed25519 or RSA keys with at least 2048 bits (4096 recommended):

1ssh-keygen -t ed25519 -C "your-email@example.com"
Copy

or

1ssh-keygen -t rsa -b 4096 -C "your-email@example.com"
Copy

Protect Private Keys

• Store private keys in encrypted directories or use a hardware security module (HSM).
• Never commit private keys to version control systems.
• Use SSH agent forwarding carefully, as it can expose keys to compromised intermediate systems.

Implement Key Rotation Policies

Establish a schedule for rotating keypairs (e.g., every 90 days). Automated key rotation reduces the window of vulnerability if a key is compromised.

Audit Keypair Usage

Regularly review the list of keypairs in each project. Remove unused or outdated keys to reduce the attack surface.

Separate Keys by Privilege Level

Don't use the same keypair for both administrative tasks and regular access. Create separate keys for elevated-privilege operations and restrict their distribution.

Next Steps

With SSH keypairs configured, you can securely access OpenStack instances without managing passwords. Consider exploring:

• Instance Metadata: Learn how OpenStack injects keypairs and other metadata during instance initialization.
• Cloud-Init: Understand how to use cloud-init for more advanced instance customization at launch.
• Security Groups: Configure security groups to restrict SSH access to specific IP ranges or networks.
• Bastion Hosts: Implement bastion hosts (jump servers) to centralize and audit SSH access to private instances.

For additional assistance with OpenStack keypair management, contact InMotion Cloud support.

Related Resources

For more information on SSH key management and instance security, see these official resources:

• OpenStack Keypair Documentation - Official CLI reference for managing keypairs
• OpenStack Compute API - Keypairs - REST API reference for keypair operations
• OpenStack Security Guide - Comprehensive security best practices including SSH key management