Managing Key Pairs on Linux Instances
Instances launched using Oracle Linux, Ubuntu, or other Linux images use an SSH key pair instead of a password to authenticate a remote user (see Security Credentials). A key pair consists of a private key and public key. You keep the private key on your computer and provide the public key when you create an instance. When you connect to the instance using SSH, you provide the path to the private key in the SSH command.
By default, creating an OCI Compute Linux instance generates an OpenSSH key pair. Use the generated OpenSSH keys to connect to the instance from Windows, MacOS or Linux. An OpenSSH key pair can be generated for each instance or reused to connect to several instances.
Alternatively, use OpenSSH to generate a key pair on a local Windows, MacOS, or Linux machine. Then, use the generated key pair to create new OCI Compute instances.
For platform images, these SSH key types are supported: RSA, DSA, DSS, ECDSA, and Ed25519. If you bring your own image, you're responsible for managing the SSH key types that are supported. For RSA, DSS, and DSA keys, a minimum of 2048 bits is recommended. For ECDSA keys, a minimum of 256 bits is recommended.
Oracle does not store a copy of the private key generated by the Console. Therefore, keeping a copy of the private key is required to connect to your instance. Without the private key, the only remedy to connect to an instance is to create a new instance using a new private key.
Anyone who has access to the private key can connect to the instance. Store the private key in a secure location.
On Windows systems, OpenSSH has been available by default since Windows 10 and Windows Server 2019. In addition, OpenSSH on Windows is available with the Windows Subsystem for Linux and Git for Windows (GitBash). Alternatively, PuTTY provides SSH support for older Windows versions and can interoperate with OpenSSH keys.
The following describes the structure of an OpenSSH public key file and shows a sample public key file.
A public key has the following format:
<key_type> <public_key> <optional_comment>
For example, an RSA public key looks like this:
ssh-rsa AAAAB3BzaC1yc2EAAAADAQABAAABAQD9BRwrUiLDki6P0+jZhwsjS2muM...
...yXDus/5DQ== rsa-key-20201202
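An added example, not part of the original page or Oracle's tooling: a small Python check that parses a public key line in the format above, confirms that the key type inside the base64 data matches the text prefix, and measures an RSA key against the 2048-bit minimum recommended earlier. The function names are hypothetical, the sample keys are constructed in code and are not usable keys, and only RSA key sizes are measured.

```python
import base64
import struct

MIN_RSA_BITS = 2048  # minimum the page recommends for RSA keys

def read_string(blob, offset):
    """Read one length-prefixed field (uint32 big-endian length, then data)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated field data")
    return blob[offset + 4:end], end

def inspect_public_key(line):
    """Parse '<key_type> <public_key> <optional_comment>' and audit it."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<key_type> <public_key> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    inner_type, pos = read_string(blob, 0)
    # The type encoded inside the blob must match the text prefix.
    if inner_type.decode("ascii", "replace") != key_type:
        raise ValueError("key type prefix does not match encoded key")
    bits = None  # stays None for key types this example does not measure
    if key_type == "ssh-rsa":
        _exponent, pos = read_string(blob, pos)
        modulus, pos = read_string(blob, pos)
        bits = int.from_bytes(modulus, "big").bit_length()
    return {"type": key_type, "comment": comment, "bits": bits,
            "meets_minimum": None if bits is None else bits >= MIN_RSA_BITS}

def make_sample(bits):
    """Constructed sample line (not a usable key): fixed-pattern modulus."""
    def field(data):
        return struct.pack(">I", len(data)) + data
    n = (1 << (bits - 1)) | 1
    # Leading zero byte keeps the high bit from being read as a sign bit.
    blob = (field(b"ssh-rsa") + field((65537).to_bytes(3, "big"))
            + field(b"\x00" + n.to_bytes(bits // 8, "big")))
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed-sample"

if __name__ == "__main__":
    for size in (1024, 2048):
        print(inspect_public_key(make_sample(size)))
```

Running the check on a public key file before uploading it catches undersized RSA keys and truncated or mislabeled key data.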
Creating an OpenSSH Key Pair with ssh-keygen
If you are using Windows, MacOS, or Linux, you can use ssh-keygen to generate an OpenSSH public and private key pair. Follow these steps:
- Open a shell, terminal, or command prompt to start ssh-keygen.
- At the prompt, enter ssh-keygen with the following suggested parameters.
  ssh-keygen -t rsa -N "" -b 2048 -C "<key_comment>"
  The following list describes the purpose of each ssh-keygen option.
  - -t rsa: Use the RSA algorithm.
  - -N "": A passphrase to protect the use of the key (like a password). A blank value means no passphrase is set.
  - -b 2048: Generates a 2048-bit key. A minimum of 2048 bits is recommended for SSH-2 RSA.
  - -C "<key_comment>": A text comment that is placed in the public key file.
  - (Optional) -f <path/key_name>: The location where the key pair will be saved and the key name for the files.
- You are prompted for the key directory and key name. You can use the default of <your-home-directory>/.ssh/id_rsa. Optionally, specify a different location and name.
- Press Enter.
- Using default values, the following files are created in the <your-home-directory>/.ssh directory.
  - id_rsa: Your private key file.
  - id_rsa.pub: Your public key file.
Use the files as needed to create a secure SSH connection to your instance. For more details, see: Connecting to a Linux Instance.
Setting a private key passphrase can be inconvenient as you are prompted for it every time you use the SSH command. Please follow the security policies of your organization when considering the choice.
OpenSSH has been included with Windows since Windows 10 and Windows Server 2019. If you are using an older version of the Windows operating system, you can use PuTTY and the PuTTY Key Generator to create keys. For details on creating keys, see Creating an SSH Key Pair Using PuTTY Key Generator.