Securing root access to cluster nodes over SSH

In certain situations, you or the technical support team may need root access to cluster nodes via SSH. We recommend using SSH keys, as they are generally more secure than passwords. You can generate a key pair on the client from which you will connect to the nodes via SSH. The private key is stored on the client; do not share it with anyone. The public key must be uploaded to Virtuozzo Hybrid Infrastructure.

After the key is uploaded, you can access your cluster nodes by using the key authentication method with SSH. When connecting via SSH, follow these rules:

  • Do not enable third-party repositories. Install third-party software only from the default repository.
  • Use only commands allowed in the product documentation.

To create and upload a public key

Admin panel

  1. Obtain an SSH public key from the technical support team, or generate an SSH key pair on a client by using the ssh-keygen utility:

    1. Open the terminal and run the command:

      # ssh-keygen -t rsa

      After the following dialog appears, press Enter:

      Enter file in which to save the key (/home/user/.ssh/id_rsa):

      When prompted to enter a passphrase, which encrypts the private key file stored on the client, press Enter to skip this step:

      Enter passphrase (empty for no passphrase):

      The key will be created with the following message:

      Your public key has been saved in /home/user/.ssh/id_rsa.pub.
      The key fingerprint is:
      476:b2:a8:7f:08:b4:c0:af:81:25:7e:21:48:01:0e:98 user@localhost
      
      The key's randomart image is:
      +---[RSA 3072]----+
      |            oo.o+|
      |           oo.o.+|
      |        . ..+E..=|
      |   .     ooB+o...|
      |  o . . So.o&    |
      |   = . o ..O O   |
      |    + . o = B o  |
      |     .   . + +   |
      |          .      |
      +----[SHA256]-----+

    2. Run the following command to display the public key:

      $ cat ~/.ssh/id_rsa.pub

    3. Copy the displayed key.
  2. Go to Settings > System settings > SSH keys, and then click Add.
  3. In the Add SSH key window, paste the key, and then click Add.

    Alternatively, you can upload the SSH key to the admin panel by clicking Upload and selecting the public key from your local machine. By default, the generated public key is located in /root/.ssh/id_rsa.pub.

Command-line interface

Use the following command:

vinfra cluster sshkey add <file>

<file>
    SSH public key file

For example, to add a public SSH key from the file id_rsa.pub to the list of trusted keys, run:

# vinfra cluster sshkey add id_rsa.pub

The added SSH key will appear in the vinfra cluster sshkey list output:

# vinfra cluster sshkey list
+---------------------+----------------------------------+------------------+
| id                  | key                              | label            |
+---------------------+----------------------------------+------------------+
| 8ccf7f1b-6a53-<...> | ssh-rsa AAAAB3NzaC1yc2EAAAA<...> | user@example.com |
|                     | user@example.com                 |                  |
+---------------------+----------------------------------+------------------+
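
The following Python code is an added example, not part of the product documentation or the vinfra tool. It checks a key line before the file is passed to vinfra cluster sshkey add, or when reviewing the key column of vinfra cluster sshkey list: it rejects private key material, confirms that the declared key type matches the key blob, and reports the RSA modulus size and the SHA256 fingerprint in the form that ssh-keygen -lf prints. The function names are hypothetical, and the sample key is constructed with a placeholder modulus, so it is not a usable key.

```python
import base64
import hashlib


def _read_string(blob, offset):
    """Read one length-prefixed field (RFC 4251 'string') from the key blob."""
    length = int.from_bytes(blob[offset:offset + 4], "big")
    end = offset + 4 + length
    if offset + 4 > len(blob) or end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def inspect_public_key(line):
    """Validate one OpenSSH public key line; return type, RSA bits, fingerprint."""
    if "PRIVATE KEY" in line:
        raise ValueError("private key material: never upload this file")
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    inner_type, pos = _read_string(blob, 0)
    if inner_type.decode("ascii", "replace") != fields[0]:
        raise ValueError("declared key type does not match the key blob")
    bits = None
    if fields[0] == "ssh-rsa":
        _exponent, pos = _read_string(blob, pos)   # public exponent e
        modulus, pos = _read_string(blob, pos)     # modulus n
        bits = int.from_bytes(modulus, "big").bit_length()
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {"type": fields[0], "bits": bits, "fingerprint": fingerprint,
            "comment": " ".join(fields[2:])}


def make_sample_rsa_line(bits=3072, comment="user@example.com"):
    """Constructed sample: well-formed ssh-rsa blob with a placeholder modulus."""
    def field(data):
        return len(data).to_bytes(4, "big") + data
    modulus = (1 << (bits - 1)) | 1   # right size only, not a real key
    n = b"\x00" + modulus.to_bytes(bits // 8, "big")   # mpint needs leading zero
    blob = field(b"ssh-rsa") + field((65537).to_bytes(3, "big")) + field(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


if __name__ == "__main__":
    print(inspect_public_key(make_sample_rsa_line()))
```

Comparing the fingerprint of the key on the client with the fingerprint of each entry trusted by the cluster shows which entries belong to keys you still hold and which are candidates for deletion.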

To delete a public key

Admin panel

  1. Go to Settings > System settings > SSH keys.
  2. Select the required SSH key, and then click Delete.
  3. Click Yes in the confirmation window.

Command-line interface

Use the following command:

vinfra cluster sshkey delete <sshkey>

<sshkey>
    SSH key value

For example, to delete the SSH key with the ID 8ccf7f1b-6a53-4d74-99ce-c410d51a9921, run:

# vinfra cluster sshkey delete 8ccf7f1b-6a53-4d74-99ce-c410d51a9921