Servers that support Server Login Control populate their SSH authorized-keys file with multiple trusted keys based on policy received from the RightScale Dashboard, typically inserting one public key per user with server_login permission. When compared to the traditional technique of binding a single, shared SSH key to the server at launch time, Server Login Control has the following advantages:
server_login privileges are granted and revoked.
This document will show you how to generate a personal SSH key pair and upload the public key to RightScale for use with Server Login Control.
Important Note: When using Server Login Control (a.k.a. Managed SSH) to manage your users' keys, a user's public key may not disappear from the ~/.ssh/authorized_keys file immediately after you revoke the 'server_login' permission from that user. This is normal: a daemon removes the key from the authorized_keys file, but it runs only periodically at specific intervals, so the key may not be removed immediately.
If a user's keys are still in the authorized_keys file after some time has passed, and they should not be because the user has no server_login permission, please contact our support team for assistance.
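One way to check a server for keys that have outlived their permission, as an added example that is not part of the RightScale documentation: it fingerprints every entry in an authorized_keys file and reports those missing from an allow-list. The function names, the allow-list and the sample keys are assumptions constructed for this illustration.

```python
import base64
import hashlib
import re
import struct

# Key type, then base64 blob, then optional comment; leading options are skipped.
KEY_RE = re.compile(
    r"(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-\S+)\s+([A-Za-z0-9+/]+=*)(?:\s+(.*))?$")

def fingerprint(blob_b64):
    """Return the SHA256 fingerprint in the form `ssh-keygen -l` prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def lingering_keys(text, allowed):
    """Return (fingerprint, comment) for every key not in the allow-list."""
    found = []
    for line in text.splitlines():
        match = KEY_RE.search(line.strip())
        if line.lstrip().startswith("#") or not match:
            continue
        _, blob, comment = match.groups()
        try:
            fp = fingerprint(blob)
        except ValueError:  # malformed base64: report it rather than hide it
            fp = "INVALID"
        if fp not in allowed:
            found.append((fp, comment or ""))
    return found

def demo_key(seed, comment):
    """Build a constructed (not real) ssh-ed25519 line for the demo."""
    name = b"ssh-ed25519"
    filler = hashlib.sha256(seed).digest()  # 32 filler bytes, not a usable key
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + filler
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment

# Constructed sample: alice still has server_login, bob's was revoked.
ALICE = demo_key(b"alice", "alice@example.com")
BOB = demo_key(b"bob", "bob@example.com")
SAMPLE = "# constructed sample\n" + ALICE + '\ncommand="uptime",no-pty ' + BOB + "\n"
ALLOWED = {fingerprint(ALICE.split()[1])}  # assumed list of permitted keys

if __name__ == "__main__":
    for fp, comment in lingering_keys(SAMPLE, ALLOWED):
        print("not in allow-list:", fp, comment)
```

On a real server, pass the contents of ~/.ssh/authorized_keys as `text` and build the allow-list from the public keys of users who currently hold server_login.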
The procedure for creating a key pair varies depending on your operating system and preferred SSH client. In all cases, however, the procedure has three steps: create a key pair, change your RightScale SSH preferences, and test to ensure everything works as expected.
ssh-keygen -t rsa
Enter file in which to save the key (/Users/tony/.ssh/id_rsa):
Created directory '/Users/tony/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/tony/.ssh/id_rsa.
Your public key has been saved in /Users/tony/.ssh/id_rsa.pub.
%HOMEPATH%. If you are using ssh:// protocol links as your session launch preference, configure your SSH client to automatically use your private key for authentication. When you are done, the page will look similar to this:
Launch a server that uses RightImage 5.1.1 or greater. Once the server becomes operational, navigate to the server's page and press the SSH Console button.
If you connect successfully, then everything is working fine. Congratulations!