openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
7d66de20b13883ccceb1b028448b152cc5df096b
openshift-docs/modules/ssh-agent-using.adoc
Kathryn Alexander 468fd8df6c BZ1962418: adding note about ssh key algorithms for FIPS
2021-06-14 12:10:41 +00:00

299 lines
10 KiB
Plaintext
Raw Blame History

// Module included in the following assemblies:
//
// * installing/installing_aws/installing-aws-user-infra.adoc
// * installing/installing_aws/installing-aws-customizations.adoc
// * installing/installing_aws/installing-aws-default.adoc
// * installing/installing_aws/installing-aws-government-region.adoc
// * installing/installing_aws/installing-aws-network-customizations.adoc
// * installing/installing_aws/installing-aws-private.adoc
// * installing/installing_aws/installing-aws-vpc.adoc
// * installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc
// * installing/installing_azure/installing-azure-customizations.adoc
// * installing/installing_azure/installing-azure-default.adoc
// * installing/installing_azure/installing-azure-government-region.adoc
// * installing/installing_azure/installing-azure-private.adoc
// * installing/installing_azure/installing-azure-vnet.adoc
// * installing/installing_azure/installing-azure-user-infra.adoc
// * installing/installing_bare_metal/installing-bare-metal.adoc
// * installing/installing_gcp/installing-gcp-customizations.adoc
// * installing/installing_gcp/installing-gcp-private.adoc
// * installing/installing_gcp/installing-gcp-default.adoc
// * installing/installing_gcp/installing-gcp-vpc.adoc
// * installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc
// * installing/installing_openstack/installing-openstack-installer-custom.adoc
// * installing/installing_openstack/installing-openstack-installer-kuryr.adoc
// * installing/installing_openstack/installing-openstack-installer.adoc
// * installing/installing_aws/installing-restricted-networks-aws.adoc
// * installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc
// * installing/installing_platform_agnostic/installing-platform-agnostic.adoc
// * installing/installing_vmc/installing-restricted-networks-vmc.adoc
// * installing/installing_vmc/installing-restricted-networks-vmc-user-infra.adoc
// * installing/installing_vmc/installing-vmc-user-infra.adoc
// * installing/installing_vmc/installing-vmc-network-customizations-user-infra.adoc
// * installing/installing_vmc/installing-vmc.adoc
// * installing/installing_vmc/installing-vmc-customizations.adoc
// * installing/installing_vmc/installing-vmc-network-customizations.adoc
// * installing/installing_vsphere/installing-restricted-networks-vsphere.adoc
// * installing/installing_vsphere/installing-vsphere.adoc
// * installing/installing_vsphere/installing-vsphere-network-customizations.adoc
// * installing/installing_vsphere/installing-vsphere-installer-provisioned.adoc
// * installing/installing_vsphere/installing-vsphere-installer-provisioned-customizations.adoc
// * installing/installing_vsphere/installing-vsphere-installer-provisioned-network-customizations.adoc
// * installing/installing_vsphere/installing-restricted-networks-installer-provisioned-vsphere.adoc
// * installing/installing_ibm_z/installing-ibm-z.adoc
// * installing/installing_ibm_z/installing-ibm-z-kvm.adoc
// * installing/installing_ibm_z/installing-ibm-power.adoc
// * installing/installing-rhv-restricted-network.adoc
ifeval::["{context}" == "installing-restricted-networks-vsphere"]
:user-infra:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-vmc-user-infra"]
:user-infra:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-bare-metal"]
:user-infra:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-aws"]
:user-infra:
endif::[]
ifeval::["{context}" == "installing-gcp-customizations"]
:gcp:
endif::[]
ifeval::["{context}" == "installing-gcp-default"]
:gcp:
endif::[]
ifeval::["{context}" == "installing-gcp-network-customizations"]
:gcp:
endif::[]
ifeval::["{context}" == "installing-gcp-private"]
:gcp:
endif::[]
ifeval::["{context}" == "installing-gcp-vpc"]
:gcp:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-gcp-installer-provisioned"]
:gcp:
endif::[]
ifeval::["{context}" == "installing-bare-metal"]
:user-infra:
endif::[]
ifeval::["{context}" == "installing-vsphere"]
:user-infra:
endif::[]
ifeval::["{context}" == "installing-vmc-user-infra"]
:user-infra:
endif::[]
ifeval::["{context}" == "installing-aws-user-infra"]
:user-infra:
endif::[]
ifeval::["{context}" == "installing-azure-user-infra"]
:user-infra:
endif::[]
ifeval::["{context}" == "installing-openstack-installer-custom"]
:osp:
endif::[]
ifeval::["{context}" == "installing-openstack-installer-kuryr"]
:osp:
endif::[]
ifeval::["{context}" == "installing-openstack-installer"]
:osp:
endif::[]
ifeval::["{context}" == "installing-ibm-z"]
:ibm-z:
endif::[]
ifeval::["{context}" == "installing-ibm-z-kvm"]
:ibm-z-kvm:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-ibm-z"]
:ibm-z:
endif::[]
ifeval::["{context}" == "installing-rhv-default"]
:rhv:
endif::[]
ifeval::["{context}" == "installing-rhv-customizations"]
:rhv:
endif::[]
ifeval::["{context}" == "installing-platform-agnostic"]
:user-infra:
endif::[]
[id="ssh-agent-using_{context}"]
= Generating an SSH private key and adding it to the agent
If you want to perform installation debugging or disaster recovery on your cluster, you must provide an SSH key to both your `ssh-agent` and the installation program. You can use this key to access the bootstrap machine in a public cluster to troubleshoot installation issues.
[NOTE]
====
In a production environment, you require disaster recovery and debugging.
====
ifdef::ibm-z,ibm-z-kvm[]
[IMPORTANT]
====
Do not skip this procedure in production environments where disaster recovery and debugging is required.
====
endif::[]
You can use this key to SSH into the master nodes as the user `core`. When you
deploy the cluster, the key is added to the `core` user's
`~/.ssh/authorized_keys` list.
ifndef::osp,ibm-z,ibm-z-kvm,rhv[]
[NOTE]
====
You must use a local key, not one that you configured with platform-specific
approaches such as
link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html[AWS key pairs].
====
endif::[]
ifdef::openshift-origin[]
[NOTE]
====
On clusters running {op-system-first}, the SSH keys specified in the Ignition config files are written to the `/home/core/.ssh/authorized_keys.d/core` file. However, the Machine Config Operator manages SSH keys in the `/home/core/.ssh/authorized_keys` file and configures *sshd* to ignore the `/home/core/.ssh/authorized_keys.d/core` file.
As a result, newly provisioned {product-title} nodes are not accessible using SSH until the Machine Config Operator reconciles the machine configs with the `authorized_keys` file. After you can access the nodes using SSH, you can delete the `/home/core/.ssh/authorized_keys.d/core` file.
====
endif::openshift-origin[]
.Procedure
. If you do not have an SSH key that is configured for password-less authentication
on your computer, create one.
For example, on a computer that uses a Linux operating system, run the
following command:
+
[source,terminal]
----
$ ssh-keygen -t ed25519 -N '' \
-f <path>/<file_name> <1>
----
<1> Specify the path and file name, such as `~/.ssh/id_rsa`, of the new SSH key. If you have an existing key pair, ensure your public key is in the your ``~/.ssh` directory.
+
Running this command generates an SSH key that does not require a password in
the location that you specified.
+
[NOTE]
====
If you plan to install an {product-title} cluster that uses FIPS Validated / Modules in Process cryptographic libraries on the `x86_64` architecture, do not create a key that uses the `ed25519` algorithm. Instead, create a key that uses the `rsa` or `ecdsa` algorithm.
====
. Start the `ssh-agent` process as a background task:
+
[source,terminal]
----
$ eval "$(ssh-agent -s)"
----
+
.Example output
[source,terminal]
----
Agent pid 31874
----
. Add your SSH private key to the `ssh-agent`:
+
[source,terminal]
----
$ ssh-add <path>/<file_name> <1>
----
+
.Example output
[source,terminal]
----
Identity added: /home/<you>/<path>/<file_name> (<computer_name>)
----
<1> Specify the path and file name for your SSH private key, such as `~/.ssh/id_rsa`
ifdef::gcp[]
. Set the `GOOGLE_APPLICATION_CREDENTIALS` environment variable to the full path to your service account private key file.
+
[source,terminal]
----
$ export GOOGLE_APPLICATION_CREDENTIALS="<your_service_account_file>"
----
. Verify that the credentials were applied.
+
[source,terminal]
----
$ gcloud auth list
----
endif::gcp[]
.Next steps
* When you install {product-title}, provide the SSH public key to the installation program.
ifdef::user-infra[]
If you install a cluster on infrastructure that you provision, you must provide this key to your cluster's machines.
endif::user-infra[]
ifeval::["{context}" == "installing-restricted-networks-vsphere"]
:!user-infra:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-vmc-user-infra"]
:!user-infra:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-bare-metal"]
:!user-infra:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-aws"]
:!user-infra:
endif::[]
ifeval::["{context}" == "installing-gcp-customizations"]
:!gcp:
endif::[]
ifeval::["{context}" == "installing-gcp-default"]
:!gcp:
endif::[]
ifeval::["{context}" == "installing-gcp-network-customizations"]
:!gcp:
endif::[]
ifeval::["{context}" == "installing-gcp-private"]
:!gcp:
endif::[]
ifeval::["{context}" == "installing-gcp-vpc"]
:!gcp:
endif::[]
ifeval::["{context}" == "installing-bare-metal"]
:!user-infra:
endif::[]
ifeval::["{context}" == "installing-vsphere"]
:!user-infra:
endif::[]
ifeval::["{context}" == "installing-vmc-user-infra"]
:!user-infra:
endif::[]
ifeval::["{context}" == "installing-aws-user-infra"]
:!user-infra:
endif::[]
ifeval::["{context}" == "installing-azure-user-infra"]
:!user-infra:
endif::[]
ifeval::["{context}" == "installing-openstack-installer-custom"]
:!osp:
endif::[]
ifeval::["{context}" == "installing-openstack-installer-kuryr"]
:!osp:
endif::[]
ifeval::["{context}" == "installing-openstack-installer"]
:!osp:
endif::[]
ifeval::["{context}" == "installing-ibm-z"]
:!ibm-z:
endif::[]
ifeval::["{context}" == "installing-ibm-z-kvm"]
:!ibm-z-kvm:
endif::[]
ifeval::["{context}" == "installing-rhv-default"]
:!rhv:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-ibm-z"]
:!ibm-z:
endif::[]
ifeval::["{context}" == "installing-rhv-customizations"]
:!rhv:
endif::[]
ifeval::["{context}" == "installing-platform-agnostic"]
:!user-infra:
endif::[]
View Git Blame Copy Permalink