openshift-docs/modules/ssh-agent-using.adoc

// Module included in the following assemblies:
//
// * installing/installing_aws/installing-aws-user-infra.adoc
// * installing/installing_aws/installing-aws-customizations.adoc
// * installing/installing_aws/installing-aws-default.adoc
// * installing/installing_aws/installing-aws-government-region.adoc
// * installing/installing_aws/installing-aws-network-customizations.adoc
// * installing/installing_aws/installing-aws-private.adoc
// * installing/installing_aws/installing-aws-vpc.adoc
// * installing/installing_azure/installing-azure-customizations.adoc
// * installing/installing_azure/installing-azure-default.adoc
// * installing/installing_azure/installing-azure-government-region.adoc
// * installing/installing_azure/installing-azure-private.adoc
// * installing/installing_azure/installing-azure-vnet.adoc
// * installing/installing_azure/installing-azure-user-infra.adoc
// * installing/installing_bare_metal/installing-bare-metal.adoc
// * installing/installing_gcp/installing-gcp-customizations.adoc
// * installing/installing_gcp/installing-gcp-private.adoc
// * installing/installing_gcp/installing-gcp-default.adoc
// * installing/installing_gcp/installing-gcp-vpc.adoc
// * installing/installing_openstack/installing-openstack-installer-custom.adoc
// * installing/installing_openstack/installing-openstack-installer-kuryr.adoc
// * installing/installing_openstack/installing-openstack-installer.adoc
// * installing/installing_aws/installing-restricted-networks-aws.adoc
// * installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc
// * installing/installing_platform_agnostic/installing-platform-agnostic.adoc
// * installing/installing_vsphere/installing-restricted-networks-vsphere.adoc
// * installing/installing_vsphere/installing-vsphere.adoc
// * installing/installing_vsphere/installing-vsphere-installer-provisioned.adoc
// * installing/installing_vsphere/installing-vsphere-installer-provisioned-customizations.adoc
// * installing/installing_vsphere/installing-vsphere-installer-provisioned-network-customizations.adoc
// * installing/installing_ibm_z/installing-ibm-z.adoc
// * installing/installing_ibm_z/installing-ibm-z-kvm.adoc
// * installing/installing_ibm_z/installing-ibm-power.adoc
// * installing/installing-rhv-restricted-network.adoc


ifeval::["{context}" == "installing-restricted-networks-vsphere"]
:user-infra:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-bare-metal"]
:user-infra:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-aws"]
:user-infra:
endif::[]
ifeval::["{context}" == "installing-bare-metal"]
:user-infra:
endif::[]
ifeval::["{context}" == "installing-vsphere"]
:user-infra:
endif::[]
ifeval::["{context}" == "installing-aws-user-infra"]
:user-infra:
endif::[]
ifeval::["{context}" == "installing-azure-user-infra"]
:user-infra:
endif::[]
ifeval::["{context}" == "installing-openstack-installer-custom"]
:osp:
endif::[]
ifeval::["{context}" == "installing-openstack-installer-kuryr"]
:osp:
endif::[]
ifeval::["{context}" == "installing-openstack-installer"]
:osp:
endif::[]
ifeval::["{context}" == "installing-ibm-z"]
:ibm-z:
endif::[]
ifeval::["{context}" == "installing-ibm-z-kvm"]
:ibm-z-kvm:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-ibm-z"]
:ibm-z:
endif::[]
ifeval::["{context}" == "installing-rhv-default"]
:rhv:
endif::[]
ifeval::["{context}" == "installing-rhv-customizations"]
:rhv:
endif::[]
ifeval::["{context}" == "installing-platform-agnostic"]
:user-infra:
endif::[]

[id="ssh-agent-using_{context}"]
= Generating an SSH private key and adding it to the agent

If you want to perform installation debugging or disaster recovery on your cluster, you must provide an SSH key to both your `ssh-agent` and the installation program. You can use this key to access the bootstrap machine in a public cluster to troubleshoot installation issues.
[NOTE]
====
In a production environment, you require disaster recovery and debugging.
====

ifdef::ibm-z,ibm-z-kvm[]
[IMPORTANT]
====
Do not skip this procedure in production environments where disaster recovery and debugging is required.
====
endif::[]

You can use this key to SSH into the master nodes as the user `core`. When you
deploy the cluster, the key is added to the `core` user's
`~/.ssh/authorized_keys` list.

ifndef::osp,ibm-z,ibm-z-kvm,rhv[]
[NOTE]
====
You must use a local key, not one that you configured with platform-specific
approaches such as
link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html[AWS key pairs].
====
endif::[]

ifdef::openshift-origin[]
[NOTE]
====
On clusters running {op-system-first}, the SSH keys specified in the Ignition config files are written to the `/home/core/.ssh/authorized_keys.d/core` file. However, the Machine Config Operator manages SSH keys in the `/home/core/.ssh/authorized_keys` file and configures *sshd* to ignore the `/home/core/.ssh/authorized_keys.d/core` file.
As a result, newly provisioned {product-title} nodes are not accessible using SSH until the Machine Config Operator reconciles the machine configs with the `authorized_keys` file. After you can access the nodes using SSH, you can delete the `/home/core/.ssh/authorized_keys.d/core` file.
====
endif::openshift-origin[]

.Procedure

. If you do not have an SSH key that is configured for password-less authentication
on your computer, create one.
For example, on a computer that uses a Linux operating system, run the
following command:
+
[source,terminal]
----
$ ssh-keygen -t ed25519 -N '' \
    -f <path>/<file_name> <1>
----
<1> Specify the path and file name, such as `~/.ssh/id_rsa`, of the new SSH key.
+
Running this command generates an SSH key that does not require a password in
the location that you specified.

. Start the `ssh-agent` process as a background task:
+
[source,terminal]
----
$ eval "$(ssh-agent -s)"
----
+
.Example output
[source,terminal]
----
Agent pid 31874
----

. Add your SSH private key to the `ssh-agent`:
+
[source,terminal]
----
$ ssh-add <path>/<file_name> <1>
----
+
.Example output
[source,terminal]
----
Identity added: /home/<you>/<path>/<file_name> (<computer_name>)
----
<1> Specify the path and file name for your SSH private key, such as `~/.ssh/id_rsa`


.Next steps

* When you install {product-title}, provide the SSH public key to the installation program.
ifdef::user-infra[]
If you install a cluster on infrastructure that you provision, you must provide this key to your cluster's machines.
endif::user-infra[]

ifeval::["{context}" == "installing-restricted-networks-vsphere"]
:!user-infra:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-bare-metal"]
:!user-infra:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-aws"]
:!user-infra:
endif::[]
ifeval::["{context}" == "installing-bare-metal"]
:!user-infra:
endif::[]
ifeval::["{context}" == "installing-vsphere"]
:!user-infra:
endif::[]
ifeval::["{context}" == "installing-aws-user-infra"]
:!user-infra:
endif::[]
ifeval::["{context}" == "installing-azure-user-infra"]
:!user-infra:
endif::[]
ifeval::["{context}" == "installing-openstack-installer-custom"]
:!osp:
endif::[]
ifeval::["{context}" == "installing-openstack-installer-kuryr"]
:!osp:
endif::[]
ifeval::["{context}" == "installing-openstack-installer"]
:!osp:
endif::[]
ifeval::["{context}" == "installing-ibm-z"]
:!ibm-z:
endif::[]
ifeval::["{context}" == "installing-ibm-z-kvm"]
:!ibm-z-kvm:
endif::[]
ifeval::["{context}" == "installing-rhv-default"]
:!rhv:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-ibm-z"]
:!ibm-z:
endif::[]
ifeval::["{context}" == "installing-rhv-customizations"]
:!rhv:
endif::[]
ifeval::["{context}" == "installing-platform-agnostic"]
:!user-infra:
endif::[]