Changing SSH Keys on OCI Compute Instances
Every now and then comes the need to update your SSH keys on a server in the cloud. Whether you are doing a general update or changing out your laptop, SSH keys need to be updated. In my case, I was changing laptops from Mac to Windows (not 100% sold on M1/M2 for consulting purposes … story for another time). When I went to interact with other OCI compute nodes that were previously built with an OpenSSH key, I noticed I couldn’t get a connection to the compute instances, leading to the need to change the SSH keys on these nodes.
Now, can you change keys if you cannot access the node? Oracle provides some good details on making connections via Instance Console Connections, but I didn’t find this very helpful. Cool, yes; helpful, not really. This led me to come up with a bit of a different approach for changing SSH keys – use a new compute instance and change the keys.
What we needed to do was the following:
1. Dig out the old laptop and retrieve the OpenSSH keys that were previously used. You just need the private key. Email it to yourself, or use any other means of getting it over to the Windows machine.
2. Use PuTTYgen and import the private key.
3. Once the key has been imported, it needs to be exported to force a new file format. Trying to use an older format will lead to errors and other issues.
4. Once the key is saved, it needs to be uploaded to the new compute node that will handle all the updating of the keys for other compute nodes.
5. Once the old RSA key has been uploaded to the new compute node, making SSH connections to the older nodes should be simple with the following command:
$ ssh -i id_rsa2 opc@<ip_address>
The <ip_address> to use can be either the public or private address for the compute node. Since we were already connected to a node within the VCN, we opted for the private address.
6. From here, we needed to add the new authorized key to the ~/.ssh/authorized_keys file. After some trial and error, we found that it was easier to copy the private key and “echo” it into the authorized_keys file.
$ echo "<ssh_key_string>" >> ~/.ssh/authorized_keys
Once the authorized_keys file has been updated on the compute node, update the PuTTY configuration for the compute instance and connect to the instance.
Now that all our instances have been updated with the correct keys, the compute instance that was provisioned just to change keys can be removed.
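As an added example (not part of the original post), the append in step 6 can be wrapped in a small POSIX shell helper that accepts only a one-line OpenSSH public key, which is the form authorized_keys entries take, and refuses private-key files. It also skips duplicates and sets the permissions sshd expects; the function name add_authorized_key is hypothetical.

```sh
#!/bin/sh
# Added example. add_authorized_key is a hypothetical helper name, not an
# OCI or OpenSSH tool. Usage: add_authorized_key "<key line>" [file]
add_authorized_key() {
    key_line=$1
    auth_file=${2:-$HOME/.ssh/authorized_keys}

    # Private-key material (OpenSSH/PEM or PuTTY .ppk) stays on the client.
    case $key_line in
        *"PRIVATE KEY"*|PuTTY-User-Key-File*)
            echo "refusing: input looks like a private key" >&2
            return 2 ;;
    esac

    # A public-key line is "<type> <base64 blob> [comment]".
    key_type=${key_line%% *}
    rest=${key_line#* }
    key_blob=${rest%% *}
    case $key_type in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "refusing: unrecognised key type" >&2; return 2 ;;
    esac
    # The blob is base64 and, for these key types, always starts with "AAAA".
    case $key_blob in
        *[!A-Za-z0-9+/=]*) echo "refusing: blob is not base64" >&2; return 2 ;;
        AAAA*) ;;
        *) echo "refusing: blob is not an SSH public key" >&2; return 2 ;;
    esac

    # With sshd's default StrictModes, loose permissions make sshd ignore the file.
    mkdir -p "$(dirname "$auth_file")" && chmod 700 "$(dirname "$auth_file")"
    touch "$auth_file" && chmod 600 "$auth_file"

    # Already present (same type and blob)? Leave the file untouched.
    if grep -qF -- "$key_type $key_blob" "$auth_file"; then
        return 0
    fi
    # Make sure the existing last line is terminated before appending.
    if [ -s "$auth_file" ] && [ -n "$(tail -c 1 "$auth_file")" ]; then
        echo >> "$auth_file"
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
}
```

Keep the existing session open and confirm a login with the new key from a second terminal before closing it.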
Oracle provides some great information within their documentation; however, we often find it a little bit difficult to follow. It seems like some of the steps are incomplete or missing something, leading many to figure out creative ways of getting the same items done. Hopefully, this post will help you or someone else understand how to quickly change the SSH keys on compute nodes.
RheoData is a global systems integrator and disabled veteran-owned organization headquartered in Atlanta, Georgia. With operations being established in 2019, RheoData has built its business providing solutions across the enterprise landscape with architecture design/reviews, implementation, data replication, and managed services to ensure high-quality enterprise systems.