Introduction

Purpose

Users should be able to reset the SSH key for a VM, i.e., associate a new or different SSH key with the VM.

Feature Specifications

Feature Objective

  • This feature resets the SSH key of an existing VM, replacing the SSH key previously assigned to the VM with a new one.
  • The user should be able to provide the name of a keypair that is already created or registered.
  • After the SSH key is reset, if the template used by the VM is password enabled, the Encrypted.Password entry needs to be updated in the DB.
  • The password for the VM is to be encrypted with the new SSH public key.
  • This feature also applies to a VM that did not have an SSH key before (i.e., it can be used to set an SSH keypair for a VM).

Use cases

If a user loses the SSH keypair that was assigned to a VM, there is no access to that VM. If the key is compromised, the user will want to change the SSH key. In both cases there should be a way to reset the SSH key for the VM.

Architecture and Design description

  • The design is similar to the reset password feature; the differences relate to the SSH keypair.
  • The user can use an existing keypair or a new keypair to reset the SSH key.
    • Before using the reset SSH key API, the user can create a new keypair or register a keypair by providing the public key.
    • To create a new keypair there is an API: createSSHKeyForVirtualMachine=com.cloud.api.commands.CreateSSHKeyPairCmd
    • To register a new keypair there is an API: registerSSHKeyForVirtualMachine=com.cloud.api.commands.ResetSSHKeyPairCmd
  • The user provides the keypair name in the reset SSH key API.
  • During the reset, if the template used by the VM is password enabled, the Encrypted.Password entry needs to be updated in the DB.
    • Since the password is not saved anywhere, a new password is generated for the VM, encrypted with the new public key, and the Encrypted.Password entry is updated.
    • There is no provision to get the existing password of a VM in order to encrypt it with the new SSH public key, since the password is transient.
  • User data is sent to the virtual router to update the new public key and the password as plain text (if the template is password enabled).
  • If the user VM is in the running state, it is rebooted as part of the SSH key reset so that the new SSH public key is updated in the VM (the cloud-set-guest-sshkey script runs as an init service in the VM to get the new SSH public key from the virtual router). If the VM is in the stopped state, the reset SSH key API action won't reboot the VM.

Web services APIs

  • resetSSHKeyForVirtualMachine=com.cloud.api.commands.ResetSSHKeyCmd
    • Parameters
      • id: The ID of the virtual machine
      • name: Name of the SSH keypair
      • account: Account name of owner
      • domainid: Domain ID of owner
    • Response
      • User VM details (UserVmResponse)
      • name: Name of the SSH keypair
      • password: The password (if it exists) of the virtual machine

 

Command example: http://localhost:8096/client/api?command=resetSSHKeyForVirtualMachine&account=admin&domainid=1&id=9936af8e-e899-4d13-b66d-2d72c7044a83&name=keypair1

(keypair1 is the name of the SSH keypair that is already created/registered)

UI flow

A UI component is not required for this feature.


2 Comments

  1. In the API parameters,

    Please mention which parameters are required and which are optional.

    The password which it will return in the response to the resetSSHKeyForVirtualMachine API: will it be an encrypted password or plain text?

    What will happen to the current session of the VM in which the user has logged in with the old password when you change the password?

    Moreover,

    A design consideration

    When I have several VMs with the same SSH keypair and my private key is compromised, I would like to change the keypair of all my VMs having the old keypair.

    So there should be a provision to do the same with the API.

    For example, if I give my old keypair name and new keypair name, then it should change the keypair of all the VMs in my account having the old keypair.

  2. Adding to the FS,

    To get the new public key from the VR, we need to run the script "cloud-set-guest-sshkey" in the guest VM as an init.service.

    There are two versions of this script. One that replaces the old key in the authorized_keys file with the new ssh public key.

    Another script had a fix to retain the ssh keys generated by the user. When we use this API, the new ssh public key is appended to the authorized_keys file so that user keys won't be deleted.

    So to avoid logging in to the guest VM using the old keypair, we need to manually delete the old public key in the VM.
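
The manual cleanup step raised in the second comment (the appending version of cloud-set-guest-sshkey leaves the old public key valid in authorized_keys), as an added shell example that is not part of the original page or of the CloudStack guest scripts. The function names, file arguments and return codes are assumptions made for illustration; the script is meant to run inside the guest VM after the reset.

```shell
#!/bin/sh
# Added example: revoke the old public key in a guest VM's authorized_keys
# after an SSH key reset. Hypothetical helper, not the cloud-set-guest-sshkey script.

# Field 2 of a one-line OpenSSH .pub file is the base64 key blob.
pub_blob() { awk 'NF >= 2 && $1 !~ /^#/ { print $2; exit }' "$1"; }

# count_blob BLOB FILE: number of lines in FILE with a field equal to BLOB.
# Matching on the blob catches entries with other comments or option prefixes.
count_blob() {
    awk -v b="$1" '{ for (i = 1; i <= NF; i++) if ($i == b) { n++; break } }
                   END { print n + 0 }' "$2"
}

# revoke_old_key AUTH_KEYS OLD_PUB NEW_PUB
# Prints the number of entries removed. Returns 2 on bad input and
# 3 if the new key is not installed yet (removing the old one could lock you out).
revoke_old_key() {
    auth=$1
    [ -f "$auth" ] && [ -f "$2" ] && [ -f "$3" ] || return 2
    old=$(pub_blob "$2"); new=$(pub_blob "$3")
    [ -n "$old" ] && [ -n "$new" ] && [ "$old" != "$new" ] || return 2
    [ "$(count_blob "$new" "$auth")" -gt 0 ] || return 3
    removed=$(count_blob "$old" "$auth")
    tmp=$(mktemp) || return 2
    awk -v b="$old" '{ for (i = 1; i <= NF; i++) if ($i == b) next; print }' \
        "$auth" > "$tmp"
    cp -p "$auth" "$auth.bak"   # rollback copy; sshd does not read it
    cat "$tmp" > "$auth"        # overwrite in place: keeps owner and mode
    rm -f "$tmp"
    echo "$removed"
}

# Usage: sh revoke_old_key.sh ~/.ssh/authorized_keys old_key.pub new_key.pub
if [ "$#" -eq 3 ]; then revoke_old_key "$@"; fi
```

Sessions already opened with the old key are not closed by editing authorized_keys; only new logins with that key are refused.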