Configure SSH and SSH keys

For a full list of keys, refer to the SSH module schema.

General example

#cloud-config
allow_public_ssh_keys: true
disable_root: true
disable_root_opts: no-port-forwarding,no-agent-forwarding,no-X11-forwarding
ssh_authorized_keys:
  - ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAGEA3FSyQwBI6Z+nCSjUU ...
  - ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA3I7VUf2l5gSn5uavROsc5HRDpZ ...
ssh_deletekeys: true
ssh_genkeytypes: [rsa, ecdsa, ed25519]
ssh_keys:
  rsa_certificate: |
    ssh-rsa-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQt ...
  rsa_private: |
    -----BEGIN RSA PRIVATE KEY-----
    MIIBxwIBAAJhAKD0YSHy73nUgysO13XsJmd4fHiFyQ+00R7VVu2iV9Qco
    ...
    -----END RSA PRIVATE KEY-----
  rsa_public: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAGEAoPRhIfLvedSDKw7Xd ...
ssh_publish_hostkeys:
  blacklist: [rsa]
  enabled: true
ssh_quiet_keygen: true

Configure instance’s SSH keys

#cloud-config
ssh_authorized_keys:
  - ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAGEyQwBI6Z+nCSU... mykey@host
  - ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEVUf2l5gSn5uR... smoser@brickies
ssh_keys:
  rsa_private: |
    -----BEGIN RSA PRIVATE KEY-----
    MIIBxwIBAAJhAKD0YSHy73nUgysO13XsJmd4fHiFyQ+0Qcon2LZS/x...
    -----END RSA PRIVATE KEY-----
  rsa_public: ssh-rsa AAAAB3NzaC1AAAABIwAAAGEAoPRh... smoser@localhost
no_ssh_fingerprints: false
ssh:
  emit_keys_to_console: false

Import SSH ID

This example imports SSH keys from:

  • GitHub (gh:)

  • A public keyserver (in this case, Launchpad, lp:)

Keys are referenced by the username they are associated with on the keyserver.

For a full list of keys, refer to the SSH import ID module schema. You may also find it helpful to consult the manual page.

#cloud-config
ssh_import_id: [user, 'gh:user', 'lp:user']

Log fingerprints of user SSH keys

Writing the fingerprints of authorized user keys to logs is enabled by default.

For a full list of keys, refer to the SSH authkey fingerprints module schema.

Do not write SSH fingerprints

This example prevents SSH fingerprints from being written. The default value of no_ssh_fingerprints is false.

#cloud-config
no_ssh_fingerprints: true

Configure hash type

This example configures the hash type to be sha512 instead of the default sha256.

#cloud-config
authkey_hash: sha512
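
To match a logged fingerprint against a key you hold, you can recompute it locally. The following is an added example, not part of cloud-init or of the original page: it parses an authorized-key line, checks that the key type embedded in the blob matches the declared type, and computes the digest for a chosen authkey_hash. The function names, the constructed ed25519 key, and the colon-separated hex output format are assumptions; lines with an options prefix are not handled.

```python
import base64
import hashlib
import struct


def constructed_key_line():
    """Build a well-formed ssh-ed25519 line from constructed bytes (not a real key)."""
    ktype, pub = b"ssh-ed25519", bytes(range(32))
    blob = struct.pack(">I", len(ktype)) + ktype + struct.pack(">I", len(pub)) + pub
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


def parse_key_line(line):
    """Return (key_type, raw_blob) for a '<type> <base64> [comment]' line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob starts with a length-prefixed key type; it must match the
    # type named in the text, otherwise the line was truncated or edited.
    (n,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + n].decode("ascii", "replace")
    if embedded != declared:
        raise ValueError(f"declared {declared!r} but blob says {embedded!r}")
    return declared, blob


def hex_fingerprint(blob, hash_name="sha256"):
    """Colon-separated hex digest (assumed log format) for a given authkey_hash."""
    digest = hashlib.new(hash_name, blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def openssh_fingerprint(blob):
    """SHA256 fingerprint in the form printed by `ssh-keygen -lf`."""
    raw = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(raw).decode().rstrip("=")


if __name__ == "__main__":
    key_type, blob = parse_key_line(constructed_key_line())
    for name in ("sha256", "sha512"):
        print(key_type, name, hex_fingerprint(blob, name))
    print(key_type, openssh_fingerprint(blob))
```
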

Control SSH key printing to console

By default, all supported host keys (and their fingerprints) are written to the console, but for security reasons, this may not be desirable.

These examples show you how to prevent SSH host keys from being written out. For a full list of keys, refer to the keys to console module schema.

Do not print any SSH keys

#cloud-config
ssh:
  emit_keys_to_console: false

Do not print specific key types

#cloud-config
ssh_key_console_blacklist: [rsa]

Do not print specific fingerprints

#cloud-config
ssh_fp_console_blacklist:
- E25451E0221B5773DEBFF178ECDACB160995AA89
- FE76292D55E8B28EE6DB2B34B2D8A784F8C0AAB0