SSH Keys

SSH keys provide secure authentication for connecting to VMs over SSH (Secure Shell). evroc VMs disable password-based authentication by default, making SSH keys the primary method for remote access.

How SSH keys work

SSH uses public-key cryptography for authentication. You generate an SSH key pair consisting of:

  • Private key - Kept secret on your local machine, used to prove your identity
  • Public key - Installed on the VM during creation, used to verify your identity

When you connect to a VM via SSH, your SSH client uses your private key to authenticate against the public key installed on the VM, eliminating the need for password-based login.

Generating SSH keys

If you don't already have an SSH key pair, generate one on your local machine using the ssh-keygen command:

ssh-keygen -t ed25519 -C "your_email@example.com"

This creates:

  • Private key: ~/.ssh/id_ed25519 (keep this secret and secure)
  • Public key: ~/.ssh/id_ed25519.pub (this is what you provide to evroc)

The public key file contains a single line of text starting with ssh-ed25519.

Adding SSH keys to VMs

If you require SSH access to a VM, you must add at least one SSH public key when creating it. Without an SSH key configured at creation time, you will not be able to access the VM remotely, as password authentication is disabled by default.

You can add SSH keys to a VM in two ways:

1. Using the Console, CLI, or API

When creating a VM, provide your SSH public key through:

  • Console - Paste your public key into the SSH key field during VM creation
  • CLI - Use the --ssh-authorized-key parameter with the evroc compute virtualmachine create command
  • API - Include the public key in the osSettings.ssh.authorizedKeys field of the VirtualMachine resource

See the CLI reference for specific syntax and examples.

2. Using cloud-init

You can also configure SSH keys through a custom cloud-init script:

#cloud-config
users:
  - name: evroc-user
    ssh-authorized-keys:
      - ssh-ed25519 AAAA... user@example.com
      - ssh-rsa AAAA... user2@example.com

This method is useful for:

  • Adding multiple SSH keys for different team members
  • Creating additional users with specific SSH access
  • Configuring SSH keys for non-default users

SSH access requirements

To connect to a VM via SSH, you need:

  1. SSH key pair - Usually generated locally on your machine
  2. Public key installed on the VM at creation time
  3. Network access to the VM:
    • A Public IP attached to the VM (for access from the internet)
    • Or network connectivity to the VM's private IP (for access from within the VPC)
  4. Security group rules that allow access to SSH (TCP port 22 by default) from your source IP address

Default behavior

evroc VMs have the following default SSH configuration:

  • Password authentication disabled - Only SSH key authentication is allowed
  • Root login disabled - You must use the default user account
  • Default user - The default user is evroc-user (consistent across all OS images) with sudo privileges

Enabling password authentication

If you need password-based authentication, you can enable it using a cloud-init script:

#cloud-config
ssh_pwauth: true
manage_etc_hosts: localhost
users:
  - name: evroc-user
    gecos: evroc VM user
    sudo: ALL=(ALL) NOPASSWD:ALL
    groups:
      - sudo
    shell: /bin/bash
    hashed_passwd: "$6$6pdIKHyAjNwa..."
    lock_passwd: false

Warning: Password authentication is less secure than SSH keys and is not recommended for production use.

Multiple users and keys

To grant SSH access to multiple team members, you can:

  1. Add multiple public keys when creating the VM (through CLI/API/console)
  2. Use cloud-init to configure multiple keys for the default user
  3. Use cloud-init to create multiple user accounts, each with their own SSH keys
