Generating SSH keys to use for CoreOS host connectivity

While this is likely widely known, I figured this was worth documenting for someone that might not have done this before.  If you’ve looked at CoreOS at all you know that in order to connect to a CoreOS server it needs to be configured with your machines SSH key.  This is done through the cloud-config file which we’ll cover in much greater detail in a later post.  So let’s quickly walk through how to generate these keys on the three different operating systems I’m using for testing…

You’ll need to have OpenSSH installed on the CentOS host you’re using in order for this to work.  Check to see if it’s installed…

Now let’s check to make sure that we don’t already have a key generated…

There’s no .ssh folder listed in our home directory so let’s move on to generating the key. 

Note: If there was a .ssh folder already present, there’s a good chance you already have a key generated.  If you want to use this existing key, skip ahead to after we generate the new key.

Since there isn’t a .ssh folder present, let’s create a new key.  This is done with the ‘ssh-keygen’ utility…


Notice here that it asked us to enter a pass phrase.  In my lab testing I always leave that blank.  If you want added security you can add a passphrase which you’ll be prompted for during login.  Now that the key is generated, we can provide the public key to CoreOS.  Let’s take a look at the public key by browsing to the directory the utility generated it in…

Notice that the key has some additional information tacked onto the end.  In my case, that’s ‘jon@tools.interubernet.local’.  This is NOT part of the key and should not be provided as part of the cloud-config.  The rest of the file should be provided though.  In my case, the relevant piece of the cloud-config file would look like this…

Note that the text here is obviously word wrapped.  While copying the key I’ve had some issues where certain text editors broke the string into 4 separate lines.  Make sure that the cloud-config file sees the key as only one line or this won’t work.  After the cloud-config is loaded, let’s do a quick test to make sure things worked…

All done.

Mac OS X
You’re in luck here.  It’s the same process on a Mac as it is in CentOS.  There might be a slightly different folder structure but the process is identical.

Windows (Putty)
This is a little bit trickier but it’s the same concept.  You need to download another tool from the putty toolkit called ‘PuttyGen’

Once you have that downloaded, run it and you should get the following screen…


Hit the ‘Generate’ button and then start moving your mouse around inside the ‘Key’ box…


Once the key generation has complete you’ll get a screen that looks like this…


Now you want to save the public and the private key.  I created a folder on my desktop called ‘keys’ and first saved the public key there (just click the ‘Save public key’ button) and then saved the private key in the same folder (same process, just click the ‘Save private key’ button).  Once this is done, you can either copy the public key from the window at the top of the generator, or open your saved public key and copy it from there.  This key needs to be configured in your cloud-config file. 

Note: Same deal applies here where there was some extra stuff after the public key. Make sure you don’t include that in the cloud-config file…

After the CoreOS host is configured with the public key, the next step is to make a Putty profile that is configured with the matching private key.  Open Putty and make a new session…

Enter the IP of the CoreOS host you want to connect to and then navigate down to the sub menu ‘Data’ under the ‘Connection’ menu.  Here enter the username ‘core’ under the ‘Auto-Login username’…

Next, enlarge the ‘SSH’ menu and select the ‘Auth’ menu item.  Here you can specify your private key…


Once this is set, go back to the main Putty menu and save your session…

Now, provided that the cloud-config has the new key you should be able to connect to your CoreOS host…

I know this is a little ‘cart before the horse’ but I wanted to cover this in a quick post before we discussed actually building the CoreOS host.  That post is coming shortly!


  1. Victor Saad’s avatar

    Good tutorial, easy to understand!

    I did all the steps (using puttygen), and I add the ssh-rsa AAAAAAA……. in my cloud-config (into vm properties, XenServer), but it keep returning Server Refused our key.

    I remade the file a couple of times but I wasnt successful.


    hostname: %VMNAMETOHOSTNAME%
    ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAxy/z5NuYkz9/fRnfU4IUoGs8UfIa7kvHUmOFEWiN6U1R7P+EnpAk82AKAeqJqLPiYBHO+O6Qs9/mD/uSVpS1pQ== rsa-key-2017030
    # – ssh-rsa
    # The following entry will automatically be replaced with a public key
    # generated by container management plugin. The key-entry must exist,
    # in order to enable container management for this VM.
    – ssh-rsa %CONTAINERRSAPUB%
    – name: etcd.service
    command: start
    – name: fleet.service
    command: start

    # Hypervisor Linux Guest Agent
    – name: xe-linux-distribution.service
    command: start
    content: |
    Description=Hypervisor Linux Guest Agent

    ExecStartPre=/media/configdrive/agent/xe-linux-distribution /var/cache/xe-linux-distribution
    # generate a new token for each unique cluster at
    # discovery:
    # Enable ARP notifications for smooth network recovery after migrations
    – path: /etc/sysctl.d/10-enable-arp-notify.conf
    permissions: 0644
    owner: root
    content: |
    net.ipv4.conf.all.arp_notify = 1

    # Template loaded from /usr/lib/python2.7/site-packages/xscontainer/data/cloud-config.template

    PS: I had change the key on this post.


  2. Gary’s avatar

    @Victor, I don’t think this bit of the key should be in the config file: “rsa-key-2017030”



Your email address will not be published. Required fields are marked *