To make sure your connection to the Genesis Cloud instance is secure, two modes of authentication for SSH are available: SSH Public/Private Key pair and Password.
SSH Key-pair (Recommended)
This is the preferred method because it is significantly more secure and once setup way less of a hassle to use. The connection established using a public and a private key. To generate this key
- on Linux or macOS: on your local machine open a terminal and execute
ssh-keygen
. To protect your keys you can enter a passphrase that will be used to encrypt the communication. You can also leave the prompt for a passphrase empty. Store the key in the default location. Retrieve the public key using:cat ~/.ssh/id_rsa.pub
Upload your public key using the 'Add SSH Key' button. Paste the complete key and add a fitting name. Once this authentication is set up you can easily access every new instance that you create.
- on Windows: Establish the connection using PuTTY & securely access the instance
Password (Intended for testing)
Alternatively, you can also set up your instance access using a password for the ubuntu user. This requires you to enter this password every time you want to access the instance.
Passwords are considered less secure than an SSH keypair given that a weak password can be brute-forced (that means just testing all combinations or the most common password patterns). As SSH connections are open to the Internet they are routinely attacked by automatic botnets or bad actors. Cracking even 7 letter passwords can take as little as a few seconds when using a well-populated wordlist of typical password patterns e.g. password1234.
To ensure your instance's security if you still chose to set up a password we autogenerate a password for you in our web application and enforce rules for password requirements when using the API.
Please note: For your own security, the auto-generated password will only be shown once, so make sure to store it in a secure location like a password manager. We don't provide a password reset mechanism at this point.
Common Problems
ECDSA Key is being rejected
When connecting to an instance for the first time a warning appears. Sample output:
$ ssh ubuntu@194.61.20.69
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:cRoUH04xQ2y5x2z1GyQmmE3BLqPMvelMaIj4h/L4Ci0.
Please contact your system administrator.
Add correct host key in /home/gc/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/gc/.ssh/known_hosts:4
remove with:
ssh-keygen -f "/home/gc/.ssh/known_hosts" -R "194.61.20.69"
ECDSA host key for 194.61.20.69 has changed and you have requested strict checking.
Host key verification failed.
Password prompt appears
A password prompt appears even though you did not choose to authenticate via password. Sample output:
$ ssh ubuntu@194.61.21.203
The authenticity of host '194.61.21.203 (194.61.21.203)' can't be established.
ECDSA key fingerprint is SHA256:s4IcxkBCy13S6O8N1nppCAX4a9ZTC0v17GXr5OFSKeE.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '194.61.21.203' (ECDSA) to the list of known hosts.
ubuntu@194.61.21.203's password:
There are two possible reasons for this. One is that you selected to perform password authentication accidentally. Beware that at this time you can select either password authentication or key-pair authentication, but not both.
If you selected instance access via SSH Key but still are prompted for a password there are a few things that can go wrong with the key authentication.
- Is the private SSH key on the device from which you try to access your Genesis Cloud instance?
- What are the permissions of your ssh folder and the private key file?
- If you did not store private ssh key in the default location you might need to specify it using
ssh -i <PATH-TO-KEY> ubuntu@194.61.21.203
Instance is unresponsive even though it just turned active
Starting the SSH server on the instance takes a little time to become available even though the instance state has already turned to active. If you took enough time to find this answer it should already be fine. Maybe just check again? Can you ping the instance?
If the problem persists reach out to support.
Key file has the wrong permissions
SSH refuses to connect because your key file has the wrong permission settings.
$ ssh -i test/id_rsa ubuntu@194.61.21.97
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0664 for 'test/id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "test/id_rsa": bad permissions
ubuntu@194.61.21.97's password:
Here SSH is concerned that other users also working on your local machine are able to view your key file. If you want to be sure that this problem is fixed, generate a new key and update all the places where you uploaded your old one. If you are sure that no one else is able to see your key files (for example if you are the only user on your machine) you can fix this issue by modifying the permission settings of your private key file.
$ chmod 600 test/id_rsa
Connection timed out
If your SSH connection lays idle for a long time it might time out. This will look something like this:
packet_write_wait: Connection to 194.61.21.142 port 22: Broken pipe
This is easily fixed by just reconnecting.