SSH Keys in Cloudera Director

The Role of Keys in SSH

SSH is a protocol for communicating over an encrypted channel between computers. A common use of SSH is to connect to a remote computer in order to establish a shell process, within which commands can be issued. The SSH client logs in to the SSH server and receives a shell prompt. The client can issue shell commands, and then terminate the connection or log out when finished.

SSH uses the same kind of strong encryption that is used by TLS and SSL for encrypted web traffic. An observer should not be able to determine the contents of the network traffic between the client and the server. Through encryption, SSH provides confidentiality of communications.

When establishing an SSH connection for shell use, a client needs to authenticate to a server. Authentication can be performed in a few ways. One common way is through a username and password pair. While this is a well understood and widely supported means of authentication, it is vulnerable to the use of weak passwords.

A better option is to use a key pair. Like key pairs in TLS and SSL, an SSH key pair is composed of a private key and a corresponding public key. When the server is configured with the public key, the client can authenticate using the private key. Due to the way that the authentication mechanism works, the private key does not need to be passed over the network. Also, a private key is much larger, and much harder to guess, than a password. For these reasons, SSH key authentication is almost always preferred over password authentication.

Use of SSH Keys in Cloud Providers

When a cloud provider creates a new instance, and you want to be able to connect to it over SSH, you must somehow inform the provider about the public key for authentication. The cloud provider is responsible for installing the public key in the correct location for it to work for authenticating with the corresponding private key.

The way that you tell a cloud provider about a key pair varies. For example, in AWS, you set up an EC2 key pair, which has an associated name. You can either have AWS generate the key pair and send you the data, or generate the key pair yourself and only upload the public key. No matter the provider, when you create an instance, you include information about the key pair.

Generally, the cloud provider copies the public key into the authorized_keys file in the standard login account for the instance. This is enough to configure the instance's SSH server to allow authentication to that account with the corresponding private key. To use it on the command line:
ssh -i /path/to/private_key.pem username@instance_ip_address

Cloudera Director's Use of SSH Keys

Cloudera Director uses SSH to issue commands to instances that it launches and configures as part of bootstrapping deployments and clusters. Therefore, Cloudera Director requires the private key used to authenticate to the standard login account of each instance that it launches. It is insufficient for it to only be supplied the public key or an identifier for the private key material; only the private key itself is sufficient for authentication to succeed.

When you create a new environment in Cloudera Director, you supply the default username for a standard login account and the default SSH private key for authentication to that account. Every instance that Cloudera Director launches under the environment is accessed, by default, using the username and private key. An instance template, which specifies instance features like size and backing image, can override the username.

The private key must be provided to Cloudera Director in unencrypted form. However, Cloudera Director encrypts its own database where it stores private keys.

Good Practices for SSH Key Management with Cloudera Director

  • Use large key sizes. When creating an RSA key pair, use a key length of at least 2048 bits.
  • Protect private keys by keeping them off the network. A cloud provider only requires the public key from an SSH key pair to launch instances you can authenticate to. The corresponding private key does not need to leave the computer where it was generated. Accordingly, for better security, instead of having AWS generate your key pair, generate it locally and upload only the public key.
  • Change the Cloudera Director database encryption password. Cloudera Director ships with encryption of its own database enabled, but with a default encryption password. Follow the instructions for changing the encryption password in Starting with Encryption to avoid easy decryption if the database is compromised.
  • Do not use personal SSH key pairs for Cloudera Manager and cluster instances. Instead, generate dedicated "service" SSH key pairs that are only for use by instances launched by Cloudera Director. This allows the lifecycle of personal and service key pairs to be managed separately. Also, service key pairs can then be shared without compromising any individual user's key pairs.
  • Install additional SSH public keys on instances with bootstrap scripts. To permit wider authentication to instances, use a bootstrap script to append approved public keys to the authorized_keys file for the standard login accounts, as an alternative to sharing the private key of the "primary" SSH key pair installed by the cloud provider.