How to specify a different location for ssh keys loading during rhc setup?

Question

I am using rhc cli tool for OpenShift projects. I have encountered a problem with default rhc ssh key.

On any ssh related action (setup, app-create, etc..) rhc creates ~/.ssh/id_rsa key if it does not exist. I do not like that behaviour, and I would like it to use something like ~/.ssh/OpenShift-SSH-Keys/my_id_rsa.

Because during rhc setup, it did not ask me from which location I wanted to load the keys. Thus I also looked in ~/.openshift/express.conf and I only saw the configurations for ssl; not ssh.

So I found on the internet this following configuration line to add to ~/.openshift/express.conf:

ssh_key_file='~/.ssh/OpenShift-SSH-Keys/my_id_rsa'

I added it and also modified my ~/.ssh/config file:

# Openshift *.rhcloud.com ssh-key config
Host *.rhcloud.com
         IdentityFile ~/.ssh/OpenShift-SSH-Keys/my_id_rsa
         IdentitiesOnly yes
         VerifyHostKeyDNS yes
         StrictHostKeyChecking no
         PasswordAuthentication no
         UserKnownHostsFile ~/.ssh/known_hosts

To finish I setup my account like that:

rhc setup --config ~/.openshift/express.conf -l myusername@gmail.com

Output of this command line:

OpenShift Client Tools (RHC) Setup Wizard

This wizard will help you upload your SSH keys, set your application namespace, and check that other programs like Git are
properly installed.

If you have your own OpenShift server, you can specify it now. Just hit enter to use the server for OpenShift Online:
openshift.redhat.com.
Enter the server hostname: |openshift.redhat.com| 

You can add more servers later using 'rhc server'.

Using myusername@gmail.com to login to openshift.redhat.com
RSA 1024 bit CA certificates are loaded due to old openssl compatibility
Password: ************************

OpenShift can create and store a token on disk which allows to you to access the server without using your password. The
key is stored in your home directory and should be kept secret.  You can delete the key at any time by running 'rhc
logout'.
Generate a token now? (yes|no) yes
Generating an authorization token for this client ... RSA 1024 bit CA certificates are loaded due to old openssl compatibility
lasts 29 days

Saving configuration to /Users/theuser/.openshift/express.conf ... done

No SSH keys were found. We will generate a pair of keys for you.

    Created: /Users/theuser/.ssh/id_rsa.pub

Your public SSH key must be uploaded to the OpenShift server to access code.  Upload now? (yes|no) no

You can upload your public SSH key at a later time using the 'rhc sshkey' command

Checking for git ... found git version 2.5.0

Checking common problems .. done

Checking for a domain ... mydomainz1955

Checking for applications ... found 1

  myapp http://myapp-mydomainz1955.rhcloud.com/

  You are using 2 of 3 total gears
  The following gear sizes are available to you: small

Your client tools are now configured.

As you can see in the output of the command line: No SSH keys were found. We will generate a pair of keys for you., although I specified in the ~/.openshift/express.conf that I already had ssh keys generated, rhc setup did not take them in consideration or did not find them.

So according to you guys, is it possible to somehow specify a different location for ssh keys loading during rhc setup?

Note: I know how to add additional ssh key, but I would like to stop rhc creating/using ~/.ssh/id_rsa

Answer 1

As far as I see you just want rhc to not use your default ssh key. So here is how you create a separate key and configure rhc to use it instead of the default one.

Key points are that:

• you select no to generating and uploading ssh key during rhc setup
• you add your key separately with rhc sshkey add
• you configure ssh to use the different key for that domain as you list in your original example

Does this cover your concerns?

[crackit@koTapaH ~]$ mkdir /home/crackit/my_key_location
[crackit@koTapaH ~]$ ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/home/crackit/.ssh/id_rsa): /home/crackit/my_key_location/key.rsa
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/crackit/my_key_location/key.rsa.
Your public key has been saved in /home/crackit/my_key_location/key.rsa.pub.
The key fingerprint is:
c5:20:15:fb:17:96:86:8f:88:28:18:17:2a:b8:eb:51 crackit@koTapaH
The key's randomart image is:
+--[ RSA 2048]----+
|  .   ..+.       |
|.. .   . + . .   |
|= .     . + =    |
|.=   . . + = .   |
|o .E. . S o o    |
| ...       .     |
|..               |
|. .              |
| .               |
+-----------------+
[crackit@koTapaH ~]$ rhc setup
OpenShift Client Tools (RHC) Setup Wizard

This wizard will help you upload your SSH keys, set your application namespace,
and check that other programs like Git are properly installed.

If you have your own OpenShift server, you can specify it now. Just hit enter to
use the server for OpenShift Online: openshift.redhat.com.
Enter the server hostname: |openshift.redhat.com| 

You can add more servers later using 'rhc server'.

Login to openshift.redhat.com: 
Login to openshift.redhat.com: asdfgg@example.com
Password: *************

OpenShift can create and store a token on disk which allows to you to access the
server without using your password. The key is stored in your home directory and
should be kept secret.  You can delete the key at any time by running 'rhc
logout'.
Generate a token now? (yes|no) yes
Generating an authorization token for this client ... lasts about 1 month

Saving configuration to /home/crackit/.openshift/express.conf ... done

No SSH keys were found. We will generate a pair of keys for you.

    Created: /home/crackit/.ssh/id_rsa.pub

Your public SSH key must be uploaded to the OpenShift server to access code.
Upload now? (yes|no)
no

You can upload your public SSH key at a later time using the 'rhc sshkey'
command

Checking for git ... found git version 2.1.0

Checking common problems .. done

Checking for a domain ... foobar

Checking for applications ... found 2

  jenkins http://jenkins-foobar.rhcloud.com/
  tmp     http://tmp-foobar.rhcloud.com/

  You are using 2 of 3 total gears
  The following gear sizes are available to you: small, medium

Your client tools are now configured.

[crackit@koTapaH ~]$ rhc sshkey add mykey my_key_location/key.rsa.pub 
RESULT:
SSH key my_key_location/key.rsa.pub has been added as 'mykey'

[crackit@koTapaH ~]$ vi .ssh/config
<.. do your modifications here ..>

[crackit@koTapaH ~]$ rhc ssh tmp
Connecting to 550000a0e0b8cdca4c000040@tmp-foobar.rhcloud.com ...

    *********************************************************************

    You are accessing a service that is for use only by authorized users.
    If you do not have authorization, discontinue use at once.
    Any use of the services is subject to the applicable terms of the
    agreement which can be found at:
    https://www.openshift.com/legal

    *********************************************************************

    Welcome to OpenShift shell

    This shell will assist you in managing OpenShift applications.

    !!! IMPORTANT !!! IMPORTANT !!! IMPORTANT !!!
    Shell access is quite powerful and it is possible for you to
    accidentally damage your application.  Proceed with care!
    If worse comes to worst, destroy your application with "rhc app delete"
    and recreate it
    !!! IMPORTANT !!! IMPORTANT !!! IMPORTANT !!!

    Type "help" for more info.


[tmp-foobar.rhcloud.com 550000a0e0b8cdca4c000040]\> exit
exit
Connection to tmp-foobar.rhcloud.com closed.
[crackit@koTapaH ~]$ 

Update: I didn't notice keys are generated. But I am sure that the generated keys during rhc setup are not actually used. First because the keys from default location are never added to openshift. And you can see a quick proof below. Another way to see is rhc sshkeys list.

Another thing is that if you already have keys in default location, then no keys are generated (in which case you still select no to not upload them). But it is actually a minor bug IMO in rhc that ssh keys are generated without asking the user. It might be a very rare use case - you don't have default key and you want to use a key from non-standard location (this is not your use case where you have a key in standard location, just don't want to use it) but still IMO one shouldn't generate something user did not request. So here's how I show you that only my desired custom key is used:

[crackit@koTapaH ~]$ rm -rf .ssh/id_rsa*
[crackit@koTapaH ~]$ rhc ssh tmp
Connecting to 550000a0e0b8cdca4c000040@tmp-foobar.rhcloud.com ...
<...>
    Type "help" for more info.


[tmp-foobar.rhcloud.com 550000a0e0b8cdca4c000040]\> exit
exit
Connection to tmp-foobar.rhcloud.com closed.
[crackit@koTapaH ~]$ ls .ssh/
config  known_hosts
[crackit@koTapaH ~]$

Update 2 Of course token cannot help you with ssh:

[crackit@koTapaH ~]$ rm -rf my_key_location
[crackit@koTapaH ~]$ rhc ssh tmp
Connecting to 550000a0e0b8cdca4c000040@tmp-foobar.rhcloud.com ...
no such identity: /home/crackit/my_key_location/key.rsa: No such file or directory
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

SSH key is used for ssh. Token is used for API requests. These are different use cases. rhc uses the ssh executable underneath so using a custom key means to edit ~/.ssh/config to set your default key to another location or set different keys for different hosts. This is not handled well by rhc setup. But once you have your key set, you don't have to run rhc setup anymore.