This article describes how to get the fingerprints of the SSH key pair your Nectar instance is using and the key pair your SSH client is using. If the fingerprints are not the same, SSH connection attempts to the instance will fail with a "Permission denied" message on Linux. The message will be "Server refused our key" if you are using Putty on Windows. This article should be read in context with Troubleshooting SSH access to a NeCTAR instance.

Nectar instance key pair fingerprint

If the instance has not been rebooted since it was launched, you can find the SSH key pair fingerprint for the instance listed in the console log. Open the Nectar dashboard and navigate to Project -> Compute -> Instances -> your instance, and select the Log tab. Scroll through the log to locate the key fingerprint for the default login username for your instance's image. The default usernames for Nectar Official images are listed in the image catalog.

If the instance has been rebooted you can find the SSH key pair fingerprint using the Nectar dashboard instance list and key pair list. Another option is launching a new instance with the same key pair, then checking the console log as described above.

To find the SSH key fingerprint using the dashboard, first find the name of the key pair your instance is using, by navigating to Project -> Compute -> Instances. Locate the Key Pair name of the instance in the instance list.

Next, view your key pairs by navigating to Project -> Compute -> Key Pairs. Locate the Fingerprint for your key pair in the list.

If you prefer, you can also use the OpenStack command line interface to find the key fingerprint for your instance. View the console log using the following command, replacing ubuntu-test with your instance name or id:

$ openstack console log show ubuntu-test
[  OK  ] Started Apply the settings specified in cloud-config.
         Starting Execute cloud user/final scripts...
ci-info: ++++++++++Authorized keys from /home/ubuntu/.ssh/authorized_keys for user ubuntu+++++++++++
ci-info: +---------+-------------------------------------------------+---------+-------------------+
ci-info: | Keytype |                Fingerprint (md5)                | Options |      Comment      |
ci-info: +---------+-------------------------------------------------+---------+-------------------+
ci-info: | ssh-rsa | 29:42:96:f1:b7:8b:80:fb:69:77:45:e7:6b:76:6f:14 |    -    | Generated-by-Nova |
ci-info: +---------+-------------------------------------------------+---------+-------------------+

Show the key pair name for your instance using:

$ openstack server show --column key_name ubuntu-test
| Field    | Value    |
| key_name | test-key |

Show the fingerprint for the key pair, replacing test-key with your key pair name:

$ openstack keypair show --column fingerprint test-key
| Field       | Value                                           |
| fingerprint | 29:42:96:f1:b7:8b:80:fb:69:77:45:e7:6b:76:6f:14 |

SSH client key pair fingerprint

The process for finding the key pair your workstation SSH client uses for accessing your Nectar instance varies for Linux workstations and for Windows workstations using Putty. 

Linux workstations

If you are using a Linux workstation and the OpenSSH client to access your instance, the ssh-keygen utility can be used to view the fingerprint of your SSH key.

$ ssh-keygen -E md5 -lf ~/.ssh/test-key.pem
2048 MD5:29:42:96:f1:b7:8b:80:fb:69:77:45:e7:6b:76:6f:14 no comment (RSA)

If you receive an "unknown option" error you are probably using an older version of OpenSSH (<6.8, pre 2015). Try the following options instead:

$ ssh-keygen -yf ~/.ssh/test-key.pem >
$ ssh-keygen -lf
2048 29:42:96:f1:b7:8b:80:fb:69:77:45:e7:6b:76:6f:14 (RSA)

For this example, and after confirming the client and instance fingerprints are the same, you should be able to access your instance using the OpenSSH client as follows:

$ ssh -i ~/.ssh/test-key.pem ubuntu@<instance IP address or DNS name>

Windows workstations using Putty

For Windows workstations using the Putty SSH client to access your instance, your private key needs to be converted to the Putty PPK format using the puttygen tool before it can be used with Putty. You can also use puttygen to find the key fingerprint. Start puttygen on your workstation and select File -> Load private key from the menu.

Select the converted private key file, test-key.ppk in this example. Once loaded, key details including the key fingerprint are displayed.

Once you have confirmed that the client and instance fingerprints are the same, Putty needs to be configured with the IP address or DNS name of your instance, the login username, and the PPK private key file.