SSH Keys

This guide describes when you should manage your own SSH keys for your Linux instances and which metadata values to use when you add or remove SSH keys yourself through the gcloud tool or the API.

If you only need to connect to your Linux instances and do not need to manage your own keys manually, see Connecting to Linux Instances. If you need to connect to a Windows instance, see Connecting to Windows instances.

Overview

Compute Engine manages SSH keys for you. You can connect to an instance from your browser or connect to your instances through the gcloud tool. However, in some situations you might want to generate your own key-pairs and apply them to your projects and instances yourself.

Risks of manual key management

If you add and manage SSH keys yourself through the gcloud tool or the API, you must keep track of the keys in use and delete keys that are no longer valid, so that a valid public key never gives access to someone who no longer needs it. For example, if a team member leaves your project, remove their SSH keys so they cannot continue to access your instances.

Additionally, an incorrectly specified gcloud or API call can wipe out all of the public SSH keys in your project or on your instances, which disrupts connections for your project members.

The keys that you apply through the gcloud tool and the API are formatted differently from keys that you apply through the console. If you need to manage your keys in the Cloud Platform Console rather than through the gcloud tool or the API, see Connecting to Linux Instances.

If you are not sure that you want to manage your own keys, use Compute Engine tools to connect to your instances instead.

SSH Key Metadata Values

Use specific metadata values to apply public SSH keys to your instances.

  • Project-level keys
    • sshKeys - A project-level value that applies one or more public SSH keys to all of the instances in your project, but does not apply to instances that are configured to block project-wide keys.
  • Instance-level keys
    • ssh-keys - An instance-level value that applies one or more public SSH keys to a specific instance. This value functions only if your instance uses a newer Compute Engine image.
    • block-project-ssh-keys - An instance-level value that blocks the instance from using any project-wide SSH keys.
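The following added example (not part of the original guide, and not Compute Engine code) models how the three metadata values above combine for one instance, and how to drop a departed user's keys without wiping the remaining entries, which is the risk described under "Risks of manual key management". It assumes one USERNAME:KEY entry per line in each value and a block-project-ssh-keys value of "TRUE"; the function names and the sample metadata are constructed for illustration.

```python
# Added example. Assumptions: each metadata value holds one "USERNAME:KEY"
# entry per line, and block-project-ssh-keys is enabled by the string "TRUE".

def parse_keys(value):
    """Split a metadata value into (username, public_key) pairs."""
    entries = []
    for line in (value or "").splitlines():
        line = line.strip()
        if not line:
            continue
        user, sep, key = line.partition(":")
        if not sep or not user or not key.strip():
            # Refuse to guess: a malformed entry should stop a write-back.
            raise ValueError(f"malformed key entry: {line!r}")
        entries.append((user, key.strip()))
    return entries

def effective_keys(project_md, instance_md):
    """Keys that apply to one instance, honoring block-project-ssh-keys."""
    blocked = str(instance_md.get("block-project-ssh-keys", "")).lower() == "true"
    keys = parse_keys(instance_md.get("ssh-keys"))
    if not blocked:
        keys = parse_keys(project_md.get("sshKeys")) + keys
    return keys

def remove_user(value, username):
    """Return a new metadata value without any key for `username`.

    Every other entry is preserved, so writing the result back replaces
    the old value without wiping keys that are still needed.
    """
    kept = [(u, k) for u, k in parse_keys(value) if u != username]
    return "\n".join(f"{u}:{k}" for u, k in kept)

# Constructed sample metadata (key material is a placeholder).
PROJECT = {"sshKeys": "alice:ssh-rsa AAAAexampleA alice\n"
                      "bob:ssh-rsa AAAAexampleB bob"}
INSTANCE_OPEN = {"ssh-keys": "carol:ssh-rsa AAAAexampleC carol"}
INSTANCE_LOCKED = {"ssh-keys": "carol:ssh-rsa AAAAexampleC carol",
                   "block-project-ssh-keys": "TRUE"}

if __name__ == "__main__":
    for name, inst in (("open", INSTANCE_OPEN), ("locked", INSTANCE_LOCKED)):
        print(name, [u for u, _ in effective_keys(PROJECT, inst)])
    print(remove_user(PROJECT["sshKeys"], "bob"))
```

The model does not account for image age: on images older than the dates listed under "Supported images", the two instance-level values have no effect.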

Supported images

Some images do not support the ssh-keys and block-project-ssh-keys metadata values. These metadata values function only on images that were created after the following dates:

Images                            Dates
CentOS 6 and 7                    February 10th, 2016
Debian 8                          February 10th, 2016
openSUSE 13                       February 10th, 2016
RHEL 6 and 7                      February 10th, 2016
SUSE 11 and 12                    March 1st, 2016
Ubuntu 16.04 LTS and 14.04 LTS    March 3rd, 2016
Ubuntu 12.04 LTS                  March 29th, 2016

Root SSH login to Compute Engine instances

By default, public images and most common operating systems do not allow root login over SSH. As a best practice, the /etc/ssh/sshd_config SSH configuration file has the PermitRootLogin parameter set to no.

Because of this parameter, you cannot connect to instances as the root user even if you specify an SSH key for root in your project or instance metadata. If a user requires root permissions, they can get those permissions by running commands through sudo.
