SSH Authentication

This guide will show you how to enable and use the SSH authentication with the OpenNebula CLI with authentication driver ssh. Using this method, users log in to the OpenNebula with a token encrypted with their private SSH keys.


No additional installation required.

Considerations & Limitations

This authentication method works only for interaction with OpenNebula over CLI.


This authentication mechanism is enabled by default. If it doesn’t work, make sure you have the authentication method ssh enabled in the AUTH_MAD section of your /etc/one/oned.conf. For example:

    EXECUTABLE = "one_auth_mad",
    AUTHN = "ssh,x509,ldap,server_cipher,server_x509"


Create New Users

This authentication method uses standard SSH RSA key pairs for authentication. Users can create these files (if they don’t exist) using this command:

ssh-keygen -t rsa

OpenNebula commands look for the generated SSH keys in the standard location $HOME/.ssh/id_rsa, so it is a good idea not to change the default path. It’s recommended to protect the private key with a password!

Users requesting a new account have to get a public key by running oneuser key. For example:

oneuser key
Enter PEM pass phrase:

The string written to the console must be sent to the cloud administrator so they can create the new user in a similar way to the default user/password authentication users.

The following example command creates new user with username johndoe, assuming that the previous public key is saved in the text file /tmp/pub_key (instead of using the --read-file option, the public key could be specified as the second parameter):

oneuser create johndoe --ssh --read-file /tmp/pub_key

If the administrator has access to the user’s private ssh key, they can create new users with the following command:

oneuser create johndoe --ssh --key /home/newuser/.ssh/id_rsa

Update Existing Users to SSH

Change the authentication method of an existing user to SSH with the following commands:

oneuser chauth <id|name> ssh
oneuser passwd <id|name> --ssh --read-file /tmp/pub_key

As with the create command, you can specify the public key as the second parameter or use the user’s private key with the --key option.

User Login

Before using the OpenNebula CLI, users must execute the oneuser login command to generate a login token. The token will be stored in the filename set by $ONE_AUTH environment variable (which defaults to $HOME/.one/one_auth). The command requires the OpenNebula username and the argument --ssh specifying the authentication method. For example:

oneuser login johndoe --ssh

The default SSH key is assumed to be in $HOME/.ssh/id_rsa, otherwise the path can be specified with the --key option.

The generated token has a default expiration time of 10 hours. You can change that with the --time option.