By: Massimo Re Ferre’

A common method, often pitched as a best practice for interacting with Linux instances in the cloud, is to use SSH key-based logins (as opposed to traditional remote SSH logins, which use a username and password).

By default, when you create a Linux image in VMware vCloud® Air™, a temporary password is generated. The first time you log in to the instance, a policy forces you to change that password. If you deploy a handful of instances this may not be a big deal, but if you start deploying instances at scale, it becomes a tedious process.

Enter the SSH Keys method.

While vCloud Air doesn’t provide an out-of-the-box SSH key login experience, it is fairly easy to set up. There are many articles that explain how to create your private and public keys. Essentially, it all starts by creating your own key pair by typing the following command in your Linux or Mac shell:

> ssh-keygen -t rsa

This creates two files in the .ssh folder of your home directory: by default they are id_rsa.pub (your public key) and id_rsa (your private key). Your private key will (ideally) never leave your laptop. The trick is how to get the public key onto the Linux instances you deploy in vCloud Air.

This is where the Guest Customization process comes in handy. I have described this process in this blog post.

Long story short, you can embed your public key in the Linux instance via the Customization Script section of your VM prior to powering it on. As of today, this section is only available through the vCloud Director UI interface (or via the vCloud Air APIs). This is the string you need to paste there:

#!/bin/sh
# The guest customization engine runs this script twice, passing the phase as $1.
# Plain "=" is used for the comparison: "==" is a bash extension and fails under /bin/sh on some templates.
if [ x$1 = x"precustomization" ]; then
echo Do Nothing
elif [ x$1 = x"postcustomization" ]; then
# Create root's .ssh directory and write the public key as the only authorized key.
mkdir -p /root/.ssh
echo ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJ8qwtDgeMf/+tUnn3m59v9cobr5fOu98b4M/7xnvn4LsEX+yefl9X9E+ClpFRnaHfAer9zuybvDgVI/SLswAo1a9qZUGdSLVAlLNCZXuRl7ngxoRXH5r3SPqRDtMb1tJ1t6R2MHkP+Br4uCgu5k/VypWMnvNC3PITKO+ga7jzIa0MG/Doh7xHfNr6T1kOmptIkN3LD6i1B305w3yrVmOt8/4I8essSVCQUhbKP/BAz5z0x2Cc8GSNgwuchzjAGet/oxTCMSoAMxRX1DAZ6y4w+7Q1jpSgfD5+xm8mJ2xkTkoJsPYXaR+Ub5/DkSYss/I1Faui7kNCqzg/Y5fbE1oJ mreferre@wsip-70-165-139-4.lv.lv.cox.net > /root/.ssh/authorized_keys
# Restore the SELinux labels so sshd is allowed to read the new file (needed on CentOS).
restorecon -R -v /root/.ssh
fi

The ssh-rsa line is specific to your setup (it is essentially your public key). Double check, when you copy and paste the text between different windows, that the text is still correct. I have seen weird things happen during this process, such as carriage return characters disappearing or quote characters getting mangled.

An alternative (and more elegant) method to embed the public key into the Linux instance is by instantiating it via APIs. This process is fairly similar to what I have described in this blog post to prepare a VM as a Docker host. In this case, instead of running those Docker related commands at customization time, we will run the script above.

As usual this is a two-phase process – we deploy the vApp containing the Linux image and then reconfigure the VM to set the proper name, description, network connectivity as well as the proper guest customization script. Please refer to the blog linked above for the full details and switch the customization portion found there with the script in this post.

I have mapped the private IP of the Linux VM (with computer name SSHKEY) to a public IP address (x.x.x.x) with the proper firewall rules to allow in-bound connections to port 22. This is what an SSH into that VM looks like (as seen from my Internet connected laptop):

[Screenshot (2014-12-05): SSH session from the laptop into the SSHKEY VM]

As you can see I am not prompted with the password for the user root because the authentication happens with the SSH keys.

I have tested this process with both CentOS 6.4 64-bit and 32-bit images in the VMware catalog. I have not done extensive tests, but it appears that the Ubuntu 12.04 64-bit and 32-bit images do not customize properly with the script above. Apparently Ubuntu works best by stripping out the IF statement, the mkdir command (the .ssh directory already exists) and the restorecon command (which is otherwise required for the CentOS template).

Based on the tests I have done this is the script to be used for Ubuntu:

#!/bin/sh
echo ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJ8qwtDgeMf/+tUnn3m59v9cobr5fOu98b4M/7xnvn4LsEX+yefl9X9E+ClpFRnaHfAer9zuybvDgVI/SLswAo1a9qZUGdSLVAlLNCZXuRl7ngxoRXH5r3SPqRDtMb1tJ1t6R2MHkP+Br4uCgu5k/VypWMnvNC3PITKO+ga7jzIa0MG/Doh7xHfNr6T1kOmptIkN3LD6i1B305w3yrVmOt8/4I8essSVCQUhbKP/BAz5z0x2Cc8GSNgwuchzjAGet/oxTCMSoAMxRX1DAZ6y4w+7Q1jpSgfD5+xm8mJ2xkTkoJsPYXaR+Ub5/DkSYss/I1Faui7kNCqzg/Y5fbE1oJ mreferre@wsip-70-165-139-4.lv.lv.cox.net > /root/.ssh/authorized_keys
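The two scripts above can be folded into one, and the copy-and-paste caveat can be turned into a check. The following is an added example, not the post's own script or a VMware-provided one: it validates the pasted key before writing it, sets the permissions sshd expects, appends the key only once, and runs restorecon only where it exists, so the same text works for the CentOS and the Ubuntu templates. The key line is a constructed placeholder to be replaced with your own id_rsa.pub.

```shell
#!/bin/sh
# Added example, not the post's own script: one guest customization script that
# works for both the CentOS and the Ubuntu templates discussed above. vCloud Air
# runs it twice, with $1 set to "precustomization" and then "postcustomization".
# The key below is a CONSTRUCTED placeholder; paste your own id_rsa.pub line here.
PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCplaceholderKEYmaterial0123456789+/EXAMPLE= user@laptop'

# Accepted shape: a known key type, a base64 body, an optional comment, all on one line.
KEY_RE='^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^[:cntrl:]]*)?$'

# Catch a key damaged while pasting (split across lines, stray CR, mangled quotes)
# before it is written, so a broken paste fails loudly instead of locking you out.
valid_pubkey() {
    [ $(( $(printf '%s' "$1" | wc -l) )) -eq 0 ] || return 1   # no embedded newline
    printf '%s\n' "$1" | grep -Eq "$KEY_RE"
}

# $1 = public key line, $2 = home directory of the account that should accept it
install_authorized_key() {
    sshdir="$2/.ssh"
    auth="$sshdir/authorized_keys"
    valid_pubkey "$1" || { echo "refusing malformed public key" >&2; return 1; }
    # sshd (StrictModes) ignores authorized_keys if the directory or file is too open
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$auth" && chmod 600 "$auth"
    # append exactly once instead of overwriting, so re-running customization is safe
    grep -qxF -- "$1" "$auth" || printf '%s\n' "$1" >> "$auth"
    # CentOS needs the SELinux labels restored; Ubuntu has no restorecon, so skip it
    if command -v restorecon >/dev/null 2>&1; then
        restorecon -R "$sshdir" || echo "restorecon failed on $sshdir" >&2
    fi
    return 0
}

# $1 = phase name passed by the guest customization engine
customize() {
    case "$1" in
        precustomization)  : ;;                                  # nothing to do yet
        postcustomization) install_authorized_key "$PUBKEY" /root ;;
        *) echo "unknown customization phase: $1" >&2; return 2 ;;
    esac
}

case "${1-}" in
    precustomization|postcustomization) customize "$1" ;;
esac
```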

One last caveat worth mentioning is that, by default, vCloud Air mandates that all passwords be changed at first login. Since we no longer log in with passwords but with SSH keys, this security measure no longer concerns us. If you want to avoid having the Linux instance require you to change the password at first login, make sure that you clear that checkbox in the guest customization task.

In the vCloud Director UI there is a flag called “Require administrator to change password on first login”. You should unflag it.

In the vCloud Director APIs there is an XML input in the call to reconfigure the VM. You should set it to:

<ResetPasswordRequired>false</ResetPasswordRequired>

For more information about vCloud Air, visit vcloud.vmware.com.