Introduction
Oracle Cloud Infrastructure SSH Keys are one of the most important security components used while accessing OCI compute instances. In real-world OCI implementations, SSH keys help administrators and DevOps teams securely connect to Linux virtual machines without exposing passwords over the network.
In most enterprise OCI projects, organizations disable password-based login completely and rely only on SSH key authentication. This approach improves security, simplifies automation, and supports modern cloud governance practices.
Whether you are managing a single compute instance or a large OCI environment with hundreds of virtual machines, understanding SSH keys in Oracle Cloud Infrastructure is essential for administrators, cloud engineers, DevOps professionals, and architects.
This article explains Oracle Cloud Infrastructure SSH Keys in a practical and implementation-focused manner using OCI 26A aligned concepts and current cloud administration practices.
What are Oracle Cloud Infrastructure SSH Keys?
SSH (Secure Shell) Keys are authentication credentials used to securely access OCI Linux compute instances.
Instead of logging in using a username and password, OCI uses a pair of cryptographic keys:
- Public Key
- Private Key
The public key is uploaded to the OCI compute instance during creation.
The private key remains with the administrator and is used to establish a secure connection.
How SSH Key Authentication Works
- User generates SSH key pair
- Public key is uploaded to OCI
- OCI stores the public key on the Linux VM
- User connects using private key
- Server validates the connection
This authentication model is significantly more secure than password authentication.
Why SSH Keys are Important in OCI
SSH keys are widely used in:
- OCI Compute administration
- DevOps automation
- CI/CD pipelines
- Kubernetes node management
- Terraform deployments
- Secure remote administration
- Bastion host access
In enterprise OCI projects, SSH keys are part of the organization’s cloud security standards.
Key Features of OCI SSH Keys
Secure Authentication
SSH keys eliminate the need for password-based login.
Strong Encryption
OCI supports the industry-standard RSA and ED25519 key types.
Automated Access
SSH keys are ideal for automation tools such as:
- Terraform
- Ansible
- Jenkins
- OCI CLI
Integration with Bastion Service
OCI Bastion Service uses SSH keys for secure private access.
Multi-User Administration
Different administrators can use separate SSH keys for controlled access.
Real-World Implementation Use Cases
Scenario 1 – Production Linux Server Administration
A financial organization hosts Oracle applications on OCI compute instances.
Administrators:
- Disable password login
- Use SSH keys for authentication
- Rotate keys every 90 days
This improves compliance and security.
Scenario 2 – DevOps CI/CD Pipeline
A DevOps team deploys applications automatically to OCI compute instances using Jenkins.
SSH keys allow:
- Secure automation
- Passwordless deployment
- Script-based server access
Scenario 3 – OCI Bastion Access
An organization deploys private compute instances without public IP addresses.
Administrators connect using:
- OCI Bastion Service
- SSH private keys
This prevents direct internet exposure.
Types of SSH Keys Supported in OCI
OCI commonly supports:
| Key Type | Description |
|---|---|
| RSA | Most widely used |
| ED25519 | Modern and faster key type |
| DSA | Not recommended |
| ECDSA | Alternative elliptic curve option |
Most OCI implementations use RSA 2048-bit or ED25519 keys.
OCI SSH Key Architecture
The SSH authentication process in OCI works as follows:
- SSH client initiates connection
- OCI compute instance receives request
- Public key validation occurs
- Secure encrypted session starts
Main Components
| Component | Purpose |
|---|---|
| Public Key | Stored on server |
| Private Key | Stored with user |
| SSH Client | Used to connect |
| OCI Compute Instance | Target VM |
Prerequisites Before Using SSH Keys in OCI
Before configuring SSH access, ensure the following:
OCI Requirements
- OCI account
- Compute instance
- VCN configured
- Security list allowing port 22
Client Machine Requirements
- Terminal access
- OpenSSH installed
- PuTTY (optional, for Windows)
Network Requirements
Port 22 must be enabled in:
- Security Lists
- Network Security Groups
- Operating System firewall
Generating SSH Keys in Linux or macOS
SSH keys can be generated using the terminal.
Step 1 – Open Terminal
Run the following command:
ssh-keygen -t rsa -b 2048
Step 2 – Choose File Location
Example:
/home/oracle/.ssh/id_rsa
Step 3 – Set Passphrase
You can:
- Use passphrase
- Leave blank for automation
Step 4 – SSH Keys Generated
ssh-keygen creates:
| File | Purpose |
|---|---|
| id_rsa | Private key |
| id_rsa.pub | Public key |
Generating SSH Keys in Windows Using PuTTYgen
Windows administrators often use PuTTYgen.
Step 1 – Download PuTTYgen
Install PuTTY package.
Step 2 – Generate Key Pair
- Select RSA
- Choose 2048 bits
- Click Generate
Step 3 – Save Keys
Save:
- Private key (.ppk)
- Public key
Creating OCI Compute Instance with SSH Keys
Step 1 – Navigate to Compute Instances
Navigation:
OCI Console → Compute → Instances
Step 2 – Create Instance
Click:
Create Instance
Step 3 – Configure Basic Details
Enter:
- Instance Name
- Availability Domain
- Image
- Shape
Example:
- Oracle Linux 9
- VM.Standard.E5.Flex
Step 4 – Add SSH Public Key
Under:
Add SSH Keys
Choose:
- Generate key pair automatically
OR
- Upload public key
Paste contents from:
id_rsa.pub
Example:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ...
Step 5 – Configure Networking
Select:
- VCN
- Subnet
- Public IP
Ensure SSH access is enabled.
Step 6 – Create Instance
Click:
Create
OCI provisions the compute instance.
Connecting to OCI Compute Instance Using SSH
Once the instance is active, connect using SSH.
Linux/macOS Connection
Command:
ssh -i id_rsa opc@<public-ip>
Example:
ssh -i id_rsa opc@129.x.x.x
Windows PuTTY Connection
Steps:
- Open PuTTY
- Enter public IP
- Load private key (.ppk)
- Connect
Default OCI Usernames
Different OCI images use different usernames.
| Operating System | Default Username |
|---|---|
| Oracle Linux | opc |
| Ubuntu | ubuntu |
| CentOS | opc |
| Debian | debian |
This is a common interview question in OCI administration.
Adding Additional SSH Keys to Existing OCI Instance
In enterprise environments, multiple administrators may require access.
Step 1 – Connect to Server
Use existing SSH access.
Step 2 – Navigate to Authorized Keys
Command:
cd ~/.ssh
Step 3 – Edit authorized_keys
Open file:
vi authorized_keys
Step 4 – Paste New Public Key
Add new public key entry.
Save the file.
Step 5 – Set Correct Permissions
Commands:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
Testing SSH Connectivity
After configuration, validate the connection.
Test Scenario
Attempt SSH login using private key.
Example:
ssh -i id_rsa opc@129.x.x.x
Expected Result
Successful login without password prompt.
Validation Checks
Verify:
- Correct IP
- Correct username
- Port 22 open
- Private key permissions correct
Common SSH Errors in OCI
Error 1 – Permission Denied (publickey)
Cause:
- Wrong private key
- Incorrect username
- Missing public key
Solution:
- Verify SSH key pair
- Check authorized_keys file
Error 2 – Connection Timed Out
Cause:
- Port 22 blocked
- Security list issue
- Firewall issue
Solution:
- Open TCP port 22
Error 3 – Unprotected Private Key File
Cause:
Private key has open permissions.
Solution:
chmod 600 id_rsa
Error 4 – Host Key Verification Failed
Cause:
Server fingerprint changed.
Solution:
If the change is expected (for example, the instance was re-created on the same IP), remove the old entry:
ssh-keygen -R <IP>
Security Best Practices for OCI SSH Keys
Use Strong Key Length
Recommended:
- RSA 2048 or higher
- ED25519
Disable Password Authentication
Enterprise OCI environments usually disable password login completely.
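A check for the setting described above, as an added example that is not part of the original article: it reports whether password-style login is still effectively enabled in an sshd_config-style file. The function names and the sample configuration are constructed; the example relies on sshd using the first value it reads for a keyword, and on keyboard-interactive authentication needing to be off as well.

```shell
#!/bin/sh
# Added example, not from the original article. Reads ONE sshd_config-style
# file; the sample in demo() is constructed.

# Print the effective global value of a keyword (aliases as 'A|B').
# sshd keeps the FIRST value it reads; a later line never overrides it.
effective_value() {   # usage: effective_value FILE 'Keyword|Alias' DEFAULT
  awk -v key="$2" -v def="$3" '
    NF == 0 || $1 ~ /^#/ { next }            # blank lines and comments
    { sub(/[ \t]*=[ \t]*/, " ") }            # also accept "Keyword=value"
    tolower($1) == "match" { exit }          # Match blocks are conditional
    tolower($1) ~ ("^(" tolower(key) ")$") { print tolower($2); found = 1; exit }
    END { if (!found) print def }
  ' "$1"
}

# Print settings that still allow password-style login; return 1 if any.
password_login_findings() {   # usage: password_login_findings FILE
  plf_rc=0
  # OpenSSH defaults to "yes" for these keywords when they are absent.
  for plf_kw in PasswordAuthentication \
      'KbdInteractiveAuthentication|ChallengeResponseAuthentication'; do
    plf_v=$(effective_value "$1" "$plf_kw" yes)
    [ "$plf_v" = no ] || { echo "FAIL ${plf_kw%%|*}=$plf_v"; plf_rc=1; }
  done
  [ "$(effective_value "$1" PubkeyAuthentication yes)" = yes ] ||
    { echo "FAIL PubkeyAuthentication is off"; plf_rc=1; }
  return "$plf_rc"
}

demo() {   # constructed sample: the "no" on line 3 comes too late
  demo_f=$(mktemp)
  printf '%s\n' 'PasswordAuthentication yes' '# hardening' \
    'PasswordAuthentication no' 'KbdInteractiveAuthentication no' > "$demo_f"
  if password_login_findings "$demo_f"; then demo_rc=0; else demo_rc=1; fi
  rm -f "$demo_f"
  return "$demo_rc"
}

case ${1:-} in demo) demo ;; esac   # run the sample with: sh thisfile demo
```

On the instance itself, `sshd -T` prints the effective configuration including any included drop-in files, which this single-file check does not follow.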
Rotate SSH Keys Regularly
Many organizations rotate keys every:
- 60 days
- 90 days
Use OCI Bastion Service
Avoid exposing public IP addresses.
Restrict SSH Access
Allow SSH only from:
- Corporate VPN
- Approved IPs
- Bastion hosts
Protect Private Keys
Never:
- Share private keys
- Store in Git repositories
- Send over email
SSH Keys in OCI DevOps and Automation
SSH keys are heavily used in OCI automation.
Terraform
Terraform provisions compute instances using SSH keys.
Example use cases:
- Infrastructure automation
- Auto-scaling deployments
Ansible
Ansible connects to OCI compute instances using SSH.
Used for:
- Configuration management
- Patching
- Software deployment
OCI CLI
OCI CLI authentication also supports key-based security.
SSH Keys and OCI Bastion Service
OCI Bastion Service provides secure access to private compute instances.
Benefits:
- No public IP required
- Centralized access control
- Temporary sessions
- Improved security posture
Most enterprise OCI projects now prefer Bastion over direct public SSH access.
OCI SSH Key Management Strategy
Large organizations usually follow centralized SSH governance.
Typical Enterprise Approach
| Area | Practice |
|---|---|
| Key Rotation | Automated |
| Key Storage | Secure vault |
| Access Monitoring | SIEM integration |
| Access Control | IAM policies |
| Emergency Access | Temporary SSH keys |
Frequently Asked Interview Questions
1. What are SSH keys in OCI?
SSH keys are cryptographic authentication keys used to securely access OCI compute instances without passwords.
2. What is the difference between public and private keys?
The public key is stored on the server while the private key remains with the user.
3. Which port is used for SSH access?
Port 22.
4. What is the default user for Oracle Linux in OCI?
The default user is:
opc
5. Why is SSH key authentication preferred?
It is more secure than password-based authentication.
6. Can SSH keys be rotated?
Yes. Enterprise environments regularly rotate keys.
7. What causes “Permission denied (publickey)”?
Usually:
- Wrong username
- Wrong private key
- Missing public key
8. What OCI service improves SSH security?
OCI Bastion Service.
9. What happens if private key permissions are open?
SSH refuses authentication for security reasons.
10. Can multiple SSH keys exist on one server?
Yes. Multiple public keys can be added to authorized_keys.
Common Implementation Challenges
Managing Hundreds of SSH Keys
Large organizations struggle with:
- Key ownership
- Rotation tracking
- Access revocation
Solution:
- Centralized key management
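One way to start tracking key ownership and revocation, as an added example that is not from the original article: a read-only audit of an authorized_keys file that flags DSA keys, the same key authorised twice, and entries with no owner comment. The function names and the sample entries are constructed.

```shell
#!/bin/sh
# Added example, not from the original article. Read-only audit of one
# authorized_keys file; prints one finding per line, returns 1 if any.
audit_authorized_keys() {   # usage: audit_authorized_keys FILE
  awk '
    NF == 0 || $1 ~ /^#/ { next }
    {
      # Options such as from="..." may precede the key type, so search for it.
      # Limitation: a quoted option value containing a bare key-type word
      # would be mistaken for the type.
      t = 0
      for (i = 1; i <= NF && !t; i++)
        if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))$/) t = i
      if (!t || t == NF) { print "line " NR ": MALFORMED"; bad = 1; next }
      blob = $(t + 1)
      if ($t == "ssh-dss") { print "line " NR ": WEAK-TYPE ssh-dss"; bad = 1 }
      if (blob in seen) {
        print "line " NR ": DUPLICATE of line " seen[blob]; bad = 1
      } else seen[blob] = NR
      if (t + 1 == NF) { print "line " NR ": NO-OWNER-COMMENT"; bad = 1 }
    }
    END { exit bad + 0 }
  ' "$1"
}

demo_audit() {   # constructed entries; the key blobs are not real keys
  da_f=$(mktemp)
  cat > "$da_f" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedAlice alice@example.com
from="10.0.0.0/8" ssh-rsa AAAAB3NzaC1yc2EAAAconstructedCi ci-jenkins
ssh-dss AAAAB3NzaC1kc3MAAAconstructedOld bob@example.com
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedAlice alice-laptop
ssh-rsa AAAAB3NzaC1yc2EAAAconstructedShared
EOF
  if audit_authorized_keys "$da_f"; then da_rc=0; else da_rc=1; fi
  rm -f "$da_f"
  return "$da_rc"
}

case ${1:-} in demo) demo_audit ;; esac   # run the sample with: sh thisfile demo
```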
Public IP Security Risks
Direct public SSH access increases attack surface.
Solution:
- Use Bastion Service
- Restrict IP ranges
Lost Private Keys
If the private key is lost:
- Access may be unavailable
- Recovery becomes difficult
Solution:
- Backup securely
Expert Consultant Tips
Use Bastion Architecture
Avoid public IPs for production servers.
Use Separate Keys Per Administrator
Do not share generic keys.
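The manual steps under "Adding Additional SSH Keys to Existing OCI Instance" (edit authorized_keys, then fix permissions) as one idempotent function that gives each administrator a separate, labelled entry. This is an added example, not code from the original article; `add_admin_key`, its arguments and the sample key are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article. add_admin_key is a
# hypothetical helper; SSH_DIR defaults to ~/.ssh of the current user.
add_admin_key() {   # usage: add_admin_key 'TYPE BASE64 owner' [SSH_DIR]
  aak_dir=${2:-$HOME/.ssh}
  aak_file=$aak_dir/authorized_keys
  # Only the first line is read, so embedded newlines cannot add extra entries.
  read -r aak_type aak_blob aak_owner <<EOF
$1
EOF
  # The type must come first: this refuses option prefixes such as command=.
  case $aak_type in
    ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
    *) echo "rejected: key type '$aak_type' not accepted" >&2; return 2 ;;
  esac
  case $aak_blob in
    ''|*[!A-Za-z0-9+/=]*) echo "rejected: key data is not base64" >&2; return 2 ;;
  esac
  [ -n "$aak_owner" ] || { echo "rejected: no owner comment" >&2; return 2; }

  # Same permissions as the chmod step, applied before the file is written.
  ( umask 077; mkdir -p "$aak_dir" && touch "$aak_file" ) || return 1
  chmod 700 "$aak_dir" && chmod 600 "$aak_file" || return 1

  # Idempotent: the base64 blob identifies the key, whatever its comment says.
  if awk -v b="$aak_blob" '{ for (i = 1; i <= NF; i++) if ($i == b) f = 1 }
                           END { exit !f }' "$aak_file"; then
    echo unchanged; return 0
  fi
  # Do not glue the new entry onto a last line that lacks a newline.
  if [ -n "$(tail -c 1 "$aak_file")" ]; then echo >> "$aak_file"; fi
  printf '%s %s %s\n' "$aak_type" "$aak_blob" "$aak_owner" >> "$aak_file"
  echo added
}

demo_add() {   # constructed key, written to a throw-away directory
  dd_dir=$(mktemp -d)/.ssh
  dd_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedAlice alice@example.com'
  add_admin_key "$dd_key" "$dd_dir"   # first call appends the entry
  add_admin_key "$dd_key" "$dd_dir"   # second call finds it and changes nothing
}

case ${1:-} in demo) demo_add ;; esac   # run the sample with: sh thisfile demo
```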
Automate Key Rotation
Use automation wherever possible.
Monitor SSH Access
Integrate logs with:
- OCI Logging
- SIEM platforms
Implement Least Privilege Access
Only authorized administrators should receive SSH access.
Summary
Oracle Cloud Infrastructure SSH Keys are a foundational security mechanism used for secure Linux compute access in OCI environments. They provide encrypted authentication, reduce security risks, support automation, and align with enterprise cloud governance standards.
In real OCI implementations, SSH keys are used across:
- Compute administration
- DevOps automation
- Kubernetes management
- OCI Bastion connectivity
- Infrastructure-as-Code deployments
Understanding SSH key generation, configuration, troubleshooting, and best practices is essential for anyone working with Oracle Cloud Infrastructure.
For additional reference, Oracle documentation can be reviewed here:
Oracle Cloud Infrastructure Documentation
FAQ
FAQ 1 – Can OCI compute instances use password login instead of SSH keys?
Yes, but enterprise environments strongly prefer SSH key authentication because it is more secure.
FAQ 2 – Which SSH key type is best for OCI?
RSA 2048-bit and ED25519 are commonly recommended.
FAQ 3 – How can private OCI instances be accessed securely?
OCI Bastion Service is the preferred approach for accessing private compute instances securely.