Adding SSH keys via the API

Problem: I need to add a SSH key to a server for a certain account.

Via the API, Halo can create or modify a server account, and update its set of SSH keys by providing the key array in the request body of a POST or PUT call. CloudPassage provides a collection of REST APIs which accept and return JSON-formatted data.

** NOTE ** Halo API has changed since this blog post was written – please see Halo API Developer Guide and Using the Halo API for details

We’ll be utilizing the REST Console Chrome extension to perform the web calls. (REST Console is an HTTP Request Visualizer and Constructor tool that helps developers build, debug and test RESTful APIs.) And for reference we’ll be looking at the CloudPassage API guide located here.

Step 1

Gather the API calls needed to perform a SSH key update.

Looking in the API guide, we’ll find a section dealing just with “Server Accounts”. Down a little ways under “Server Accounts” there is the section “Update SSH keys for server account”

Note the format for the PUT call:


Note the format for the GET call:


Looking at both calls we’ll see they both require 2 variables; {server_id}, and {username}. Most likely we’ll know the username we wish to add a key to, however what is server_id? Server_id is a unique ID that Halo assigned to each of our servers. We’ll be using the GET call to pull the current account information and we’ll be using the PUT call to update the desired account. The PUT call will require data to be passed in the request body.

Note the format for the request body:

 { "account" : { "ssh_authorized_keys" : [{ "key" : "ssh-dsa AAAAe06448012e21a713e06448012ksadk1ks2229askd913e06448012e21a713-current-key" },{ "key" : "ssh-dsa AAAAe06448012egfjhdgyw3433333rfsfsfs480sk2kdk2llk2209ss2e21a713-new-key" }] } }

Now this type of call will erase any existing keys that might be contained in “authorized_keys”. So make sure to *include* any keys already in there with your PUT call. Here you can see we are adding the current key and the new key with the PUT call. If you wanted to replace the current key with a new key, then you would just include the new key.

Step 2

Let’s grab the server_id value for the server we wish to add SSH keys. We’ll perform a GET call that will return a list of our active servers and their corresponding server_id values.

Query the server with: “GET”

Should return:

 "servers": [{ "id": "ffac359ce7536515a44204628ca8cec3", "url": "", "hostname": "ip-10-xx-xx-xx", "connecting_ip_address": "", "state": "active", "interfaces": [{ "name": "eth0", "ip_address": "" }] }] }

We see the server “id” is listed on line 2. We’ll need to use that “id” in the following steps to push the ssh keys.

Step 3

Let’s setup our REST Console so we can perform the needed calls. Firstly, in the “Target” section we’ll add the URL GET call with the server_id “ffac359ce7536515a44204628ca8cec3” and username “Bob”. “”

See below.

Secondly in the “Body” section, we’ll define the Content-Type as “appication/json” and add the API key under Request Parameters as “x-cpauth-access”. The API key is required and authenticates you to CloudPassages servers for your specific account. See below.

Perform the GET and return the account information for username “Bob”.

Pressing “GET” on our REST Console and a API call is performed with the current set variables. As you see in our “Response” section, the account information for “Bob” is returned. Note; you can force “Syntax Highlighting” to “JSON” if the REST Console doesn’t detect it. Also note; the “authorized_ssh_keys” has a value of “null”. No SSH key has been set for this account. See Below.

Step 4

Let’s add a “Request Payload” to the “Body” section of our Rest Console so we can add SSH keys to the “Bob” account.

Our “Target” will remain the same, however we’ll be adding to the “Request Payload”.

 Target= Request Payload= { "account" : { "ssh_authorized_keys" : [{ "key" : "ssh-dsa AAAAe06448012e21a713e06448012e21a713e06448012e21a713e06448012e21a713===" },{ "key" : "ssh-dsa AAAAe06448012egfjhdgyw3433333rfsfsfs48012e21a713e06448012e21a713===" }] } } 

Here we’re going to add two keys to the account “Bob”. See below.

Step 5

Perform the “PUT” and add the SSH keys to account “Bob”.

Pressing the “PUT” button on our REST Console will send the API request to the CloudPassage servers adding the SSH keys we’ve define in the “Request Payload”. See Below.

The “Response” section of our REST Console shows the status of the “PUT” call we just performed. We can see the SSH keys have been added to the queue, and the current status is “queued”. Queued means the next time the daemon running on that server checks into the CloudPassage compute grid, it will receive a command to add the SSH keys to the “Bob” account. Because the daemon check-in time is set to 1 minute, the keys will be on the server in less than a minute.

Step 6

Validate the keys have been added to account “Bob”.

Let’s go ahead and log into the server and see if indeed the SSH keys have been added to the account “Bob”.  See below.

Looking in /home/bob/.ssh, we see the “authorized_keys” file does indeed contain the keys we just added via the API call.

So that’s it. We’ve queried the CloudPassage API for the server_id, used our API key to authenticate ourselves, and pushed a new key to the selected server and specific account. All of this over the REST Console plug-in for Chrome. This all could just have easily been done writing a perl or python, or “pick your programming poison”, script.

Stay up to date

Get the latest news and tips on protecting critical business assets.

Related Posts