Skip to end of metadata
Go to start of metadata

Using Key Pairs for Authentication

For SSH access to your Xandr instances, we use public-key cryptography instead of a root password.  Public-key cryptography requires a public-private key pair.  The public key can be sent over insecure channels, such as email, and the private key must be kept confidential.

Here are the most basic steps for key pair authentication in the Xandr system:

1. You generate a key pair.  (See instructions below.)  We strongly recommend the key pair be passphrase-protected.
2. You send your public key to Xandr via the Customer Questionnaire.
3. Xandr adds your key to your management instance and to the Xandr database.  Now you can SSH to the management instance using your private key.
4. Whenever you launch an Xandr instance, your public key is automatically placed in a config file (/root/.ssh/authorized_keys) on that instance, allowing you to log in to the instance with your private key.

Generating a Key Pair

If you're on a Mac or Linux OS, you can generate a key pair via the ssh-keygen command.  You will be prompted with instructions on how to create a file with the public and private key pairs, leave the name blank and just press enter, then you would have the chance to setup an optional passphrase. The public key will be saved in <filename>.pub. On Windows you can download a tool such as PuTTYgen.  More detailed instructions for PuTTY generation can be found here or elsewhere on the web.  We recommend that your key consist of at least 1024 bits for full security.

Changing Your Public Key

You can change your public key through the Xandr's cloud portal. If you do not see this option, you may not have admin access. Contact Xandr support for details.

Adding More Keys to an Instance

The API will place only one public key in the config file automatically. To add more keys to an already-launched instance, you must log in to the instance, open the file /root/.ssh/authorized_keys in your favorite editor, and add the other keys one per line. To add more keys during instance launch, see the --authorized keys option below.

--authorized-keys option

Instead of manually adding extra keys, you can use the "--authorized-keys" (-k) option of the "manage-instance launch" command.  This option will put a file to /root/.ssh/authorized_keys on the instance. 

  • We recommend that in general you maintain a base "authorized_keys" file, which has the public keys from any of your company's users and upload that file into each new instance.
  • You can include as many keys as you like inside the file.  Just make sure each key occupies a separate line.  There should be no spaces between lines.
  • Note that the authorized-key option's argument is the path to the public key file on your local computer; the size of the key file is limited to 1MB.


manage-instance launch --name=first_instance --server-id NYM1:39 . . . --authorized-keys /etc/ssh/authorized_key

Another example of a path:

... --authorized-keys /root/authorized_key_file


The key file you upload with the "-k" parameter will replace the contents of /root/.ssh/authorized_keys file entirely.  To be able to log in with your original key that you used to set up your account, you will need to include it in the uploaded key file.

As always, please create a ticket at or contact us at if you have any questions or concerns.

  • No labels