starred/the-bastion
1
0
Fork 0
mirror of https://github.com/ovh/the-bastion.git synced 2026-05-09 08:25:27 +02:00
Code Issues 46 Projects Packages Wiki Activity

[GH-ISSUE #574] If I already have my own ssh keypair, how do I use them instead of automatically generated keypair? #150

New issue
Open
opened 2026-05-07 00:19:25 +02:00 by BreizhHardware · 1 comment
BreizhHardware commented 2026-05-07 00:19:25 +02:00
Owner
Copy link

Originally created by @gobiursus on GitHub (Aug 25, 2025).
Original GitHub issue: https://github.com/ovh/the-bastion/issues/574

Hi,
Before I even heard of the-bastion, I was already using a SSH keypair. How do I use my existing SSH keypair instead of using the automatically generated SSH keys?
Thank you

Originally created by @gobiursus on GitHub (Aug 25, 2025). Original GitHub issue: https://github.com/ovh/the-bastion/issues/574 Hi, Before I even heard of the-bastion, I was already using a SSH keypair. How do I use my existing SSH keypair instead of using the automatically generated SSH keys? Thank you
BreizhHardware commented 2026-05-07 00:19:26 +02:00
Author
Owner
Copy link

@speed47 commented on GitHub (Sep 10, 2025):

This is not officially supported, because the idea is that if/whether a private key leaves the bastion, they should be considered as compromised. In other words, if importing preexisting private keys was possible, if later they are found out to be compromised, there would be no way to know whether this was before they were imported on the bastion, or due to a bug/vulnerability in it.

Now, if you still want to do it, it's possible, as long as you are okay with manually pushing them on the bastion server. The easiest way to do it is to simply replace a preexisting private/public keypair by the keypair you'd like to import.

There are 2 cases: importing egress keys for a group, or importing keys for a personal account.

For a group, keys are located there:

/home/keykeeper/keyGROUPNAME/id_ALGO_groupname.TIMESTAMP
/home/keykeeper/keyGROUPNAME/id_ALGO_groupname.TIMESTAMP.pub

So, for a group named "example", having an ed25519 keypair, this would be:

/home/keykeeper/keyexample/id_ed25519_example.1724152995
/home/keykeeper/keyexample/id_ed25519_example.1724152995.pub

If you replace the contents of these files with your own preexisting keypair, this will work. take care not to change the ownerships of the files, though.

For an account, keys are located there:

/home/ACCOUNT/.ssh/id_ALGO_private.TIMESTAMP
/home/ACCOUNT/.ssh/id_ALGO_private.TIMESTAMP.pub

You may also replace the contents of these files.

To check that the changes you made are valid, you can use groupInfo and accountListEgressKeys.

<!-- gh-comment-id:3274699288 --> @speed47 commented on GitHub (Sep 10, 2025): This is not officially supported, because the idea is that if/whether a private key leaves the bastion, they should be considered as compromised. In other words, if importing preexisting private keys was possible, if later they are found out to be compromised, there would be no way to know whether this was before they were imported on the bastion, or due to a bug/vulnerability in it. Now, if you still want to do it, it's possible, as long as you are okay with manually pushing them on the bastion server. The easiest way to do it is to simply replace a preexisting private/public keypair by the keypair you'd like to import. There are 2 cases: importing egress keys for a group, or importing keys for a personal account. For a group, keys are located there: ``` /home/keykeeper/keyGROUPNAME/id_ALGO_groupname.TIMESTAMP /home/keykeeper/keyGROUPNAME/id_ALGO_groupname.TIMESTAMP.pub ``` So, for a group named "example", having an ed25519 keypair, this would be: ``` /home/keykeeper/keyexample/id_ed25519_example.1724152995 /home/keykeeper/keyexample/id_ed25519_example.1724152995.pub ``` If you replace the contents of these files with your own preexisting keypair, this will work. take care not to change the ownerships of the files, though. For an account, keys are located there: ``` /home/ACCOUNT/.ssh/id_ALGO_private.TIMESTAMP /home/ACCOUNT/.ssh/id_ALGO_private.TIMESTAMP.pub ``` You may also replace the contents of these files. To check that the changes you made are valid, you can use `groupInfo` and `accountListEgressKeys`.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
expifix
groupcreate_fix_uid
fix_group_gid_fast
gh-pages
clush
expiration
jsonvalidator
v3.23.01
v3.23.00
v3.22.00
v3.21.00
v3.20.00
v3.19.01
v3.19.00
v3.18.99-rc1
v3.18.00
v3.17.01
v3.17.00
v3.16.99-rc3
v3.16.99-rc2
v3.16.99-rc1
v3.16.01
v3.16.00
v3.15.00
v3.14.16
v3.14.15
v3.14.00
v3.13.01
v3.13.00
v3.12.00
v3.11.02
v3.11.01
v3.11.00
v3.10.00
v3.09.02
v3.09.00-really
v3.09.00
v3.09.00-rc3
v3.09.00-rc2
v3.09.00-rc1
v3.08.01
v3.08.00
v3.07.00
v3.06.00
v3.05.01
v3.05.00
v3.04.00
v3.03.99-rc2
v3.03.99-rc1
v3.03.01
v3.03.00
v3.02.00
v3.01.99-rc4
v3.01.99-rc3
v3.01.99-rc2
v3.01.99-rc1
v3.01.03
v3.01.02
v3.01.01
v3.01.00
v3.00.02
v3.00.01
v3.00.00
Labels
Clear labels   
answered

   
bug

   
documentation

   
enhancement

   
enhancement

   
feature

   
feature

   
kept-open-for-info

   
pull-request
Mirrored from GitHub Pull Request

  
question
No labels
answered
bug
documentation
enhancement
enhancement
feature
feature
kept-open-for-info
pull-request
question
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/the-bastion#150
No description provided.