Excerpt |
---|
SSH keys allow for a secure method of logging into a server without the need to type a password each time a connection is established. |
...
Column | |||||||||
---|---|---|---|---|---|---|---|---|---|
|
Introduction
The process involves creating a key pair on the client machine, consisting of a public key and a private key. These keys take the form of long character strings saved in files. The public key is placed on the remote host the user wishes to access, such as the login node of a supercomputer. When the user wants to log in, the SSH client on the local user machine presents the private key to the remote server. If the public and secret keys match, access is granted. The main benefit is avoiding the need to type a password each time the user wants to establish a connection.
Generating SSH key pairs using ssh-keygen
The theory behind public-key cryptography is complicated, as is the algorithm used to generate a key pair. Luckily, the ssh-keygen
command implements it and it is easy to use. This section shows how to generate a SSH key pair.
Linux/macOS
On a local Linux or macOS machine, open a terminal and execute the following command:
$ ssh-keygen -t ecdsa -b 521 -f ~/.ssh/pawsey_ecdsa_key
Windows
On a Windows machine, type powershell
in the search tool to open a PowerShell command-line shell. Once in the PowerShell window, execute the following command:
...
Note | ||
---|---|---|
| ||
Pawsey strongly recommends users protecting their private keys with a passphrase. Otherwise, should someone gain access to the private key, he or she could log in to systems impersonating the legitimate owner of the key. The passphrase is only used to unlock the private key, and it is never transmitted. Also, there are programs, called SSH agents, that can securely manage SSH keys and passphrases, eliminating the requirement of entering a passphrase each time a user logs into a system (see below for more details). |
Once a user entered a passphrase, a confirmation is displayed. It is similar to the one shown in terminal 2.
Column | |||||||||
---|---|---|---|---|---|---|---|---|---|
| |||||||||
|
...
After generating the keys and specifying a passphrase, you need to add them to the SSH agent, ssh-agent
.
Adding the private key to the SSH agent
ssh-agent
is a program that manages SSH private keys, particularly those protected by a passphrase. Once a user let ssh-agent
manage a passphrase-protected private key, he or she will not have to type the passphrase when ssh
or scp
access it to log into a remote host.
Linux
First, start the ssh-agent
daemon to run in the background on your local machine. From the terminal, enter the following command.
...
$ ssh-add ~/.ssh/pawsey_ecdsa_key
macOS
First, start the ssh-agent
to run in the background. From Terminal, enter the following command.
...
$ ssh-add -K ~/.ssh/pawsey_ecdsa_key
Windows
For Windows PowerShell, to add your key to the ssh-agent
, ensure the OpenSSH Authentication Agent status is running:
...
Column | |||||||||
---|---|---|---|---|---|---|---|---|---|
| |||||||||
|
Copy your public key to the server
Once the key pair has been generated, the user has to copy the public key to a precise location on the remote server to be accessed.
Linux/macOS
For Linux and macOS, there are two methods.
Method 1
On the user's local machine, execute the command
...
Where <username> is the user's Pawsey username and <remotehost> is the hostname of the remote host to be accessed.
If the command establishes the correct connection to the host, then it will ask for your password to accept and finalise the copy.
Method 2
We will use a combination of SSH and the Linux cat
command to paste the key contents to the server. You can use the following command.
...
- Prints the output of the local public key
~/.ssh/pawsey_ecdsa_key.pub
- Redirects the output to the remote host.
- Creates a hidden directory in your home directory (
~/.ssh
) on the remote host if not already existing - Pastes the contents of the public key into the file
~/.ssh/authorized_keys
, located on the Setonix login node
Windows
Within the PowerShell terminal, the user executes the following command to copy the public key contents to the server's authorized_keys
file.
...
Column | ||
---|---|---|
|
Final remarks
All the methods indicated above will register the public key into the file /home/<user>/.ssh/authorized_key
s, located on the Setonix login node.
...
Column | |||||||||
---|---|---|---|---|---|---|---|---|---|
| |||||||||
|
Related pages
...