Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Excerpt

SSH keys allow for a secure method of logging into a server without the need to type a password each time a connection is established.

...

Column


Panel
titleOn this page:

Table of Contents
maxLevel2


Introduction

The process involves creating a key pair on the client machine, consisting of a public key and a private key. These keys take the form of long character strings saved in files. The public key is placed on the remote host the user wishes to access, such as the login node of a supercomputer. When the user wants to log in, the SSH client on the local user machine presents the private key to the remote server. If the public and secret keys match, access is granted. The main benefit is avoiding the need to type a password each time the user wants to establish a connection.

Generating SSH key pairs using ssh-keygen

The theory behind public-key cryptography is complicated, as is the algorithm used to generate a key pair. Luckily, the ssh-keygen command implements it and it is easy to use. This section shows how to generate a SSH key pair.

Linux/macOS

On a local Linux or macOS machine, open a terminal and execute the following command:

$ ssh-keygen -t ecdsa -b 521 -f ~/.ssh/pawsey_ecdsa_key

Windows

On a Windows machine, type powershell in the search tool to open a PowerShell command-line shell. Once in the PowerShell window, execute the following command:

...

Note
titlePawsey strongly recommends users protecting their private keys with a passphrase.

Pawsey strongly recommends users protecting their private keys with a passphrase. Otherwise, should someone gain access to the private key, he or she could log in to systems impersonating the legitimate owner of the key. The passphrase is only used to unlock the private key, and it is never transmitted. Also, there are programs, called SSH agents, that can securely manage SSH keys and passphrases, eliminating the requirement of entering a passphrase each time a user logs into a system (see below for more details).

Once a user entered a passphrase, a confirmation is displayed. It is similar to the one shown in terminal 2.

Column
width900px


Code Block
languagebash
themeDJango
titleTerminal 2. Output from a successfully generated key pair
Your identification has been saved in /home/<user>/.ssh/pawsey_ecdsa_key.
Your public key has been saved in /home/<user>/.ssh/pawsey_ecdsa_key.pub.
The key fingerprint is:
SHA256:K8R/F6+nBeDNpRskOfl/FnwpTPiWI3WBPpbeHTMU8uk dip008@apple-kf
The key's randomart image is:
+---[ECDSA 521]---+
|             ..o.|
|           o..o.o|
|          *.oo++ |
|     .   . O=B=+.|
|      o S ..@BoE*|
|     . . .  oOo.+|
|      . o . o + o|
|       . . . o.o |
|            oo   |
+----[SHA256]-----+


...

After generating the keys and specifying a passphrase, you need to add them to the SSH agent, ssh-agent.

Adding the private key to the SSH agent

ssh-agent is a program that manages SSH private keys, particularly those protected by a passphrase. Once a user let ssh-agent manage a passphrase-protected private key, he or she will not have to type the passphrase when ssh or scp access it to log into a remote host.

Linux

First, start the ssh-agent daemon to run in the background on your local machine. From the terminal, enter the following command.

...

$ ssh-add ~/.ssh/pawsey_ecdsa_key

macOS

First, start the ssh-agent to run in the background. From Terminal, enter the following command.

...

$ ssh-add -K ~/.ssh/pawsey_ecdsa_key

Windows

For Windows PowerShell, to add your key to the ssh-agent, ensure the OpenSSH Authentication Agent status is running:

...

Column
width900


Code Block
languagebash
themeDJango
titleTerminal 6. Add the private key to ssh-agent
$ ssh-add $env:USERPROFILE\.ssh\pawsey_ecdsa_key
Enter passphrase for C:\Users\[username]\.ssh\pawsey_ecdsa_key:
Identity added: C:\Users\[username]\.ssh\pawsey_ecdsa_key (C:\Users\[username]\.ssh\pawsey_ecdsa_key)


Copy your public key to the server

Once the key pair has been generated, the user has to copy the public key to a precise location on the remote server to be accessed. 

Linux/macOS

For Linux and macOS, there are two methods.

Method 1

On the user's local machine, execute the command

...

Where <username> is the user's Pawsey username and <remotehost> is the hostname of the remote host to be accessed.
If the command establishes the correct connection to the host, then it will ask for your password to accept and finalise the copy.

Method 2

We will use a combination of SSH and the Linux cat command to paste the key contents to the server. You can use the following command.

...

  • Prints the output of the local public key ~/.ssh/pawsey_ecdsa_key.pub
  • Redirects the output to the remote host.
  • Creates a hidden directory in your home directory (~/.ssh) on the remote host if not already existing
  • Pastes the contents of the public key into the file ~/.ssh/authorized_keys, located on the Setonix login node

Windows

Within the PowerShell terminal, the user executes the following command to copy the public key contents to the server's authorized_keys file.

...

Column


Note

Currently, the Windows implementation of the OpenSSH client does not have the ssh-copy-id command available.


Final remarks

All the methods indicated above will register the public key into the file /home/<user>/.ssh/authorized_keys, located on the Setonix login node.

...

Column
width900px


Code Block
languagebash
themeDJango
titleTerminal 7. Listing of the newly generated key pair files on Linux or macOS
$ ssh username@setonix.pawsey.org.au
Last login: Mon Jan 10 11:07:13 2022 from 130.116.145.55
##############################################################################
#                    Pawsey Supercomputing Centre                            #
#        Empowering cutting-edge research for Australia's future             #
#                                                                            #
#     This service is for authorised clients only.                           #
#     It is a criminal offence to:                                           #
#          - Obtain access to data without permission                        #
#          - Damage, delete, alter or insert data without permission         #
#                                                                            #
##############################################################################
.
.
.
===============================================================================
 By using Pawsey facilities you agree to the Conditions of use available at
 https://support.pawsey.org.au/documentation/display/US/Conditions+of+Use
 
===============================================================================
username@setonix-1:~> hostname
setonix-1


Related pages

...