Versions Compared

Version Old Version 3 New Version Current
Changes made by

Alexis Espinosa

Alexis Espinosa

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Excerpt

SSH keys allow for a secure method of logging into a server without the need to type a password each time a connection is established.

...

On a local Linux or macOS machine, open a terminal and execute the following command:

$ ssh-keygen -t ecdsa ed25519 -b 521 -f ~/.ssh/pawsey_ecdsaed25519_key

Windows

On a Windows machine, type powershell in the search tool to open a PowerShell command-line shell. Once in the PowerShell window, execute the following command:

$ ssh-keygen -t ecdsa -b 521 ed25519 -f $env:USERPROFILE/.ssh/pawsey_ecdsaed25519_key

These methods of executing the ssh-keygen command will generate a new SSH key pair named pawsey_ecdsaed25519_key in your ~/.ssh or $env:USERPROFILE directory.

...

Column
width900px


Code Block
languagebash
themeDJango
titleTerminal 1. A passphrase is recommended to be entered
Generating public/private ecdsaed25519 key pair.
Enter passphrase (empty for no passphrase): [Type a passphrase]
Enter same passphrase again: [Type the passphrase again]



...

Note
titlePawsey strongly recommends users protecting their private keys with a passphrase.

Pawsey strongly recommends users protecting their private keys with a passphrase. Otherwise, should someone gain access to the private key, he or she could log in to systems impersonating the legitimate owner of the key. The passphrase is only used to unlock the private key, and it is never transmitted. Also, there are programs, called SSH agents, that can securely manage SSH keys and passphrases, eliminating the requirement of entering a passphrase each time a user logs into a system (see below for more details).

Once a user entered a passphrase, a confirmation is displayed. It is similar to the one shown in terminal 2.

Column
width900px


Code Block
languagebash
themeDJango
titleTerminal 2. Output from a successfully generated key pair
Your identification has been saved in /home/<user>/.ssh/pawsey_ecdsaed25519_key.
Your public key has been saved in /home/<user>/.ssh/pawsey_ecdsaed25519_key.pub.
The key fingerprint is:
SHA256:K8R/F6+nBeDNpRskOfl/FnwpTPiWI3WBPpbeHTMU8uk dip008@apple-kf
The key's randomart image is:
+---[ECDSAED25519 521256]---+
|             ..o.|
|           o..o.o|
|          *.oo++ |
|     .   . O=B=+.|
|      o S ..@BoE*|
|     . . .  oOo.+|
|      . o . o + o|
|       . . . o.o |
|            oo   |
+----[SHA256]-----+


The user now has a public key, the pawsey_ecdsaed25519_key.pub file, and a private key, the pawsey_ecdsaed25519_key  file. Terminal 3 shows how to list the generated files on Linux; terminal 4 does the equivalent on Windows.

Column
width900px


Code Block
languagebash
themeDJango
titleTerminal 3. Listing of the newly generated key pair files on Linux or macOS
$ ls ~/.ssh
pawsey_ecdsaed25519_key
pawsey_ecdsaed25519_key.pub


Code Block
languagebash
themeDJango
titleTerminal 4. Listing of the newly generated key pair files on Windows
$ dir $env:USERPROFILE\.ssh

	Directory: C:\Users\[username]\.ssh

Mode			  LastWriteTime			Length Name
----              -------------			------ ----
-a----		15/04/2021	9:40 AM			  1766 pawsey_ecdsaed25519_key
-a----		15/04/2021	9:40 AM			   402 pawsey_ecdsaed25519_key.pub


After generating the keys and specifying a passphrase, you need to add them to the SSH agent, ssh-agent.

...

In most flavours of Linux, add the key to the agent by using the ssh-add command:

$ ssh-add ~/.ssh/pawsey_ecdsaed25519_key

macOS

First, start the ssh-agent to run in the background. From Terminal, enter the following command.

...

Column
width900px


Code Block
languagebash
themeEmacs
titleListing 1. Store passphrases in the Keychain.
linenumberstrue
Host *
 AddKeysToAgent yes
 UseKeychain yes
 IdentityFile ~/.ssh/pawsey_ecdsaed25519_key


Finally, add the key to the SSH agent by using the additional option -K-apple-use-keychain. (The -K This additional option is specific to the macOS version of ssh-add.)

$ ssh-add --apple-use-K keychain ~/.ssh/pawsey_ecdsaed25519_key

Windows

For Windows PowerShell, to add your key to the ssh-agent, ensure the OpenSSH Authentication Agent status is running:

...

Column
width900


Code Block
languagebash
themeDJango
titleTerminal 6. Add the private key to ssh-agent
$ ssh-add $env:USERPROFILE\.ssh\pawsey_ecdsaed25519_key
Enter passphrase for C:\Users\[username]\.ssh\pawsey_ecdsaed25519_key:
Identity added: C:\Users\[username]\.ssh\pawsey_ecdsaed25519_key (C:\Users\[username]\.ssh\pawsey_ecdsaed25519_key)


Copy your public key to the server

...

On the user's local machine, execute the command

$ ssh$ ssh-copy-id -i ~/.ssh/pawsey_ecdsaed25519_key.pub <username>@<remotehost>

...

Warning

Ensure that >> is used in the cat >> ~/.ssh/authorized_keys part of the command. If the authorized_keys file already exists on the server, the contents will be appended to the file. If the user were to accidentally use > with the command, all the currently existing contents in the authorized_keys file will be replaced.

$ cat ~/.ssh/pawsey_ecdsaed25519_key.pub | ssh <username>@<remotehost> "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

...

  • Prints the output of the local public key ~/.ssh/pawsey_ecdsaed25519_key.pub
  • Redirects the output to the remote host.
  • Creates a hidden directory in your home directory (~/.ssh) on the remote host if not already existing
  • Pastes the contents of the public key into the file ~/.ssh/authorized_keys, located on the Setonix login node

...

$ type $env:USERPROFILE\.ssh\pawsey_ecdsaed25519_key.pub | ssh <username>@<remotehost> "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

...

  • Prints the output of the local public key $env:USERPROFILE\.ssh\pawsey_ecdsaed25519_key.pub
  • Redirects the output to the remote host.
  • Creates a hidden directory in your home directory (~/.ssh) on the remote host if not already existing
  • Pastes the contents of the public key into the file ~/.ssh/authorized_keys, located on the Setonix login node

...

Column
width900px


Code Block
languagebash
themeDJango
titleTerminal 7. Listing of the newly generated key pair files on Linux or macOS
$ ssh username@setonix.pawsey.org.au
Last login: Mon Jan 10 11:07:13 2022 from 130.116.145.55
##############################################################################
#                    Pawsey Supercomputing Centre                            #
#        Empowering cutting-edge research for Australia's future             #
#                                                                            #
#     This service is for authorised clients only.                           #
#     It is a criminal offence to:                                           #
#          - Obtain access to data without permission                        #
#          - Damage, delete, alter or insert data without permission         #
#                                                                            #
##############################################################################
.
.
.
===============================================================================
 By using Pawsey facilities you agree to the Conditions of use available at
 https://support.pawsey.org.au/documentation/display/US/Conditions+of+Use
 
===============================================================================
username@setonix-101:~> hostname
setonix-101


Related pages

...