Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Excerpt

SSH keys allow for a secure method of logging into a server without the need to type a password each time a connection is established.

...

Column


Panel
titleOn this page:

Table of Contents
maxLevel2


Introduction

The process involves creating a key pair on the client machine, consisting of a public key and a private key. These keys take the form of long character strings saved in files. The public key is placed on the remote host the user wishes to access, such as the login node of a supercomputer. When the user wants to log in, the SSH client on the local user machine presents the private key to the remote server. If the public and secret keys match, access is granted. The main benefit is avoiding the need to type a password each time the user wants to establish a connection.

Generating SSH key pairs using ssh-keygen

The theory behind public-key cryptography is complicated, as is the algorithm used to generate a key pair. Luckily, the ssh-keygen command implements it and it is easy to use. This section shows how to generate a SSH key pair.

Linux/macOS

On a local Linux or macOS machine, open a terminal and execute the following command:

$ ssh-keygen -t ecdsa ed25519 -b 521 -f ~/.ssh/pawsey_ecdsaed25519_key

Windows

On a Windows machine, type powershell in the search tool to open a PowerShell command-line shell. Once in the PowerShell window, execute the following command:

$ ssh-keygen -t ecdsa -b 521 ed25519 -f $env:USERPROFILE/.ssh/pawsey_ecdsaed25519_key

These methods of executing the ssh-keygen command will generate a new SSH key pair named pawsey_ecdsaed25519_key in your ~/.ssh or $env:USERPROFILE directory.

...

Column
width900px


Code Block
languagebash
themeDJango
titleTerminal 1. A passphrase is recommended to be entered
Generating public/private ecdsaed25519 key pair.
Enter passphrase (empty for no passphrase): [Type a passphrase]
Enter same passphrase again: [Type the passphrase again]



...

Note
titlePawsey strongly recommends users protecting their private keys with a passphrase.

Pawsey strongly recommends users protecting their private keys with a passphrase. Otherwise, should someone gain access to the private key, he or she could log in to systems impersonating the legitimate owner of the key. The passphrase is only used to unlock the private key, and it is never transmitted. Also, there are programs, called SSH agents, that can securely manage SSH keys and passphrases, eliminating the requirement of entering a passphrase each time a user logs into a system (see below for more details).

Once a user entered a passphrase, a confirmation is displayed. It is similar to the one shown in terminal 2.

Column
width900px


Code Block
languagebash
themeDJango
titleTerminal 2. Output from a successfully generated key pair
Your identification has been saved in /home/<user>/.ssh/pawsey_ecdsaed25519_key.
Your public key has been saved in /home/<user>/.ssh/pawsey_ecdsaed25519_key.pub.
The key fingerprint is:
SHA256:K8R/F6+nBeDNpRskOfl/FnwpTPiWI3WBPpbeHTMU8uk dip008@apple-kf
The key's randomart image is:
+---[ECDSAED25519 521256]---+
|             ..o.|
|           o..o.o|
|          *.oo++ |
|     .   . O=B=+.|
|      o S ..@BoE*|
|     . . .  oOo.+|
|      . o . o + o|
|       . . . o.o |
|            oo   |
+----[SHA256]-----+


The user now has a public key, the pawsey_ecdsaed25519_key.pub file, and a private key, the pawsey_ecdsaed25519_key  file. Terminal 3 shows how to list the generated files on Linux; terminal 4 does the equivalent on Windows.

Column
width900px


Code Block
languagebash
themeDJango
titleTerminal 3. Listing of the newly generated key pair files on Linux or macOS
$ ls ~/.ssh
pawsey_ecdsaed25519_key
pawsey_ecdsaed25519_key.pub


Code Block
languagebash
themeDJango
titleTerminal 4. Listing of the newly generated key pair files on Windows
$ dir $env:USERPROFILE\.ssh

	Directory: C:\Users\[username]\.ssh

Mode			  LastWriteTime			Length Name
----              -------------			------ ----
-a----		15/04/2021	9:40 AM			  1766 pawsey_ecdsaed25519_key
-a----		15/04/2021	9:40 AM			   402 pawsey_ecdsaed25519_key.pub


After generating the keys and specifying a passphrase, you need to add them to the SSH agent, ssh-agent.

Adding the private key to the SSH agent

ssh-agent is a program that manages SSH private keys, particularly those protected by a passphrase. Once a user let ssh-agent manage a passphrase-protected private key, he or she will not have to type the passphrase when ssh or scp access it to log into a remote host.

Linux

First, start the ssh-agent daemon to run in the background on your local machine. From the terminal, enter the following command.

...

In most flavours of Linux, add the key to the agent by using the ssh-add command:

$ ssh-add ~/.ssh/pawsey_ecdsaed25519_key

macOS

First, start the ssh-agent to run in the background. From Terminal, enter the following command.

...

Column
width900px


Code Block
languagebash
themeEmacs
titleListing 1. Store passphrases in the Keychain.
linenumberstrue
Host *
 AddKeysToAgent yes
 UseKeychain yes
 IdentityFile ~/.ssh/pawsey_ecdsaed25519_key


Finally, add the key to the SSH agent by using the additional option -K-apple-use-keychain. (The -K This additional option is specific to the macOS version of ssh-add.)

$ ssh-add --apple-use-K keychain ~/.ssh/pawsey_ecdsaed25519_key

Windows

For Windows PowerShell, to add your key to the ssh-agent, ensure the OpenSSH Authentication Agent status is running:

...

Column
width900


Code Block
languagebash
themeDJango
titleTerminal 6. Add the private key to ssh-agent
$ ssh-add $env:USERPROFILE\.ssh\pawsey_ecdsaed25519_key
Enter passphrase for C:\Users\[username]\.ssh\pawsey_ecdsaed25519_key:
Identity added: C:\Users\[username]\.ssh\pawsey_ecdsaed25519_key (C:\Users\[username]\.ssh\pawsey_ecdsaed25519_key)


Copy your public key to the server

Once the key pair has been generated, the user has to copy the public key to a precise location on the remote server to be accessed. 

Linux/macOS

For Linux and macOS, there are two methods.

Method 1

On the user's local machine, execute the command

$ ssh$ ssh-copy-id -i ~/.ssh/pawsey_ecdsaed25519_key.pub <username>@<remotehost>

Where <username> is the user's Pawsey username and <remotehost> is the hostname of the remote host to be accessed.
If the command establishes the correct connection to the host, then it will ask for your password to accept and finalise the copy.

Method 2

We will use a combination of SSH and the Linux cat command to paste the key contents to the server. You can use the following command.

Warning

Ensure that >> is used in the cat >> ~/.ssh/authorized_keys part of the command. If the authorized_keys file already exists on the server, the contents will be appended to the file. If the user were to accidentally use > with the command, all the currently existing contents in the authorized_keys file will be replaced.

$ cat ~/.ssh/pawsey_ecdsaed25519_key.pub | ssh <username>@<remotehost> "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

...

  • Prints the output of the local public key ~/.ssh/pawsey_ecdsaed25519_key.pub
  • Redirects the output to the remote host.
  • Creates a hidden directory in your home directory (~/.ssh) on the remote host if not already existing
  • Pastes the contents of the public key into the file ~/.ssh/authorized_keys, located on the Setonix login node

Windows

Within the PowerShell terminal, the user executes the following command to copy the public key contents to the server's authorized_keys file.

...

$ type $env:USERPROFILE\.ssh\pawsey_ecdsaed25519_key.pub | ssh <username>@<remotehost> "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

...

  • Prints the output of the local public key $env:USERPROFILE\.ssh\pawsey_ecdsaed25519_key.pub
  • Redirects the output to the remote host.
  • Creates a hidden directory in your home directory (~/.ssh) on the remote host if not already existing
  • Pastes the contents of the public key into the file ~/.ssh/authorized_keys, located on the Setonix login node

...

Column


Note

Currently, the Windows implementation of the OpenSSH client does not have the ssh-copy-id command available.


Final remarks

All the methods indicated above will register the public key into the file /home/<user>/.ssh/authorized_keys, located on the Setonix login node.

...

Column
width900px


Code Block
languagebash
themeDJango
titleTerminal 7. Listing of the newly generated key pair files on Linux or macOS
$ ssh username@setonix.pawsey.org.au
Last login: Mon Jan 10 11:07:13 2022 from 130.116.145.55
##############################################################################
#                    Pawsey Supercomputing Centre                            #
#        Empowering cutting-edge research for Australia's future             #
#                                                                            #
#     This service is for authorised clients only.                           #
#     It is a criminal offence to:                                           #
#          - Obtain access to data without permission                        #
#          - Damage, delete, alter or insert data without permission         #
#                                                                            #
##############################################################################
.
.
.
===============================================================================
 By using Pawsey facilities you agree to the Conditions of use available at
 https://support.pawsey.org.au/documentation/display/US/Conditions+of+Use
 
===============================================================================
username@setonix-101:~> hostname
setonix-101


Related pages

...