Excerpt |
---|
SSH keys allow for a secure method of logging into a server without the need to type a password each time a connection is established. |
...
Column | |||||||||
---|---|---|---|---|---|---|---|---|---|
|
Introduction
The process involves creating a key pair on the client machine, consisting of a public key and a private key. These keys take the form of long character strings saved in files. The public key is placed on the remote host the user wishes to access, such as the login node of a supercomputer. When the user wants to log in, the SSH client on the local user machine presents the private key to the remote server. If the public and secret keys match, access is granted. The main benefit is avoiding the need to type a password each time the user wants to establish a connection.
Generating SSH key pairs using ssh-keygen
The theory behind public-key cryptography is complicated, as is the algorithm used to generate a key pair. Luckily, the ssh-keygen
command implements it and it is easy to use. This section shows how to generate a SSH key pair.
Linux/macOS
On a local Linux or macOS machine, open a terminal and execute the following command:
$ ssh-keygen -t ecdsa ed25519 -b 521 -f ~/.ssh/pawsey_ecdsaed25519_key
Windows
On a Windows machine, type powershell
in the search tool to open a PowerShell command-line shell. Once in the PowerShell window, execute the following command:
$
ssh-keygen -t
ecdsa -b 521 ed25519 -f
ecdsa$env:USERPROFILE/.ssh
/pawsey_ed25519_key
These methods of executing the ssh-keygen
command will generate a new SSH key pair named pawsey_ecdsaed25519_key
in your ~/.ssh
or $env:USERPROFILE
directory.
...
Column | |||||||||
---|---|---|---|---|---|---|---|---|---|
| |||||||||
|
...
Note | ||
---|---|---|
| ||
Pawsey strongly recommends users protecting their private keys with a passphrase. Otherwise, should someone gain access to the private key, he or she could log in to systems impersonating the legitimate owner of the key. The passphrase is only used to unlock the private key, and it is never transmitted. Also, there are programs, called SSH agents, that can securely manage SSH keys and passphrases, eliminating the requirement of entering a passphrase each time a user logs into a system (see below for more details). |
Once a user entered a passphrase, a confirmation is displayed. It is similar to the one shown in terminal 2.
Column | |||||||||
---|---|---|---|---|---|---|---|---|---|
| |||||||||
|
The user now has a public key, the pawsey_ecdsaed25519_key.pub
file, and a private key, the pawsey_ecdsaed25519_key
file. Terminal 3 shows how to list the generated files on Linux; terminal 4 does the equivalent on Windows.
Column | ||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||||||
|
After generating the keys and specifying a passphrase, you need to add them to the SSH agent, ssh-agent
.
Adding the private key to the SSH agent
ssh-agent
is a program that manages SSH private keys, particularly those protected by a passphrase. Once a user let ssh-agent
manage a passphrase-protected private key, he or she will not have to type the passphrase when ssh
or scp
access it to log into a remote host.
Linux
First, start the ssh-agent
daemon to run in the background on your local machine. From the terminal, enter the following command.
...
In most flavours of Linux, add the key to the agent by using the ssh-add
command:
$ ssh-add ~/.ssh/
pawsey_
ecdsaed25519_key
macOS
First, start the ssh-agent
to run in the background. From Terminal, enter the following command.
...
Column | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
| |||||||||||
|
Finally, add the key to the SSH agent by using the additional option
. (The -K This additional option is specific to the macOS version of -
K-apple-use-keychain
ssh-add
.)
$ ssh-add --apple-use-K keychain ~/.ssh/pawsey_ecdsaed25519_key
Windows
For Windows PowerShell, to add your key to the ssh-agent
, ensure the OpenSSH Authentication Agent status is running:
...
Column | |||||||||
---|---|---|---|---|---|---|---|---|---|
| |||||||||
|
Copy your public key to the server
Once the key pair has been generated, the user has to copy the public key to a precise location on the remote server to be accessed.
Linux/macOS
For Linux and macOS, there are two methods.
Method 1
On the user's local machine, execute the command
$ ssh$ ssh-copy-id -i ~/.ssh/pawsey_ecdsaed25519_key.pub <username>@<remotehost>
Where <username> is the user's Pawsey username and <remotehost> is the hostname of the remote host to be accessed.
If the command establishes the correct connection to the host, then it will ask for your password to accept and finalise the copy.
Method 2
We will use a combination of SSH and the Linux cat
command to paste the key contents to the server. You can use the following command.
Warning |
---|
Ensure that |
$ cat ~/.ssh/pawsey_ecdsaed25519_key.pub | ssh <username>@<remotehost> "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
...
- Prints the output of the local public key
~/.ssh/pawsey_ecdsaed25519_key.pub
- Redirects the output to the remote host.
- Creates a hidden directory in your home directory (
~/.ssh
) on the remote host if not already existing - Pastes the contents of the public key into the file
~/.ssh/authorized_keys
, located on the Setonix login node
Windows
Within the PowerShell terminal, the user executes the following command to copy the public key contents to the server's authorized_keys
file.
...
$ type $env:USERPROFILE\.ssh\pawsey_ecdsaed25519_key.pub | ssh <username>@<remotehost> "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
...
- Prints the output of the local public key
$env:USERPROFILE\.ssh\pawsey_ecdsaed25519_key.pub
- Redirects the output to the remote host.
- Creates a hidden directory in your home directory (
~/.ssh
) on the remote host if not already existing - Pastes the contents of the public key into the file
~/.ssh/authorized_keys
, located on the Setonix login node
...
Column | ||
---|---|---|
|
Final remarks
All the methods indicated above will register the public key into the file /home/<user>/.ssh/authorized_key
s, located on the Setonix login node.
...
Column | |||||||||
---|---|---|---|---|---|---|---|---|---|
| |||||||||
|
Related pages
...