
SSH keys allow for a secure method of logging into a server without the need to type a password each time a connection is established.


Introduction

The process involves creating a key pair on the client machine, consisting of a public key and a private key. These keys are long character strings saved in files. The public key is placed on the remote host the user wishes to access, such as the login node of a supercomputer; the private key stays on the client machine and is never copied anywhere. When the user logs in, the SSH client on the local machine proves that it holds the private key by signing a challenge from the server, and the server verifies that signature against the stored public key. If the signature verifies, access is granted. The main benefit is avoiding the need to type a password each time the user establishes a connection.

Generating SSH key pairs using ssh-keygen

The theory behind public-key cryptography is complicated, as is the algorithm used to generate a key pair. Luckily, the ssh-keygen command implements it and is easy to use. This section shows how to generate an SSH key pair.

Linux/macOS

On a local Linux or macOS machine, open a terminal and execute the following command:

$ ssh-keygen -t ed25519 -f ~/.ssh/pawsey_ed25519_key

Windows

On a Windows machine, type powershell in the search tool to open a PowerShell command-line shell. Once in the PowerShell window, execute the following command:

$ ssh-keygen -t ed25519 -f $env:USERPROFILE/.ssh/pawsey_ed25519_key

Either command generates a new key pair named pawsey_ed25519_key in your ~/.ssh directory (Linux/macOS) or your $env:USERPROFILE\.ssh directory (Windows). The -t ed25519 option selects the Ed25519 algorithm; its keys are short, fast to use and have no key-size parameter to choose.

As an additional layer of security, you are prompted to choose and type a passphrase. It encrypts the private key on disk, so that whoever obtains a copy of the file cannot use it without also knowing the passphrase.

Warning: The passphrase is not your Pawsey password

This passphrase only unlocks the private key on your local machine. For security reasons it must be different from your Pawsey password: the key file can be copied, and a passphrase that also opens your account would turn one stolen file into two compromised credentials.

Terminal 1 shows an example execution of ssh-keygen.

Terminal 1. A passphrase is recommended to be entered

Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase): [Type a passphrase]
Enter same passphrase again: [Type the passphrase again]

Note: Pawsey strongly recommends that users protect their private keys with a passphrase

Without one, anyone who obtains a copy of the private key file can log in to Pawsey systems as its legitimate owner. The passphrase is used only to decrypt the key file locally and is never transmitted. SSH agents (see below) hold the unlocked key in memory, so the passphrase does not have to be typed for every connection.

Once the passphrase has been entered twice, ssh-keygen prints a confirmation similar to the one shown in terminal 2.

Terminal 2. Output from a successfully generated key pair

Your identification has been saved in /home/<user>/.ssh/pawsey_ed25519_key.
Your public key has been saved in /home/<user>/.ssh/pawsey_ed25519_key.pub.
The key fingerprint is:
SHA256:K8R/F6+nBeDNpRskOfl/FnwpTPiWI3WBPpbeHTMU8uk dip008@apple-kf
The key's randomart image is:
+--[ED25519 256]--+
|             ..o.|
|           o..o.o|
|          *.oo++ |
|     .   . O=B=+.|
|      o S ..@BoE*|
|     . . .  oOo.+|
|      . o . o + o|
|       . . . o.o |
|            oo   |
+----[SHA256]-----+

The user now has a public key, pawsey_ed25519_key.pub, and a private key, pawsey_ed25519_key. Only the .pub file is ever copied elsewhere; the private key stays on the local machine. Terminal 3 shows how to list the generated files on Linux or macOS; terminal 4 does the equivalent on Windows.

Terminal 3. Listing of the newly generated key pair files on Linux or macOS

$ ls ~/.ssh
pawsey_ed25519_key
pawsey_ed25519_key.pub

Terminal 4. Listing of the newly generated key pair files on Windows

$ dir $env:USERPROFILE\.ssh

	Directory: C:\Users\[username]\.ssh

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----        15/04/2021   9:40 AM           1766 pawsey_ed25519_key
-a----        15/04/2021   9:40 AM            402 pawsey_ed25519_key.pub

After generating the key pair and choosing a passphrase, add the private key to the SSH agent, ssh-agent, so that the passphrase does not have to be typed for every connection.

Adding the private key to the SSH agent

ssh-agent is a program that holds unlocked SSH private keys in memory, particularly those protected by a passphrase. Once a passphrase-protected key has been added to ssh-agent, ssh and scp obtain the signatures they need from the agent instead of prompting for the passphrase. Anyone who can reach the agent's socket can use the loaded keys for as long as they remain loaded, so load keys for a limited time where practical (the -t option of ssh-add sets a lifetime, ssh-add -l lists what is loaded and ssh-add -D removes everything) and do not forward the agent (the -A option of ssh) to hosts you do not control.

Linux

First, make sure an ssh-agent is running on your local machine. Many Linux desktop sessions already start one: if ssh-add -l lists identities or reports "The agent has no identities.", an agent is already available and this step can be skipped. Otherwise, start the agent in the background from the terminal with the following command.

$ eval "$(ssh-agent -s)"

It will respond with an agent PID.

In most flavours of Linux, add the key to the agent with the ssh-add command; it prompts once for the passphrase:

$ ssh-add ~/.ssh/pawsey_ed25519_key

macOS

First, start the ssh-agent to run in the background. From Terminal, enter the following command.

$ eval "$(ssh-agent -s)"

Next, modify the ~/.ssh/config file so that keys are loaded into the SSH agent automatically and passphrases are stored in the Keychain. To do this, add the lines shown in listing 1 to the ~/.ssh/config file on the local machine. Note that a Host * block applies to every server you connect to, so the IdentityFile line makes ssh offer this public key to all of them; if you would rather not reveal the key outside Pawsey, put the IdentityFile line in a block matching the Pawsey hostnames instead.

Listing 1. Store passphrases in the Keychain.

Host *
 # Add the key to the running agent the first time it is used
 AddKeysToAgent yes
 # macOS-only option: keep the passphrase in the login Keychain
 UseKeychain yes
 IdentityFile ~/.ssh/pawsey_ed25519_key

Finally, add the key to the SSH agent with the additional option --apple-use-keychain, which stores the passphrase in the Keychain. (This option is specific to the macOS version of ssh-add; on macOS releases before Monterey the same option was spelled -K.)

$ ssh-add --apple-use-keychain ~/.ssh/pawsey_ed25519_key

Windows

On Windows, before adding your key to the ssh-agent from PowerShell, ensure the OpenSSH Authentication Agent service is running:

Terminal 5. Check the status of the SSH Agent

$ Get-Service ssh-agent

Status   Name        DisplayName
------   ----        -----------
Running  ssh-agent   OpenSSH Authentication Agent

If the ssh-agent service is disabled, start it as follows:

Open the Services dialog: click Start, type services and select the Services app.

Right-click OpenSSH Authentication Agent and select Properties. Set the Startup type to Automatic so that the agent is available after a reboot, click Start, and confirm with Get-Service ssh-agent that its status is Running.

Next, add your private key to the ssh-agent, entering the passphrase chosen when the key pair was generated:


Terminal 6. Add the private key to ssh-agent

$ ssh-add $env:USERPROFILE\.ssh\pawsey_ed25519_key
Enter passphrase for C:\Users\[username]\.ssh\pawsey_ed25519_key:
Identity added: C:\Users\[username]\.ssh\pawsey_ed25519_key (C:\Users\[username]\.ssh\pawsey_ed25519_key)

Copy your public key to the server

Once the key pair has been generated, the user has to copy the public key (and only the public key) to a specific location on the remote server: the file ~/.ssh/authorized_keys in the user's home directory.

Linux/macOS

For Linux and macOS, there are two methods.

Method 1

On the user's local machine, execute the command

$ ssh-copy-id -i ~/.ssh/pawsey_ed25519_key.pub <username>@<remotehost>

Where <username> is the user's Pawsey username and <remotehost> is the hostname of the remote host to be accessed.
ssh-copy-id connects to the host, asks for your Pawsey password, and appends the public key to ~/.ssh/authorized_keys, creating ~/.ssh and the file with owner-only permissions if they do not yet exist.

Method 2

This method combines the local cat command with ssh to append the key contents to the server's authorized_keys file. You can use the following command.

Warning: use >> and not >

Ensure that >> is used in the cat >> ~/.ssh/authorized_keys part of the command. If the authorized_keys file already exists on the server, the public key is appended to it. A single > would replace the existing contents of authorized_keys, removing every other key registered there.

$ cat ~/.ssh/pawsey_ed25519_key.pub | ssh <username>@<remotehost> "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

Where <username> is the user's Pawsey username and <remotehost> is the hostname of the remote host to be accessed.

The command performs the following:

  • Prints the contents of the local public key file ~/.ssh/pawsey_ed25519_key.pub
  • Pipes that output over an SSH connection to the remote host (you are asked for your Pawsey password)
  • Creates the hidden directory ~/.ssh in your home directory on the remote host if it does not already exist
  • Appends the public key line to the file ~/.ssh/authorized_keys, located on the Setonix login node

Windows

Within the PowerShell terminal, the user executes the following command to copy the public key contents to the server's authorized_keys file.

Warning: use >> and not >

Ensure that >> is used in the cat >> ~/.ssh/authorized_keys part of the command. If the authorized_keys file already exists on the server, the public key is appended to it. A single > would replace the existing contents of authorized_keys, removing every other key registered there.

$ type $env:USERPROFILE\.ssh\pawsey_ed25519_key.pub | ssh <username>@<remotehost> "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

Where <username> is the user's Pawsey username and <remotehost> is the hostname of the remote host to be accessed. The command performs the following:

  • Prints the contents of the local public key file $env:USERPROFILE\.ssh\pawsey_ed25519_key.pub
  • Pipes that output over an SSH connection to the remote host (you are asked for your Pawsey password)
  • Creates the hidden directory ~/.ssh in your home directory on the remote host if it does not already exist
  • Appends the public key line to the file ~/.ssh/authorized_keys, located on the Setonix login node


Note: Currently, the Windows implementation of the OpenSSH client does not include the ssh-copy-id command.

Final remarks

All the methods indicated above register the public key in the file /home/<user>/.ssh/authorized_keys on the Setonix login node.

Note that /home is shared among all Pawsey systems, so any of these methods sets up, at once, SSH key access to every Pawsey system to which you have access. The same is true of a key that has been lost or compromised: removing its line from authorized_keys on any one system revokes it everywhere.
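Both the Linux and the Windows one-liners above append whatever is piped to them and rely on the remote umask for permissions. The following bash function is an added example, not part of the Pawsey page, of a safer server-side version of that step: it validates that the input really is an OpenSSH public key line, sets the owner-only modes that sshd's StrictModes (on by default) requires before it will read authorized_keys, skips keys that are already present, and appends with >> so that existing keys survive. It assumes the .pub file has already been transferred to the server (for example with scp) and takes its path as the first argument; the second, optional argument is the home directory to operate on and exists only so the function can be exercised against a scratch directory.

```bash
#!/usr/bin/env bash
# Added example, not part of the original Pawsey page: a safer replacement for
# the "cat >> ~/.ssh/authorized_keys" step, meant to run on the server side.
# Assumptions: $1 is the public key file; $2 (optional) is the home directory
# whose authorized_keys is edited and defaults to $HOME.

install_authorized_key() {
    pubfile=$1
    home=${2:-$HOME}
    sshdir="$home/.ssh"
    ak="$sshdir/authorized_keys"

    # Take the first line only and check it has the shape "<type> <base64> [comment]".
    # Refusing anything else is what keeps a stray file from landing in authorized_keys.
    line=$(head -n 1 "$pubfile") || return 1
    set -- $line
    case $1 in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-*|sk-*) ;;
        *) echo "refusing: '$1' is not an OpenSSH public key type" >&2; return 1 ;;
    esac
    [ -n "$2" ] || { echo "refusing: key line has no key material" >&2; return 1; }
    keyid="$1 $2"   # type + blob identify the key; the trailing comment is free text

    # sshd (StrictModes yes, the default) ignores authorized_keys if ~/.ssh or the
    # file is writable by group or others, so set the modes explicitly instead
    # of trusting the umask the remote shell happens to have.
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    [ -f "$ak" ] || : > "$ak"
    chmod 600 "$ak" || return 1

    # Idempotent: appending the same key twice only bloats the file.
    if grep -qF -- "$keyid" "$ak"; then
        echo "already present: $keyid"
        return 0
    fi
    # Append with >>; a single > would wipe every other key in the file.
    printf '%s\n' "$line" >> "$ak" && echo "added: $keyid"
}

# Usage on the server, after "scp ~/.ssh/pawsey_ed25519_key.pub <username>@<remotehost>:":
#   install_authorized_key ~/pawsey_ed25519_key.pub
```

Because /home is shared across Pawsey systems, running this once on any login node registers the key for all of them, exactly as the one-liners do.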


Using the command-line SSH client

When connecting using a command-line SSH client, the format of the command will be

ssh [options] <username>@<generic-hostname>

Replace <username> with the username of your Pawsey account, and <generic-hostname> with one of the hostnames listed in Table 1 in Connecting to a Supercomputer.

To authenticate the connection, a user can either enter the Pawsey password for each connection or use an SSH key. Keys are the more secure option: the private key never leaves the local machine, it cannot be phished or guessed the way a password can, and no password has to be typed each time the ssh command is executed.

An SSH key is an access credential of the SSH protocol. It plays the role of a username and password, but because it can be unlocked once and held by an agent it also suits automated processes and single sign-on.

Tip: Connecting from Mac or Linux

All Linux and macOS distributions come installed with a terminal application that can be used for SSH access to the login nodes.

  • Linux users have different terminals available depending on which distribution and window manager they use (for example: GNOME Terminal in GNOME; Konsole in KDE).

Consult your Linux distribution's documentation for details on how to load a terminal.

  • On macOS you can use the Terminal application, which is located in the Utilities folder within the Applications folder.

Another popular terminal application for macOS is iTerm2, which needs to be installed separately.

Tip: Connecting from Windows

The Microsoft Windows operating system now ships with an OpenSSH client. It may first need to be enabled as an optional feature in Settings. When using the client from the Windows command prompt or PowerShell, the MAC option must also be provided:

$ ssh -m hmac-sha2-512 [options] <username>@<generic-hostname>

Alternatively, add the line MACs hmac-sha2-512 to a file named config in the C:\Users\<username>\.ssh directory so that the option does not have to be given on every connection.

The built-in Windows client does not currently support X forwarding of graphical interfaces; for that, use of the MobaXterm client is recommended.
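Listing 1 earlier on this page applies its settings to Host *, which makes ssh offer the Pawsey key to every server you connect to, and the Windows tip above adds a MACs line to the same config file. The following ~/.ssh/config fragment is an added example, not taken from the Pawsey page, that scopes both to Pawsey hosts and adds IdentitiesOnly so that ssh presents only the named key rather than every key the agent holds. setonix.pawsey.org.au is the hostname used in terminal 7 below; the *.pawsey.org.au wildcard is an assumption, and <username> must be replaced by your Pawsey username.

```sshconfig
# Added example (not from the Pawsey page): scope the Pawsey key to Pawsey hosts.
# setonix.pawsey.org.au appears on this page; *.pawsey.org.au is an assumption.
Host setonix.pawsey.org.au *.pawsey.org.au
    # Replace <username> with your Pawsey username.
    User <username>
    IdentityFile ~/.ssh/pawsey_ed25519_key
    # Offer only the key named above, not every key the agent holds.
    IdentitiesOnly yes
    # Load the key into the running agent on first use (asks for the passphrase once).
    AddKeysToAgent yes
    # macOS only: store the passphrase in the Keychain. Leave commented out on
    # Linux and Windows, where ssh rejects the unknown option.
    # UseKeychain yes
    # Windows built-in client only, as described in the tip above.
    # MACs hmac-sha2-512
```

On Linux and macOS the file is ~/.ssh/config; on Windows the same block goes in C:\Users\<username>\.ssh\config. With the Host block in place, ssh setonix.pawsey.org.au is enough; the username, key and options are taken from the config.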


Example of logging into a Pawsey system

Should a user need to report an issue to Pawsey's Help Desk, the Help Desk will want to be told the specific hostname the user had logged in to.

Once logged in to one of a group of nodes, the specific name of the node is shown in the default shell prompt. Should the user have changed their prompt, the actual name of the node can always be obtained by running the hostname command.

Terminal 7 shows an example of a user logging in to one of Setonix's "login" nodes, where the specific name of the node assigned to the connection can be seen in the default prompt, followed by a run of the hostname command. (Note that the complete "MotD" (Message of the Day) content has been truncated in the example output.) The password prompt shown is what a user sees before an SSH key has been registered; once the key is in authorized_keys and loaded in the agent, the connection proceeds without it.

Terminal 7. Connection via the SSH command

mymachine$ ssh username@setonix.pawsey.org.au
Password:
################################################################################
#
# NOTICE TO USERS
#
# .
# .
################################################################################
Last login: Mon Jan 10 11:07:13 2022 from 130.116.145.55
##############################################################################
#
#                  Pawsey Supercomputing Research Centre
#                  Enabling Science and
#        Empowering cutting-edge research for Australia's future
#
#     Accelerating Discovery
#
#     This service is for authorised clients only.
#     It is a criminal offence to:
#          - Obtain access to data without permission
#          - Damage, delete, alter or insert data without permission
#
#  By continuing to use this system, you are agreeing to the terms and conditions
#  at https://pawsey.atlassian.net/wiki/display/US/Conditions+of+Use
#  .
#  .
#  Support and helpdesk is staffed Monday - Friday 09:00 to 17:00 AWST, and can be
#  contacted via email (help@pawsey.org.au) or web (https://pawsey.org.au/support/)
#
#    Please include your username, project name, relevant Job IDs,
#    and paths to batch scripts and any output/error logs with your query.
#    If your query relates to connectivity, please include the IP address
#    of the machine you are connecting from.
#  .
#  .
##############################################################################
===============================================================================
 By using Pawsey facilities you agree to the Conditions of use available at
 https://support.pawsey.org.au/documentation/display/US/Conditions+of+Use

===============================================================================
username@setonix-03:~> pwd
/home/username
username@setonix-03:~> hostname
setonix-03


Related pages

Connecting to a Supercomputer
