Skip to end of banner
Go to start of banner

Use of SSH Keys for Authentication

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Current »

SSH keys allow for a secure method of logging into a server without the need to type a password each time a connection is established.

On this page:

Introduction

The process involves creating a key pair on the client machine, consisting of a public key and a private key. These keys take the form of long character strings saved in files. The public key is placed on the remote host the user wishes to access, such as the login node of a supercomputer. When the user wants to log in, the SSH client on the local user machine presents the private key to the remote server. If the public and secret keys match, access is granted. The main benefit is avoiding the need to type a password each time the user wants to establish a connection.

Generating SSH key pairs using ssh-keygen

The theory behind public-key cryptography is complicated, as is the algorithm used to generate a key pair. Luckily, the ssh-keygen command implements it and it is easy to use. This section shows how to generate a SSH key pair.

Linux/macOS

On a local Linux or macOS machine, open a terminal and execute the following command:

$ ssh-keygen -t ecdsa -b 521 -f ~/.ssh/pawsey_ecdsa_key

Windows

On a Windows machine, type powershell in the search tool to open a PowerShell command-line shell. Once in the PowerShell window, execute the following command:

$ ssh-keygen -t ecdsa -b 521 -f $env:USERPROFILE/.ssh/pawsey_ecdsa_key

These methods of executing the ssh-keygen command will generate a new SSH key pair named pawsey_ecdsa_key in your ~/.ssh or $env:USERPROFILE directory.

As an additional layer of security, you are prompted to choose and type a passphrase to protect the private key from being used by whoever gets access to it.


The passphrase is not your Pawsey password

This is a passphrase for the use of the ssh-key and, for security reasons, should be different from the Pawsey password.

Terminal 1 shows an example execution of ssh-keygen.

Terminal 1. A passphrase is recommended to be entered
Generating public/private ecdsa key pair.
Enter passphrase (empty for no passphrase): [Type a passphrase]
Enter same passphrase again: [Type the passphrase again]

Pawsey strongly recommends users protecting their private keys with a passphrase.

Pawsey strongly recommends users protecting their private keys with a passphrase. Otherwise, should someone gain access to the private key, he or she could log in to systems impersonating the legitimate owner of the key. The passphrase is only used to unlock the private key, and it is never transmitted. Also, there are programs, called SSH agents, that can securely manage SSH keys and passphrases, eliminating the requirement of entering a passphrase each time a user logs into a system (see below for more details).

Once a user entered a passphrase, a confirmation is displayed. It is similar to the one shown in terminal 2.

Terminal 2. Output from a successfully generated key pair
Your identification has been saved in /home/<user>/.ssh/pawsey_ecdsa_key.
Your public key has been saved in /home/<user>/.ssh/pawsey_ecdsa_key.pub.
The key fingerprint is:
SHA256:K8R/F6+nBeDNpRskOfl/FnwpTPiWI3WBPpbeHTMU8uk dip008@apple-kf
The key's randomart image is:
+---[ECDSA 521]---+
|             ..o.|
|           o..o.o|
|          *.oo++ |
|     .   . O=B=+.|
|      o S ..@BoE*|
|     . . .  oOo.+|
|      . o . o + o|
|       . . . o.o |
|            oo   |
+----[SHA256]-----+

The user now has a public key, the pawsey_ecdsa_key.pub file, and a private key, the pawsey_ecdsa_key  file. Terminal 3 shows how to list the generated files on Linux; terminal 4 does the equivalent on Windows.

Terminal 3. Listing of the newly generated key pair files on Linux or macOS
$ ls ~/.ssh
pawsey_ecdsa_key
pawsey_ecdsa_key.pub
Terminal 4. Listing of the newly generated key pair files on Windows
$ dir $env:USERPROFILE\.ssh

	Directory: C:\Users\[username]\.ssh

Mode			  LastWriteTime			Length Name
----              -------------			------ ----
-a----		15/04/2021	9:40 AM			  1766 pawsey_ecdsa_key
-a----		15/04/2021	9:40 AM			   402 pawsey_ecdsa_key.pub

After generating the keys and specifying a passphrase, you need to add them to the SSH agent, ssh-agent.

Adding the private key to the SSH agent

ssh-agent is a program that manages SSH private keys, particularly those protected by a passphrase. Once a user let ssh-agent manage a passphrase-protected private key, he or she will not have to type the passphrase when ssh or scp access it to log into a remote host.

Linux

First, start the ssh-agent daemon to run in the background on your local machine. From the terminal, enter the following command.

$ eval "$(ssh-agent -s)"

It will respond with an agent PID.

In most flavours of Linux, add the key to the agent by using the ssh-add command:

$ ssh-add ~/.ssh/pawsey_ecdsa_key

macOS

First, start the ssh-agent to run in the background. From Terminal, enter the following command.

$ eval "$(ssh-agent -s)"

Next, modify the ~/.ssh/config file to automatically load keys into the SSH agent and store passphrases in the Keychain. To do this, add the lines shown in listing 1 to the ~/.ssh/config file on the local machine:

Listing 1. Store passphrases in the Keychain.
Host *
 AddKeysToAgent yes
 UseKeychain yes
 IdentityFile ~/.ssh/pawsey_ecdsa_key

Finally, add the key to the SSH agent by using the additional option -K. (The -K option is specific to the macOS version of ssh-add.)

$ ssh-add -K ~/.ssh/pawsey_ecdsa_key

Windows

For Windows PowerShell, to add your key to the ssh-agent, ensure the OpenSSH Authentication Agent status is running:

Terminal 5. Check the status of the SSH Agent
$ Get-Service ssh-agent

Status	 Name			DisplayName
------   ----			-----------
Running  ssh-agent		OpenSSH Authentication Agent

If the ssh-agent is disabled, the following steps are required to start the service:

  1. Open the Services dialog, click Start, type services and select the Services app.

    Figure 1. Windows Services application

  2. Within the Services (Local) list, scroll to OpenSSH Authentication Agent.
  3. Right-click OpenSSH Authentication Agent and then select Properties:

    Figure 2. OpenSSH Authentication Agent menu dialog

  4. In the properties dialog, select Startup Type: Automatic:


    Figure 3. OpenSSH Authentication Agent properties

  5. Click OK.

  6. If the service is not running, click Start the service.


Next, add your private key to the ssh-agent and enter your passphrase as entered when generating the key pair: 

Terminal 6. Add the private key to ssh-agent
$ ssh-add $env:USERPROFILE\.ssh\pawsey_ecdsa_key
Enter passphrase for C:\Users\[username]\.ssh\pawsey_ecdsa_key:
Identity added: C:\Users\[username]\.ssh\pawsey_ecdsa_key (C:\Users\[username]\.ssh\pawsey_ecdsa_key)

Copy your public key to the server

Once the key pair has been generated, the user has to copy the public key to a precise location on the remote server to be accessed. 

Linux/macOS

For Linux and macOS, there are two methods.

Method 1

On the user's local machine, execute the command

$ ssh-copy-id -i ~/.ssh/pawsey_ecdsa_key.pub <username>@<remotehost>

Where <username> is the user's Pawsey username and <remotehost> is the hostname of the remote host to be accessed.
If the command establishes the correct connection to the host, then it will ask for your password to accept and finalise the copy.

Method 2

We will use a combination of SSH and the Linux cat command to paste the key contents to the server. You can use the following command.

Ensure that >> is used in the cat >> ~/.ssh/authorized_keys part of the command. If the authorized_keys file already exists on the server, the contents will be appended to the file. If the user were to accidentally use > with the command, all the currently existing contents in the authorized_keys file will be replaced.

$ cat ~/.ssh/pawsey_ecdsa_key.pub | ssh <username>@<remotehost> "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

Where <username> is the user's Pawsey username and <remotehost> is the hostname of the remote host to be accessed.

The command performs the following:

  • Prints the output of the local public key ~/.ssh/pawsey_ecdsa_key.pub
  • Redirects the output to the remote host.
  • Creates a hidden directory in your home directory (~/.ssh) on the remote host if not already existing
  • Pastes the contents of the public key into the file ~/.ssh/authorized_keys, located on the Setonix login node

Windows

Within the PowerShell terminal, the user executes the following command to copy the public key contents to the server's authorized_keys file.

Ensure that >> is used in the cat >> ~/.ssh/authorized_keys part of the command. If the authorized_keys file already exists on the server, the contents will be appended to the file. If the user were to accidentally use > with the command, all the currently existing contents in the authorized_keys file will be replaced.

$ type $env:USERPROFILE\.ssh\pawsey_ecdsa_key.pub | ssh <username>@<remotehost> "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

Where <username> is the user's Pawsey username and <remotehost> is the hostname of the remote host to be accessed. The command performs the following:

  • Prints the output of the local public key $env:USERPROFILE\.ssh\pawsey_ecdsa_key.pub
  • Redirects the output to the remote host.
  • Creates a hidden directory in your home directory (~/.ssh) on the remote host if not already existing
  • Pastes the contents of the public key into the file ~/.ssh/authorized_keys, located on the Setonix login node

Note that /home is shared among all Pawsey systems, so this single command will set up SSH keys for each Pawsey system for which you have access.


Currently, the Windows implementation of the OpenSSH client does not have the ssh-copy-id command available.

Final remarks

All the methods indicated above will register the public key into the file /home/<user>/.ssh/authorized_keys, located on the Setonix login node.

Note that /home is shared among all Pawsey systems, so any of these methods will set up, at once, the SSH keys for all the Pawsey system for which you have access.

After setting up the ssh-key and the ssh-agent, access to Pawsey systems will not ask for your password, but use the ssh-key instead:

Terminal 7. Listing of the newly generated key pair files on Linux or macOS
$ ssh username@setonix.pawsey.org.au
Last login: Mon Jan 10 11:07:13 2022 from 130.116.145.55
##############################################################################
#                    Pawsey Supercomputing Centre                            #
#        Empowering cutting-edge research for Australia's future             #
#                                                                            #
#     This service is for authorised clients only.                           #
#     It is a criminal offence to:                                           #
#          - Obtain access to data without permission                        #
#          - Damage, delete, alter or insert data without permission         #
#                                                                            #
##############################################################################
.
.
.
===============================================================================
 By using Pawsey facilities you agree to the Conditions of use available at
 https://support.pawsey.org.au/documentation/display/US/Conditions+of+Use
 
===============================================================================
username@setonix-1:~> hostname
setonix-1

Related pages






  • No labels