SSH keys allow for a secure method of logging into a server without the need to type a password each time a connection is established.
Introduction
The process involves creating a key pair on the client machine, consisting of a public key and a private key. These keys take the form of long character strings saved in files. The public key is placed on the remote host the user wishes to access, such as the login node of a supercomputer. When the user wants to log in, the SSH client on the local user machine presents the private key to the remote server. If the public and secret keys match, access is granted. The main benefit is avoiding the need to type a password each time the user wants to establish a connection.
Generating SSH key pairs using ssh-keygen
The theory behind public-key cryptography is complicated, as is the algorithm used to generate a key pair. Luckily, the ssh-keygen
command implements it and it is easy to use. This section shows how to generate a SSH key pair.
Linux/macOS
On a local Linux or macOS machine, open a terminal and execute the following command:
$ ssh-keygen -t ecdsa -b 521 -f ~/.ssh/pawsey_ecdsa_key
Windows
On a Windows machine, type powershell
in the search tool to open a PowerShell command-line shell. Once in the PowerShell window, execute the following command:
$ ssh-keygen -t ecdsa -b 521 -f $env:USERPROFILE/.ssh/pawsey_ecdsa_key
These methods of executing the ssh-keygen
command will generate a new SSH key pair named pawsey_ecdsa_key
in your ~/.ssh
or $env:USERPROFILE
directory.
As an additional layer of security, you are prompted to choose and type a passphrase to protect the private key from being used by whoever gets access to it.
The passphrase is not your Pawsey password
This is a passphrase for the use of the ssh-key and, for security reasons, should be different from the Pawsey password.
Terminal 1 shows an example execution of ssh-keygen
.
Generating public/private ecdsa key pair. Enter passphrase (empty for no passphrase): [Type a passphrase] Enter same passphrase again: [Type the passphrase again]
Pawsey strongly recommends users protecting their private keys with a passphrase.
Pawsey strongly recommends users protecting their private keys with a passphrase. Otherwise, should someone gain access to the private key, he or she could log in to systems impersonating the legitimate owner of the key. The passphrase is only used to unlock the private key, and it is never transmitted. Also, there are programs, called SSH agents, that can securely manage SSH keys and passphrases, eliminating the requirement of entering a passphrase each time a user logs into a system (see below for more details).
Once a user entered a passphrase, a confirmation is displayed. It is similar to the one shown in terminal 2.
Your identification has been saved in /home/<user>/.ssh/pawsey_ecdsa_key. Your public key has been saved in /home/<user>/.ssh/pawsey_ecdsa_key.pub. The key fingerprint is: SHA256:K8R/F6+nBeDNpRskOfl/FnwpTPiWI3WBPpbeHTMU8uk dip008@apple-kf The key's randomart image is: +---[ECDSA 521]---+ | ..o.| | o..o.o| | *.oo++ | | . . O=B=+.| | o S ..@BoE*| | . . . oOo.+| | . o . o + o| | . . . o.o | | oo | +----[SHA256]-----+
The user now has a public key, the pawsey_ecdsa_key.pub
file, and a private key, the pawsey_ecdsa_key
file. Terminal 3 shows how to list the generated files on Linux; terminal 4 does the equivalent on Windows.
$ ls ~/.ssh pawsey_ecdsa_key pawsey_ecdsa_key.pub
$ dir $env:USERPROFILE\.ssh Directory: C:\Users\[username]\.ssh Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 15/04/2021 9:40 AM 1766 pawsey_ecdsa_key -a---- 15/04/2021 9:40 AM 402 pawsey_ecdsa_key.pub
After generating the keys and specifying a passphrase, you need to add them to the SSH agent, ssh-agent
.
Adding the private key to the SSH agent
ssh-agent
is a program that manages SSH private keys, particularly those protected by a passphrase. Once a user let ssh-agent
manage a passphrase-protected private key, he or she will not have to type the passphrase when ssh
or scp
access it to log into a remote host.
Linux
First, start the ssh-agent
daemon to run in the background on your local machine. From the terminal, enter the following command.
$ eval "$(ssh-agent -s)"
It will respond with an agent PID.
In most flavours of Linux, add the key to the agent by using the ssh-add
command:
$ ssh-add ~/.ssh/pawsey_ecdsa_key
macOS
First, start the ssh-agent
to run in the background. From Terminal, enter the following command.
$ eval "$(ssh-agent -s)"
Next, modify the ~/.ssh/config
file to automatically load keys into the SSH agent and store passphrases in the Keychain. To do this, add the lines shown in listing 1 to the ~/.ssh/config
file on the local machine:
Host * AddKeysToAgent yes UseKeychain yes IdentityFile ~/.ssh/pawsey_ecdsa_key
Finally, add the key to the SSH agent by using the additional option -K
. (The -K option is specific to the macOS version of ssh-add
.)
$ ssh-add -K ~/.ssh/pawsey_ecdsa_key
Windows
For Windows PowerShell, to add your key to the ssh-agent
, ensure the OpenSSH Authentication Agent status is running:
$ Get-Service ssh-agent Status Name DisplayName ------ ---- ----------- Running ssh-agent OpenSSH Authentication Agent
If the ssh-agent
is disabled, the following steps are required to start the service:
Open the Services dialog, click Start, type services and select the Services app.
Figure 1. Windows Services application
- Within the Services (Local) list, scroll to
OpenSSH Authentication Agent
. Right-click
OpenSSH Authentication Agent
and then select Properties:Figure 2. OpenSSH Authentication Agent menu dialog
In the properties dialog, select Startup Type:
Automatic
:
Figure 3. OpenSSH Authentication Agent properties- Click OK.
- If the service is not running, click Start the service.
Next, add your private key to the ssh-agent
and enter your passphrase as entered when generating the key pair:
$ ssh-add $env:USERPROFILE\.ssh\pawsey_ecdsa_key Enter passphrase for C:\Users\[username]\.ssh\pawsey_ecdsa_key: Identity added: C:\Users\[username]\.ssh\pawsey_ecdsa_key (C:\Users\[username]\.ssh\pawsey_ecdsa_key)
Copy your public key to the server
Once the key pair has been generated, the user has to copy the public key to a precise location on the remote server to be accessed.
Linux/macOS
For Linux and macOS, there are two methods.
Method 1
On the user's local machine, execute the command
$ ssh-copy-id -i ~/.ssh/pawsey_ecdsa_key.pub <username>@<remotehost>
Where <username> is the user's Pawsey username and <remotehost> is the hostname of the remote host to be accessed.
If the command establishes the correct connection to the host, then it will ask for your password to accept and finalise the copy.
Method 2
We will use a combination of SSH and the Linux cat
command to paste the key contents to the server. You can use the following command.
Ensure that >>
is used in the cat >> ~/.ssh/authorized_keys
part of the command. If the authorized_keys
file already exists on the server, the contents will be appended to the file. If the user were to accidentally use > with the command, all the currently existing contents in the authorized_keys
file will be replaced.
$ cat ~/.ssh/pawsey_ecdsa_key.pub | ssh <username>@<remotehost> "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
Where <username> is the user's Pawsey username and <remotehost> is the hostname of the remote host to be accessed.
The command performs the following:
- Prints the output of the local public key
~/.ssh/pawsey_ecdsa_key.pub
- Redirects the output to the remote host.
- Creates a hidden directory in your home directory (
~/.ssh
) on the remote host if not already existing - Pastes the contents of the public key into the file
~/.ssh/authorized_keys
, located on the Setonix login node
Windows
Within the PowerShell terminal, the user executes the following command to copy the public key contents to the server's authorized_keys
file.
Ensure that >>
is used in the cat >> ~/.ssh/authorized_keys
part of the command. If the authorized_keys
file already exists on the server, the contents will be appended to the file. If the user were to accidentally use > with the command, all the currently existing contents in the authorized_keys
file will be replaced.
$ type $env:USERPROFILE\.ssh\pawsey_ecdsa_key.pub | ssh <username>@<remotehost> "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
Where <username> is the user's Pawsey username and <remotehost> is the hostname of the remote host to be accessed. The command performs the following:
- Prints the output of the local public key
$env:USERPROFILE\.ssh\pawsey_ecdsa_key.pub
- Redirects the output to the remote host.
- Creates a hidden directory in your home directory (
~/.ssh
) on the remote host if not already existing - Pastes the contents of the public key into the file
~/.ssh/authorized_keys
, located on the Setonix login node
Note that /home
is shared among all Pawsey systems, so this single command will set up SSH keys for each Pawsey system for which you have access.
Currently, the Windows implementation of the OpenSSH client does not have the ssh-copy-id
command available.
Final remarks
All the methods indicated above will register the public key into the file /home/<user>/.ssh/authorized_key
s, located on the Setonix login node.
Note that /home
is shared among all Pawsey systems, so any of these methods will set up, at once, the SSH keys for all the Pawsey system for which you have access.
After setting up the ssh-key and the ssh-agent, access to Pawsey systems will not ask for your password, but use the ssh-key instead:
$ ssh username@setonix.pawsey.org.au Last login: Mon Jan 10 11:07:13 2022 from 130.116.145.55 ############################################################################## # Pawsey Supercomputing Centre # # Empowering cutting-edge research for Australia's future # # # # This service is for authorised clients only. # # It is a criminal offence to: # # - Obtain access to data without permission # # - Damage, delete, alter or insert data without permission # # # ############################################################################## . . . =============================================================================== By using Pawsey facilities you agree to the Conditions of use available at https://support.pawsey.org.au/documentation/display/US/Conditions+of+Use =============================================================================== username@setonix-1:~> hostname setonix-1