Using SSH keys in Linux

From Alliance Doc
Revision as of 20:24, 17 October 2021 by Gauriaur (talk | contribs)
Jump to navigation Jump to search
Other languages:

Parent page: SSH

Creating a key pair[edit]

Before creating a new key pair, check to see if you already have one. If you do, but can't remember where you've used it, it's better to create a fresh one, since you shouldn't install a key of unknown security.

Key pairs are typically located in the .ssh/ directory in your home directory. By default, a key is named with an "id_" prefix, followed by the key type ("rsa", "dsa", "ed25519"), and the public key also has a ".pub" suffix. So a common example is id_rsa and id_rsa.pub. A good practice is to give it a name that

If you do need a new key, you can generate it with the ssh-keygen command:

[name@yourLaptop]$ ssh-keygen -b 4096 -t rsa

(this example explicitly asks for a 4-kbit RSA key, which is a reasonable choice.)

The output will be similar to the following:

Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.
The key fingerprint is:
ef:87:b5:b1:4d:7e:69:95:3f:62:f5:0d:c0:7b:f1:5e username@hostname
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|           .     |
|            o .  |
|        S    o o.|
|         .  + +oE|
|          .o O.oB|
|         .. +oo+*|
|          ... o..|
+-----------------+

When prompted, enter a passphrase. If you already have key pairs saved with the default names, you may wish to enter a different file name for the new keys to avoid overwriting existing key pairs.

Installing the public part of the key[edit]

We encourage all users to leverage the new CCDB feature to install their SSH public key. Grab the content of your public key (called id_rsa.pub in our case) and upload it to CCDB as per instructions in SSH Keys Installing your key in the section "Using CCDB", STEP 3.

Alternatively, here is another way:

The simplest, safest way to install a key to a remote system is using the ssh-copy-id command:

ssh-copy-id -i mynewkey graham.computecanada.ca:

This assumes that the new keypair is named "mynewkey" and "mynewkey.pub", and that your username on the remote machine is the same as your local username.

If necessary, you can do this "manually" - in fact, ssh-copy-id isn't doing anything very magic. It's simply connecting to the remote machine, and placing the public key into .ssh/authorized_keys in your home directory there. The main benefit from using ssh-copy-id is that it will create files and directories if necessary, and will ensure that the permissions on them are correct. You can do it entirely yourself by copying the public key file to the remote server, then:

mkdir ~/.ssh
cat id_rsa.pub >> ~/.ssh/authorized_keys
chmod --recursive go-rwx ~/.ssh
chmod go-w ~

SSH is picky about permissions, on both the client and the server. SSH will fail if the following conditions are not met:

  • The private key file must not be accessible to others. chmod go-rwx id_rsa
  • Your remote home directory must not be writable by others chmod go-w ~
  • Same for your remote ~/.ssh and ~/.ssh/authorized_keys chmod --recursive go-rwx ~/.ssh

Note that debugging the remote conditions may not be obvious without the help of the remote machine's system administrators.

Connecting using a key pair[edit]

  • Finally test the new key by sshing to the remote machine from the local machine with
    [name@yourLaptop]$ ssh -i /home/ubuntu/.ssh/id_rsa USERNAME@ADDRESS
    

    where

    • /home/ubuntu/.ssh/id_rsa specifies your private key file;
    • USERNAME is the user name on the remote machine;
    • ADDRESS is the address of the remote machine.

    If you have administrative access on the server and created the account for other users, they should test the connection out themselves and not disclose their private key.

  • Using ssh-agent[edit]

    Having successfully created a key pair and installed the public key on a Compute Canada cluster, you can now login using the key pair. While this is a better solution than using a password to connect to our clusters, it still requires you to type in a passphrase, needed to unlock your private key, every time that you want to login to a cluster. There is however a program, ssh-agent, which stores your private key in memory on your local computer and provides it whenever another program on this computer needs it for authentification. This means that you only need to unlock the private key once, after which you can login to a remote cluster many times without having to type in the passphrase again.

    You can start the ssh-agent program using the command

    Question.png
    [name@server ~]$ eval `ssh-agent`
    

    After you have started the ssh-agent, which will run in the background while you are logged in at your local computer, you can add your key pair to those managed by the agent using the command

    Question.png
    [name@server ~]$ ssh-add
    

    Assuming you installed your key pair in one of the standard locations, the ssh-add command should be able to find it, though if necessary you can explicitly add the full path to the private key as an argument to ssh-add. Using the ssh-add -l option will show which private keys currently accessible to the ssh-agent.

    While using ssh-agent will allow automatically negotiate the key exchange between your personal computer and the cluster, if you need to use your private key on the cluster itself, for example when interacting with a remote GitHub repository, you will need to enable agent forwarding. To enable this on the Béluga cluster, you can add the following lines to your $HOME/.ssh/config file on your personal computer,

    File : config

    Host beluga.computecanada.ca
        ForwardAgent yes
    


    Note that you should never use the line Host * for agent forwarding in your SSH configuration file.

    Note that many contemporary Linux distributions as well as macOS now offer graphical "keychain managers" that can easily be configured to also manage your SSH key pair, so that logging in on your local computer is enough to store the private key in memory and have the operating system automatically provide it to the SSH client during login on a remote cluster. You will then be able to login to Compute Canada clusters without ever typing in any kind of passphrase.