Using SSH keys in Linux/en: Difference between revisions

<languages />

''Parent page: [[SSH]]''

Before creating a new key pair, check to see if you already have one. If you do, but can't remember where you've used it, it's better to create a fresh one, since you shouldn't install a key of unknown security.

Key pairs are typically located in the <code>.ssh/</code> directory in your /home directory. By default, a key is named with an "id_" prefix, followed by the key type ("rsa", "dsa", "ed25519"), and the public key also has a ".pub" suffix.  So a common example is <code>id_rsa</code> and <code>id_rsa.pub</code>. A good practice is to give it a name that is meaningful to you and identify on which system the key is used.

If you do need a new key, you can generate it with the <code>ssh-keygen</code> command:  

<source lang="console">

[name@yourLaptop]$  ssh-keygen -t ed25519

(This example explicitly asks for a 4-kbit RSA key, which is a reasonable choice.)

The output will be similar to the following:

<source lang="console">

Generating public/private rsa key pair.

</source>

When prompted, enter a passphrase. If you already have key pairs saved with the default names, you should enter a different file name for the new keys to avoid overwriting existing key pairs.  

More details on best practices can be found [[SSH_Keys#Best_practices_for_key_pairs| here]].

==Creating a key pair backed by a hardware security key==

Some sites now support the use of SSH keys backed by a hardware security key (e.g. YubiKey). If you need one of these keys, you can generate it with the <code>ssh-keygen</code> command:  

You will be prompted to both enter a passphrase and activate a hardware security key as part of the key creation process.

We encourage all users to leverage the new CCDB feature to install their SSH public key. This will make the key available to all our clusters.

Grab the content of your public key (called ''id_rsa.pub'' in the above case) and upload it to CCDB as per step 3 of [[SSH_Keys#Using_CCDB|these instructions]].

   

The simplest, safest way to install a key to a remote system is by using the <code>ssh-copy-id</code> command:

<source lang="console">

This assumes that the new keypair is named "mynewkey" and "mynewkey.pub", and that your username on the remote machine is the same as your local username.

If necessary, you can do this "manually" - in fact, <code>ssh-copy-id</code> isn't doing anything very magical.  It's simply connecting to the remote machine, and placing the public key into <code>.ssh/authorized_keys</code> in your /home directory there.  The main benefit from using <code>ssh-copy-id</code> is that it will create files and directories if necessary, and will ensure that the permissions on them are correct.  You can do it entirely yourself by copying the public key file to the remote server, then:

<source lang="bash">

Note that debugging the remote conditions may not be obvious without the help of the remote machine's system administrators.

<li>Finally, test the new key by sshing to the remote machine from the local machine with

<source lang="console">[name@yourLaptop]$ ssh -i /path/to/your/privatekey USERNAME@ADDRESS</source>

:*<code>ADDRESS</code> is the address of the remote machine.

If you have administrative access on the server and created the account for other users, they should test the connection out themselves and not disclose their private key.

</li>

</ol>

Having successfully created a key pair and installed the public key on a cluster, you can now log in using the key pair. While this is a better solution than using a password to connect to our clusters, it still requires you to type in a passphrase, needed to unlock your private key, every time that you want to log in to a cluster. There is however the <code>ssh-agent</code> program, which stores your private key in memory on your local computer and provides it whenever another program on this computer needs it for authentification. This means that you only need to unlock the private key once, after which you can log in to a remote cluster many times without having to type in the passphrase again.  

You can start the <code>ssh-agent</code> program using the command

{{Command|eval `ssh-agent`

Assuming you installed your key pair in one of the standard locations, the <code>ssh-add</code> command should be able to find it, though if necessary you can explicitly add the full path to the private key as an argument to <code>ssh-add</code>. Using the <code>ssh-add -l</code> option will show which private keys currently accessible to the <code>ssh-agent</code>.  

While using <code>ssh-agent</code> will allow automatically negotiate the key exchange between your personal computer and the cluster, if you need to use your private key on the cluster itself, for example when interacting with a remote GitHub repository, you will need to enable ''agent forwarding''. To enable this on the [[Béluga/en|Béluga]] cluster, you can add the following lines to your <code>$HOME/.ssh/config</code> file on your personal computer,

{{File

Note that you should never use the line <code>Host *</code> for agent forwarding in your SSH configuration file.

The method below is still available, but we encourage all users to [[Using_SSH_keys_in_Linux#Installing via CCDB|install keys via CCDB]].

If for some reasons you still want to upload the public key locally on a specific cluster, the steps are described below.

Note that many contemporary Linux distributions as well as macOS now offer graphical "keychain managers" that can easily be configured to also manage your SSH key pair, so that logging in on your local computer is enough to store the private key in memory and have the operating system automatically provide it to the SSH client during login on a remote cluster. You will  

then be able to log in to our clusters without ever typing in any kind of passphrase.   

[[Category:Connecting]]