SSH Keys: Difference between revisions

883 bytes removed ,  3 years ago
no edit summary
Line 48: Line 48:


== Installing your key == <!--T:17-->
== Installing your key == <!--T:17-->
=== Using CCDB ===
To install the key, you must make the target/destination system aware of the public part of your key.
To install the key, you must make the target/destination system aware of the public part of your key.
On ComputeCanada, we have recently (March 2021) added a convenient way to do this.  You should visit:
On Compute Canada, we have recently (March 2021) added a convenient way to do this.  You should visit:


  <!--T:18-->
  <!--T:18-->
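Review bot: The new heading "=== Using CCDB ===" introduces the acronym CCDB, but the visible text of this hunk never expands it or says what it is. Spell it out on first use in the sentence under the heading, so a reader knows where the public key is being uploaded. In the same sentence, "recently (March 2021)" will go stale; "since March 2021" keeps the date without the time-relative wording.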
Line 68: Line 71:


<!--T:22-->
<!--T:22-->
Sometimes, you may encounter a key that is in an alternate format - for instance, as generated by some SSH clients.
Sometimes, you may encounter a key that is in an alternate format.
for instance, this is a public key in PEM format:
For instance, this is a public key in PEM format:
  -----BEGIN RSA PUBLIC KEY-----
  -----BEGIN RSA PUBLIC KEY-----
  MIIBCgKCAQEAxFm+Fbs+szeV2Vg2T5ufg8az0jD9DD/A0iNLKef2/0gPULn1ebFQ
  MIIBCgKCAQEAxFm+Fbs+szeV2Vg2T5ufg8az0jD9DD/A0iNLKef2/0gPULn1ebFQ
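Review bot: In the T:22 sentence, dropping "as generated by some SSH clients" leaves "alternate format" with no reference point. The reader is not told which format is the expected one or where a key in another format would come from. Keep a short clause naming the source of such keys, and name the format the system expects, so a user can tell whether the key in front of them needs converting before it is installed.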
Line 80: Line 83:


<!--T:23-->
<!--T:23-->
and this is the same key in RFC4716 format:
Public keys in RFC4716 or PKCS8 formats will look similar to PEM, with small variations in the header and footer lines.
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAABAQDEWb4Vuz6zN5XZWDZPm5+DxrPSMP0MP8DSI0sp5/
b/SA9QufV5sVBK9DC2zlkZzNr23qXt9Io5vPwWIDBef6Z2ZevHHd9Ah6lZrYV4I1tOSIpN
Ok2YRHAfS/dFHcOkl3xymDmN0lsg2WoNQ92pfFkM8jJm4dsRhSJKtvW/nOxxV2BWqEliL0
46ISPt084unWSjqztNKBjx6MaduZQv+CX791+Ew0p2EtcxdYHK5wXXnvut8DPeo+fgkxas
blMIfsmPw2kjEWGRX1CPLjQyXzXIOoyVu4T0JRnNWEBN7wx0i9xdRB6PzKV12Y2cBeZ9MP
BR3lwn9VIxop6roaN39cOb
---- END SSH2 PUBLIC KEY ----
and finally in PKCS8
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxFm+Fbs+szeV2Vg2T5uf
g8az0jD9DD/A0iNLKef2/0gPULn1ebFQSvQwts5ZGcza9t6l7fSKObz8FiAwXn+m
dmXrxx3fQIepWa2FeCNbTkiKTTpNmERwH0v3RR3DpJd8cpg5jdJbINlqDUPdqXxZ
DPIyZuHbEYUiSrb1v5zscVdgVqhJYi9OOiEj7dPOLp1ko6s7TSgY8ejGnbmUL/gl
+/dfhMNKdhLXMXWByucF1577rfAz3qPn4JMWrG5TCH7Jj8NpIxFhkV9Qjy40Ml81
yDqMlbuE9CUZzVhATe8MdIvcXUQej8ylddmNnAXmfTDwUd5cJ/VSMaKeq6Gjd/XD
mwIDAQAB
-----END PUBLIC KEY-----
   
   
This method of installing an ssh key makes the key available to all systems.  This is convenient, and is often desired.
=== Using the authorized_keys file ===
There may be circumstances in which you want to install a key on a specific system.  You can do this by making the key
 
appear in a file in your home directory on that system.  For instance, to install a key that only works on Cedar,
The CCDB method described above makes your public key available on all Compute Canada HPC systems.  This is convenient, and is often desired.
you can install your public key in the .ssh/authorized_keys file on Cedar.  Since your home directory is shared by
 
all nodes on a particular system, this will permit login to any of Cedar's login nodes (but not automatically to any
However, there may be circumstances in which you want to install a key only on a specific system.  You can do this by adding the key
of the other clusters).  On systems with OpenSSH, the "ssh-copy-id" command is a convenient way to properly install
to a file in your home directory on that system.  For instance, to install a key that only works on Cedar,
keys into your authorized_keys file:
copy your public key into the file <code>~/.ssh/authorized_keys</code> on Cedar.   
This will allow you to log in to any of Cedar's login nodes using PK.   
On our systems (or any other with OpenSSH) the <code>ssh-copy-id</code> command is the most convenient way to do this:
   ssh-copy-id -i computecanada-key username@cedar.computecanada.ca  
   ssh-copy-id -i computecanada-key username@cedar.computecanada.ca  


<!--T:24-->
<!--T:24-->
The authorized_keys mechanism is standard, and almost universally used on the internet.  It is however somewhat fragile:
The <code>authorized_keys</code> mechanism is standard, and almost universally used on the internet.  It is however somewhat fragile:
specifically, SSH is quite picky about the permissions on the authorized_keys file, as well as your home directory and the .ssh subdirectory.
Specifically, SSH is quite picky about the permissions on the <code>authorized_keys</code> file, as well as your home directory and the <code>.ssh</code> subdirectory.
this is described further in [[Using_SSH_keys_in_Linux|using SSH keys in Linux]].
This is described further in [[Using_SSH_keys_in_Linux|using SSH keys in Linux]].


== Advanced Key Usage == <!--T:25-->
== Advanced Key Usage == <!--T:25-->
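Review bot: The replacement sentence under T:23 says RFC4716 and PKCS8 keys differ from PEM by "small variations in the header and footer lines", but the examples it replaces show different bodies as well: the PEM block starts "MIIBCgKCAQEA", the PKCS8 block starts "MIIBIjANBgkq", and the RFC4716 block starts "AAAAB3NzaC1yc2E". If the full examples are being cut for length, keep at least the two header lines ("---- BEGIN SSH2 PUBLIC KEY ----" and "-----BEGIN PUBLIC KEY-----") so users can recognize each format, and reword the sentence so it does not imply the encoded data is the same. In the new authorized_keys paragraph, "using PK" is an undefined abbreviation, and the rewrite drops the earlier caveat "(but not automatically to any of the other clusters)", which is the scoping point that justifies installing a key per system; restore it.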