SSH Keys/fr: Difference between revisions



== Installing your key ==
=== Using CCDB ===
To install the key, you must make the target/destination system aware of the public part of your key.
On Compute Canada, we have recently (March 2021) added a convenient way to do this.  You should visit:


  https://ccdb.computecanada.ca/ssh_authorized_keys
OpenStack (cloud systems) do not read your key from CCDB as shown in the link above.


Sometimes you may encounter a key in an alternate format, for instance one generated by a different SSH client.
This is a public key in PEM format:
  -----BEGIN RSA PUBLIC KEY-----
  MIIBCgKCAQEAxFm+Fbs+szeV2Vg2T5ufg8az0jD9DD/A0iNLKef2/0gPULn1ebFQ
  -----END RSA PUBLIC KEY-----


Public keys in RFC4716 or PKCS8 format look similar to PEM, with small variations in the header and footer lines.  This is the same key in RFC4716 format:
  ---- BEGIN SSH2 PUBLIC KEY ----
  AAAAB3NzaC1yc2EAAAADAQABAAABAQDEWb4Vuz6zN5XZWDZPm5+DxrPSMP0MP8DSI0sp5/
  b/SA9QufV5sVBK9DC2zlkZzNr23qXt9Io5vPwWIDBef6Z2ZevHHd9Ah6lZrYV4I1tOSIpN
  Ok2YRHAfS/dFHcOkl3xymDmN0lsg2WoNQ92pfFkM8jJm4dsRhSJKtvW/nOxxV2BWqEliL0
  46ISPt084unWSjqztNKBjx6MaduZQv+CX791+Ew0p2EtcxdYHK5wXXnvut8DPeo+fgkxas
  blMIfsmPw2kjEWGRX1CPLjQyXzXIOoyVu4T0JRnNWEBN7wx0i9xdRB6PzKV12Y2cBeZ9MP
  BR3lwn9VIxop6roaN39cOb
  ---- END SSH2 PUBLIC KEY ----
and finally, the same key in PKCS8 format:
  -----BEGIN PUBLIC KEY-----
  MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxFm+Fbs+szeV2Vg2T5uf
  g8az0jD9DD/A0iNLKef2/0gPULn1ebFQSvQwts5ZGcza9t6l7fSKObz8FiAwXn+m
  dmXrxx3fQIepWa2FeCNbTkiKTTpNmERwH0v3RR3DpJd8cpg5jdJbINlqDUPdqXxZ
  DPIyZuHbEYUiSrb1v5zscVdgVqhJYi9OOiEj7dPOLp1ko6s7TSgY8ejGnbmUL/gl
  +/dfhMNKdhLXMXWByucF1577rfAz3qPn4JMWrG5TCH7Jj8NpIxFhkV9Qjy40Ml81
  yDqMlbuE9CUZzVhATe8MdIvcXUQej8ylddmNnAXmfTDwUd5cJ/VSMaKeq6Gjd/XD
  mwIDAQAB
  -----END PUBLIC KEY-----
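The format matters in practice: OpenSSH's <code>authorized_keys</code> file expects the one-line <code>ssh-rsa AAAA...</code> form, and <code>ssh-keygen -i -m RFC4716 -f key.pub</code> is the stock way to get it from an RFC4716 file.  The following Python script is an added example (not code from this wiki page) that does the same conversion for the RFC4716 key shown above, then decodes the SSH wire format to confirm the key type, public exponent and modulus size, and computes the SHA256 fingerprint that <code>ssh-keygen -lf</code> reports.  The <code>Comment:</code> header in the embedded key is constructed here to exercise header parsing; the base64 body is the page's own key.  Only the Python standard library is used.

```python
"""Convert the RFC 4716 public key shown above to OpenSSH's one-line form.

Added example (not from the Compute Canada wiki). Mirrors what
`ssh-keygen -i -m RFC4716 -f key.pub` does, then decodes the wire format
(RFC 4253 section 6.6: string "ssh-rsa", mpint e, mpint n) as a sanity check,
and computes the SHA256 fingerprint that `ssh-keygen -lf` prints.
"""
import base64
import hashlib
import struct

# The RFC 4716 key from the page (the same RSA key as the PEM and PKCS8 examples).
# The Comment: header is constructed here to exercise header parsing.
RFC4716_KEY = """\
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, key from the wiki page; header added for this example"
AAAAB3NzaC1yc2EAAAADAQABAAABAQDEWb4Vuz6zN5XZWDZPm5+DxrPSMP0MP8DSI0sp5/
b/SA9QufV5sVBK9DC2zlkZzNr23qXt9Io5vPwWIDBef6Z2ZevHHd9Ah6lZrYV4I1tOSIpN
Ok2YRHAfS/dFHcOkl3xymDmN0lsg2WoNQ92pfFkM8jJm4dsRhSJKtvW/nOxxV2BWqEliL0
46ISPt084unWSjqztNKBjx6MaduZQv+CX791+Ew0p2EtcxdYHK5wXXnvut8DPeo+fgkxas
blMIfsmPw2kjEWGRX1CPLjQyXzXIOoyVu4T0JRnNWEBN7wx0i9xdRB6PzKV12Y2cBeZ9MP
BR3lwn9VIxop6roaN39cOb
---- END SSH2 PUBLIC KEY ----
"""

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def rfc4716_to_blob(text: str) -> bytes:
    """Strip the RFC 4716 envelope and headers; return the raw key blob."""
    lines = text.strip().splitlines()
    if not lines or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an RFC 4716 public key (missing BEGIN/END markers)")
    body, continued = [], False
    for line in lines[1:-1]:
        # Headers are "Tag: value"; a trailing backslash continues the header on
        # the next line. Base64 never contains ':', so the test is unambiguous.
        if continued or ":" in line:
            continued = line.endswith("\\")
            continue
        body.append(line.strip())
    return base64.b64decode("".join(body), validate=True)


def _read_string(buf: bytes, off: int):
    """Read one SSH 'string' (uint32 big-endian length, then that many bytes)."""
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + length > len(buf):
        raise ValueError("truncated key blob")
    return buf[off:off + length], off + length


def parse_blob(blob: bytes) -> dict:
    """Decode an ssh-rsa wire blob into its type, public exponent and modulus."""
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("this example only decodes ssh-rsa, got %r" % key_type)
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after the RSA public key")
    # mpint: big-endian two's complement, so a leading 0x00 is present when the MSB is set
    n = int.from_bytes(n_bytes, "big")
    return {"type": key_type.decode(), "e": int.from_bytes(e_bytes, "big"),
            "bits": n.bit_length(), "n": n}


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in ssh-keygen's notation (unpadded base64 of the blob's hash)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def to_openssh(text: str, comment: str = "") -> str:
    """RFC 4716 text -> 'ssh-rsa AAAA... [comment]', the form authorized_keys accepts."""
    blob = rfc4716_to_blob(text)
    line = parse_blob(blob)["type"] + " " + base64.b64encode(blob).decode()
    return line + " " + comment if comment else line


if __name__ == "__main__":
    blob = rfc4716_to_blob(RFC4716_KEY)
    info = parse_blob(blob)
    print("%s %d bits, e=%d, %s" % (info["type"], info["bits"], info["e"], fingerprint(blob)))
    print(to_openssh(RFC4716_KEY, "username@cedar"))
```

The decoder rejects PEM and PKCS8 input rather than guessing, because those wrap the key in ASN.1 DER and need a different parser (or <code>ssh-keygen -i -m PEM</code> / <code>-m PKCS8</code>).  Comparing the fingerprint it prints with <code>ssh-keygen -lf</code> on the original file is a quick way to confirm a conversion did not silently alter the key.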
   
   
=== Using the authorized_keys file ===
The CCDB method described above makes your public key available on all Compute Canada HPC systems.  This is convenient, and is often desired.

However, there may be circumstances in which you want to install a key only on a specific system.  You can do this by adding the key
to a file in your home directory on that system.  For instance, to install a key that only works on Cedar,
copy your public key into the file <code>~/.ssh/authorized_keys</code> on Cedar.  Since your home directory is shared by
all nodes of that cluster, this will allow you to log in to any of Cedar's login nodes using public-key authentication
(but not automatically to any of the other clusters).
On our systems (or any other with OpenSSH) the <code>ssh-copy-id</code> command is the most convenient way to do this:
   ssh-copy-id -i computecanada-key username@cedar.computecanada.ca


The <code>authorized_keys</code> mechanism is standard, and almost universally used on the internet.  It is however somewhat fragile:
Specifically, SSH is quite picky about the permissions on the <code>authorized_keys</code> file, as well as your home directory and the <code>.ssh</code> subdirectory.
This is described further in [[Using_SSH_keys_in_Linux|using SSH keys in Linux]].
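The permission pitfall above can be checked mechanically.  The following Python script is an added example (not code from this wiki or from OpenSSH) that does what <code>ssh-copy-id</code> does: it creates <code>~/.ssh</code> with mode 700, appends the key to <code>authorized_keys</code> only if no line with the same key type and blob is already present (so a changed comment does not create a duplicate), sets the file to mode 600, and reports anything sshd's <code>StrictModes</code> (the default) would reject, namely a home directory, <code>.ssh</code> directory or <code>authorized_keys</code> file that is writable by group or others.  The <code>home</code> parameter and the sample key in <code>demo()</code> are constructed so the script runs against a temporary directory rather than a real account.

```python
"""Install a public key into ~/.ssh/authorized_keys and check the permissions
that sshd's StrictModes (on by default) requires.

Added example, not from the Compute Canada wiki. Assumes a POSIX host running
OpenSSH; `home` is a parameter so demo() can use a throwaway directory
instead of a real home directory. Only ownership-independent mode bits are
checked here; sshd additionally requires the files to be owned by the user or root.
"""
import os
import stat
import tempfile
from pathlib import Path

# Key types OpenSSH accepts; authorized_keys lines may carry options before the type.
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-", "sk-ssh-ed25519", "sk-ecdsa-sha2-")

GROUP_OR_WORLD_WRITABLE = stat.S_IWGRP | stat.S_IWOTH


def key_id(line: str):
    """Return (type, base64 blob) for an authorized_keys line, or None for
    blank/comment lines. Skips leading options such as from="..." or no-pty."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    for i, field in enumerate(fields[:-1]):
        if field.startswith(KEY_TYPES):
            return field, fields[i + 1]
    return None


def check_permissions(home: Path) -> list:
    """Report what sshd (StrictModes yes) would refuse: a home directory,
    ~/.ssh or authorized_keys that is writable by group or others."""
    problems = []
    ssh_dir = home / ".ssh"
    checks = ((home, "home directory"), (ssh_dir, "~/.ssh"),
              (ssh_dir / "authorized_keys", "authorized_keys"))
    for path, label in checks:
        if not path.exists():
            problems.append("%s is missing (%s)" % (label, path))
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & GROUP_OR_WORLD_WRITABLE:
            problems.append("%s is group/world writable (mode %04o)" % (label, mode))
    return problems


def install_key(pubkey_line: str, home: Path) -> bool:
    """Append a public key unless an entry with the same type and blob exists,
    and set the modes ssh-copy-id sets (700 on ~/.ssh, 600 on authorized_keys).
    Returns True if the key was added, False if it was already present."""
    new_id = key_id(pubkey_line)
    if new_id is None:
        raise ValueError("expected an OpenSSH one-line public key")
    ssh_dir = home / ".ssh"
    ak = ssh_dir / "authorized_keys"
    ssh_dir.mkdir(mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)  # mkdir's mode is masked by the umask; force it
    text = ak.read_text() if ak.exists() else ""
    if any(key_id(line) == new_id for line in text.splitlines()):
        os.chmod(ak, 0o600)
        return False
    with open(ak, "a") as f:
        if text and not text.endswith("\n"):
            f.write("\n")  # don't glue onto a last line that lacks a newline
        f.write(pubkey_line.strip() + "\n")
    os.chmod(ak, 0o600)
    return True


def demo() -> dict:
    """Run the installer against a temporary home with a constructed sample key
    (the blob below is not a real key) and return what happened."""
    home = Path(tempfile.mkdtemp())
    sample = ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYNOTREAL0000000000000000 "
              "user@laptop")
    added_first = install_key(sample, home)
    added_again = install_key(sample.replace("user@laptop", "same key, new comment"), home)
    count = len((home / ".ssh" / "authorized_keys").read_text().splitlines())
    clean = check_permissions(home)
    os.chmod(home / ".ssh", 0o770)  # simulate the classic mistake
    loosened = check_permissions(home)
    os.chmod(home / ".ssh", 0o700)
    return {"added_first": added_first, "added_again": added_again,
            "entries": count, "clean": clean, "loosened": loosened}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

When a key-based login fails with a password prompt and no obvious error, running <code>check_permissions</code> against the real home directory (or <code>sshd</code> with <code>-d</code> on a host you control) usually points at the offending mode bits faster than re-copying the key.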


== Advanced Key Usage ==
Although it's important to secure your private key by encrypting it with a passphrase, it is inconvenient to have to enter your
passphrase every time you use the key.  Rather than leaving the private key unencrypted, we strongly suggest using an SSH key agent.
You type the passphrase when starting up the agent, after which the agent signs the authentication challenges for new connections; the decrypted key stays in the agent's memory and is never written out.
This avoids storing the unencrypted private key on permanent storage, where it is more vulnerable to being stolen or copied.
 
== Advanced Key Generation ==
The <code>ssh-keygen</code> invocation shown above uses defaults, which are OK but may not be ideal.