SSH key pairs are useful for providing secure, no-password access to servers. SSH keys can also be deployed to handle remote, no-password connections to other server resources such as HPCC, unattended file backups, etc.
The general process of key generation and deployment is as follows:
- Generate the key pair, consisting of a public key which you distribute, and a private key which you keep securely on your workstation. Use a password to secure your private key.
- Distribute the public key to remote server accounts.
- If using multiple keys for different hosts, set up a configuration file on your workstation to specify which key to use for which host.
- Remotely connect to the server using your key. Enter the key password the first time, and save it in your workstation "keyring".
- Future connections to the remote host will not require entering a password.
Key Generation and Deployment (Mac/Linux)
To generate your key pair, open a terminal on your Mac and enter:
You will then be prompted to answer several questions:
This will create two (2) files:
- id_rsa.pub - Your public key
- id_rsa - Your private key
By default, these will be placed in your "~/.ssh" directory, unless you specify a different location (not recommended).
When you reach the "create a passphrase" prompt, enter a passphrase of at least 8 characters that you can remember (PLEASE WRITE THIS DOWN IF NECESSARY). You will need this passphrase when you deploy your key for the first time.
Key Deployment (Mac/Linux)
For servers where you do not yet have an account (e.g. a lab server) send your PUBLIC KEY ONLY to the systems administrator, who will establish your account and install your key.
For servers where you already have an account, but for which you would like secure, no-password access (e.g., the HPCC), use the following procedure:
- Transfer your public key to your remote account
- Log into your remote account using your account password
Navigate to your ~/.ssh directory and add your public key:
Make sure your permissions are set correctly for your .ssh directory and all its contents:
Log out of the remote host and log in again using your key:
- You will be prompted for your key password the first time you use it. On a Mac, this key should be saved seamlessly in your keychain.
- Future logins from this machine should not require a password.
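The key-generation and deployment steps above (generate the pair, append the public key to the remote account's authorized_keys, then fix the permissions on ~/.ssh) as an added example; these are not the page's own commands. ssh-keygen is only called if you invoke generate_key yourself, and the sample key line is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not the page's own commands): the key-generation and
# deployment steps as shell functions. The sample key below is constructed
# for the demo and is not a real key.
set -eu

# generate_key FILE COMMENT: make an RSA pair; ssh-keygen prompts for the
# passphrase interactively, which is the protection the page insists on.
generate_key() {
    ssh-keygen -t rsa -b 4096 -f "$1" -C "$2"
}

# install_pubkey "KEY LINE" [HOME_DIR]: append a public key to the target
# account's authorized_keys, skipping exact duplicates on repeated runs.
install_pubkey() {
    home_dir="${2:-$HOME}"
    auth="$home_dir/.ssh/authorized_keys"
    mkdir -p "$home_dir/.ssh"
    touch "$auth"
    if ! grep -qxF "$1" "$auth"; then
        printf '%s\n' "$1" >> "$auth"
    fi
    fix_ssh_perms "$home_dir"
}

# fix_ssh_perms [HOME_DIR]: sshd (StrictModes, the default) silently ignores
# keys when ~/.ssh or authorized_keys is group- or world-writable.
fix_ssh_perms() {
    ssh_dir="${1:-$HOME}/.ssh"
    chmod 700 "$ssh_dir"
    find "$ssh_dir" -type f -exec chmod 600 {} +
    # Public keys may stay readable by others.
    find "$ssh_dir" -type f -name '*.pub' -exec chmod 644 {} +
}

# key_count "KEY LINE" [HOME_DIR]: occurrences of the line in authorized_keys.
key_count() {
    grep -cxF "$1" "${2:-$HOME}/.ssh/authorized_keys" || true
}

# Demo in a throwaway home directory (constructed key, not a real one).
SAMPLE_KEY='ssh-rsa AAAAEXAMPLEKEYDATA constructed@workstation'
demo_home=$(mktemp -d)
install_pubkey "$SAMPLE_KEY" "$demo_home"
install_pubkey "$SAMPLE_KEY" "$demo_home"   # second run must not duplicate
echo "entries: $(key_count "$SAMPLE_KEY" "$demo_home")"   # prints 1
ls -ld "$demo_home/.ssh" "$demo_home/.ssh/authorized_keys"
rm -rf "$demo_home"
```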
The Config File (Mac/Linux)
If you have different keys that you use for different hosts, you may benefit from using a config file. The general form of the file is something like the following:
Notice that in the case of the host "poaceae", we can identify an alternate SSH port here (other than the default port 22). Now, we could login to that server by simply using:
This should use the correct key and connect to the proper port.
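A per-host config file of the kind described above, as an added example rather than the page's own file: "poaceae" gets its own key and the alternate port, the cluster gets a different key, and a final "Host *" block supplies defaults. The host names, user name, port and key file names are assumptions. The small lookup function mirrors ssh's first-match-wins rule for literal host names and "*" only (ssh also supports other glob patterns).

```shell
#!/bin/sh
# Added example (not the original page's config): a per-host ~/.ssh/config
# plus a simplified lookup of the value ssh would pick for a host.
set -eu

# write_ssh_config FILE: write the example config to FILE.
write_ssh_config() {
    cat > "$1" <<'EOF'
# Lab server on a non-default port, with its own key (names assumed).
Host poaceae
    HostName poaceae.example.org
    Port 12345
    User alice
    IdentityFile ~/.ssh/id_rsa_poaceae
    IdentitiesOnly yes

# Cluster login node: default port, a different key. ForwardAgent is the
# "-A" flag; enable it only for hosts you trust, since that host's admin
# can use your agent while you are connected.
Host hpcc
    HostName hpcc.example.org
    User alice
    IdentityFile ~/.ssh/id_rsa_hpcc
    ForwardAgent yes

# Defaults for every other host; must come last because ssh keeps the
# first value it sees for each option.
Host *
    Port 22
    IdentityFile ~/.ssh/id_rsa
EOF
}

# config_value HOST OPTION FILE: print the value ssh would use for HOST.
# Simplified: matches literal host names and "*" only, first match wins.
config_value() {
    opt=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v host="$1" -v opt="$opt" '
        /^[ \t]*#/ { next }
        tolower($1) == "host" { in_block = ($2 == host || $2 == "*"); next }
        in_block && tolower($1) == opt && !found { print $2; found = 1 }
    ' "$3"
}

# Demo: show what "ssh poaceae" would resolve to.
demo=$(mktemp)
write_ssh_config "$demo"
printf 'poaceae -> port %s, key %s\n' \
    "$(config_value poaceae Port "$demo")" "$(config_value poaceae IdentityFile "$demo")"
rm -f "$demo"
```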
Connecting from Mac or Linux
Once your public key has been added to the server, you may login using the following:
In the example above, "-p 12345" corresponds to the SSH port number provided to you by the systems administrator for the server you are connecting to. If the default port "22" is used, you do not need to add this to your connection command.
The "-A" flag allows your login credentials to be "forwarded" to other servers. That is, if you login to "serverA" using your SSH key, and you also have an account on "serverB" you can SSH directly into "serverB" without entering a password. If you do not include the "-A" flag, you will not be able to do this.
The first time you log in to the server with your newly installed public key, you will be asked for a password. THIS IS THE PASSWORD YOU USED FOR YOUR SSH KEY! If you are on a Mac (most of the lab), once you enter this password for the first time, it will be saved automatically in your "Key Chain", and you will not have to enter it on that machine again. Future logins will not require any password at all. However, it is important to set the key up with a password, since it protects your key from misuse if you ever lose control over it. If you move to a new machine (and transfer your private key), you will need to repeat this procedure to get the key password saved in your new Key Chain.
If you have a problem, please contact the Systems Administrator.
To use SSH and key access on a Windows client machine, you'll first need to install an SSH client on your PC. The client we'll be using is called "PuTTY."
You can download PuTTY here:
You will also want to download Pageant:
Download, and install the PuTTY client, as well as PuTTYgen and Pageant.
After everything is installed, start PuTTYgen. This application will generate a key pair for you.
Once the key has been generated, click the "Save public key" and "Save private key" buttons. Note where the key pair is saved, and the name used.
IMPORTANT: Highlight the text in the box labeled "Public key for pasting into OpenSSH" and copy it. Save this text to a text file. This is the public key you will need to send to the systems administrator.
Login from Windows
After the systems administrator has added your key to the server, you will need to set up PuTTY and Pageant. Start Pageant:
Pageant will automatically minimize to your system tray; locate it there and right-click to Add Key:
Click "Add Key" and locate the key pair you created using "PuTTYgen":
After you select the key, you will be asked to enter the password you used when creating the key under PuTTYgen:
Once the key has been added successfully, you should see it in the list:
As long as Pageant is running, this key will be available whenever you log in to a server using PuTTY.
Now you will need to start PuTTY:
Now go back to the "Session" entry in the left-hand window:
Enter the address of the server that was provided by the systems administrator in the "Host Name (or IP Address)" field. Under "Port", add the appropriate SSH port (also provided by the administrator). Save the session and give it a meaningful name. Then click "Open" and a Windows command prompt window will open. Enter your username and hit return. It should log you in automatically without asking you for a password.