$seoHelper.renderFullSimple($sitemeshPage,"{2} - {3}")
Page tree
Skip to end of metadata
Go to start of metadata

Contents

Overview

SSH key pairs are useful for providing secure, no-password access to servers.  SSH keys can also be deployed to handle remote, no-password connections to other server resources such as HPCC, unattended file backups, etc.

The general process of key generation and deployment is as follows:

  1. Generate the key pair, consisting of a public key which you distribute, and a private key which you keep securely on your workstation. Use a password to secure your private key.
  2. Distribute the public key to remote server accounts.
  3. If using multiple keys for different hosts, setup a configuration file on your workstation to specify which key to use for which host
  4. Remotely connect to the server using your key. Enter the key password the first time, and save this on your workstation "keyring"
  5. Future connections to the remote host will not require entering a password

Key Generation and Deployment (Mac/Linux)

To generate your key pair, open a terminal on your Mac and enter:

ssh-keygen -t rsa -b 2048

You will then be prompted to answer several questions:

ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/someUser/.ssh/id_rsa): /Users/someUser/.ssh/id_rsa
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /Users/someUser/id_rsa.rsa.
Your public key has been saved in /Users/someUser/id_rsa.pub.
The key fingerprint is:
a6:8e:ea:54:79:a1:d6:07:10:d6:50:fa:0b:95:30:e5 someUser@Some-Users-MacBook-Pro.local
The key's randomart image is:
+--[ RSA 2048]----+
|    B*o          |
|   . *..         |
|    . E          |
|     * o         |
|    * + S        |
|   o o =         |
|  .   o          |
| .   o           |
| .o.. .          |
+-----------------+

This will create two (2) files:

  1. id_rsa.pub - Your public key
  2. id_rsa - Your private key

By default, these will be placed in your "~/.ssh" directory, unless you specify a different location (not recommended).

When you reach the "create a passphrase" dialogue. Enter a pass phrase at least 8 characters that you can remember (PLEASE WRITE THIS DOWN IF NECESSARY). You will need this passphrase when you deploy your key for the first time.

Key Deployment (Mac/Linux)

For servers where you do not yet have an account (e.g. a lab server) send your PUBLIC KEY ONLY to the systems administrator, who will establish your account and install your key.

For servers where you already have an account, but for which you would like secure, no-password access (e.g., the HPCC), follow the following procedure:

  1. Transfer your public key to your remote account
  2. Log into your remote account using your account password
  3. Navigate to your ~/.ssh directory and add your public key:

    cd ~/.ssh
    cat ~/id_rsa.pub >> authorized_keys
  4. Make sure your permissions are set correctly for your .ssh directory and all its contents:

    -rw-r--r-- 1 staff 1410 May 15 11:25 config
    -rw------- 1 staff 1743 Jan 23 2013 id_rsa
    -rw-r--r-- 1 staff 396 Jan 23 2013 id_rsa.pub
    -rw-r--r-- 1 staff  820 Jul 29  2013 authorized_keys
    -rw-r--r-- 1 staff 44209 May 19 11:39 known_hosts
  5. Logout of the remote host and login again using your key:

    ssh -A someUser@remote.host.com
  6. You will be prompted for your key password the first time you use it.  On a Mac, this key should be saved seamlessly inside your key ring
  7. Future logins should not require a password from this machine

The Config File (Mac/Linux)

If you have different keys that you use for different hosts, you may benefit from using a config file.  The general form of the file is something like the following:

Host poaceae
	HostName poaceae.plantbiology.msu.edu
	User  someUser
	Port  57632
	IdentityFile ~/.ssh/id_another_rsa
Host gateway
	HostName  gateway.hpcc.msu.edu
	User  someUser
	IdentityFile ~/.ssh/id_rsa


IdentityFile ~/.ssh/id_rsa
IdentityFile ~/.ssh/id_another_rsa

Notice that in the case of the host "poaceae", we can identify an alternate SSH port here (other than the default port 22).  Now, we could login to that server by simply using:

ssh poaceae

This should use the correct key and connect to the proper port.

Connecting from Mac or Linux

Once your public key has been added to the server, you may login using the following:

It the example above, "-p 12345" corresponds to the SSH Port number provided to you by the systems administrator for the server you are connecting to.  If the default Port "22" is used, it will not be necessary for you to add this to your connection command.

The "-A" flag allows your login credentials to be "forwarded" to other servers.  That is, if you login to "serverA" using your SSH key, and you also have an account on "serverB" you can SSH directly into "serverB" without entering a password.  If you do not include the "-A" flag, you will not be able to do this.

The first time you login to the server with your newly installed public key, you will be asked for a password.  THIS IS THE PASSWORD YOU USED FOR YOUR SSH KEY!  If you are on a Mac (most of the lab), once you enter this key for the first time, it will be saved automatically in your "Key Chain", and you will not have to enter this password on that machine again.  Future logins will not require any password at all.  However it is important to set the key up using a password, since it protects your key from misuse if you ever lose control over it.  If you move to a new machine (and transfer your private key), you will need to repeat this procedure to get the key password saved in your new Key Chain.

If you have a problem, please contact the Systems Administrator.

Windows Instructions

Key Generation

To use SSH, and Key access on a Windows client machine, you'll first need to install a SSH client on your PC. The client we'll be using is called “PuTTY.”

You can download PuTTY here:

http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

You will also want to download Pageant:

http://the.earth.li/~sgtatham/putty/latest/x86/pageant.exe

And PuTTYgen:

http://the.earth.li/~sgtatham/putty/latest/x86/puttygen.exe

Download, and install the PuTTY client, as well as PuTTYgen and Pageant. 

After everything is installed, start PuTTYGen. This application will generate a key for you. 

  1. Under "Parameters", make sure SSH-2 RSA is checked
  2. Enter "2048" for the number of bits
  3. Add a "Comment" if desired
  4. Click the "Generate" button

Once the key has been generated, click the "Save public key" and "Save private key" buttons.  Note where the key pair is saved, and the name used.

IMPORTANT: Highlight the text in the box labeled "Public key for pasting into OpenSSH" and copy it.  Save this text to a text file. This is the public key you will need to send to the systems administrator.

Login from Windows

After the systems administrator has added your key to the server, you will need to setup PuTTY and Pageant.  Start Pageant:

Pageant will automatically minimize to your system tray, locate it and right click to Add Key:

Click "Add Key" and locate the key pair you created using "PuTTYgen":

After you select the key, you will be asked to enter the password you used when creating the key under PuTTYgen:

Once the key has been added successfully, you should see it in the list:

 

As long as Pageant is running, this key will now be available whenever you login to a server using PuTTY

Now you will need to start PuTTY:

  1. Select the "Auth" category in the lefthand menu
  2. Browse for the location of the private key you created and saved under "PuTTYgen"
  3. Check the box for "Allow Agent Forwarding"
  4. Check the box for "Attempt authentication using Pageant"
  5. Check the box for "Attempt 'keyboard-interactive' auth (SSH-2)"

 

Now go back to the "Session" entry under the lefthand window:

Just enter the address of the server in the “Host Name (or IP Address)” field that was provided by the systems administrator.  Under "Port", add the appropriate SSH port (also provided by the administrator).  Save the Session and give it a meaningful name.  Then click "Open" and a Windows command prompt window will open. Enter your username, and hit return. It should log you on automatically without asking you for a password.

More Information