Working with SSH keys on Linux, MacOS and Windows Subsystem for Linux (WSL)
On Linux (including Windows Subsystem for Linux) and MacOS, ssh and related commands are usually provided by the OpenSSH package.
Where are the keys stored?
By default, OpenSSH stores new keys, and looks for a key when making an ssh connection, in:
    /home/<username>/.ssh
If the directory does not exist, you can create it in a command line terminal like this:
    mkdir $HOME/.ssh
    chmod 700 $HOME/.ssh
The last step makes sure that the directory is only accessible to your user, which is preferred for ssh.
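As an added example (not part of the original page), the permission check above done in Python: it audits a .ssh directory, flags a directory or private key that is readable by group or others, and applies the recommended modes. The demo builds its own .ssh directory with placeholder files in a temporary directory, so nothing touches your real keys. The 0600 expectation for private key files is not stated on this page; it is the usual OpenSSH behaviour (ssh refuses a private key whose permissions are too open), and the function names are this example's own.

```python
import os
import stat
import tempfile

# Expected modes: the page's `chmod 700 $HOME/.ssh` for the directory; 0600 for
# private key files is an assumption based on OpenSSH's usual permission check.
DIR_MODE = 0o700
PRIVATE_KEY_MODE = 0o600
PUBLIC_KEY_SUFFIX = ".pub"


def audit_ssh_dir(ssh_dir):
    """Return a list of findings for a .ssh directory; an empty list means OK.

    The directory must not be readable by group/others, and every regular file
    that does not end in .pub is treated as a private key with the same rule.
    """
    findings = []
    if not os.path.isdir(ssh_dir):
        return [f"{ssh_dir}: missing (create with mkdir + chmod 700)"]
    dir_mode = stat.S_IMODE(os.stat(ssh_dir).st_mode)
    if dir_mode & 0o077:  # any group or other permission bit set
        findings.append(f"{ssh_dir}: mode {dir_mode:04o}, expected {DIR_MODE:04o}")
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        if not os.path.isfile(path) or name.endswith(PUBLIC_KEY_SUFFIX):
            continue  # public keys may be readable by everyone
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o077:
            findings.append(f"{path}: mode {mode:04o}, expected {PRIVATE_KEY_MODE:04o} or stricter")
    return findings


def fix_ssh_dir(ssh_dir):
    """Apply the recommendation: directory 0700, private key files 0600."""
    os.makedirs(ssh_dir, exist_ok=True)
    os.chmod(ssh_dir, DIR_MODE)
    for name in os.listdir(ssh_dir):
        path = os.path.join(ssh_dir, name)
        if os.path.isfile(path) and not name.endswith(PUBLIC_KEY_SUFFIX):
            os.chmod(path, PRIVATE_KEY_MODE)
    return audit_ssh_dir(ssh_dir)


def demo():
    """Constructed scenario: a too-open directory and key file, audited, then fixed.

    Returns (number of findings before the fix, number after).
    """
    with tempfile.TemporaryDirectory() as tmp:
        ssh_dir = os.path.join(tmp, ".ssh")
        os.mkdir(ssh_dir)
        os.chmod(ssh_dir, 0o755)  # too open: group and others can list it
        key = os.path.join(ssh_dir, "id_ed25519_shark")
        with open(key, "w") as f:
            f.write("constructed placeholder, not a real key\n")
        os.chmod(key, 0o644)  # too open: group and others can read it
        with open(key + ".pub", "w") as f:
            f.write("constructed placeholder public key\n")
        before = audit_ssh_dir(ssh_dir)
        after = fix_ssh_dir(ssh_dir)
        return len(before), len(after)


if __name__ == "__main__":
    print(demo())  # expected (2, 0): two findings before the fix, none after
    print(audit_ssh_dir(os.path.expanduser("~/.ssh")))
```

Running the module audits your own ~/.ssh as well; an empty list means the directory and private keys already have the recommended permissions.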
Different types of keys
OpenSSH supports different types of keys, and each type of key supports different key lengths. The rule of thumb is that the longer the key, the more secure it is, but very long keys also hurt performance.
Discussing all of the types is beyond the scope of this page, so we focus on the following two:
RSA:
The default RSA key length is 3072 bits, though we recommend 4096. A key length of 2048 bits or lower is considered insecure.
RSA is the default key type for OpenSSH.
ED25519
ED25519 has a fixed length of 256 bits. You should not compare this length with the key length for RSA as it is a different type of key. In general, ED25519 keys are much faster than RSA keys and are thus preferable.
Creating a key
In the following, we will create keys for the two types mentioned in the previous section.
Start by opening a command line terminal on your computer.
Run ssh-keygen to start generating a key.
For generating an RSA key with a length of 4096, type the following
    ssh-keygen -t rsa -b 4096
where option -t specifies the type of key and option -b specifies the length of the key.
You can add a comment to the key by adding -C "<mycomment>" to the command and replacing <mycomment> by the actual comment that you want to provide.
For generating an ED25519 key, type the following
    ssh-keygen -t ed25519
Again, you can add a comment to the key by adding -C "<mycomment>" to the command.
After running ssh-keygen, you will see the following output (here for ed25519):
    Generating public/private ed25519 key pair.
    Enter file in which to save the key (/home/<myusername>/.ssh/id_ed25519):
Here, ssh-keygen asks you where to store the key. You can either confirm the default name of the key by hitting enter or adjust it. The latter is useful when you are working with multiple keys.
For example,
    # for SHARK
    Enter file in which to save the key (/home/<myusername>/.ssh/id_ed25519): /home/<myusername>/.ssh/id_ed25519_shark
    # for ALICE
    Enter file in which to save the key (/home/<myusername>/.ssh/id_ed25519): /home/<myusername>/.ssh/id_ed25519_alice
Next, ssh-keygen will ask whether you want to protect your private key with a passphrase. The passphrase is optional, but if your private key gets stolen, it cannot be used without the passphrase. It also means that every time you want to use your key, you need to enter the passphrase, unless you use something like ssh-agent to keep the private key in memory (see below).
    Enter passphrase (empty for no passphrase):
The recommendations for length and complexity of passwords also apply to passphrases.
You can change your passphrase later on, but if you forget it, you will have to generate a new key pair for use with the HPC cluster.
Whether you enter a passphrase or not, you will be asked to confirm it once more. If you did not provide a passphrase, you can just leave it empty.
    Enter same passphrase again:
Lastly, ssh-keygen will generate the key and show you where the key is stored:
    Your identification has been saved in /home/<myusername>/.ssh/id_ed25519_shark.
    Your public key has been saved in /home/<myusername>/.ssh/id_ed25519_shark.pub.
    The key fingerprint is: ...
    The key's randomart image is: ...
In this example, we set the name of the key to id_ed25519_shark. If you followed the example for ALICE, your key might be named id_ed25519_alice.
The first file (without a file ending) is your private key. The second file (with the file ending .pub) is your public key, which you can put on the remote host.
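Added example (not from the page): a small Python parser for the one-line format of the .pub file created above. It reports the key type, the bit length that the rule of thumb in "Different types of keys" refers to (the RSA modulus size, or 256 for ED25519), and the same SHA256 fingerprint that ssh-keygen prints, so you can check a public key file before putting it on a remote host. The sample keys built at the bottom only have the right sizes and are not real keys; all function names are this example's own.

```python
import base64
import hashlib
import struct

# Guidance taken from the page: RSA 4096 recommended, 2048 bits or lower insecure.
RSA_RECOMMENDED_BITS = 4096
RSA_INSECURE_BITS = 2048


def _read_string(blob, offset):
    """Read one SSH 'string' (4-byte big-endian length + bytes) from blob."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def _mpint_bits(data):
    """Bit length of an SSH mpint; a leading 0x00 sign byte does not count."""
    return int.from_bytes(data, "big").bit_length()


def parse_public_key(line):
    """Parse one OpenSSH .pub line into (type, bits, fingerprint, comment)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    declared_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64)
    blob_type, off = _read_string(blob, 0)
    if blob_type.decode() != declared_type:
        raise ValueError("key type inside the blob does not match the line prefix")
    if declared_type == "ssh-rsa":
        _e, off = _read_string(blob, off)  # public exponent, not needed here
        n, off = _read_string(blob, off)   # modulus; its size is the "key length"
        bits = _mpint_bits(n)
    elif declared_type == "ssh-ed25519":
        pk, off = _read_string(blob, off)
        bits = len(pk) * 8  # always 256 for ED25519
    else:
        raise ValueError(f"unsupported key type {declared_type}")
    # ssh-keygen -lf prints SHA256 of the raw blob, base64 without '=' padding.
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return declared_type, bits, "SHA256:" + digest, comment


def assess(line):
    """Apply the page's guidance: ED25519 is fine; RSA should be 4096, never 2048 or less."""
    key_type, bits, _fp, _comment = parse_public_key(line)
    if key_type == "ssh-ed25519":
        return "ok"
    if bits <= RSA_INSECURE_BITS:
        return "insecure"
    if bits < RSA_RECOMMENDED_BITS:
        return "acceptable"  # e.g. the 3072-bit default
    return "ok"


# --- constructed sample keys (not real keys), so the example runs offline ---
def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _mpint(n):
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw  # keep the number positive in two's complement
    return _ssh_string(raw)


def make_rsa_line(bits, comment="constructed"):
    """Build an ssh-rsa line whose modulus has exactly `bits` bits (top bit set)."""
    modulus = (1 << (bits - 1)) | 1  # not a real RSA modulus, just the right size
    blob = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint(modulus)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def make_ed25519_line(comment="constructed"):
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    for sample in (make_rsa_line(2048), make_rsa_line(4096), make_ed25519_line()):
        print(parse_public_key(sample)[:3], assess(sample))
```

To check one of your own keys, pass a line read from ~/.ssh/id_ed25519_shark.pub (or whichever name you chose) to parse_public_key; the fingerprint it returns should match the one ssh-keygen showed when the key was created.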
Changing the passphrase
If you provided a passphrase for your private key, you can change it in a command line window like this:
    # using the SHARK example
    ssh-keygen -p -f ~/.ssh/id_ed25519_shark
    # using the ALICE example
    ssh-keygen -p -f ~/.ssh/id_ed25519_alice
Here, we used ~ as an alias for your home directory.
You will be asked to enter a new passphrase and confirm it once more.
Adding your key to ssh-agent
By adding your key to ssh-agent, your ssh key will be stored encrypted in memory and you do not have to type in your passphrase every time you connect to the cluster.
This step is completely optional and not required for using the key. If you are new to Linux or ssh keys, feel free to skip it and get used to using keys first.
Open a command line terminal.
Check that ssh-agent is running, e.g.,
    ps -fC ssh-agent
If it is not running, start ssh-agent in the background:
    eval "$(ssh-agent -s)"
The output should look like this:
    Agent pid <some_number>
Add your ssh key:
    # if you used the example name for SHARK
    ssh-add ~/.ssh/id_ed25519_shark
    # if you used the example name for ALICE
    ssh-add ~/.ssh/id_ed25519_alice
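Added example (not from the page): a Python client for the ssh-agent wire protocol that asks the agent listening on SSH_AUTH_SOCK which keys it currently holds. This is the check you would do after the ssh-add step, and is what ssh-add -l does. The request is a single message of type 11 and the answer is a message of type 12 carrying a count followed by (key blob, comment) pairs; make_answer builds a constructed reply of that shape so the parser can be exercised without a running agent. The helper and function names are this example's own.

```python
import os
import socket
import struct

# Message numbers from the ssh-agent protocol.
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12


def _ssh_string(b):
    """Encode bytes as an SSH 'string': 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf, off):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def build_request_identities():
    """Frame the 'list keys' request: uint32 length, then the one-byte message type."""
    body = bytes([SSH_AGENTC_REQUEST_IDENTITIES])
    return struct.pack(">I", len(body)) + body


def parse_identities_answer(msg):
    """Parse an SSH_AGENT_IDENTITIES_ANSWER body into [(key_type, comment), ...]."""
    if not msg or msg[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected agent reply type %r" % (msg[:1],))
    (count,) = struct.unpack(">I", msg[1:5])
    off, keys = 5, []
    for _ in range(count):
        blob, off = _read_string(msg, off)
        comment, off = _read_string(msg, off)
        key_type, _ = _read_string(blob, 0)  # first field of a key blob is its type name
        keys.append((key_type.decode(), comment.decode(errors="replace")))
    return keys


def _recv_exact(sock, n):
    """Read exactly n bytes from the agent socket."""
    data = b""
    while len(data) < n:
        part = sock.recv(n - len(data))
        if not part:
            raise ConnectionError("agent closed the connection")
        data += part
    return data


def list_agent_keys(sock_path=None):
    """Ask the running agent (default: $SSH_AUTH_SOCK) which keys it holds."""
    sock_path = sock_path or os.environ.get("SSH_AUTH_SOCK")
    if not sock_path:
        raise RuntimeError("SSH_AUTH_SOCK is not set; is ssh-agent running?")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(build_request_identities())
        (length,) = struct.unpack(">I", _recv_exact(s, 4))
        return parse_identities_answer(_recv_exact(s, length))


def make_answer(entries):
    """Constructed agent reply for offline use; entries = [(key_type, comment), ...]."""
    body = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(entries))
    for key_type, comment in entries:
        blob = _ssh_string(key_type.encode()) + _ssh_string(b"\x00" * 32)  # dummy key material
        body += _ssh_string(blob) + _ssh_string(comment.encode())
    return body


if __name__ == "__main__":
    try:
        print(list_agent_keys())  # e.g. [('ssh-ed25519', '<mycomment>')] after ssh-add
    except (RuntimeError, OSError) as e:
        print("no agent reachable:", e)
```

If the list comes back empty after ssh-add, the key was added to a different agent than the one your shell's SSH_AUTH_SOCK points at, which is a common source of "still asks for my passphrase" confusion.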
Creating an SSH key on Windows
From Windows 10 onwards, the two most common options for generating ssh keys on Windows are:
Windows' own OpenSSH client, which is installed by default
Using PuTTY
Note that OpenSSH and PuTTY use different key formats, so you cannot use an OpenSSH-generated key with a program that only accepts PuTTY-format ssh keys without converting the key to the PuTTY format. However, PuTTY-generated ssh keys work with other ssh clients on Windows such as WinSCP.
Using Windows OpenSSH client
Here, we will use PowerShell instead of the Windows Command Line, because we can use some Linux-like commands in PowerShell.
Where are the keys stored?
By default, OpenSSH on Windows looks for keys when making an ssh connection in the user's home directory, for example:
    C:\Users\<username>\.ssh
If the directory does not exist, you can create it in PowerShell like this:
    mkdir ~\.ssh
Of course, you are free to define a different location for your keys.
Creating a key
Creating an ssh key on Windows' OpenSSH client works the same way as on Linux. Here, we will create just one type of key as an example.
Open up PowerShell from the Windows start menu.
Create a key. Here, we will only focus on ed25519. If you want to create an RSA-based key, see the previous section for the command.
    ssh-keygen -t ed25519
Again, you can add a comment to the key by adding -C "<mycomment>" to the command.
After running ssh-keygen, you will see the following output (here for ed25519):
    Generating public/private ed25519 key pair.
    Enter file in which to save the key (C:\<myusername>/.ssh/id_ed25519):
Here, ssh-keygen asks you where to store the key. You can either confirm the default name of the key by hitting enter or adjust it. The latter is useful when you are working with multiple keys.
Note how the path changes from using backslashes to slashes. This is related to OpenSSH. For example,
    # for SHARK
    Enter file in which to save the key (C:\<myusername>/.ssh/id_ed25519): C:\<myusername>/.ssh/id_ed25519_shark
    # for ALICE
    Enter file in which to save the key (C:\<myusername>/.ssh/id_ed25519): C:\<myusername>/.ssh/id_ed25519_alice
Next, ssh-keygen will ask whether you want to protect your private key with a passphrase. The passphrase is optional, but if your private key gets stolen, it cannot be used without the passphrase. It also means that every time you want to use your key, you need to enter the passphrase, unless you use something like ssh-agent to keep the private key in memory (see below).
The recommendations for length and complexity of passwords also apply to passphrases. You can change your passphrase later on, but if you forget it, you will have to generate a new key pair for use with the HPC cluster.
    Enter passphrase (empty for no passphrase):
Whether you enter a passphrase or not, you will be asked to confirm it once more.
    Enter same passphrase again:
Lastly, ssh-keygen will generate the key and show you where the key is stored:
    Your identification has been saved in /home/<myusername>/.ssh/id_ed25519_shark.
    Your public key has been saved in /home/<myusername>/.ssh/id_ed25519_shark.pub.
    The key fingerprint is: ...
    The key's randomart image is: ...
In this example, we set the name of the key to id_ed25519_shark. If you followed the example for ALICE, your key might be named id_ed25519_alice.
The first file (without a file ending) is your private key. The second file (with the file ending .pub) is your public key, which you can put on the remote host.
The Windows ssh key agent
Windows also has a built-in ssh key agent. However, we do not recommend using it, as it basically creates a copy of the key. Also, if you are a LEI user on a managed PC, you will not be able to use it.
Using PuTTY
Here is an example of how to generate an RSA-based ssh key with PuTTY. Note that PuTTY-generated ssh keys need to be converted to work with OpenSSH, but they work with other clients such as WinSCP.
Open PUTTYGEN.
A window should have opened. In the section “Parameters”, select option RSA for “Type of key to generate” and set the length to 4096.
Then, click on the button “Generate” and follow the instructions to help PuTTYGEN create the key.
After the key has been created, save the public and private key using the corresponding buttons next to “Save the generated key”. You may want to set a passphrase for the private key. For example, for ALICE:
    # name of private key
    id_rsa_putty_alice
    # name of public key
    id_rsa_putty_alice.ppk
The PuTTY ssh key agent
PuTTY comes with its own ssh agent. By adding your key to the PuTTY ssh agent, your ssh key will be stored encrypted in memory and you do not have to type in your passphrase every time you connect to the cluster.
This step is completely optional and not required for using the key. If you are new to ssh keys, feel free to skip it and get used to using keys first.
Start PAGEANT.EXE to start the ssh agent. No window will open, because the agent runs directly in the background. Find the PAGEANT icon in your system tray and right-click on it.
In the pop-up menu, select “Add Key”.
In the file browser that opens, find the key that you want to add. If you set a passphrase, you will be asked to enter it.
If you want PuTTY to start with the key loaded, you can either create a shortcut in your start menu and edit the “Target” path, or open up PowerShell/CMD and run something like this:
    "C:\path\to\PuTTY\pageant.exe" C:\USERS\<username>\.ssh\id_rsa_alice.ppk C:\USERS\<username>\.ssh\id_rsa_shark.ppk
where you need to adjust the path to PuTTY and your keys accordingly.
With PuTTY 0.77 or later, you can use Pageant as an SSH agent for the command-line/PowerShell version of ssh by adding the parameter --openssh-config <path>. See https://the.earth.li/%7Esgtatham/putty/0.78/htmldoc/Chapter9.html#pageant-cmdline-openssh for details.
Using MobaXTerm
You can also use MobaXTerm to generate ssh keys. The procedure and interface are somewhat similar to PuTTY.
Start MobaXTerm and select “MobaKeyGen” from the menu “Tools”.
A window should have opened. In the section “Parameters”, select option RSA for “Type of key to generate” and set the length to 4096.
Then, click on the button “Generate” and follow the instructions to help create the key.
After the key has been created, save the public and private key using the corresponding buttons next to “Save the generated key”. For example, for ALICE:
    # name of private key
    id_rsa_mobaxterm_alice
    # name of public key
    id_rsa_mobaxterm_alice.ppk
When saving the private key, you can specify a passphrase to encrypt and protect the key. This provides extra security for your key. If you do, you will have to enter the passphrase to decrypt the key every time you use it, or use an ssh agent like the internal “MobAgent” to keep the decrypted key in memory.