SSH Keys

About

SSH keys are a secure method to log in to a remote Linux system such as the HPC clusters ALICE and SHARK.

By using keys for authentication you do not have to type your account password when you log in to the cluster. As such, they are an example of password-less login.

In this section, we provide a short description on how to generate an ssh key that you can use with ALICE and SHARK.

SSH keys always consist of a pair:

  • a private key which is only for you and remains on your local workstation

  • a public key which will be transferred to the cluster (or any remote system that you want to connect to using keys)

Never ever share the private key

You should protect your private key with a so-called passphrase when you create the key. The private key file is stored encrypted with the passphrase, so you have to enter it every time ssh needs to decrypt the key. This way, a stolen private key cannot be used without first guessing the passphrase.

Working with SSH keys on Linux, MacOS and Windows Subsystem for Linux (WSL)

On Linux (including Windows Subsystem for Linux) and MacOS, ssh and the related commands used below (ssh-keygen, ssh-agent, ssh-add) are usually provided by the OpenSSH package.

Where are the keys stored?

By default, OpenSSH stores new keys in, and looks for keys when making an ssh connection in, the .ssh directory of your home directory:

$HOME/.ssh

On Linux this is /home/<username>/.ssh, on MacOS /Users/<username>/.ssh.

If the directory does not exist, you can create it in a command line terminal like this:

mkdir $HOME/.ssh
chmod 700 $HOME/.ssh

The chmod step makes sure that the directory is accessible only to your user. ssh-keygen also creates the private key file itself with mode 600 (readable and writable only by you); ssh refuses to use a private key that other users can read.

Different types of keys

OpenSSH supports different types of keys, and for some types you can choose the key length. The rule of thumb is that a longer key is harder to break, but very long keys also make every connection slower.

Discussing the different types in detail is not our intention here, which is why we focus on the following two:

  • RSA:

    • The default RSA key length is 3072 bits, but we recommend 4096. 2048 bits is the smallest length still considered acceptable today; anything shorter is insecure and should not be used.

    • RSA was the default key type of ssh-keygen up to OpenSSH 9.4; since OpenSSH 9.5 the default is ED25519.

  • ED25519

    • ED25519 keys have a fixed length of 256 bits. You should not compare this with the RSA key length, as it is a different type of key; a 256-bit ED25519 key offers security comparable to a 3072-bit RSA key. ED25519 keys are much smaller and faster than RSA keys and are supported by every OpenSSH version since 6.5, which is why we prefer them.

Creating a key

In the following, we create keys of the two types mentioned in the previous section.

  1. Start by opening a command line terminal on your computer.

  2. Run ssh-keygen to generate a key.

For generating an RSA key with a length of 4096 bits, type the following:

ssh-keygen -t rsa -b 4096

where

  • option -t specifies the type of key

  • option -b specifies the length of the key.

You can add a comment to the key by adding -C "<mycomment>" to the command and replacing <mycomment> by the actual comment that you want to provide. The comment is stored in the public key only (typically your name and the computer the key was created on) and helps you recognise the key later, for example in a list of authorized keys.

For generating an ED25519 key, type the following

ssh-keygen -t ed25519

Again, you can add a comment to the key by adding -C "<mycomment>" to the command.

  3. After running the command, you will see the following output from ssh-keygen (here for ed25519):

Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/<myusername>/.ssh/id_ed25519):

Here, ssh-keygen asks you where to store the key. You can either confirm the default name of the key by hitting enter or adjust it. The latter is useful when you are working with multiple keys.

For example,

# for SHARK
Enter file in which to save the key (/home/<myusername>/.ssh/id_ed25519): /home/<myusername>/.ssh/id_ed25519_shark
# for ALICE
Enter file in which to save the key (/home/<myusername>/.ssh/id_ed25519): /home/<myusername>/.ssh/id_ed25519_alice

  4. Next, ssh-keygen asks whether you want to protect your private key with a passphrase. The passphrase is optional, but without one anybody who obtains the file can use your key immediately; with one, a stolen key is only usable after guessing the passphrase. It also means that every time you use the key you have to enter the passphrase, unless you use something like ssh-agent to keep the decrypted key in memory (see below).

Enter passphrase (empty for no passphrase):

The recommendations for length and complexity of passwords also apply to passphrases.

You can change your passphrase later on, but if you forget it, you will have to generate a new key pair for use with the HPC cluster.

  5. Whether you entered a passphrase or not, you will be asked to confirm it once more. If you did not provide a passphrase, just leave it empty again.

Enter same passphrase again:

  6. Lastly, ssh-keygen generates the key pair and shows you where it is stored:

Your identification has been saved in /home/<myusername>/.ssh/id_ed25519_shark.
Your public key has been saved in /home/<myusername>/.ssh/id_ed25519_shark.pub.
The key fingerprint is:
...
The key's randomart image is:
...

In this example, we set the name of the key to id_ed25519_shark. If you followed the example for ALICE, your key might be named id_ed25519_alice.

The first file (without a file ending) is your private key and never leaves your computer. The second file (with the file ending .pub) is your public key, which is the only file you put on the remote host.
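The two mistakes that most often undo the protection described above are uploading the wrong file (the private key instead of the .pub) and a private key that other users on the machine can read. The following POSIX shell script is an added example, not code from the cluster documentation: it checks that a key line is really an OpenSSH public key (and that its base64 blob matches the declared type), and that a private key file has no group/other permission bits. The sample public key line is constructed here with an all-zero key and is not a real key; the temporary files used in the demo are created and removed by the script.

```shell
#!/bin/sh
# Added example, not part of the cluster documentation.
# Assumes a POSIX shell with coreutils-style base64, head, tail, ls and mktemp.

# check_pubkey_line LINE
#   Prints the key type and returns 0 when LINE is one OpenSSH public key
#   ("<type> <base64 blob> [comment]", i.e. the contents of the .pub file).
#   Returns 1 for anything else, in particular for private key material.
check_pubkey_line() {
    line=$1
    case $line in
        *"PRIVATE KEY"*)
            echo "refused: this is a PRIVATE key, never upload or share it" >&2
            return 1 ;;
    esac
    type=${line%% *}            # first field: key type
    rest=${line#* }
    blob=${rest%% *}            # second field: base64 blob
    case $type in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *)  echo "refused: unknown key type '$type'" >&2; return 1 ;;
    esac
    # The blob is SSH wire format: a 4-byte length followed by the type name
    # again. Decode just that prefix and require it to match the first field;
    # this catches a blob that was truncated or mangled while copying it.
    decoded=$(printf '%s' "$blob" | base64 -d 2>/dev/null \
              | head -c $((4 + ${#type})) | tail -c +5 | tr -d '\000')
    if [ "$decoded" != "$type" ]; then
        echo "refused: base64 blob does not start with '$type'" >&2
        return 1
    fi
    printf '%s\n' "$type"
}

# private_key_is_private FILE
#   Returns 0 when FILE has no group/other permission bits (mode 600 or
#   stricter), which is what ssh requires before it will use a private key.
private_key_is_private() {
    perms=$(ls -ld "$1" | cut -c5-10)   # columns 5-10 of e.g. "-rw-------"
    [ "$perms" = "------" ]
}

# Constructed sample data: a syntactically valid ssh-ed25519 public key line
# whose 32 key bytes are all zero (NOT a real key), and the first line of an
# OpenSSH private key file.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA <myusername>@laptop'
SAMPLE_PRIVKEY='-----BEGIN OPENSSH PRIVATE KEY-----'

demo() {
    check_pubkey_line "$SAMPLE_PUBKEY"  && echo "ok: public key, safe to upload"
    check_pubkey_line "$SAMPLE_PRIVKEY" || echo "ok: private key was rejected"

    f=$(mktemp)                          # stand-in for ~/.ssh/id_ed25519_alice
    chmod 644 "$f"
    private_key_is_private "$f" || echo "mode 644: ssh would refuse this key"
    chmod 600 "$f"
    private_key_is_private "$f" && echo "mode 600: fine"
    rm -f "$f"
}
demo
```

To use it on your own files, run `check_pubkey_line "$(cat ~/.ssh/id_ed25519_alice.pub)"` before pasting the key anywhere, and `private_key_is_private ~/.ssh/id_ed25519_alice` after copying keys between machines (a copy made through a shared folder or a non-Unix filesystem frequently comes back as mode 644).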

Changing the passphrase

If you provided a passphrase for your private key, you can change it in a command line window like this:

# using the SHARK example
ssh-keygen -p -f ~/.ssh/id_ed25519_shark
# using the ALICE example
ssh-keygen -p -f ~/.ssh/id_ed25519_alice

Here, we used ~ as an alias for your home directory.

You will be asked to enter a new passphrase and confirm it once more.

Adding your key to ssh-agent

By adding your key to ssh-agent, the agent keeps the decrypted private key in its own memory (it is never written to disk) and signs the authentication challenges on your behalf, so you enter the passphrase once when adding the key instead of every time you connect to the cluster.

This step is completely optional and not required for using the key. If you are new to Linux or ssh keys, feel free to skip it and get used to using keys first.

  1. Open a command line terminal

  2. Check that ssh-agent is running, e.g.,

ps -fC ssh-agent

(The -C option is Linux-specific. On MacOS an agent is normally already started by the system and SSH_AUTH_SOCK is set in every terminal.)

  3. If it is not running, start ssh-agent in the background

eval "$(ssh-agent -s)"

The output should look like this:

Agent pid <some_number>

An agent started this way is only known to the terminal you started it in, because it is found through the environment variables that the eval sets.

  4. Add your ssh key. You will be asked for its passphrase once.

# if you used the example name for SHARK
ssh-add ~/.ssh/id_ed25519_shark
# if you used the example name for ALICE
ssh-add ~/.ssh/id_ed25519_alice
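If you keep one key per cluster as in the examples above, a ~/.ssh/config file saves you from passing -i on every ssh command and, more importantly, from the client offering every key in the agent to every server. The following is an added example and not taken from the cluster documentation; the HostName values are placeholders for the real login node names, and <myusername> stands for your cluster account.

```sshconfig
# ~/.ssh/config  (added example; HostName values are placeholders)
Host alice
    HostName <alice-login-node>
    User <myusername>
    IdentityFile ~/.ssh/id_ed25519_alice
    IdentitiesOnly yes
    AddKeysToAgent yes

Host shark
    HostName <shark-login-node>
    User <myusername>
    IdentityFile ~/.ssh/id_ed25519_shark
    IdentitiesOnly yes
    AddKeysToAgent yes
```

With this in place, `ssh alice` uses only the ALICE key. IdentitiesOnly yes stops the client from trying every loaded key first, which would reveal the public keys of all your other accounts to the server and can exhaust the server's limit on authentication attempts when several keys are loaded. AddKeysToAgent yes (OpenSSH 7.2 and later) adds the key to a running agent the first time ssh decrypts it, so you type the passphrase once per session without running ssh-add by hand; ssh-add -l lists the keys currently loaded. The same file works for the Windows OpenSSH client when stored as C:\Users\<username>\.ssh\config.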

Creating an SSH key on Windows

From Windows 10 onwards, the two most common options for generating ssh keys on Windows are

  • Windows’ own OpenSSH client which is installed by default

  • Using PuTTY

Note that OpenSSH and PuTTY use different private key formats: an OpenSSH-generated key cannot be used by a program that only reads PuTTY keys (and vice versa) without converting it first. PuTTYgen can do both conversions (load an OpenSSH key and save it as .ppk, or use "Conversions" > "Export OpenSSH key"). PuTTY-generated keys work directly with other PuTTY-based clients on Windows such as WinSCP.

Using Windows OpenSSH client

Here, we will use PowerShell instead of the Windows Command Line, because we can use some Linux-like commands in PowerShell.

Where are the keys stored?

By default, OpenSSH on Windows looks for keys when making an ssh connection in the .ssh directory of your user profile, for example:

C:\Users\<username>\.ssh

If the directory does not exist, you can create it in PowerShell like this:

mkdir ~\.ssh

Of course, you are free to define a different location for your keys.

Creating a key

Creating an ssh key on Windows' OpenSSH client works the same way as on Linux. Here, we will create just one type of key as an example.

  1. Open up PowerShell from the Windows start menu.

  2. Create a key. Here, we will only focus on ed25519. If you want to create an rsa-based key, see the previous section for the command

    ssh-keygen -t ed25519

    Again, you can add a comment to the key by adding -C "<mycomment>" to the command.

  3. After running the command, you will see the following output from ssh-keygen (here for ed25519):

    Generating public/private ed25519 key pair.
    Enter file in which to save the key (C:\Users\<myusername>/.ssh/id_ed25519):

    Here, ssh-keygen asks you where to store the key. You can either confirm the default name of the key by hitting enter or adjust it. The latter is useful when you are working with multiple keys.
    Note that the suggested path mixes backslashes and slashes: OpenSSH on Windows accepts both as path separators, so you can type either.

    For example,

    # for SHARK
    Enter file in which to save the key (C:\Users\<myusername>/.ssh/id_ed25519): C:\Users\<myusername>/.ssh/id_ed25519_shark
    # for ALICE
    Enter file in which to save the key (C:\Users\<myusername>/.ssh/id_ed25519): C:\Users\<myusername>/.ssh/id_ed25519_alice
  4. Next, ssh-keygen asks whether you want to protect your private key with a passphrase. The passphrase is optional, but without one anybody who obtains the file can use your key immediately; with one, a stolen key is only usable after guessing the passphrase. It also means that every time you use the key you have to enter the passphrase, unless you use something like ssh-agent to keep the decrypted key in memory (see below).
    The recommendations for length and complexity of passwords also apply to passphrases. You can change your passphrase later on, but if you forget it, you will have to generate a new key pair for use with the HPC cluster.

    Enter passphrase (empty for no passphrase):
  5. Whether you entered a passphrase or not, you will be asked to confirm it once more

    Enter same passphrase again:
  6. Lastly, ssh-keygen generates the key pair and shows you where it is stored:

    Your identification has been saved in C:\Users\<myusername>/.ssh/id_ed25519_shark.
    Your public key has been saved in C:\Users\<myusername>/.ssh/id_ed25519_shark.pub.
    The key fingerprint is:
    ...
    The key's randomart image is:
    ...

    In this example, we set the name of the key to id_ed25519_shark. If you followed the example for ALICE, your key might be named id_ed25519_alice.

    The first file (without a file ending) is your private key and never leaves your computer. The second file (with the file ending .pub) is your public key, which is the only file you put on the remote host.

The Windows ssh key agent

Windows also has a built-in ssh key agent (the ssh-agent service). However, we do not recommend using it: it stores a persistent copy of every key you add on the machine so that the key stays loaded across reboots, which amounts to a second copy of your private key outside the .ssh directory. Also, if you are a LEI user on a managed PC, you will not be able to use it.

Using PuTTY

Here is an example of how to generate an RSA-based ssh key with PuTTYgen. Note that PuTTY-generated keys need to be converted before they work with OpenSSH (see above), but they work directly with other PuTTY-based clients such as WinSCP.

  1. Open PUTTYGEN

  2. A window should have opened. In the section "Parameters", select RSA for "Type of key to generate" and set "Number of bits in a generated key" to 4096. (PuTTYgen can also generate EdDSA keys, i.e. Ed25519, which we prefer for the same reasons as above; RSA is used here only as an example.)

  3. Then, click on the button “Generate” and follow the instructions to help PuTTYGEN create the key

  4. After the key has been created, enter a passphrase in the fields "Key passphrase" and "Confirm passphrase", then save the private and the public key using the corresponding buttons in the section "Save the generated key". PuTTYgen stores the private key in its own .ppk format; the public key goes into a separate file and is also shown in the text box "Public key for pasting into OpenSSH authorized_keys file", which is the form the clusters need. For example for ALICE:

    # name of private key
    id_rsa_putty_alice.ppk
    # name of public key
    id_rsa_putty_alice.pub

The PuTTY ssh key agent

PuTTY comes with its own ssh agent, Pageant. After you add your key to it, Pageant keeps the decrypted private key in its memory and answers the servers' authentication challenges for you, so you enter the passphrase once when loading the key instead of every time you connect to the cluster.

This step is completely optional and not required for using the key. If you are new to ssh keys, feel free to skip it and get used to using keys first.

  1. Start PAGEANT.EXE to start the ssh agent. No window will open because the agent will directly run in the background.

  2. Find the PAGEANT icon in your system tray and right-click on it.

  3. In the pop-up menu select "Add Key"

  4. In the file browser that has opened, find the key that you want to add. If you set a passphrase, you will be asked to enter it.

If you want Pageant to start with your keys already loaded, you can either create a shortcut in your start menu and edit the "Target" path, or open PowerShell/CMD and run something like this:

"C:\path\to\PuTTY\pageant.exe" C:\Users\<username>\.ssh\id_rsa_putty_alice.ppk C:\Users\<username>\.ssh\id_rsa_putty_shark.ppk

where you need to adjust the path to PuTTY and your keys accordingly.

With PuTTY 0.77 or later, you can use the PuTTY Pageant as an SSH agent for the command-line/PowerShell version of ssh by adding the parameter --openssh-config <path>. See https://the.earth.li/%7Esgtatham/putty/0.78/htmldoc/Chapter9.html#pageant-cmdline-openssh for details.