SSH Keys
About
SSH keys are a secure method to login to a remote Linux system such as the HPC clusters ALICE and SHARK.
By using keys for authentication it is not necessary to use your account password when you login to the cluster. As such, they are an example of password-less login.
In this section, we provide a short description on how to generate an ssh key that you can use with ALICE and SHARK.
SSH keys always consist of a pair:
a private key which is only for you and remains on your local workstation
a public key which will be transferred to the cluster (or any remote system that you want to connect to using keys)
Never ever share the private key
You should protect your private with a so-called passphrase when you create the key. You will have to enter the passphrase every time that you use the key because ssh needs to decode it. This way, your private key is protected in case it gets stolen.
Working with SSH keys on Linux, MacOS and Windows Subsystem for Linux (WSL)
On Linux (including Windows Subsystem for Linux) and MacOS, ssh
and related commands are usually provided by the OpenSSH package (OpenSSH (External Link))
Where are the keys stored?
By default OpenSSH stores new keys and looks for a key when making an ssh connection in:
/home/<username>/.ssh
If the directory does not exist, you can create it in a command line terminal like this:
mkdir $HOME/.ssh
chmod 700 $HOME/.ssh
The last step makes sure that the directory is only accessible for your user which is preferred for ssh
.
Different types of keys
OpenSSH supports different types of keys and each type of key supports a different key length. The rule-of-thumb is that the longer the key the more secure it is, but too long keys also impact the performance.
Discussing the different types is not our intention here which is why we will focus on the following two:
RSA:
The default RSA key length is 3072 bits though we would recommend to go to 4096. A key length of 2048 or lower is considered as not secure.
RSA is the default key type for OpenSSH.
ED25519
ED25519 has a fixed length of 256 bits. You should not compare this length with the key length for RSA as it is a different type of key. In general, ED25519 keys are much faster than RSA keys and are thus preferable.
Creating a key
In the following, we will create keys for the two types mentioned in the previous section
Start by opening a command line terminal on your computer.
Run
ssh-keygen
to start generating a key
For generating an RSA key with a length of 4096, type the following
ssh-keygen -t rsa -b 4096
where
option
-t
specifies the type of keyoption
-b
specifies the length of the key.
You can add a comment to the key by adding -C "<mycomment>"
to the command and replacing <mycomment>
by the actual comment that you want to provide.
For generating an ED25519 key, type the following
Again, you can add a comment to the key by adding -C "<mycomment>"
to the command.
After running the command,
ssh-keygen
you will see the following output (here for ed25519):
Here, ssh-keygen ask you where to store the key. You can either confirm the default name of the key by hitting enter or adjust it. The latter is useful for when you are working with multiple keys.
For example,
Next,
ssh-keygen
will ask you if you want to protect your private key with a passphrase. The passphrase is optional, but if your private key gets stolen it cannot be used without a passphrase. It is also means that every time that you want to use your key, you need to enter your key unless your use something likessh-agent
to keep the private key in memory (see below).
The recommendations for length and complexity of passwords also apply to passphrases.
You can change your passphrase later on, but if you forget it, you will have to generate a new key pair for use with the HPC cluster.
Whether you enter a passphrase or not, you will be asked to confirm it once more. If you did not provide a passphrase, you can just leave it empty
Lastly,
ssh-keygen
will generate the key and show you where the key is stored:
In this example, we set the name of the key to id_ed25519_shark
. If you followed the example for ALICE, your key might be named id_ed25519_alice
.
The first file (without a file ending) is your private key. The second file (with the file ending .pub
) is your public key which you can put on the remote host.
Changing the passphrase
If you provided a passphrase for your private key, you can change it in a command line window like this:
Here, we used ~
as an alias for your home directory.
You will be asked to enter a new passphrase and confirm it once more.
Adding your key to ssh-agent
By adding your key to ssh-agent
, your ssh key will be stored encrypted in memory and you do not have to type in your passphrase every time you connect to the cluster.
This step is completely optional and no required for using the key. If you are new to Linux or ssh keys, feel free to skip it and get used to using keys first.
Open a command line terminal
Check that
ssh-agent
is running, e.g.,
If it is not running, start
ssh-agent
in the background
The output should look like this:
Add your ssh key
Creating an SSH key on Windows
From Windows 10 and higher, the most common two options for generating ssh keys on Windows are
Windows’ own OpenSSH client which is installed by default
Using PuTTY
Note that OpenSSH and PuTTY use different key formats, so you cannot use an OpenSSH-generate key with a program that uses only PuTTY-based ssh keys without converting the key to the PuTTY format. However, PuTTY-generated ssh keys work with other ssh clients on Windows such as WinSCP.
Using Windows OpenSSH client
Here, we will use PowerShell instead of the Windows Command Line, because we can use some Linux-like commands in PowerShell.
Where the keys are stored?
By default OpenSSH on Windows looks for keys when making an ssh connection in a user's home directory for example:
If the directory does not exist, you can create it in PowerShell like this:
Of course, you are free to define a different location for your keys.
Creating a key
Creating an ssh key on Windows' OpenSSH client works the same way as on Linux. Here, we will create just one type of key as an example.
Open up PowerShell from the Windows start menu.
Create a key. Here, we will only focus on ed25519. If you want to create an rsa-based key, see the previous section for the command
Again, you can add a comment to the key by adding
-C "<mycomment>"
to the command.After running the command,
ssh-keygen
you will see the following output (here for ed25519):Here,
ssh-keygen
ask you where to store the key. You can either confirm the default name of the key by hitting enter or adjust it. The latter is useful for when you are working with multiple keys.
Note how the path changes from using backslashes to slashes. This is related to OpenSSH.For example,
Next,
ssh-keygen
will ask you if you want to protect your private key with a passphrase. The passphrase is optional, but if your private key gets stolen it cannot be used without a passphrase. It is also means that every time that you want to use your key, you need to enter your key unless your use something likessh-agent
to keep the private key in memory (see below).
The recommendations for length and complexity of passwords also apply to passphrases. You can change your passphrase later on, but if you forget it, you will have to generate a new key pair for use with the HPC cluster.Whether you enter a passphrase or not, you will be asked to confirm it once more
Lastly,
ssh-keygen
will generate the key and show you where the key is stored:In this example, we set the name of the key to
id_ed25519_shark
. If you followed the example for ALICE, your key might be namedid_ed25519_alice
.The first file (without a file ending) is your private key. The second file (with the file ending
.pub
) is your public key which you can put on the remote host.
The Windows ssh key agent
Windows also has a built-in ssh key agent. However, we do not recommend to use it as it basically creates a copy of the key. Also, if you are a LEI user and on managed PC, you will not be able to use it.
Using PuTTY
Here is an example of how to generate an RSA-based ssh key with PuTTY. Note that you PuTTY-generated ssh keys need to be converted to work with OpenSSH, but they work with other clients such as “WinSCP”
Open PUTTYGEN
A Window should have opened up. In the section “Parameters”, select option RSA for “Type of key to generate” and set the length to 4096
Then, click on the button “Generate” and follow the instructions to help PuTTYGEN create the key
After the key has been created, save the public and private key using the corresponding buttons next to “Save the generated key”,. You may want to set a passphrase for the private key. For example for ALICE:
The PuTTY ssh key agent
PuTTY comes with its own ssh agent. By adding your key to the PuTTY ssh agent, your ssh key will be stored encrypted in memory and you do not have to type in your passphrase every time you connect to the cluster.
This step is completely optional and not required for using the key. If you are new to ssh keys, feel free to skip it and get used to using keys first.
Start
PAGEANT.EXE
to start the ssh agent. No window will open because the agent will directly run in the background.Find the PAGEANT icon in your system tray and right-click on it.
In the pop-menu select “Add Key”
In the file browser that has opened, find the key that you want to add. If you set a passphrase, you will asked to enter it.
If you want PuTTY to start with the key loaded, you can either create a shortcut in your start menu and edit the “Target” path or open up PowerShell/CMD and run something like this:
where you need to adjust the path to PuTTY and your keys accordingly.
With PuTTY 0.77 or later, you can use the PuTTY Pageant as an SSH agent for the command-line/PowerShell version of ssh
by adding the parameter --openssh-config <path>
. See https://the.earth.li/%7Esgtatham/putty/0.78/htmldoc/Chapter9.html#pageant-cmdline-openssh for details.
Using MobaXTerm
You can also use MobaXTerm to generate ssh keys. The procedure and interface is somewhat similar to PuTTY.
Start MobaXTerm and select “MobaKeyGen” from the menu “Tools”
A Window should have opened up. In the section “Parameters”, select option RSA for “Type of key to generate” and set the length to 4096.
Then, click on the button “Generate” and follow the instructions to help create the key
After the key has been created, save the public and private key using the corresponding buttons next to “Save the generated key”,. For example for ALICE:
When saving the private key, you can specify a passphrase to encrypt and protect the key. This will provide extra security for your key. If you do, you will have to encrypt the key using the passphrase every time you use it or use an ssh agent like the internal “MobAgent” to store the encrypted key in memory.