...

Unix-based systems such as OS X and Linux distributions come with at least the client version of OpenSSH pre-installed. Windows is different; see below.


Manual Key Generation: ssh-keygen

To use public key authentication, which is stronger than UNIX passwords, first use “ssh-keygen -t rsa -b 4096” to generate a personal 4096-bit private & public key pair. You can name your keys with your name and their date of creation.

...

Private keys must not be readable by any other account aside from the super-user, so mode 600 is suggested. Public keys and their parent directories (including /home and $HOME) must not be writable by other users. Keys with insecure permissions are silently ignored.
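Because ssh silently ignores a key with loose permissions, it helps to have a check that reports the exact file at fault. The following audit script is an added example, not part of the original page: it applies the rules above (private keys readable only by their owner, ~/.ssh, its parent and authorized_keys not writable by group or other) to a given ~/.ssh directory. It assumes a POSIX sh with either GNU or BSD stat; the directory to audit is a parameter.

```shell
#!/bin/sh
# Added example, not from the original page: audit the file modes OpenSSH
# checks before it will use a key. Works with GNU stat (-c) or BSD stat (-f).

# mode_of PATH: print the permission bits in octal, e.g. 600 or 755
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# private_key_ok FILE: true if group and other have no permission bits at all
# (mode 600 or 400). Any group/other bit makes ssh ignore the key.
private_key_ok() {
    m=$(mode_of "$1"); m=${m#0}
    [ "$((m % 100))" -eq 0 ]
}

# not_writable_by_others PATH: true if neither group nor other has the write
# bit. Required for ~/.ssh, $HOME, /home and authorized_keys (sshd StrictModes).
not_writable_by_others() {
    m=$(mode_of "$1"); m=${m#0}
    g=$(( (m / 10) % 10 )); o=$(( m % 10 ))
    [ "$((g & 2))" -eq 0 ] && [ "$((o & 2))" -eq 0 ]
}

# ssh_perm_audit SSHDIR: print one line per problem and return the problem
# count (0 means everything is as ssh and sshd expect). Checks SSHDIR, its
# parent directory, every id_* private key and authorized_keys.
ssh_perm_audit() {
    dir=$1; n=0
    for d in "$dir" "$(dirname "$dir")"; do
        not_writable_by_others "$d" || { echo "writable by group/other: $d"; n=$((n + 1)); }
    done
    for f in "$dir"/id_*; do
        [ -f "$f" ] || continue
        case "$f" in *.pub) continue ;; esac
        private_key_ok "$f" || { echo "private key readable by others: $f"; n=$((n + 1)); }
    done
    if [ -f "$dir/authorized_keys" ]; then
        not_writable_by_others "$dir/authorized_keys" || { echo "authorized_keys writable by others: $dir/authorized_keys"; n=$((n + 1)); }
    fi
    return "$n"
}

# Typical use: ssh_perm_audit "$HOME/.ssh" || echo "fix the files listed above"
```

The check is purely mode-based, so it can be run as the user on a workstation or as an administrator over a server's home directories; it does not check ownership, which sshd also verifies when StrictModes is on.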

Manual Public Key Installation

If you already have an account, your $HOME/.ssh/authorized_keys file should contain one or more public keys, one per line. The private keys which match these keys provide access to this account (private keys do not need to be on a server to ssh into it). id_rsa is the default ssh version 2 private key; it should be present on your workstation. The ssh command first tries any keys available in an agent, then ~/.ssh/id_rsa if present, and finally falls back to password authentication.

To install your public key on a server for authentication, use a command like “scp id_rsa.pub SERVER:.ssh/authorized_keys” (this copies the key). Alternatively you could log in with your password and use a text editor like vi to create the $HOME/.ssh/authorized_keys file. Afterwards ssh $SERVER should prompt for your key’s encryption passphrase rather than your UNIX password on $SERVER. If it doesn’t work, use your account password to log in and check permissions (ls -la ~/.ssh). Make sure that there are no line breaks in the key. Each key should be one single line. If you still have problems contact hpc-request@cbio.mskcc.org.
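The scp command above replaces any authorized_keys file already on the server, and a key pasted through an editor is easy to break with a line wrap. The script below is an added example, not from the original page: it appends a public key to authorized_keys only if its key material is not already there, sets the modes ssh expects on the way, and checks that every entry is a single, well-formed line. Both file paths are parameters; the key used in the comments is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example, not from the original page: install a public key into
# authorized_keys without clobbering keys already there, create the directory
# and file with the modes ssh expects, and verify every entry is one line.

# valid_pubkey_line LINE: true if LINE looks like "<type> <base64 blob> [comment]"
# on a single line with no carriage return (a sign of Windows line endings).
# Entries with leading options (from="...", command="...") are not handled here.
valid_pubkey_line() {
    case "$1" in
        *"$(printf '\r')"*) return 1 ;;
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-nistp256\ *|ecdsa-sha2-nistp384\ *|ecdsa-sha2-nistp521\ *) ;;
        *) return 1 ;;
    esac
    # shellcheck disable=SC2086
    set -- $1
    [ $# -ge 2 ] && [ "${#2}" -ge 40 ]
}

# install_pubkey PUBKEY_FILE AUTHORIZED_KEYS: append the key unless the same
# key material (type and blob, ignoring the comment) is already present.
install_pubkey() {
    pub=$1; ak=$2
    [ "$(grep -c . "$pub")" -eq 1 ] || { echo "$pub must contain exactly one line" >&2; return 1; }
    key=$(tr -d '\r' < "$pub")
    valid_pubkey_line "$key" || { echo "$pub is not a public key line" >&2; return 1; }
    material=$(printf '%s\n' "$key" | awk '{ print $1 " " $2 }')
    akdir=$(dirname "$ak")
    mkdir -p "$akdir" && chmod 700 "$akdir"
    [ -f "$ak" ] || : > "$ak"
    chmod 600 "$ak"
    if awk -v m="$material" '($1 " " $2) == m { found = 1 } END { exit !found }' "$ak"; then
        echo "key already present in $ak"
        return 0
    fi
    printf '%s\n' "$key" >> "$ak"
    echo "installed key into $ak"
}

# check_authorized_keys FILE: print each malformed entry and fail if any.
# A key that was wrapped onto two lines shows up as a second, malformed line.
check_authorized_keys() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        valid_pubkey_line "$line" || { echo "malformed entry: ${line%% *}"; bad=$((bad + 1)); }
    done < "$1"
    [ "$bad" -eq 0 ]
}

# Typical use on the server after copying id_rsa.pub there:
#   install_pubkey ~/id_rsa.pub ~/.ssh/authorized_keys && check_authorized_keys ~/.ssh/authorized_keys
```

Comparing on the type and blob rather than the whole line means re-running the install after renaming a key's comment does not create a duplicate entry.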

Workstation Global Configuration

You can configure ssh globally on your desktop or laptop. Most OpenSSH configuration is in sshd_config & ssh_config; the files are in /etc under Mac OS X, or /etc/ssh under Linux. User configuration goes in ~/.ssh/config (ssh) & ~/.ssh/authorized_keys (sshd).

...

You can also do this on a per-user basis with an ssh config file, $HOME/.ssh/config.

Windows

On Windows, download and run the PuTTY MSI installer; if you cannot run the installer on your PC, you can simply download the .zip archive. This gives you PuTTY, pscp, psftp, PuTTYgen, and pageant (you do not need PuTTYtel).

...

Scroll back to Session at the top of the left-side menu, and Save your configuration. Now you can double-click it in PuTTY to connect. Once the system administrators have created your account and installed your public key, double-clicking your saved configuration in PuTTY should connect you to the server, after prompting for the passphrase you used to encrypt your .ppk file.

pageant

If you find yourself entering your encryption passphrase too often, you can use pageant to cache your private key.

...

To load a key into pageant at login, put a shortcut to it into your personal Startup folder. You can open the Startup folder from the Start bar:Windows menu:All Programs:(Right-click) Startup:Open.

Authentication Forwarding

To use authentication forwarding on Windows, so you can ssh into a server and then ssh *again* from there to a second server (this works best with pageant):

  1. Open PuTTY.
  2. Load the PuTTY session (configuration).
  3. Check the authentication forwarding box in PuTTY:SSH:Auth.
  4. Save the PuTTY session (configuration).

Agents

ssh-agent remembers the passphrase so you do not need to type it every time you connect to the server.

Mac: Apple Keychain

When you access an encrypted ssh private key in Mac OS X 10.11 “El Capitan” and earlier, Mac OS X prompts you to save its passphrase (encrypted) in the Apple keychain. From then on your private key will be automatically decrypted and available on request.

...

   ForwardAgent yes
   Protocol 2
   AddKeysToAgent yes
   UseKeychain yes

Linux/UNIX: ssh-agent & ssh-add

An ssh agent loads (encrypted) keys from disk, decrypts them in memory, and makes the keys available to ssh clients such as ssh, sftp, and scp. OpenSSH’s ssh-agent caches keys, and ssh-add controls ssh-agent. To load keys from disk, use a command such as ssh-add -t 540 private-key, which will read private-key, prompt for the passphrase to decrypt it, make the key available to ssh client programs for 9 hours, and then clear it from memory. ssh-add -l lists all loaded keys.

ssh-agent is intended to run as a parent process, spawning shells or an X11 session as child processes. The children automatically inherit access to the parent agent via environment variables. This is inconvenient for configurations without a single parent process for each user. ssh ‘keychains’ such as Gentoo keychain work by sharing a single ssh-agent across multiple processes.
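The parent-process problem described above is usually solved by recording the agent's socket and PID in a file that every new shell reads, which is what the Gentoo keychain tool does. The helper below is an added example, not part of the original page or of keychain: it reuses a running agent if the recorded one still answers, starts one otherwise, and loads a key with a bounded lifetime. The path of the record file is an assumption. One caveat worth knowing: ssh-add -t takes seconds unless a unit suffix is given, so a nine-hour lifetime is -t 9h or -t 32400, whereas -t 540 expires the key after nine minutes.

```shell
#!/bin/sh
# Added example, not from the original page: a small keychain-style helper that
# shares one ssh-agent across login shells by recording the agent's environment
# in a file, and loads a key for a bounded time. The file path is an assumption.

AGENT_ENV=${AGENT_ENV:-$HOME/.ssh/agent.env}

# agent_alive: true if SSH_AUTH_SOCK points at an agent that answers.
# ssh-add -l exits 1 for "no identities" and 2 when no agent can be reached.
agent_alive() {
    [ -S "${SSH_AUTH_SOCK:-}" ] || return 1
    ssh-add -l >/dev/null 2>&1 || [ $? -ne 2 ]
}

# agent_ensure: reuse the recorded agent if it is still alive, otherwise start
# a new one and record SSH_AUTH_SOCK/SSH_AGENT_PID for other shells to source.
agent_ensure() {
    # shellcheck disable=SC1090
    [ -r "$AGENT_ENV" ] && . "$AGENT_ENV" >/dev/null
    if ! agent_alive; then
        ( umask 077; ssh-agent -s > "$AGENT_ENV" )   # record readable by owner only
        . "$AGENT_ENV" >/dev/null
    fi
    agent_alive
}

# agent_load KEY LIFETIME: decrypt KEY into the agent for LIFETIME, e.g. 9h.
# Prompts for the passphrase if the key is encrypted.
agent_load() {
    ssh-add -t "$2" "$1"
}

# agent_count: number of identities currently loaded (0 if none or no agent)
agent_count() {
    if ssh-add -l >/dev/null 2>&1; then ssh-add -l | wc -l; else echo 0; fi
}

# agent_stop: kill the recorded agent and forget it
agent_stop() {
    ssh-agent -k >/dev/null 2>&1
    rm -f "$AGENT_ENV"
    unset SSH_AUTH_SOCK SSH_AGENT_PID
}

# Typical use from a login shell, sourced (". ./agent.sh") so the exported
# variables reach the caller:
#   agent_ensure && agent_load ~/.ssh/id_rsa 9h
```

Because the record file only names a socket the agent already restricts to its owner, sharing it between shells adds no exposure beyond what a single long-running agent already has; the lifetime passed to ssh-add is what bounds the window in which a stolen session could use the key.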

Windows: pageant

PuTTY's pageant handles the whole login session. See above.

ssh Authentication Forwarding

For people who ssh into one computer such as a cluster head node, and from there to additional computers such as compute nodes, ssh authentication forwarding enables the intermediate computer to connect back to an ssh agent on the original client, providing authentication to the remote server. For example, I ssh from teriyaki to luna, and then to s01. Even though I don’t keep my private key on luna, teriyaki can authenticate my connection to s01 through luna, so no passphrase is required, and I don’t need a copy of my private key on luna.

...

Additional keys can be loaded on intermediate machines, which has useful implications for working at another machine if you have ssh access to your workstation.
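While the agent is forwarded, anyone with root on the intermediate machine can use every key loaded in it for as long as the session lasts, so forwarding is best switched on only for the head node rather than for every host. The script below is an added example, not from the original page: it writes a per-user ssh config in that shape, using luna from the example above as the head node, and uses ssh -G (which evaluates the config without connecting) to confirm which hosts end up with forwarding enabled. The config path is a parameter.

```shell
#!/bin/sh
# Added example, not from the original page: scope ForwardAgent to the head
# node only and confirm the effective setting per host with ssh -G.

# write_forwarding_config FILE: per-user ssh_config with forwarding enabled
# for luna (the head node in the example above) and disabled for all others.
write_forwarding_config() {
    cat > "$1" <<'EOF'
# forward the agent only to the head node, which then reaches the compute nodes
Host luna
    ForwardAgent yes

# every other host: never expose the agent
Host *
    ForwardAgent no
EOF
    chmod 600 "$1"
}

# effective_option CONFIG HOST OPTION: ask ssh (-G makes no connection) what
# value OPTION takes for HOST once all Host blocks have been applied.
# ssh -G prints keywords in lower case, e.g. "forwardagent yes".
effective_option() {
    ssh -G -F "$1" "$2" | awk -v k="$3" '$1 == k { print $2 }'
}

# Typical use on the workstation:
#   write_forwarding_config ~/.ssh/config
#   effective_option ~/.ssh/config luna forwardagent   # yes
#   effective_option ~/.ssh/config s01 forwardagent    # no
```

The same check is a quick way to audit an existing config: any host for which effective_option reports yes is one whose administrators you are trusting with your agent.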

Additional Information

Read the manual pages on your workstation or a server: man ssh. If you have any issues, please contact hpc-request@cbio.mskcc.org.

...