...

When creating a key you are prompted for a passphrase to protect your private key. This passphrase is important — it should be a strong passphrase (at least 12 characters; not all letters or numbers). Pick something you will remember, because there is no way to recover a key if you forget the passphrase.

1. With Terminal still open, copy and paste the text below. -C adds a comment — you can specify your email, name, and/or the date.
Use a very strong passphrase. For more information see Working with SSH key passphrases.

...

To install your public key on a server for authentication, use a command like "scp id_rsa.pub SERVER:.ssh/authorized_keys" (this copies the key, overwriting any existing authorized_keys file on SERVER). Alternatively you could log in with your password and use a text editor like vi to create the $HOME/.ssh/authorized_keys file. Afterwards ssh $SERVER should prompt for your key's encryption passphrase rather than your UNIX password on $SERVER. If it doesn't work, use your account password to log in and check permissions (ls -la ~/.ssh). Make sure that there are no line breaks in the key. Each key should be one single line. If you still have problems contact hpc-request@cbio.mskcc.org.
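The two checks suggested above (one complete key per line in authorized_keys, and sane permissions on ~/.ssh) as an added example script; it is not part of the original page. It assumes POSIX sh, the key types current OpenSSH accepts, and a constructed sample key line.

```shell
# Added example, not from the original page: the two checks the text above
# suggests when ssh still asks for your UNIX password after installing a key.
# Assumes POSIX sh and the key types current OpenSSH accepts.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotARealPublicKey000000 doej@example'  # constructed, not a real key

# Every non-empty, non-comment line must hold one complete key:
# [options] <type> <base64 blob> [comment], with the blob on a single line.
check_authorized_keys() {
    file=$1; status=0; lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in ''|'#'*) continue ;; esac
        set -f; set -- $line; set +f    # split on whitespace without globbing
        while [ $# -gt 0 ]; do          # skip leading options such as from="..."
            case "$1" in
                ssh-ed25519|ssh-rsa|ssh-dss|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) break ;;
                *) shift ;;
            esac
        done
        if [ $# -lt 2 ]; then
            echo "$file:$lineno: no '<type> <blob>' pair; key wrapped onto a second line?" >&2
            status=1; continue
        fi
        # OpenSSH blobs are base64, start with "AAAA" (the length prefix of the
        # key type string) and are never shorter than an ed25519 key (68 chars).
        case "$2" in
            *[!A-Za-z0-9+/=]*) echo "$file:$lineno: blob has non-base64 characters" >&2; status=1 ;;
            AAAA*) ;;
            *) echo "$file:$lineno: blob does not look like an OpenSSH key" >&2; status=1 ;;
        esac
        if [ "${#2}" -lt 68 ] || [ $(( ${#2} % 4 )) -ne 0 ]; then
            echo "$file:$lineno: blob is truncated (${#2} chars)" >&2; status=1
        fi
    done < "$file"
    return $status
}

# sshd (StrictModes yes, the default) ignores authorized_keys when ~/.ssh or the
# file is writable by group or others; read the mode column of ls -ld (portable).
check_ssh_perms() {
    dir=$1; status=0
    for path in "$dir" "$dir/authorized_keys"; do
        [ -e "$path" ] || continue
        mode=$(ls -ld "$path" | cut -c1-10)
        case "$mode" in
            ?????w*|????????w?) echo "$path is $mode: run chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys" >&2; status=1 ;;
        esac
    done
    return $status
}
```

Run it on the server with check_authorized_keys ~/.ssh/authorized_keys && check_ssh_perms ~/.ssh; a non-zero exit prints which line or path to fix.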

Workstation Global Configuration

...

Then select the complete contents of the text area at the top of the window, which should start with 'ssh-rsa'; make sure to get the entire public key, which is likely to extend below the bottom of the text area, and paste this into your New HPC account request. Optionally, create a new plain text file in Notepad and save it as C:\keys\id_rsa.pub.

Launch PuTTY, create a new configuration, and save it. The new configuration should include username@hostname (like joe7@lilac.mskcc.org) in the server field.

Assuming you will not use pageant, at least initially, from the left-side menu, select SSH:Auth, and specify your .ppk file at bottom-right.

...

ssh-agent remembers the passphrase so you do not need to type it every time you connect to the server. Note that IdentityFile and IdentitiesOnly prevent use of ssh-agent.

Mac: Apple Keychain

When you access an encrypted ssh private key in Mac OS X 10.11 “El Capitan” and earlier, Mac OS X prompts you to save its passphrase (encrypted) in the Apple keychain. From then on your private key will be automatically decrypted and available on request. When this is working, "ssh-add -lL" should show at least one key available on your Mac or Linux system. After you "ssh -A" to another host with agent forwarding, "ssh-add -lL" should show the same key(s) available as on your local desktop.

...

You should be able to manually add your private key passphrase to the Apple Keychain with "ssh-add -K --apple-use-keychain ~/.ssh/id_rsa" (assuming ~/.ssh/id_rsa is your private key) on a current version of macOS; for older versions you may need "ssh-add -K ~/.ssh/id_rsa" instead. You only need to do this once per key.

...

An ssh agent loads (encrypted) keys from disk, decrypts them in memory, and makes the keys available to ssh clients such as ssh, sftp, and scp. OpenSSH's ssh-agent caches keys, and ssh-add controls ssh-agent. To load keys from disk, use a command such as ssh-add -t 540 private-key, which will read private-key, prompt for the passphrase to decrypt it, make the key available to ssh client programs for 9 hours, and then clear it from memory. "ssh-add -L" lists all loaded keys.

ssh-agent is intended to run as a parent process, spawning shells or an X11 session as child processes. The children automatically inherit access to the parent agent via environment variables. This is inconvenient for configurations without a single parent process for each user. ssh ‘keychains’ such as Gentoo keychain work by sharing a single ssh-agent across multiple processes.
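An added example, not from the original page or from Gentoo keychain itself, of the sharing approach described above: the agent's environment is saved to a file once and re-sourced by later shells, so each user ends up with exactly one agent. It assumes POSIX sh; the SSH_AGENT, SSH_ADD and AGENT_ENV variables are assumptions of this example that only exist so the commands and file location can be overridden.

```shell
# Added example, not from the original page: share one ssh-agent across all of
# a user's shells (the idea behind Gentoo keychain) by saving the agent's
# environment to a file and re-sourcing it instead of starting a new agent.
# Assumes POSIX sh; SSH_AGENT/SSH_ADD exist only so the commands can be swapped.
AGENT_ENV=${AGENT_ENV:-$HOME/.ssh/agent.env}
SSH_AGENT=${SSH_AGENT:-ssh-agent}
SSH_ADD=${SSH_ADD:-ssh-add}

# ssh-add exits 0 (keys loaded) or 1 (agent reachable but empty); 2 means it
# could not contact the agent named by SSH_AUTH_SOCK, e.g. a stale socket.
agent_reachable() {
    rc=0; $SSH_ADD -l >/dev/null 2>&1 || rc=$?
    [ "$rc" -ne 2 ]
}

# Load a saved agent environment; return 1 if there is none or it is stale.
load_saved_agent() {
    [ -r "$AGENT_ENV" ] || return 1
    . "$AGENT_ENV" >/dev/null      # sets SSH_AUTH_SOCK and SSH_AGENT_PID
    agent_reachable
}

# Start a fresh agent, saving its output owner-readable only (it names the
# socket through which any process could sign with your keys), then source it.
start_saved_agent() {
    (umask 077; $SSH_AGENT -s > "$AGENT_ENV") || return 1
    . "$AGENT_ENV" >/dev/null
}

# Entry point for ~/.profile: reuse the running agent or start exactly one.
use_shared_agent() {
    load_saved_agent && return 0
    start_saved_agent || return 1
    # -t limits how long a decrypted key stays usable; a bare number such as
    # 540 is seconds, so spell out the unit (ssh-add accepts s, m, h, d, w).
    echo "new agent $SSH_AGENT_PID; run: ssh-add -t 9h ~/.ssh/id_rsa" >&2
}
```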

...

PuTTY's pageant handles the whole login session. See above.

ssh Authentication Forwarding

...

For people who ssh into one computer, such as the HPC SSH bastion host xbio.mskcc.org, and from there to another computer such as lilac or luna.mskcc.org, authentication forwarding enables the intermediary computer (xbio) to use ssh-agent on the original client (Mac or PC) to authenticate to the remote server (lilac). For example, I ssh from teriyaki to xbio, and then from xbio to lilac. Even though I don't keep my private key on lilac, teriyaki authenticates my connection to lilac (through xbio), so I don't need my private key on xbio.

For Mac: First add your private key passphrase to the Apple Keychain with "ssh-add -K --apple-use-keychain ~/.ssh/id_rsa". Then enable authentication forwarding to xbio by adding the following to ~/.ssh/config on your Mac:

...

For Windows: See the Windows section above.


Copying Keys

Email messages are scanned and stored in multiple places, so do not email private keys. You can use scp or a thumb drive to copy them to a new Mac, but don't leave private keys on a thumb drive any longer than necessary -- they are easy to lose or steal.

The easiest option is to copy the entire ~/.ssh directory. It contains private and public keys, ssh configuration, and the known_hosts file. The ~/.ssh directory is normally hidden in the macOS Finder, but you can make it appear with the Terminal command open ~/.ssh or "Go to Folder..." in the Finder's Go menu.


Additional Information

Read the manual pages on your workstation or a server: man ssh. If you have any issues, please contact hpc-request@cbio.mskcc.org.