...
When creating a key you are prompted for a passphrase to protect your private key. This passphrase is important — it should be a strong passphrase (at least 12 characters; not all letters or numbers). Pick something you will remember because there is no way to recover a key if you forget the passphrase.
...
Then select the complete contents of the text area at the top of the window, which should start with 'ssh-rsa'; make sure to get the entire public key, which is likely to extend below the bottom of the text area, and paste this into your New HPC account request. Optionally, create a new plain text file in Notepad and save it as C:\keys\id_rsa.pub.
Launch PuTTY, create a new configuration, and save it. The new configuration should include username@hostname (like joe7@lilac.mskcc.org) in the server field.
Assuming you will not use pageant, at least initially, select SSH:Auth from the left-side menu and specify your .ppk file at bottom-right.
...
ssh-agent remembers the passphrase so you do not need to type it every time you connect to the server. Note that IdentityFile and IdentitiesOnly prevent use of ssh-agent.
Mac: Apple Keychain
When you access an encrypted ssh private key in Mac OS X 10.11 “El Capitan” and earlier, Mac OS X prompts you to save its passphrase (encrypted) in the Apple keychain. From then on your private key will be automatically decrypted and available on request. When this is working, "ssh-add -lL" should show at least one key available on your Mac or Linux system. After you "ssh -A" to another host with agent forwarding, "ssh-add -lL" should show the same key(s) available as on your local desktop.
...
You should be able to manually add your private key passphrase to the Apple Keychain with "ssh-add --apple-use-keychain ~/.ssh/id_rsa" (assuming ~/.ssh/id_rsa is your private key) on a current version of macOS; for older versions you may need "ssh-add -K ~/.ssh/id_rsa" instead. You only need to do this once per key.
...
An ssh agent loads (encrypted) keys from disk, decrypts them in memory, and makes the keys available to ssh clients such as ssh, sftp, and scp. OpenSSH’s ssh-agent caches keys, and ssh-add controls ssh-agent. To load keys from disk, use a command such as ssh-add -t 540m private-key, which will read private-key, prompt for the passphrase to decrypt it, make the key available to ssh client programs for 9 hours, and then clear it from memory. (A lifetime given to -t without a unit suffix is read as seconds, so the "m" for minutes matters.) "ssh-add -lL" lists all loaded keys.
ssh-agent is intended to run as a parent process, spawning shells or an X11 session as child processes. The children automatically inherit access to the parent agent via environment variables. This is inconvenient for configurations without a single parent process for each user. ssh ‘keychains’ such as Gentoo keychain work by sharing a single ssh-agent across multiple processes.
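The agent behaviour described above, as an added example that is not part of the original page: it starts a private ssh-agent, loads a throwaway key for 9 hours, and counts the keys a child process sees with and without the inherited SSH_AUTH_SOCK. The names agent_demo and demo_key are made up for the illustration, and nothing in ~/.ssh is touched.

```shell
#!/bin/sh
# Added illustration: private agent plus a constructed throwaway key.

# Prints "<keys seen via inherited agent> <keys seen with no agent socket>".
agent_demo() (
    tmp=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmp"' EXIT

    # Start a dedicated agent. Its output is shell code that exports
    # SSH_AUTH_SOCK and SSH_AGENT_PID; children inherit both.
    agent_env=$(ssh-agent -s) || exit 1
    eval "$agent_env" >/dev/null
    trap 'ssh-agent -k >/dev/null 2>&1; rm -rf "$tmp"' EXIT

    # Constructed demo key. The empty passphrase is only so the demo runs
    # non-interactively; with a real key ssh-add prompts for the passphrase.
    ssh-keygen -q -t ed25519 -N '' -C demo-key -f "$tmp/demo_key" || exit 1

    # 540m = 9 hours. A bare "540" would mean 540 seconds (9 minutes).
    ssh-add -t 540m "$tmp/demo_key" >/dev/null 2>&1 || exit 1

    # A child shell reaches the agent through the inherited environment.
    with=$(sh -c 'ssh-add -L 2>/dev/null | grep -c "^ssh-ed25519 "') || true

    # Without SSH_AUTH_SOCK the same command has no agent to talk to.
    without=$(unset SSH_AUTH_SOCK
              ssh-add -L 2>/dev/null | grep -c "^ssh-ed25519 ") || true

    echo "$with $without"
)
```

Calling agent_demo prints "1 0": the key is visible only to processes that inherited the agent's socket, and the agent is killed when the function returns.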
...
PuTTY's pageant handles the whole login session. See above.
ssh Authentication Forwarding
...
For people who ssh into one computer such as the HPC SSH bastion host, xbio.mskcc.org, and from there to another computer such as lilac or luna.mskcc.org, authentication forwarding enables the intermediary computer (xbio) to use ssh-agent on the original client (Mac or PC) to authenticate to the remote server (lilac). For example I ssh from teriyaki to xbio, and then from xbio to lilac. Even though I don’t keep my private key on lilac, teriyaki authenticates my connection to lilac (through xbio) so I don’t need my private key on xbio.
For Mac: First add your private key passphrase to the Apple Keychain with "ssh-add --apple-use-keychain ~/.ssh/id_rsa". Then enable authentication forwarding to xbio by adding the following to ~/.ssh/config on your Mac:
...