...
When creating a key you are prompted for a passphrase to protect your private key. This passphrase is important — it should be a strong passphrase (at least 12 characters; not all letters or numbers). Pick something you will remember because there is no way to recover a key if you forget the passphrase.
1. With Terminal still open, copy and paste the text below. -C adds a comment — you can specify your email, name, and/or the date.
Use a very strong passphrase. For more information see Working with SSH key passphrases.
...
2. We suggest keeping the default settings as they are, so when you’re prompted to “Enter a file in which to save the key”, just press Enter to continue.
# Enter file in which to save the key (/Users/YOU/.ssh/id_rsa): [Press enter]
3. You’ll be asked to enter a passphrase.
# Enter passphrase: [Type a passphrase]
# Enter same passphrase again: [Type passphrase again]
4. After you enter a passphrase, you’ll be given the fingerprint, or id, of your ssh key. It will look something like this:
# Your identification has been saved in /Users/you/.ssh/id_rsa.
# Your public key has been saved in /Users/you/.ssh/id_rsa.pub.
# The fingerprint is:
# 01:0f:f4:3b:ca:85:d6:17:a1:7d:f0:68:9d:f0:a2:db your_email@example.com
- DO NOT email us your fingerprint (in green above)
- Now you should have the following files (and perhaps more) in $HOME/.ssh:
pepper@teriyaki:~$ ls -l .ssh/
-rw------- 1 pepper staff 1743 Dec 12 2008 .ssh/id_rsa
-rw-r--r-- 1 pepper staff 402 Dec 23 2008 .ssh/id_rsa.pub
5. Show your public key with the command:
cat ~/.ssh/id_rsa.pub
6. Public Key Installation for New Accounts
- If you are requesting a new account, paste your public key file id_rsa.pub into the account request form and we will install it for you:
lski1907:.ssh perixj$ more id_rsa.pub
ssh-rsa ... juancerixn@gmail.com
WARNING: Your private key file (id_rsa) is effectively a password, so be careful with it! Private keys should be kept secure, and should not be stored on insecure machines (or any multi-user machines, if possible). Check with our system administrators if you need to use a key in batch jobs.
...
To install your public key on a server for authentication, use a command like "scp id_rsa.pub SERVER:.ssh/authorized_keys" (this copies the key). Alternatively you could log in with your password and use a text editor like vi to create the $HOME/.ssh/authorized_keys file. Afterwards ssh $SERVER should prompt for your key's encryption passphrase rather than your UNIX password on $SERVER. If it doesn't work, use your account password to log in and check permissions (ls -la ~/.ssh). Make sure that there are no line breaks in the key. Each key should be one single line. If you still have problems contact hpc-request@cbio.mskcc.org.
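The permission and one-key-per-line checks described above can be scripted. This is an added example, not part of the original documentation: the function names are hypothetical, only common key types are recognised, and it assumes key lines carry no leading options such as command="...".

```shell
#!/bin/sh
# Added example: audit an .ssh directory for the two problems named above.
# Usage (after sourcing this file): audit_ssh_dir "$HOME/.ssh"

# Succeeds if $1 is writable by group or others, which is the condition
# sshd's StrictModes check rejects.
loose_perms() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# Prints the number of every line in $1 that is not a complete public key.
# A key wrapped across lines leaves a continuation line with no key type.
bad_key_lines() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        $1 ~ "^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))$" &&
        $2 ~ "^AAAA[A-Za-z0-9+/]+=*$" { next } # key type followed by base64 blob
        { print NR }
    ' "$1"
}

# audit_ssh_dir DIR: prints findings; returns 0 only if nothing was found.
audit_ssh_dir() {
    dir=$1
    ak=$dir/authorized_keys
    rc=0
    if loose_perms "$dir"; then
        echo "group/world-writable: $dir"
        rc=1
    fi
    if [ ! -f "$ak" ]; then
        echo "missing: $ak"
        return 1
    fi
    if loose_perms "$ak"; then
        echo "group/world-writable: $ak"
        rc=1
    fi
    bad=$(bad_key_lines "$ak")
    if [ -n "$bad" ]; then
        echo "not a single-line key at line(s): $(echo $bad)"
        rc=1
    fi
    return $rc
}
```

Run it on the server after logging in with your account password; an empty result with exit status 0 means the directory and key file pass both checks.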
Workstation Global Configuration
...
Windows
On Windows 10, you can use Microsoft's OpenSSH. Alternatively download and run the PuTTY MSI installer; if you cannot run the installer on your PC, you can simply download the zip archive. This gives you PuTTY, pscp, psftp, PuTTYgen, and pageant (you do not need PuTTYtel).
...
Then select the complete contents of the text area at the top of the window, which should start with 'ssh-rsa'; make sure to get the entire public key, which is likely to extend below the bottom of the text area, and paste this into your New HPC account request. Optionally, create a new plain text file in Notepad and save it as C:\keys\id_rsa.pub.
Launch PuTTY, create a new configuration, and save it. The new configuration should include username@hostname (like joe7@lilac.mskcc.org) in the server field.
Assuming you will not use pageant, at least initially, from the left-side menu, select SSH:Auth, and specify your .ppk file at bottom-right.
Scroll back to Session at the top of the left-side menu, and Save your configuration. Now you can double-click it in PuTTY to connect. Once the system administrators have created your account and installed your public key, double-clicking your saved configuration in PuTTY should connect you to the server, after prompting for the passphrase you used to encrypt your .ppk file.
...
ssh-agent remembers the passphrase so you do not need to type it every time you connect to the server. Note that IdentityFile and IdentitiesOnly prevent use of ssh-agent.
Mac: Apple Keychain
When you access an encrypted ssh private key in Mac OS X 10.11 “El Capitan” and earlier, Mac OS X prompts you to save its passphrase (encrypted) in the Apple keychain. From then on your private key will be automatically decrypted and available on request. When this is working, "ssh-add -lL" should show at least one key available on your Mac or Linux system. After you "ssh -A" to another host with agent forwarding, "ssh-add -lL" should show the same key(s) available as on your local desktop.
...
You should be able to manually add your private key passphrase to the Apple Keychain with "ssh-add --apple-use-keychain ~/.ssh/id_rsa" (assuming ~/.ssh/id_rsa is your private key) on a current version of macOS; for older versions you may need "ssh-add -K ~/.ssh/id_rsa" instead. You only need to do this once per key.
...
An ssh agent loads (encrypted) keys from disk, decrypts them in memory, and makes the keys available to ssh clients such as ssh, sftp, and scp. OpenSSH's ssh-agent caches keys, and ssh-add controls ssh-agent. To load keys from disk, use a command such as ssh-add -t 540m private-key, which will read private-key, prompt for the passphrase to decrypt it, make the key available to ssh client programs for 9 hours, and then clear it from memory. "ssh-add -L" lists all loaded keys.
ssh-agent is intended to run as a parent process, spawning shells or an X11 session as child processes. The children automatically inherit access to the parent agent via environment variables. This is inconvenient for configurations without a single parent process for each user. ssh ‘keychains’ such as Gentoo keychain work by sharing a single ssh-agent across multiple processes.
...
ssh Authentication Forwarding
For people who ssh into one computer such as the HPC SSH bastion host, xbio.mskcc.org, and from there to another computer such as lilac.mskcc.org, authentication forwarding enables the intermediary computer (xbio) to use ssh-agent on the original client (Mac or PC) to authenticate to the remote server (lilac). For example, I ssh from teriyaki to xbio, and then from xbio to lilac. Even though I don't keep my private key on lilac, teriyaki authenticates my connection to lilac (through xbio), so I don't need a copy of my private key on xbio.
For Mac: First add your private key passphrase to the Apple Keychain with "ssh-add --apple-use-keychain ~/.ssh/id_rsa". Then enable authentication forwarding to xbio by adding the following to ~/.ssh/config on your Mac:
Host xbio.mskcc.org
    Port 2222
    ForwardAgent yes
Or use "ssh -p 2222 -A xbio.mskcc.org" each time.
For Windows: See the Windows section above.
Additional keys can be loaded on intermediate machines, which has useful implications for working at another machine if you have ssh access to your workstation.
Copying Keys
Email messages are scanned and stored in multiple places, so do not email private keys. You can use scp or a thumb drive to copy them to a new Mac, but don't leave private keys on a thumb drive any longer than necessary -- they are easy to lose or steal.
The easiest option is to copy the entire ~/.ssh directory. It contains private and public keys, ssh configuration, and the known_hosts file. The ~/.ssh directory is normally hidden in the macOS Finder, but you can make it appear with the Terminal command open ~/.ssh or "Go to Folder..." in the Finder's Go menu.
Additional Information
Read the manual pages on your workstation or a server: man ssh. If you have any issues, please contact hpc-request@cbio.mskcc.org.