Public key authentication requires the generation of a key pair which contains a private key and a public key.
Your private key should be:
The public key should be:
For a successful login the client must have access to the private key and the server must be configured to trust the matching public key. To avoid typing the passphrase per login use
ssh-agent or the macOS keychain.
SSH is an encrypted protocol and since we require the use of SSH key there is an initial setup process. That process requires you to generate a public and private key pair.
Passphrases are not required, but are highly recommended for SSH private keys. If you forget the passphrase, you will not be able to use the private key, so pick something you will remember. It should be noted that using an empty passphrase is only advised on private, well protected systems, like a laptop will full disk encryption.
Helpful external links regarding passphrases:
For RSA we recommend using a key size of 2048 or 4096.
macOS and almost all Linux distributions include OpenSSH client tools by default. You can use a tool
ssh-keygen to generate SSH key pairs like so:
$ ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/home/MyUser/.ssh/id_rsa): **ACCEPT DEFAULT UNLESS YOU KNOW EXACTLY WHAT YOU ARE DOING.** Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in ~/.ssh/id_rsa. Your public key has been saved in ~/.ssh/id_rsa.pub. The key fingerprint is: a-long-hex-string user@host
ssh-keygen will generate two files: the private key (usually named
id_rsa), and the public key (usually named
id_rsa.pub) in the
.ssh/ directory under your home directory. The file with the
.pub extension is your public key and should be sent for HPC access. The file without an extension is your private key and must be kept secret.
We recommend MobaXterm as the most straight forward SSH client.
Now you have a bash prompt that functions almost exactly like the equivalent Linux or macOS prompt, so you can run
ssh-keygen as in the Linux and macOS section.
ssh-keygen command will generate the two files that make up an ssh key pair for you,
id_rsa (the private portion) and
id_rsa.pub (the public portion). By default, both files will be saved to
Protect your private key file,
id_rsa. Choose a strong passphrase when creating it, keep the file safe, and never share it with anyone.
When requesting an account on a cluster, submit the file
id_rsa.pub as your public key.
Copy the files to
Copy the contents of
C:\Users\WindowsLoginName\Documents\MobaXterm\home\.ssh\ to a secure location.
MobaXterm provides a local X server for Windows to use software with a graphical interface running on the cluster.
Windows 7: If you need to export the private ssh key generated with PuTTYgen, here are the messy steps. (Since you are most likely needing to use the key on a Linux system its highly recommended to generate the ssh keys under Linux and import the private ssh key with PuTTYgen to Windows. Much easier!)
You will need to have putty-tools installed on a Linux system.
On the Windows system, open PuTTYgen and load your ppk ssh key.
Under the Conversions tab in PuTTYgen choose 'Export ssh.com key'.
Copy this file to the Linux system with putty-tools installed. Change the permissions of the key to be owner read-only
chmod 600 private-key-file
Assuming the private key file you copied over is named ssh2private:
puttygen ssh2private -O private-openssh -o privateLinux
you will be prompted for the key's passphrase, if it has one.
Copy the newly created privateLinux file to your .ssh directory.
scp privateLinux ~/.ssh
chmod 600 ~/.ssh/privateLinux
Assuming you already have another private ssh key in this location using the default name id_rsa, you will need to create ~/.ssh/config or specify the private key on the ssh command line.
host hpc1 Hostname hpc1.cse.ucdavis.edu User smith IdentityFile ~/.ssh/privateLinux
is the same as the command:
ssh -l smith -i ~/.ssh/privateLinux hpc1.cse.ucdavis.edu
If you do not have a ~/.ssh directory already, you may create it with
ssh-keygen -t rsa
In this case you will want to rename the private key you created to
id_rsa so you need not create the
~/.ssh/config file to specify which ssh key to use,
id_rsa is the default names SSH uses.
There are a few things to keep in mind when using SSH.
You should keep your keys secure from other users on the system. Your private and public keys both should be only readable/writable by you:
chmod 600 ~/.ssh/id_[rd]sa*. You should also note that nobody other than root should have writeable access to either your home:
chmod go-w ~ or the .ssh directory in your home:
chmod 700 ~/.ssh. If these permissions allow others to read or write these directories or files, public key authentication will fail.
SSH has some handy configuration options that you can use to make it easier to get to a remote system. You can add these configuration options to a special file called:
Changing the default name of your ssh key is strongly discouraged. If you do change the default name for the ssh key, you will need to create file named “config” in ~/.ssh naming the ssh private key.
Host kaos HostName kaos.ucdavis.edu User tlknight IdentityFile ~/.ssh/kaos
Now, this command
is equivalent to this command
ssh -i ~/.ssh/kaos -l tlknight kaos.ucdavis.edu
There are many more options also. You can get them all by looking at the manual page (
We only store one ssh public key per person. The public key can be shared with anyone in the world (thus the name public). Only you should have access to your private key. Keep this very close. Since many people use more than one workstation/laptop you might need to copy your key pair (both your private and public key) to another machine. There are some security implications to doing this. Here are a couple to keep in mind:
Here is the process using a USB thumb drive:
The process is generally the same if you use an encrypted channel (like SSH). Again, do not use email.
To copy an input file from your desktop to a server:
desktop:~> cd runs/run12/ desktop:~/runs/run12> ls input1 input2 input3 desktop:~/runs/run12> scp input1 firstname.lastname@example.org: input1 100% 1024KB 1.0MB/s 00:00 desktop:~/runs/run12>
Or a few files:
Desktop:~/runs/run12> scp input* email@example.com: input1 100% 1024KB 1.0MB/s 00:00 input2 100% 1024KB 1.0MB/s 00:00 input3 100% 1024KB 1.0MB/s 00:00
Or an entire directory tree:
desktop:~/runs/run12> cd ~/src desktop:~/src> scp -r simulation-2.3/ firstname.lastname@example.org:src HISTORY 100% 0 0.0KB/s 00:00 input.c 100% 0 0.0KB/s 00:00 timestep.c 100% 0 0.0KB/s 00:00 README 100% 0 0.0KB/s 00:00 output.c 100% 0 0.0KB/s 00:00 solve.c 100% 0 0.0KB/s 00:00 Makefile 100% 0 0.0KB/s 00:00 desktop:~/src>