User Tools

Site Tools


support:general:security:ssh

Secure SHell

Overview

Public key authentication requires the generation of a key pair which contains a private key and a public key.

Your private key should be:

  • kept confidential
  • copied to any machine you sit in front of and want to login from.
  • never sent by email
  • never sent to anyone else, including a system administrator (who should never ask)
  • copied or used only on trustworthy machines
  • if compromised or lost anyone trusting the public key should be notified as soon as possible.
  • Never be shared with another user

The public key should be:

  • Installed on any machine you want to be able to login to
  • Can be emailed, shared, and/or published
  • Should ideally be emailed as an attachment (to avoid formatting issues)

For a successful login the client must have access to the private key and the server must be configured to trust the matching public key. To avoid typing the passphrase per login use ssh-agent or the macOS keychain.

Setup

SSH is an encrypted protocol and since we require the use of SSH key there is an initial setup process. That process requires you to generate a public and private key pair.

Passphrases

Passphrases are not required, but are highly recommended for SSH private keys. If you forget the passphrase, you will not be able to use the private key, so pick something you will remember. It should be noted that using an empty passphrase is only advised on private, well protected systems, like a laptop will full disk encryption.

Helpful external links regarding passphrases:

Key Encryption Sizes

For RSA we recommend using a key size of 2048 or 4096.

Generating a Key Pair

Linux and macOS

macOS and almost all Linux distributions include OpenSSH client tools by default. You can use a tool ssh-keygen to generate SSH key pairs like so:

  $ ssh-keygen 
  Generating public/private rsa key pair.
  Enter file in which to save the key (/home/MyUser/.ssh/id_rsa):  **ACCEPT DEFAULT UNLESS YOU KNOW EXACTLY WHAT YOU ARE DOING.**
  Enter passphrase (empty for no passphrase):
  Enter same passphrase again:
  Your identification has been saved in ~/.ssh/id_rsa.
  Your public key has been saved in ~/.ssh/id_rsa.pub.
  The key fingerprint is:
  a-long-hex-string user@host

ssh-keygen will generate two files: the private key (usually named id_rsa), and the public key (usually named id_rsa.pub) in the .ssh/ directory under your home directory. The file with the .pub extension is your public key and should be sent for HPC access. The file without an extension is your private key and must be kept secret.

Windows

We recommend MobaXterm as the most straight forward SSH client.

To Generate SSH keys:

Launch MobaXterm, click the Start local terminal button .

Now you have a bash prompt that functions almost exactly like the equivalent Linux or macOS prompt, so you can run ssh-keygen as in the Linux and macOS section.

The ssh-keygen command will generate the two files that make up an ssh key pair for you, id_rsa (the private portion) and id_rsa.pub (the public portion). By default, both files will be saved to C:\Users\WindowsLoginName\Documents\MobaXterm\home\.ssh\.

Protect your private key file, id_rsa. Choose a strong passphrase when creating it, keep the file safe, and never share it with anyone.

When requesting an account on a cluster, submit the file id_rsa.pub as your public key.

To import an existing SSH key pair:

Copy the files to C:\Users\WindowsLoginName\Documents\MobaXterm\home\.ssh\.

To backup your SSH key pair:

Copy the contents of C:\Users\WindowsLoginName\Documents\MobaXterm\home\.ssh\ to a secure location.

X11

MobaXterm provides a local X server for Windows to use software with a graphical interface running on the cluster.

Advanced

Windows 7: If you need to export the private ssh key generated with PuTTYgen, here are the messy steps. (Since you are most likely needing to use the key on a Linux system its highly recommended to generate the ssh keys under Linux and import the private ssh key with PuTTYgen to Windows. Much easier!)

You will need to have putty-tools installed on a Linux system.

On the Windows system, open PuTTYgen and load your ppk ssh key.

Under the Conversions tab in PuTTYgen choose 'Export ssh.com key'.

Copy this file to the Linux system with putty-tools installed. Change the permissions of the key to be owner read-only

chmod 600 private-key-file

Assuming the private key file you copied over is named ssh2private:

puttygen ssh2private -O private-openssh -o privateLinux

you will be prompted for the key's passphrase, if it has one.

Copy the newly created privateLinux file to your .ssh directory.

scp privateLinux ~/.ssh

chmod 600 ~/.ssh/privateLinux

Assuming you already have another private ssh key in this location using the default name id_rsa, you will need to create ~/.ssh/config or specify the private key on the ssh command line.

  host hpc1
  Hostname hpc1.cse.ucdavis.edu
  User smith
  IdentityFile ~/.ssh/privateLinux

Then,

ssh hpc1

is the same as the command:

ssh -l smith -i ~/.ssh/privateLinux hpc1.cse.ucdavis.edu

If you do not have a ~/.ssh directory already, you may create it with

ssh-keygen -t rsa

In this case you will want to rename the private key you created to id_rsa so you need not create the ~/.ssh/config file to specify which ssh key to use, id_rsa is the default names SSH uses.

Using SSH

There are a few things to keep in mind when using SSH.

File System Permissions

You should keep your keys secure from other users on the system. Your private and public keys both should be only readable/writable by you: chmod 600 ~/.ssh/id_[rd]sa*. You should also note that nobody other than root should have writeable access to either your home: chmod go-w ~ or the .ssh directory in your home: chmod 700 ~/.ssh. If these permissions allow others to read or write these directories or files, public key authentication will fail.

Using Different Usernames

SSH has some handy configuration options that you can use to make it easier to get to a remote system. You can add these configuration options to a special file called: ~/.ssh/config.

Changing the default name of your ssh key is strongly discouraged. If you do change the default name for the ssh key, you will need to create file named “config” in ~/.ssh naming the ssh private key.

Host kaos
HostName kaos.ucdavis.edu
User tlknight
IdentityFile ~/.ssh/kaos

Now, this command

ssh kaos

is equivalent to this command

ssh -i ~/.ssh/kaos -l tlknight kaos.ucdavis.edu

There are many more options also. You can get them all by looking at the manual page (man ssh_config).

Moving and Copying Keys

We only store one ssh public key per person. The public key can be shared with anyone in the world (thus the name public). Only you should have access to your private key. Keep this very close. Since many people use more than one workstation/laptop you might need to copy your key pair (both your private and public key) to another machine. There are some security implications to doing this. Here are a couple to keep in mind:

  • Make sure you trust every workstation that has your private key. These machines need to be kept up-to-date, be physically secure (ie locked rooms, screensavers, etc), and have trusted administrators.
  • Make sure you move your private key over a secure medium/channel. You can use a medium to physically walk the key from one place to another, encrypted email, SSH, etc. Do not use FTP, unencrypted email (most email is unencrypted), HTTP, etc.
  • Make sure your permissions are set properly on the new machine. Here are some guidelines:
    • ~/.ssh : 700 or 500 (only you should be able to read/write here)
    • ~/.ssh/id_rsa and ~/.ssh/id_dsa : 600 or 400 (this is your private key, protect it)
    • ~/.ssh/id_rsa.pub and ~/.ssh/id_rsa.pub : no restrictions (this is your public key)

Here is the process using a USB thumb drive:

  1. Copy your private key (typically ~/.ssh/id_rsa or ~/.ssh/id_dsa) to a USB stick from your old workstation.
  2. Copy your public key (typically ~/.ssh/id_rsa.pub or ~/.ssh/id_dsa.pub) to a USB stick from your old workstation.
  3. Carry the USB stick to your new workstation.
  4. Make the ~/.ssh directory on the new workstation if it doesn't exist.
  5. Change the permissions of the ~/.ssh directory to 700.
  6. Copy your private key from the USB stick to your ~/.ssh directory.
  7. Change the permissions of the private key to be either 600 or 400.
  8. Copy your public key from the USB stick to your ~/.ssh directory.
  9. Test your key by connecting to a remote host.
  10. Remove the private and public key from the USB stick.

The process is generally the same if you use an encrypted channel (like SSH). Again, do not use email.

Transfering files to/from a server.

To copy an input file from your desktop to a server:

desktop:~> cd runs/run12/
desktop:~/runs/run12> ls
input1  input2  input3
desktop:~/runs/run12> scp input1 username@server.dept.ucd.edu:
input1                                        100% 1024KB   1.0MB/s   00:00    
desktop:~/runs/run12> 

Or a few files:

Desktop:~/runs/run12> scp input* username@server.dept.ucd.edu:
input1                                        100% 1024KB   1.0MB/s   00:00    
input2                                        100% 1024KB   1.0MB/s   00:00    
input3                                        100% 1024KB   1.0MB/s   00:00    

Or an entire directory tree:

desktop:~/runs/run12> cd ~/src
desktop:~/src> scp -r simulation-2.3/ username@server.dept.ucd.edu:src
HISTORY                                       100%    0     0.0KB/s   00:00    
input.c                                       100%    0     0.0KB/s   00:00    
timestep.c                                    100%    0     0.0KB/s   00:00    
README                                        100%    0     0.0KB/s   00:00    
output.c                                      100%    0     0.0KB/s   00:00    
solve.c                                       100%    0     0.0KB/s   00:00    
Makefile                                      100%    0     0.0KB/s   00:00    
desktop:~/src> 
support/general/security/ssh.txt · Last modified: 2021/07/02 10:10 by omen