SSH keys

From SciNet Users Documentation
Revision as of 21:14, 16 May 2019 by Nolta (talk | contribs)
Jump to: navigation, search

SSH has an alternative to passwords to authenticate your login; you can generate a key file on a trusted machine and tell a remote machine to trust logins from a machine that presents that key. This can be both convenient and secure, and may be necessary for some tasks (such as connecting directly to compute nodes to use some visualization packages). Here we describe how to setup keys for logging into SciNet.

SSH Keys and SciNet

In addition to using passwords to authenticate users, one can use cryptographically secure keys to guarantee that a login request is coming from a trusted account on a remote machine, and automatically allow such requests. Done properly, this is as secure as requiring a password, but can be more convenient, and is necessary for some operations.

Using SSH keys

How SSH keys work

SSH relies on public key cryptography for its encryption. These cryptosystems have a private key, which must be kept secret, and a public key, which may be disseminated freely. In these systems, anyone may use the public key to encode a message; but only the owner of the private key can decode the message. This can also be used to verify identities; if someone is claiming to be Alice, the owner of some private key, Bob can send Alice a message encoded with Alice's well-known public key. If the person claiming to be Alice can then tell Bob what the message really was, then that person at the very least has access to Alice's private key.

To use keys for authentication, you need to:

  • Generate a key pair (private and public)
  • Copy the public key to a remote site, and add it to the list of authorized keys
  • Ensure permissions are set properly
  • Test to make sure it works

Generating an SSH key pair

The first stage is to create an SSH key pair. On Linux & MacOS, this is done using the ssh-keygen command:

ssh-keygen -t ed25519

If that doesn't work, try:

ssh-keygen -t rsa -b 4096

This will prompt you for two pieces of information: where to save the key, and a passphrase for the key. The passphrase is like a password, but rather than letting you in to some particular account, it allows you to use the key you've generated to log into other systems.

The default location to save the private key is in ${HOME}/.ssh/id_type (where type is ed25519 for an Ed25519 key or rsa for an RSA key); unless you have some specific reason for placing it elsewhere, use this option. The public key will be id_type.pub in the same directory.

Your passphrase can be any string, and of any length. It is best not to make it the same as any of your passwords.

A sample session of generating a key would go like this:

$ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/USERNAME/.ssh/id_ed25519): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/USERNAME/.ssh/id_ed25519.
Your public key has been saved in /home/USERNAME/.ssh/id_ed25519.pub.
The key fingerprint is:
SHA256:EajOndriRmLpl1qKg03FDhnc0EzRaApdBTygEbpQZrA USERNAME@HOSTNAME
The key's randomart image is:
+--[ED25519 256]--+
|+=*X=*...        |
|oB+ O o  .       |
|E. * o  .        |
|..+ +    .       |
|.  B . .S        |
|  = = o          |
|.= o.+           |
|o.oo* .          |
|..o=..           |
+----[SHA256]-----+


Don't Use Passphraseless Keys!

If you do not specify a passphrase, you will have a completely "exposed" private key. This is a terrible idea. If you then use this key for anything it means that anyone who sits down at your desk, or anyone who borrows or steals your laptop, can login to anywhere you use that key (good guesses could come from just looking at your history) without needing any password, and could do anything they wanted with your account or data. Don't use passphraseless keys.

Copying the Public Key to SciNet

Now that you have this SSH "identity", you use the public (not the private) key for access to remote machines. The public key must added (as a single line) to your $HOME/.ssh/authorized_keys file on Niagara.

First copy your public key to SciNet:

scp ~/.ssh/id_ed25519.pub SCINET_USERNAME@niagara.scinet.utoronto.ca:newkey

Then login to SciNet and append the contents of ~/newkey to ~/.ssh/authorized_keys:

$ ssh SCINET_USERNAME@niagara.scinet.utoronto.ca
...
$ cat ~/newkey >> ~/.ssh/authorized_keys

~/.ssh Directory Permissions

Note that SSH is very fussy about file permissions; your ~/.ssh directory must only be accessible by you, and your various key files must not be writable (or in some cases, readable) by anyone else. Sometimes users accidentally reset file permissions while editing these files, and problems happen. If you look at the ~/.ssh directory itself, it should not be accessible by anyone else:

$ ls -ld ~/.ssh
drwx------ 2 USERNAME GROUPNAME 7 Aug  9 15:43 /home/.../.ssh

and authorized_keys must not be writable:

$ ls -l ~/.ssh/authorized_keys 
-rw------- 1 USERNAME GROUPNAME 1213 May 29  2009 /home/.../.ssh/authorized_keys

To fix your permissions, use the following command:

chmod -R go= ~/.ssh/

Testing Your Key

Now you should be able to login to the remote system (say, SciNet):

$ ssh USERNAME@niagara.scinet.utoronto.ca
Enter passphrase for key '/home/USERNAME/.ssh/id_ed25519': 
Last login: Tue Aug 17 11:24:48 2010 from HOSTNAME
[...]
nia-login07-$

If this doesn't work, you should be able to login using your password, and investigate the problem.

If you get the message below you may need to logout of your gnome session and log back in since ssh-agent needs to be restarted with the new passphrase ssh key.

$ ssh USERNAME@niagara.scinet.utoronto.ca
Agent admitted failure to sign using the key.

(Optional) Using ssh-agent to Remember Your Key

But now you've just replaced having to type a password for login with having to type a passphrase for your key; what have you gained?

It turns out that there's an automated way to manage ssh "identities", using the ssh-agent command, which should automatically be running on newer Linux or macOS machines. You can add keys to this agent for the duration of your login using the ssh-add command:

$ ssh-add
Enter passphrase for /home/USERNAME/.ssh/id_ed25519: 
Identity added: /home/USERNAME/.ssh/id_ed25519 (/home/USERNAME/.ssh/id_ed25519)

and then logins will not require the passphrase, as ssh-agent will provide access to the key.

When you log out of your home computer, the ssh agent will close, and next time you log in, you will have to ssh-add your key. You can also set a timeout of (say) an hour by using ssh-add -t 3600. This minimizes the number of times you have to type your passphrase, while still maintaining some degree of key security.


Multiple SSH keys

It's recommended to have different ssh keys for each service, specific role, or domain. For example, to have separate keys for niagara and graham, first generate two new keys:

$ ssh-keygen -t ed25519 -f ~/.ssh/id_niagara  -C "Key for Niagara"
...
$ ssh-keygen -t ed25519 -f ~/.ssh/id_graham   -C "Key for Graham"
...

Make sure to use different file names for each key. Next, modify your ~/.ssh/config file, adding IdentityFile directives:

Host niagara
  User myusername
  Hostname niagara.scinet.utoronto.ca
  IdentityFile ~/.ssh/id_niagara

Host graham
  User myusername
  Hostname graham.computecanada.ca
  IdentityFile ~/.ssh/id_graham

Now when you login with the shortcuts

$ ssh niagara

or

$ ssh graham

different keys will be used.