Why Use SSH Keys
When connecting to either mesabi, mangi, or agate front-end servers, it may be preferable to use SSH keys. SSH keys provide a more secure form of remote communication. SSH keys also make it possible to securely connect to systems without having to type in one's MSI password multiple times.
Below are instructions for how to setup SSH keys for Linux and Windows systems. These instructions assume your local computer has its own SSH client and agent, which is a solid assumption except if you are running an older Windows OS. All Windows 10 and beyond have ssh available via the command line.
These instructions use the following conventions:
- localuser refers to the account on your computer
- local refers to your computer
- msiuser refers to your MSI username.
With that in mind:
- [localuser@local] $ refers to commands run on your computer
- [msiuser@(mesabi/mangi).msi.umn.edu] $ refers to commands to be run on any one of the MSI login nodes
SSH Keys in Linux / Mac
Step 1: Generate the SSH Keys
Generate your ssh keys using the ssh-keygen command as shown below. You will be prompted to choose a passphrase for the keys. Please be sure to enter a passphrase. This is the password that will protect your keys. It can be a sentence with spaces between the words. Be sure to use a combination of lower and upper case letters, numbers and punctuation marks.
[localuser@local] $ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/localuser/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter your passphrase here
Enter same passphrase again:
The key's randomart image is:
+---[ RSA 2048]---+ | o. | | . . .. zvxc | | o .o. cv | | E +o..zxcv | | 12 3S*+ . c | | 2 34 .= zx | | 1 .o+ . | | 12 34 . | | vxc vz xcv | +-----------------+
[localuser @local] $
The random art image can be used to visually identify and confirm that you are connecting to the right system.
Step 2: Copy the public key to the remote system
The following SCP command wraps onto the next line. Be sure to copy it in its entirety for the command to work. You must copy your *.pub file to agate.msi.umn.edu:
[localuser@local] $ scp ~/.ssh/id_rsa.pub email@example.com:.ssh/temp.pub
Connect via SSH to agate.msi.umn.edu and then stage the public key for use:
[firstname.lastname@example.org] $ cat ~/.ssh/temp.pub >> .ssh/authorized_keys
[email@example.com] $ chmod 600 .ssh/authorized_keys && rm .ssh/temp.pub
Now try logging into the machine, with the command: ssh agate.msi.umn.edu and look at the file: .ssh/authorized_keys to make sure this hasn't added extra keys that you weren't expecting. (For example, the last line in the file should have a localuser@local entry that looks familiar.)
Connecting with SSH from your computer to agate.msi.umn.edu will now ask for a passphrase instead of a password:
[localuser@local] $ ssh agate.msi.umn.edu
Enter passphrase for key '/home/localuser/.ssh/id_rsa':
Step 3: Activate the SSH agent on your local computer
You will now need to set up the SSH agent on your local computer. The SSH agent will remember your passphrase and forward your key on, securely, to systems behind agate.msi.umn.edu.
Newer Linux distributions automatically start the SSH agent. You can test to see if the agent is available by running the ssh-add command. If you get an error then you will need to set up the SSH agent:
[localuser@local] $ ssh-add
Could not open a connection to your authentication agent.
If you see that, then start the SSH agent manually:
[localuser@local] $ eval $(ssh-agent)
Agent pid 1235455
This will set up the agent only for the current login session (until you logout).
Use ssh-add to add your passphrase to the SSH agent for the current login session:
[localuser @local] $ ssh-add
Enter passphrase for /home/localuser/.ssh/id_rsa:
[localuser @local] $
You can now SSH to mesabi.msi.umn.edu without having to type a password:
[localuser@local] $ ssh -A firstname.lastname@example.org
Note that the -A argument is required to enable agent forwarding at every ssh-connection you make, except the last. You may wish to create an alias in your .bashrc that handles this automatically:
alias ssh='ssh -A'
SSH Keys in PuTTY for Windows older OS
On Windows, keys can be generated with PuTTYgen.
- Download puttygen.exe and launch the program.
- Select "SSH-2 RSA"
- Enter 2048 in the "Number of bits in a generated key" field.
- Click "Generate"
- Enter a passphrase for your new key.
- Save both the public key and private key on your hard drive.
- Keep this window open so you have access to the "Public key for pasting into OpenSSH authorized_keys file" as you'll need this later.
- SSH to agate.msi.umn.edu with PuTTY.
- Use a text editor (such as 'vi', 'emacs', or 'pico') to open the file "~/.ssh/authorized_keys"
- On a new line, paste in the key you generated with puttygen.exe. Note that the key must be on only one line (you can check by displaying line numbers: use ":set nu" in vi, "Ctrl-C" to show current line number in pico, or "M-x linum-mode" in emacs)
You'll need to use pageant to store the key.
- Download the program and launch it.
- A tray icon will appear for pageant. Right click and select "View Keys".
- Select "Add Key" and choose the key previously generated. You will need to enter the passphrase.
If you want to automatically launch pageant with your key:
- Right click your desktop and select "New > Shortcut"
- Enter the path to pageant.exe followed by the path to your key file, for example:
"C:\Program Files (x86)\PuTTY\pageant.exe" C:\users\joe\key.ppk
Note you will need to use quotes if either path contains spaces
- When you click this shortcut, pageant will automatically load the key you specified.