SSH Keys


Why Use SSH Keys

When connecting through the server it may be preferable to use SSH keys.  SSH keys provide a more secure form of remote communication.  SSH keys also make it possible to securely connect to systems behind without having to type in one's MSI password multiple times.

Below are instructions for how to setup SSH keys for Linux and Windows systems.  These instructions assume your local computer has its own SSH client and agent, as is the case on Macintosh and Linux computers. Windows does not include SSH, and installing SSH and agents on Windows is outside the scope of these instructions. There are seperate instructions for using SSH agents in conjunction with the MSI NX server.

These instructions use the following conventions:

  • localuser refers to the account on your computer
  • local refers to your computer
  • refers to any one of the MSI login nodes.
  • refers to any one of the systems behind the MSI login nodes such as Itasca, Cascade etc.
  • msiuser refers to your MSI username.

With that in mind:

  • [localuser@local] $ refers to commands run on your computer
  • [] $ refers to commands to be run on any one of the MSI login nodes
  • [] $ refers to commands to be run on your destination behind the login nodes


SSH Keys in Linux / Mac

Step 1: Generate the SSH Keys

There are two types of SSH key encryptions named DSA and RSA.  RSA allows for larger keys and is what we recommend.  Generate your ssh keys using the ssh-keygen command as shown below.  You will be prompted to choose a passphrase for the keys.  Please be sure to enter a passphrase. This is the password that will protect your keys. It can be a sentence with spaces between the words. Be sure to use a combination of lower and upper case letters, numbers and punctuation marks.

[localuser@local] $ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/localuser/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):

Enter your passphrase here
Enter same passphrase again:
The key's randomart image is:
    +---[ RSA 2048]---+ 
    |             o.  | 
    |  . .    .. zvxc | 
    |   o .o.     cv  | 
    | E     +o..zxcv  | 
    |  12   3S*+  . c | 
    |     2  34 .= zx | 
    |   1 .o+       . | 
    |   12 34 .       | 
    |      vxc vz xcv | 
[localuser @local] $

The random art image can be used to visually identify and confirm that you are connecting to the right system.

Step 2: Copy the public key to the remote system

The following SCP command wraps onto the next line. Be sure to copy it in its entirety for the command to work. You must copy your *.pub file to 

[localuser@local] $ scp ~/.ssh/

Connect via SSH to and then stage the public key for use: 

[] $ cat ~/.ssh/ >> .ssh/authorized_keys
[] $ chmod 600 .ssh/authorized_keys && rm .ssh/

Now try logging into the machine, with the command: ssh and look at the file: .ssh/authorized_keys to make sure this hasn't added extra keys that you weren't expecting. (For example, the last line in the file should have a localuser@local  entry that looks familiar.)

Connecting with SSH from your computer to will now ask for a passphrase instead of a password:

[localuser@local] $ ssh
Enter passphrase for key '/home/localuser/.ssh/id_rsa':

Step 3: Activate the ssh agent on you local computer

Back on your local computer you will now need to set up the SSH agent. The SSH agent will remember your passphrase and forward your key on, securely, to systems behind

Newer Linux distributions automatically start the SSH agent. You can test to see if the agent is available by running the ssh-add command. If you get an error then you will need to set up the SSH agent:

[localuser@local] $ ssh-add
Could not open a connection to your authentication agent.

If you see that, then start the SSH agent manually:

[localuser@local] $ eval $(ssh-agent)
Agent pid 1235455
[localuser@local] $

This will set up the agent only for the current login session (until you logout). 

Use ssh-add to add your passphrase to the SSH agent for the current login session:

[localuser @local] $ ssh-add
Enter passphrase for /home/localuser/.ssh/id_rsa:
[localuser @local] $

You can now SSH to and any server behind it without having to type a password:

[localuser@local] $ ssh
[] $ ssh
[] $

You can also do this in one step:

[localuser@local] $ ssh -t ssh
[] $

SSH Keys in Windows

On Windows, keys can be generated with PuTTYgen.

  • Download puttygen.exe and launch the program.
  • Select "SSH-2 RSA"
  • Enter 1024 in the "Number of bits in a generated key" field.
  • Click "Generate"
  • Enter a passphrase for your new key.
  • Save both the public key and private key on your hard drive.
  • Keep this window open so you have access to the "Public key for pasting into OpenSSH authorized_keys file" as you'll need this later.
  • SSH to with PuTTY.
  • Use a text editor (such as 'vi', 'emacs', or 'pico') to open the file "~/.ssh/authorized_keys"
  • On a new line, paste in the key you generated with puttygen.exe. Note that the key must be on only one line (you can check by displaying line numbers: use ":set nu" in vi, "Ctrl-C" to show current line number in pico, or "M-x linum-mode" in emacs)

You'll need to use pageant to store the key.

  • Download the program and launch it.
  • A tray icon will appear for pageant. Right click and select "View Keys".
  • Select "Add Key" and choose the key previously generated. You will need to enter the passphrase.


If you want to automatically launch pageant with your key:

  • Right click your desktop and select "New > Shortcut"
  • Enter the path to pageant.exe followed by the path to your key file, for example:
    "C:\Program Files (x86)\PuTTY\pageant.exe" C:\users\joe\key.ppk
    Note you will need to use quotes if either path contains spaces
  • When you click this shortcut, pageant will automatically load the key you specified.

SSH Keys Using NX

Besides SSH to, another popular method of remote access to MSI systems is via NX to Once an NX session is established, you must use SSH to connect to the actual compute resources at MSI. Therefore, an SSH agent may be desirable to reduce the number of times you must type your password. To set this up:

  1. Establish an NX session to
  2.             ssh-keygen
    • Use the default .ssh/id_rsa file, and set a passphrase.
  3.             ssh-copy-id itasca
    • You will be prompted for your regular login password.
  4.             eval $(ssh-agent)
  5.             ssh-add
    • You will be prompted for the passphrase you set on the key above.
  6.             ssh itasca

Replace itasca with whichever MSI resource you are connecting to. To have the agent start automatically when you start an NX session, create a file in your home directory named .bash_profile (not .bashrc) with these lines:

    if [[ -n "$NX_ROOT" ]]; then eval $(ssh-agent) ssh-add fi

Each time you log in via NX, you will also be prompted to enter your SSH key passphrase to unlock the key.


Optional: Multi-hop Connections (Connect to HPC Systems With One Command)

It is possible to configure SSH keys to allow multi-hop connections using a single command.  The method for doing this on Linux and Mac systems is outlined below.

In order to allow multi-hop connections a config file needs to be made on the local computer.  To begin create a file named config within the .ssh directory on the local computer.  This file will specify the name of each host being connected to via multiple hops.  An example config file is shown below:

 Host itasca
 ProxyCommand ssh nc 22
 User username

Host lab
 ProxyCommand ssh nc 22
 User username

In this example config file two systems are defined (itasca and lab). To connect to one of them you can type ssh hostname (eg. ssh itasca) from the command line on your local system.  The username used in the config file needs to correspond to your MSI username.  To function correctly the config file needs to have access permission 600 (chmod 600 .ssh/config).

This config file would allow you to connect to the Itasca and Lab systems, via an intermediate connection to the login node (see the above diagram).  SSH keys would be used to verify your identity.