You are here
- Why Use SSH Keys
- SSH Keys in Linux / Mac
- SSH Keys in Windows
- SSH Keys Using NX
- Optional: Multi-hop Connections (Connect to HPC Systems With One Command)
Why Use SSH Keys
When connecting through the login.msi.umn.edu server it may be preferable to use SSH keys. SSH keys provide a more secure form of remote communication. SSH keys also make it possible to securely connect to systems behind login.msi.umn.edu without having to type in one's MSI password multiple times.
Below are instructions for how to setup SSH keys for Linux and Windows systems. These instructions assume your local computer has its own SSH client and agent, as is the case on Macintosh and Linux computers. Windows does not include SSH, and installing SSH and agents on Windows is outside the scope of these instructions. There are seperate instructions for using SSH agents in conjunction with the MSI NX server.
These instructions use the following conventions:
- localuser refers to the account on your computer
- local refers to your computer
- login.msi.umn.edu refers to any one of the MSI login nodes.
- resource.msi.umn.edu refers to any one of the systems behind the MSI login nodes such as Itasca, Cascade etc.
- msiuser refers to your MSI username.
With that in mind:
- [localuser@local] $ refers to commands run on your computer
- [email@example.com] $ refers to commands to be run on any one of the MSI login nodes
- [firstname.lastname@example.org] $ refers to commands to be run on your destination behind the login nodes
SSH Keys in Linux / Mac
Step 1: Generate the SSH Keys
There are two types of SSH key encryptions named DSA and RSA. RSA allows for larger keys and is what we recommend. Generate your ssh keys using the ssh-keygen command as shown below. You will be prompted to choose a passphrase for the keys. Please be sure to enter a passphrase. This is the password that will protect your keys. It can be a sentence with spaces between the words. Be sure to use a combination of lower and upper case letters, numbers and punctuation marks.
[localuser@local] $ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/localuser/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter your passphrase here
Enter same passphrase again:
The key's randomart image is:
+---[ RSA 2048]---+ | o. | | . . .. zvxc | | o .o. cv | | E +o..zxcv | | 12 3S*+ . c | | 2 34 .= zx | | 1 .o+ . | | 12 34 . | | vxc vz xcv | +-----------------+
[localuser @local] $
The random art image can be used to visually identify and confirm that you are connecting to the right system.
Step 2: Copy the public key to the remote system
The following SCP command wraps onto the next line. Be sure to copy it in its entirety for the command to work. You must copy your *.pub file to login.msi.umn.edu:
[localuser@local] $ scp ~/.ssh/id_rsa.pub email@example.com:.ssh/temp.pub
Connect via SSH to login.msi.umn.edu and then stage the public key for use:
[firstname.lastname@example.org] $ cat ~/.ssh/temp.pub >> .ssh/authorized_keys
[email@example.com] $ chmod 600 .ssh/authorized_keys && rm .ssh/temp.pub
Now try logging into the machine, with the command: ssh login.msi.umn.edu and look at the file: .ssh/authorized_keys to make sure this hasn't added extra keys that you weren't expecting. (For example, the last line in the file should have a localuser@local entry that looks familiar.)
Connecting with SSH from your computer to login.msi.umn.edu will now ask for a passphrase instead of a password:
[localuser@local] $ ssh login.msi.umn.edu
Enter passphrase for key '/home/localuser/.ssh/id_rsa':
Step 3: Activate the ssh agent on you local computer
Back on your local computer you will now need to set up the SSH agent. The SSH agent will remember your passphrase and forward your key on, securely, to systems behind login.msi.umn.edu.
Newer Linux distributions automatically start the SSH agent. You can test to see if the agent is available by running the ssh-add command. If you get an error then you will need to set up the SSH agent:
[localuser@local] $ ssh-add
Could not open a connection to your authentication agent.
If you see that, then start the SSH agent manually:
[localuser@local] $ eval $(ssh-agent)
Agent pid 1235455
Use ssh-add to add your passphrase to the SSH agent for the current login session:
[localuser @local] $ ssh-add
Enter passphrase for /home/localuser/.ssh/id_rsa:
[localuser @local] $
You can now SSH to login.msi.umn.edu and any server behind it without having to type a password:
[localuser@local] $ ssh firstname.lastname@example.org
[email@example.com] $ ssh firstname.lastname@example.org
You can also do this in one step:
[localuser@local] $ ssh -t email@example.com ssh firstname.lastname@example.org
SSH Keys in Windows
On Windows, keys can be generated with PuTTYgen.
- Download puttygen.exe and launch the program.
- Select "SSH-2 RSA"
- Enter 1024 in the "Number of bits in a generated key" field.
- Click "Generate"
- Enter a passphrase for your new key.
- Save both the public key and private key on your hard drive.
- Keep this window open so you have access to the "Public key for pasting into OpenSSH authorized_keys file" as you'll need this later.
- SSH to login.msi.umn.edu with PuTTY.
- Use a text editor (such as 'vi', 'emacs', or 'pico') to open the file "~/.ssh/authorized_keys"
- On a new line, paste in the key you generated with puttygen.exe. Note that the key must be on only one line (you can check by displaying line numbers: use ":set nu" in vi, "Ctrl-C" to show current line number in pico, or "M-x linum-mode" in emacs)
You'll need to use pageant to store the key.
- Download the program and launch it.
- A tray icon will appear for pageant. Right click and select "View Keys".
- Select "Add Key" and choose the key previously generated. You will need to enter the passphrase.
If you want to automatically launch pageant with your key:
- Right click your desktop and select "New > Shortcut"
- Enter the path to pageant.exe followed by the path to your key file, for example:
"C:\Program Files (x86)\PuTTY\pageant.exe" C:\users\joe\key.ppk
Note you will need to use quotes if either path contains spaces
- When you click this shortcut, pageant will automatically load the key you specified.
SSH Keys Using NX
Besides SSH to login.msi.umn.edu, another popular method of remote access to MSI systems is via NX to nx.msi.umn.edu. Once an NX session is established, you must use SSH to connect to the actual compute resources at MSI. Therefore, an SSH agent may be desirable to reduce the number of times you must type your password. To set this up:
- Establish an NX session to nx.msi.umn.edu.
- Use the default .ssh/id_rsa file, and set a passphrase.
- You will be prompted for your regular login password.
- You will be prompted for the passphrase you set on the key above.
Replace itasca with whichever MSI resource you are connecting to. To have the agent start automatically when you start an NX session, create a file in your home directory named .bash_profile (not .bashrc) with these lines:
if [[ -n "$NX_ROOT" ]]; then eval $(ssh-agent) ssh-add fi
Each time you log in via NX, you will also be prompted to enter your SSH key passphrase to unlock the key.
Optional: Multi-hop Connections (Connect to HPC Systems With One Command)
It is possible to configure SSH keys to allow multi-hop connections using a single command. The method for doing this on Linux and Mac systems is outlined below.
In order to allow multi-hop connections a config file needs to be made on the local computer. To begin create a file named config within the .ssh directory on the local computer. This file will specify the name of each host being connected to via multiple hops. An example config file is shown below:
ProxyCommand ssh email@example.com nc itasca.msi.umn.edu 22
ProxyCommand ssh firstname.lastname@example.org nc lab.msi.umn.edu 22
In this example config file two systems are defined (itasca and lab). To connect to one of them you can type ssh hostname (eg. ssh itasca) from the command line on your local system. The username used in the config file needs to correspond to your MSI username. To function correctly the config file needs to have access permission 600 (chmod 600 .ssh/config).
This config file would allow you to connect to the Itasca and Lab systems, via an intermediate connection to the login node (see the above diagram). SSH keys would be used to verify your identity.