SSH keys (i.e. saving your fingers) - mackeylab/home GitHub Wiki

What are SSH keys?

SSH (Secure Shell) is a protocol for secure remote login, and an SSH key is an access credential in that protocol. Its function is similar to that of user names and passwords, but keys are primarily used for automated processes and for implementing single sign-on without having to type in passwords.

Functionally, SSH keys resemble passwords. They grant access and control who can access what. You can use them to avoid typing in your password each time you access a cluster or push/pull from GitHub.

How does it work?

An SSH key consists of a public and private keypair, where the private key is typically named something like id_rsa and the public key is id_rsa.pub. The private key stays on the system you're logging in from (your local computer, in this case), and the public key goes somewhere on the system you're logging in to (the CfN cluster, in this case). The SSH protocol matches them up and authenticates them. The gory details are in the Setting it up section below.

Think of the private key like a password. If anyone gets access to your private key and the passphrase you encrypted it with, they can potentially log onto any system you have access to.

Setting it up

Generate a key

  1. Open Terminal.

  2. Generate a new SSH key locally with ssh-keygen -t rsa -b 4096

This creates a new SSH key (using the RSA algorithm and a 4096-bit key, for those interested).

Generating public/private rsa key pair.

If you already have a local public/private keypair (an id_rsa and id_rsa.pub in ~/.ssh/, for example, that you're using to authenticate to GitHub), you can use those, too.

  3. When you're prompted to "Enter a file in which to save the key," press Enter. This accepts the default file location.

Enter a file in which to save the key (/Users/you/.ssh/id_rsa): [Press enter]

  4. At the prompt, hit Enter again for no passphrase.

Enter passphrase (empty for no passphrase): [Type a passphrase]
Enter same passphrase again: [Type passphrase again]

GitHub has good documentation on SSH keys.

Adding your key to the cluster

  1. Add the public key to the ~/.ssh/authorized_keys file on the cluster. You can do this manually, or you can copy id_rsa.pub over to the cluster somewhere and then run cat id_rsa.pub >> ~/.ssh/authorized_keys. If you've already got an id_rsa.pub on the cluster to push/pull from GitHub, don't overwrite it!

  2. Permissions for SSH keys are finicky. Modify your permissions on authorized_keys by running chmod 640 ~/.ssh/authorized_keys.

  3. Modify your permissions on the ~/.ssh folder by running chmod 700 ~/.ssh.

Modifying your local configuration file

  1. Create a file ~/.ssh/config locally if it does not already exist, with touch ~/.ssh/config.

  2. Add an entry for the cluster to this file.

Host chead
  User username
  IdentityFile ~/.ssh/id_rsa
  ForwardX11Trusted yes

The ForwardX11Trusted option is the equivalent of the -Y flag when using ssh.

  3. Make sure your local permissions are correct. Modify the ~/.ssh directory to have 700 permission with chmod 700 ~/.ssh, and files within with chmod 600 ~/.ssh/*.

  4. If you're on Mac and you want your Keychain to automatically save passphrases, etc., add the following to the top of your configuration file:

AddKeysToAgent yes
UseKeychain yes

Host *
 IdentityFile ~/.ssh/id_rsa
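
The chmod steps from the two sections above, collected into a check you can rerun when key login stops working after a permissions change. This is an added example, not part of the original wiki: the function names perm_of and audit_ssh_dir are made up here, and treating any file whose first line contains PRIVATE KEY as a private key is an assumption.

```shell
#!/bin/sh
# Added example (not from the wiki): check an SSH directory against the
# modes this page sets with chmod. Prints one FINDING line per problem and
# returns 0 when the directory is clean, 1 otherwise.

perm_of() { ls -ld "$1" | cut -c1-10; }    # e.g. "drwx------"

audit_ssh_dir() {
    dir=${1:-$HOME/.ssh}
    bad=0
    [ -d "$dir" ] || { echo "FINDING: $dir is not a directory"; return 1; }

    # The directory itself: chmod 700.
    p=$(perm_of "$dir")
    case $p in
        drwx------) ;;
        *) echo "FINDING: $dir is $p, want drwx------ (chmod 700)"; bad=1 ;;
    esac

    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        p=$(perm_of "$f")
        if [ "$(basename "$f")" = authorized_keys ]; then
            # Page uses 640: group may read, nobody but the owner may write.
            want='-???[r-]-----' fix='chmod 640'
        elif [ "$(basename "$f")" = config ] ||
             head -n 1 "$f" 2>/dev/null | grep -q 'PRIVATE KEY'; then
            # Private keys and the client config: owner only.
            want='-???------' fix='chmod 600'
        else
            continue    # public keys, known_hosts: not secret
        fi
        # $want is left unquoted on purpose so case treats it as a pattern.
        case $p in
            $want) ;;
            *) echo "FINDING: $f is $p, fix with $fix"; bad=1 ;;
        esac
    done
    return "$bad"
}
```

Run audit_ssh_dir ~/.ssh on your local machine and again on the cluster; no output means the modes match what this page sets.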

Logging into the cluster

You're done!

Now, you should be able to log into the cluster by typing ssh chead without inputting your password. I've aliased chead in my ~/.bash_profile with the command below, so that literally all I have to type is chead. See Useful bash_profile tips & tricks for more of these.

alias chead="ssh chead"

Using SSH Keys with GitHub

Instructions on how to use SSH keys to avoid typing your password each time you push to GitHub are here.

You'll want to skip generating a new key, and simply use your existing public key on your local computer, ~/.ssh/id_rsa.pub, to connect to GitHub, by putting it into your GitHub SSH keys as here. You will need to add GitHub as a host in your ~/.ssh/config file, with the text below. You may also need to reconfigure your repos to work with SSH keys, that is, pointing them to git@github.com:your_repo_name instead of https://github.com/your_repo_name.

Host github.com
  User git
  Hostname ssh.github.com
  Port 443
  IdentityFile ~/.ssh/id_rsa

Example configuration file

AddKeysToAgent yes
UseKeychain yes

Host *
 IdentityFile ~/.ssh/id_rsa

Host github.com
  User git
  Hostname ssh.github.com
  Port 443
  IdentityFile ~/.ssh/id_rsa

Host chead
  User utooley
  IdentityFile ~/.ssh/id_rsa
  ForwardX11Trusted yes

Host cbica
  User tooleyu
  Hostname cbica-cluster.uphs.upenn.edu
  IdentityFile ~/.ssh/id_rsa