SSH Keys - nthu-ioa/cluster GitHub Wiki

An ssh key is much more secure than using a password alone. If you use ssh-agent, you can also avoid having to type a password at all. We strongly recommend you connect to the cluster with an ssh key.

Instructions to set up your SSH key

On your local machine:

Run ssh-keygen -t rsa and follow the instructions. Please don't leave the passphrase empty! The passphrase can be the same as your fomalhaut account login password, but it will be more secure if it's different (a good passphrase is an easy-to-remember phrase made up of multiple letters, numbers, symbols and spaces, e.g. "4000 angstrom break!").

After this you should have a file ~/.ssh/id_rsa.pub on your machine.

The following one-line command on your local machine adds the contents of your ~/.ssh/id_rsa.pub file to a file called ~/.ssh/authorized_keys in your fomalhaut home directory.

cat ~/.ssh/id_rsa.pub | ssh [USERNAME]@fomalhaut.astr.nthu.edu.tw "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 644 ~/.ssh/authorized_keys"

You will be asked for your original password (not the passphrase you just created), because your key is not yet set up when you first run this command. From your next login onward, you should be asked for the passphrase instead.

If you have several machines that you use to access the cluster, you can follow the steps above for each of them. Alternatively, you can copy the id_rsa file (not id_rsa.pub) to "~/.ssh" on all the machines you log in from (although this is not good security practice).

Note that ~/.ssh/config must have restricted write permissions: chmod 644 ~/.ssh/config.

Other useful information

ssh-agent

ssh-agent can remember your passphrase until you log out of your local machine, so you don't have to type it every time you connect. Starting ssh-agent uses a strange syntax:

eval "$(ssh-agent -s)"

Once you've started ssh-agent, you need to add your key. It will ask for your passphrase.

ssh-add ~/.ssh/id_rsa

After this, you won't be asked for the passphrase when you connect to fomalhaut.

macOS

If you use a Mac, you will need to add this to your ~/.ssh/config:

Host *
  AddKeysToAgent yes
  UseKeychain yes
  IdentityFile ~/.ssh/id_rsa

And call ssh-add with a -K option:

ssh-add -K ~/.ssh/id_rsa

Internal SSH keys on cluster

Creating an internal ssh key on fomalhaut with an empty passphrase lets you move between the different nodes on the cluster without typing a password. This is necessary for multi-step ssh tunnels (for example, if you're using your laptop to access a jupyter session on one of the memory nodes).

Follow the instructions below. The procedure is similar to that above, but easier, because all the nodes on the cluster see the same home directory, so there is no need to copy the public key to another machine.

:warning: Only use this key inside the cluster. If you want to use ssh keys to connect from fomalhaut to other machines outside, generate a new key with a passphrase. :warning:

First generate a new key with an empty passphrase on fomalhaut:

cd ~/.ssh
ssh-keygen -t rsa -f cluster_internal_rsa -N ''
cat cluster_internal_rsa.pub >> authorized_keys

:warning: If you are setting up this internal key before following the instructions above to create your external key, you will also need to set the correct access permissions on the authorized_keys file now: chmod 644 ~/.ssh/authorized_keys.

Then in ~/.ssh/config on fomalhaut, add the following entry (substituting your_username):

Host c?? g?? m??
    User your_username
    IdentitiesOnly yes
    IdentityFile ~/.ssh/cluster_internal_rsa
    ForwardX11 yes
    ForwardX11Trusted yes

Remember, ~/.ssh/config must have restricted write permissions: chmod 644 config.

Now ssh c01 (for example) should succeed without asking for a password.
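
A permission audit for the files this page sets up, as an added example that is not part of the wiki. It assumes the modes used above (700 for ~/.ssh, 644 for authorized_keys and config), recognises private keys such as id_rsa and cluster_internal_rsa by their "PRIVATE KEY-----" header line, and expects them to be owner-only, which is what the OpenSSH client requires. The function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the wiki): audit permissions in an ssh directory.

# Print the nine permission characters of a path, e.g. "rw-r--r--".
perm_string() {
    ls -ld "$1" | cut -c2-10
}

# Succeed if group or others can write to the path.
group_or_other_writable() {
    case "$(perm_string "$1")" in
        ????w????|???????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed if group or others have any access at all.
group_or_other_access() {
    case "$(perm_string "$1")" in
        ???------) return 1 ;;
        *) return 0 ;;
    esac
}

# Audit DIR (default ~/.ssh): print one WARN line per finding and
# return 0 only if nothing was found.
audit_ssh_dir() {
    dir=${1:-"$HOME/.ssh"}
    findings=0
    if group_or_other_access "$dir"; then
        echo "WARN: $dir is open to group/others (the wiki uses chmod 700)"
        findings=$((findings + 1))
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if head -n 1 "$f" | grep -q 'PRIVATE KEY-----'; then
            # Private keys must be owner-only or ssh refuses to use them.
            if group_or_other_access "$f"; then
                echo "WARN: private key $f is accessible to group/others"
                findings=$((findings + 1))
            fi
        elif group_or_other_writable "$f"; then
            # authorized_keys, config, *.pub: 644 passes, 664 or 666 does not.
            echo "WARN: $f is writable by group/others"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}
```

After defining the functions, run audit_ssh_dir with no argument on your local machine and on fomalhaut; a non-zero exit status means at least one WARN line was printed.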