
Difference between revisions of "Ssh keys"

From ALICE Documentation

(Setup PuTTY to use key based login)
(Alternative public key copy)
 
(12 intermediate revisions by 2 users not shown)
Line 1: Line 1:
It is possible to setup ssh using keys only.  
+
__FORCETOC__
===Setup Linux ssh for key based login===
+
 
 +
It is possible to setup ssh login using keys only, therefore avoiding the need to type in your password for every login.  
 +
==Linux: setup ssh for key based login==
 
We need to create a private/public key set to allow passwordless login via ssh. To do this run the sshkey-ge command:
 
We need to create a private/public key set to allow passwordless login via ssh. To do this run the sshkey-ge command:
 
   $ ssh-keygen -t rsa
 
   $ ssh-keygen -t rsa
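Review bot: the unchanged sentence in this hunk, "To do this run the sshkey-ge command:", misnames the command that the following line shows as ssh-keygen; since the introduction above it is being reworded in this revision anyway, correct the name to ssh-keygen at the same time.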
Line 28: Line 30:
 
   -rw-r--r-- 1 testuser1 users  415 Jul  8 19:50 id_rsa.pub
 
   -rw-r--r-- 1 testuser1 users  415 Jul  8 19:50 id_rsa.pub
  
The id_rsa.pub file we need to transfer to the remote host. For this we can use the ssh-copy-id tool:
+
The file id_rsa.pub must be transferred to the remote host. For this we can use ssh-copy-id:
 
   $ ssh-copy-id -i ~/.ssh/id_rsa.pub username@remote-host
 
   $ ssh-copy-id -i ~/.ssh/id_rsa.pub username@remote-host
  
Line 42: Line 44:
 
   username@remote-host's password:
 
   username@remote-host's password:
  
Type in in your password to actually start the file copy.
+
Type your password to actually start the file copy.
 
   Number of key(s) added: 1
 
   Number of key(s) added: 1
  
Line 50: Line 52:
 
The passwordless ssh login is now in place.
 
The passwordless ssh login is now in place.
  
====Alternative public key copy====
+
===Alternative public key copy===
It may be the case that ssh-copy-id is not available with your version of OpenSSH. In that case you need to copy the information yourself. This can be done following the below pocedure.
+
It may be that ssh-copy-id is not available with your version of OpenSSH. In that case you need to copy the information yourself. This can be done following the below procedure.
  
It is possible to copy the public key directly to the remote host. The command below pipes the content of the public key through the ssh login to the remote host. On the remote host we first create the .ssh directory (if not there) and than append the public key content to the athorized_keys file, all in one command:
+
It is possible to copy the public key directly to the remote host. The command below pipes the content of the public key through the ssh login to the remote host. On the remote host we first create the .ssh directory (if not there) and then append the public key content to the authorized_keys file, all in one command:
 
   cat ~/.ssh/id_rsa.pub | ssh username@remote-host "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >>  ~/.ssh/authorized_keys"
 
   cat ~/.ssh/id_rsa.pub | ssh username@remote-host "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >>  ~/.ssh/authorized_keys"
 +
where username@remote-host can also me replaced by the logical name you have defined while configuring the ssh gateway jump (e.g. hpc1).
  
 
After successful execution of above command you can login to remote-host without specifying a password.
 
After successful execution of above command you can login to remote-host without specifying a password.
  
===Setup PuTTY to use key based login===
+
==Windows: setup PuTTY to use key based login==
 
Before we can use key based login, we first need to create a private/public key set. This is done by the program PuTTYgen. Open this program:
 
Before we can use key based login, we first need to create a private/public key set. This is done by the program PuTTYgen. Open this program:
 
[[File:putty6.PNG|none|thumb]]
 
[[File:putty6.PNG|none|thumb]]
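Review bot: the sentence added after the cat | ssh command reads "can also me replaced", which should be "can also be replaced", and it mentions a logical name from "configuring the ssh gateway jump" without saying where that configuration is described; name or link that page. The command in this hunk sets the mode of ~/.ssh but not of authorized_keys, so a "chmod 600 ~/.ssh/authorized_keys" step is worth adding while this section is being touched.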
Line 65: Line 68:
 
Make sure to use sensible file names for the two key files. The private key is automatically appended with the .ppk extension, while the public key does not need an extension.
 
Make sure to use sensible file names for the two key files. The private key is automatically appended with the .ppk extension, while the public key does not need an extension.
 
[[File:putty8.PNG|none|thumb]]
 
[[File:putty8.PNG|none|thumb]]
To make PuTTY aware of the private key, go to SSH - AUTH and use the Browse button to select the file in whuch you have previously saved the private key (usually extension .ppk).
+
To make PuTTY aware of the private key, go to tab SSH / AUTH and use the Browse button to select the file in which you have previously saved the private key (usually extension .ppk).
 
[[File:putty9.PNG|none|thumb]]
 
[[File:putty9.PNG|none|thumb]]
Finnaly, we need to tell PuTTY to use a particular account name for accessing the public key (which we still need to upload). So go to SSH - DATA and fill in your ULCN account name in the 'Auto-login username' box.
+
Finally, we need to tell PuTTY to use a particular account name for accessing the public key (which we still need to upload). So go to tab Connection / DATA and fill in your ULCN account name in the 'Auto-login username' box.
 
[[File:putty11.PNG|none|thumb]]
 
[[File:putty11.PNG|none|thumb]]
 
After all these changes, make sure to save the setting: go to Session and click the Save button.
 
After all these changes, make sure to save the setting: go to Session and click the Save button.
Line 78: Line 81:
  
 
This procedure can be used for the second login profile (to log in onto the ALICE login node).
 
This procedure can be used for the second login profile (to log in onto the ALICE login node).
 +
 +
==MAC: setup ssh for key based login==
 +
The procedure is very similar to the Linux procedure. So we first need to build a public/private keypair using the ssh-keygen utility:
 +
[[File:Macterm3.png|none|thumb]]
 +
For both question about passphrase, just hit enter (we will not be using passphrases). This will also have generated two files in your personal .ssh directory:
 +
[[File:Macterm4.png|none|thumb]]
 +
The file id_rsa.pub must be transferred to the remote host. For this we can use ssh-copy-id:
 +
  $ ssh-copy-id -i ~/.ssh/id_rsa.pub username@remote-host
 +
 +
This may produce the following message:
 +
  /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/username/.ssh/id_rsa.pub"
 +
  The authenticity of host 'remote-host (123.123.123.123)' can't be established.
 +
  ECDSA key fingerprint is SHA256:tygMarTe3SOjTcY9HzldKThxQzsTeiYHg5JmjB2bxeg.
 +
  Are you sure you want to continue connecting (yes/no)? yes
 +
 +
Having confirmed the access key to remote-host, the copy operation will commence:
 +
  /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
 +
  /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
 +
  username@remote-host's password:
 +
 +
Type your password to actually start the file copy.
 +
  Number of key(s) added: 1
 +
 +
  Now try logging into the machine, with:  "ssh 'username@remote-host'"
 +
  and check to make sure that only the key(s) you wanted were added.
 +
 +
The passwordless ssh login is now in place.
 +
 +
===Alternative public key copy===
 +
It may be that ssh-copy-id is not available with your version of OpenSSH. In that case you need to copy the information yourself. This can be done following the below procedure.
 +
 +
It is possible to copy the public key directly to the remote host. The command below pipes the content of the public key through the ssh login to the remote host. On the remote host we first create the .ssh directory (if not there) and then append the public key content to the authorized_keys file, all in one command:
 +
  cat ~/.ssh/id_rsa.pub | ssh username@remote-host "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >>  ~/.ssh/authorized_keys"
 +
where username@remote-host can also me replaced by the logical name you have defined while configuring the ssh gateway jump (e.g. hpc1).
 +
 +
After successful execution of above command you can login to remote-host without specifying a password.
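Review bot: the new MAC section repeats the Linux ssh-copy-id and "Alternative public key copy" text word for word, including the "can also me replaced" typo and "For both question about passphrase"; point to the Linux section for the shared steps and keep only what differs on a Mac, so later corrections are made in one place. The instruction to leave the passphrase empty should also state that the private key is then stored unencrypted.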

Latest revision as of 12:55, 10 July 2019


It is possible to set up ssh login using keys only, which avoids the need to type your password for every login.

Linux: setup ssh for key based login

We need to create a private/public key pair to allow passwordless login via ssh. To do this, run the ssh-keygen command:

 $ ssh-keygen -t rsa
 Generating public/private rsa key pair.
 Enter file in which to save the key (/home/testuser1/.ssh/id_rsa): 
 Enter passphrase (empty for no passphrase): 
 Enter same passphrase again: 
 Your identification has been saved in /home/testuser1/.ssh/id_rsa.
 Your public key has been saved in /home/testuser1/.ssh/id_rsa.pub.
 The key fingerprint is:
 SHA256:IZI+N1vdFIggRJnoy3+KiDa7l2VYIJNxrndHvHHKX5s testuser1@bree.strw.leidenuniv.nl
 The key's randomart image is:
 +---[RSA 2048]----+
 | .o=+o.. . ..    |
 | ++.oo. . .  .   |
 | .o.+ .+..  .    |
 |  o. oo.=o o     |
 | o o=.o=S ...    |
 |  +..=.+. . o    |
 |   .+ .  . E     |
 |.+ +. .          |
 |+o* .o           |
 +----[SHA256]-----+

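For both questions about the passphrase, just hit enter (we will not be using passphrases). An empty passphrase means the private key is stored unencrypted, so it is protected only by the file permissions shown below. This will also have generated two files in your personal .ssh directory: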

 $ ls -ltr id_rsa*
 -rw------- 1 testuser1 users 1843 Jul  8 19:50 id_rsa
 -rw-r--r-- 1 testuser1 users  415 Jul  8 19:50 id_rsa.pub

The file id_rsa.pub must be transferred to the remote host. For this we can use ssh-copy-id:

 $ ssh-copy-id -i ~/.ssh/id_rsa.pub username@remote-host

This may produce the following message:

 /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/username/.ssh/id_rsa.pub"
 The authenticity of host 'remote-host (123.123.123.123)' can't be established.
 ECDSA key fingerprint is SHA256:tygMarTe3SOjTcY9HzldKThxQzsTeiYHg5JmjB2bxeg.
 Are you sure you want to continue connecting (yes/no)? yes

Having confirmed the host key of remote-host (the fingerprint shown should match one obtained from a trusted source), the copy operation will commence:

 /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
 /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
 username@remote-host's password:

Type your password to actually start the file copy.

 Number of key(s) added: 1
 Now try logging into the machine, with:   "ssh 'username@remote-host'"
 and check to make sure that only the key(s) you wanted were added.

The passwordless ssh login is now in place.

Alternative public key copy

It may be that ssh-copy-id is not available with your version of OpenSSH. In that case you need to copy the information yourself, using the procedure below.

It is possible to copy the public key directly to the remote host. The command below pipes the content of the public key through the ssh login to the remote host. On the remote host we first create the .ssh directory (if not there) and then append the public key content to the authorized_keys file, all in one command:

 cat ~/.ssh/id_rsa.pub | ssh username@remote-host "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >>  ~/.ssh/authorized_keys"

where username@remote-host can also be replaced by the logical name you have defined while configuring the ssh gateway jump (e.g. hpc1).

After successful execution of the above command you can log in to remote-host without specifying a password.
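A more defensive form of the manual copy above, as an added example that is not part of the original page: it refuses input that is not a public key line, sets the mode of authorized_keys as well as ~/.ssh, and does not append the same key twice. The function name install_pubkey, its arguments and the sample key are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: idempotent, permission-safe variant of the manual key copy.
# install_pubkey and its two arguments are hypothetical names for this sketch.
install_pubkey() {
    pubkey_file=$1            # e.g. ~/.ssh/id_rsa.pub
    home_dir=${2:-$HOME}      # account home; overridable so it can be tested
    ssh_dir=$home_dir/.ssh
    auth=$ssh_dir/authorized_keys

    # Split the first line into "type base64 [comment]".
    key_line=$(head -n 1 "$pubkey_file") || return 1
    key_type=${key_line%% *}
    rest=${key_line#* }
    key_blob=${rest%% *}

    # Reject anything that is not a public key line; this also catches the
    # private key file (first line "-----BEGIN ...") being passed by mistake.
    case $key_type in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp*) ;;
        *) echo "not an OpenSSH public key: $pubkey_file" >&2; return 1 ;;
    esac
    case $key_blob in
        ''|*[!A-Za-z0-9+/=]*) echo "malformed key data" >&2; return 1 ;;
    esac

    # With StrictModes (the sshd default) keys are ignored when ~/.ssh or
    # authorized_keys is writable by group or others.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Match on type+blob so a different comment does not add a duplicate.
    if grep -qF -- "$key_type $key_blob" "$auth"; then
        echo "key already present in $auth"
        return 0
    fi
    # A last line without a newline would otherwise be fused with the new key.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi
    printf '%s\n' "$key_line" >> "$auth"
    echo "key added to $auth"
}

# Demo on constructed data in a scratch directory; no real account is touched.
demo=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7 constructed@example\n' > "$demo/id_rsa.pub"
install_pubkey "$demo/id_rsa.pub" "$demo/home"
install_pubkey "$demo/id_rsa.pub" "$demo/home"    # second run adds nothing
rm -rf "$demo"
```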

Windows: setup PuTTY to use key based login

Before we can use key based login, we first need to create a private/public key set. This is done by the program PuTTYgen. Open this program:

Putty6.PNG

and hit the 'Generate' button. You will have to move your mouse around, as this adds randomness to the creation of the key pair. Once the keys have been created you need to save each key in its own file.

Putty7.PNG

Make sure to use sensible file names for the two key files. The private key is automatically appended with the .ppk extension, while the public key does not need an extension.

Putty8.PNG

To make PuTTY aware of the private key, go to tab SSH / AUTH and use the Browse button to select the file in which you have previously saved the private key (usually extension .ppk).

Putty9.PNG

Finally, we need to tell PuTTY to use a particular account name for accessing the public key (which we still need to upload). So go to tab Connection / DATA and fill in your ULCN account name in the 'Auto-login username' box.

Putty11.PNG

After all these changes, make sure to save the settings: go to Session and click the Save button.

We still need to copy the public key to the server. Use Wordpad to open your public key file and select the text part. In this case from 'AAA' to '=='. Use CTRL-C to copy.

Putty10.PNG

Open the login session to the server (you still have to provide your password), then go to the .ssh directory, edit the authorized_keys file using an editor (e.g. vi) and paste in the copied text from the public key file. Make sure the pasted text is one line! Prepend that line with ssh-rsa (the default key type from puttygen) and save the file.

Putty12.PNG

Once the authorized_keys file is saved, you can log in without typing your password.

This procedure can be used for the second login profile (to log in to the ALICE login node).
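The copy, join and prefix steps above can be done on the server in one go. This is an added example, not part of the original page; the helper name putty_pub_to_openssh and the sample key are constructed for illustration, and it assumes the file was written by PuTTYgen's "Save public key" button.

```shell
#!/bin/sh
# Added example: turn a PuTTYgen "Save public key" file into the single
# authorized_keys line described above. putty_pub_to_openssh is a hypothetical
# helper name; OpenSSH's own "ssh-keygen -i -f FILE" performs the same import.
putty_pub_to_openssh() {
    # Keep only the base64 body between the BEGIN/END markers, dropping
    # Windows line endings and header lines such as Comment: "...".
    blob=$(tr -d '\r' < "$1" | awk '
        /^---- BEGIN SSH2 PUBLIC KEY ----/ { inkey = 1; next }
        /^---- END SSH2 PUBLIC KEY ----/   { inkey = 0 }
        !inkey                             { next }
        cont                 { cont = ($0 ~ /\\$/); next }  # wrapped header
        /^[A-Za-z0-9-]+: /   { cont = ($0 ~ /\\$/); next }  # header line
        { printf "%s", $0 }')

    case $blob in
        ''|*[!A-Za-z0-9+/=]*)
            # Also the outcome for a .ppk private key, which has no markers.
            echo "no public key body found in $1" >&2; return 1 ;;
        AAAAB3NzaC1yc2E*)
            # This prefix is the base64 of the embedded type string "ssh-rsa".
            printf 'ssh-rsa %s\n' "$blob" ;;
        *)
            echo "key in $1 is not RSA; do not label it ssh-rsa" >&2; return 1 ;;
    esac
}

# Demo with a constructed, non-functional sample key file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "constructed-sample"
AAAAB3NzaC1yc2EAAAABJQAAAIEAq1w2e3r4t5y6u7i8o9p0
ZmFrZWtleWRhdGE=
---- END SSH2 PUBLIC KEY ----
EOF
putty_pub_to_openssh "$sample"
rm -f "$sample"
```

Append the printed line to ~/.ssh/authorized_keys; the function fails instead of printing if it is given the .ppk private key file.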

MAC: setup ssh for key based login

The procedure is very similar to the Linux procedure. So we first need to build a public/private keypair using the ssh-keygen utility:

Macterm3.png

For both questions about the passphrase, just hit enter (we will not be using passphrases). This will also have generated two files in your personal .ssh directory:

Macterm4.png

The file id_rsa.pub must be transferred to the remote host. For this we can use ssh-copy-id:

 $ ssh-copy-id -i ~/.ssh/id_rsa.pub username@remote-host

This may produce the following message:

 /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/username/.ssh/id_rsa.pub"
 The authenticity of host 'remote-host (123.123.123.123)' can't be established.
 ECDSA key fingerprint is SHA256:tygMarTe3SOjTcY9HzldKThxQzsTeiYHg5JmjB2bxeg.
 Are you sure you want to continue connecting (yes/no)? yes

Having confirmed the host key of remote-host, the copy operation will commence:

 /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
 /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
 username@remote-host's password:

Type your password to actually start the file copy.

 Number of key(s) added: 1
 Now try logging into the machine, with:   "ssh 'username@remote-host'"
 and check to make sure that only the key(s) you wanted were added.

The passwordless ssh login is now in place.

Alternative public key copy

It may be that ssh-copy-id is not available with your version of OpenSSH. In that case you need to copy the information yourself, using the procedure below.

It is possible to copy the public key directly to the remote host. The command below pipes the content of the public key through the ssh login to the remote host. On the remote host we first create the .ssh directory (if not there) and then append the public key content to the authorized_keys file, all in one command:

 cat ~/.ssh/id_rsa.pub | ssh username@remote-host "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >>  ~/.ssh/authorized_keys"

where username@remote-host can also be replaced by the logical name you have defined while configuring the ssh gateway jump (e.g. hpc1).

After successful execution of the above command you can log in to remote-host without specifying a password.