
SEAS Computing has migrated all HPC hardware to FAS Research Computing (FASRC). New users should obtain a FAS RC account by visiting https://rc.fas.harvard.edu. The following information is for accessing legacy systems that will eventually be phased out.

 This page documents the steps needed to set up password-less SSH access to SEAS compute resources.

Summary

Your SSH private key will be created on your own client system, never on a shared server. You will then add the corresponding public key to the ~/.ssh/authorized_keys file in your SEAS home directory, either by logging in to login.seas.harvard.edu or by emailing your public key to ithelp@harvard.edu.


Motivation

Security has become increasingly important for Internet-connected hosts here at SEAS. To reduce the exposure that password logins create, SEAS Computing requires SSH keys for remote access to its hosts.

SSH is extremely useful

SSH is a very important tool for working in networked environments, and is a sort of "swiss army knife" of network connectivity. Understanding the basics will make many more options for accessing remote hosts and resources available.

Checking SSH Configuration (Linux and OS X)

SSH may already be set up and configured on your computer. "laptop $" indicates your personal computer's command (terminal) prompt. Enter the commands after the prompt.

Check for SSH Agent and Keys

Check your environment with the "env" command first; it should return a line with "SSH_AUTH_SOCK=..." and possibly other SSH environment variables, which means an ssh-agent is running. Following this, see if your private keys are loaded into the agent:

which should list the fingerprint and comment of one or more private keys.

If the "env" command doesn't return anything, then run:

If it says "The agent has no identities." then you can add them with:
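The agent checks above, written as POSIX shell functions. This is an added example, not code from the original page: it classifies the agent state from the two signals the text describes, the SSH_AUTH_SOCK variable and the exit code of "ssh-add -l" (0 with a listing, 1 for "The agent has no identities.", 2 when no agent can be reached), and prints the next step the page prescribes. The state names and next_step wording are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): classify the state of the local
# ssh-agent from SSH_AUTH_SOCK and the result of `ssh-add -l`.
#
# ssh-add -l exits 0 when it lists identities, 1 when the agent holds none
# ("The agent has no identities."), and 2 when it cannot contact an agent.

# classify_agent_listing LISTING EXITCODE
#   prints one of: no-agent | no-identities | has-identities
classify_agent_listing() {
  listing=$1
  rc=$2
  case "$rc" in
    0) if [ -n "$listing" ]; then echo "has-identities"; else echo "no-identities"; fi ;;
    1) echo "no-identities" ;;
    *) echo "no-agent" ;;   # 2 = no agent reachable; anything else (e.g. 127, ssh-add missing) treated alike
  esac
}

# check_agent: run the checks for real against the current environment.
check_agent() {
  if [ -z "${SSH_AUTH_SOCK:-}" ]; then
    echo "no-agent"         # no socket in the environment: nothing to talk to
    return 0
  fi
  rc=0
  listing=$(ssh-add -l 2>&1) || rc=$?
  classify_agent_listing "$listing" "$rc"
}

# next_step STATE: what the instructions above say to do in each state.
next_step() {
  case "$1" in
    no-agent)       echo 'start an agent: eval "$(ssh-agent -s)"; then ssh-add' ;;
    no-identities)  echo 'load your key: ssh-add ~/.ssh/id_rsa (or the keyname you chose)' ;;
    has-identities) echo 'agent ready; ssh will offer the loaded key' ;;
    *)              echo "unknown state: $1"; return 1 ;;
  esac
}

# Usage on your laptop:
#   state=$(check_agent); echo "$state: $(next_step "$state")"
```

Run it on the laptop after opening a new terminal; if it reports no-agent even though your desktop session started an agent, the terminal did not inherit SSH_AUTH_SOCK, and the fix is to start (or re-export) the agent in that shell rather than to regenerate keys.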

SSH Aliases


We recommend you put an entry in your laptop ~/.ssh/config file as follows:

Host login login.seas
    HostName        login.seas.harvard.edu
    User            YOUR_SEAS_USERNAME
    ForwardAgent    yes

Host loginx
    HostName        login.seas.harvard.edu
    User            YOUR_SEAS_USERNAME
    ForwardAgent    yes
    ForwardX11      yes

Note that "ForwardAgent yes" lets anyone with root on login.seas.harvard.edu use your agent, and so your keys, for as long as your session is open. Enable it only for hosts you trust to that degree and leave it off for everything else.

and then in your SEAS home directory ~/.ssh/config:

 

This will allow you to use "aliases" to quickly connect:

HowTo: MacOS X, Linux, Unix, and CygWin on Windows

On MacOS X, Linux, and other Unixes (and also Cygwin on Windows) the OpenSSH tools are usually available from the command line, so the commands are very similar.

In the following we use login.seas.harvard.edu to install an SSH public key.

Do not create the key pair on login.seas. Create it on your own secure system and transfer only the public key; the private key never leaves your client.

Creating an SSH Key Pair

To begin, we need to create a public/private key pair. Use an RSA key of at least 2048 bits (ssh-keygen's "-b" option sets the size). On Linux systems, MacOSX systems, and Windows systems using Cygwin, from a terminal window on your client (laptop or desktop), enter:

The optional  "keyname" refers to the filename of the private key; the corresponding public key file will be named "keyname.pub".

By default, ssh-keygen will use the names id_rsa and id_rsa.pub; ssh automatically looks for keys of this name. If you already have an id_rsa key, you might want to specify a different filename.

Next you'll be prompted to enter a passphrase. This can be more than a password: an entire sentence, part of a lyric to a song, a haiku, whatever. What it shouldn't be is the same as your Unix password, or empty. Either is a security risk: an empty passphrase means anyone who copies the private key file can use it immediately.

You SSH key passphrase should not be:

  1. Empty
  2. Less than 8 characters
  3. Your Unix password

Once you've completed the key generation process, make sure both files are in the ~/.ssh directory on your client computer, the standard location for SSH keys. Accepting ssh-keygen's default path puts them there already; if you gave a bare "keyname", the files were written to the current directory and must be moved:

Setting Up SSH Key Authentication

Now that you have a valid SSH key pair, you need to tell the server about it. To do this, we add the public key to the "authorized_keys" file, a special file in the ~/.ssh directory of your home directory on the server. For clarity, we'll demonstrate using the SEAS login server to set this up.

Since you don't have a key in place yet, you'll need to use password-based authentication. Because passwords are a greater security risk, you must be connected through the FAS VPN before attempting the following steps. Find VPN instructions at
http://www.fas-it.fas.harvard.edu/fas-vpn.

To begin, we need to setup your home directory for the file. Login using the VPN connection and a password, and create the proper ~/.ssh/ directory, and an empty authorized_keys file:

Once done, you have a properly setup authorized_keys file. Now you need to add your key to it.

You can also copy and paste the public key into the authorized_keys file using a text editor, but if you do this, you must ensure that there are no line breaks or carriage returns inside the key. Each key must be exactly one line, beginning with the key type (e.g. "ssh-rsa").

With these commands, you've accomplished the following steps:

  1. Transferred the public key to your home directory on the server (i.e. to login.seas.harvard.edu and, thanks to the shared file system, to all SEAS HPC machines);
  2. Logged into the server, and added the public key to the special file ~/.ssh/authorized_keys;
  3. Made sure that this file had the correct permissions, so that only you can read it.

When using ssh key authentication, permissions can be tricky. It's good to make sure of the following permissions settings:

  • Your ~/.ssh/authorized_keys file has "rw" permission only for you, and no one else (i.e. chmod 600)
  • Your ~/.ssh/ directory has "rwx" permissions only for you (i.e. chmod 700)
  • Your home directory has write access only for you (check with the command "ls -ld ~username"). With its default StrictModes setting, sshd silently ignores authorized_keys when the home directory, ~/.ssh or the file itself is writable by group or others, so a bad mode shows up as a password prompt rather than an error.
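The whole server-side procedure above (create ~/.ssh and authorized_keys, append the key as a single line, and set the permissions in the list) as shell functions. This is an added example, not the page's own commands: the home directory is a parameter so the functions can be tried against a scratch directory, and on login.seas you would pass "$HOME". It accepts ed25519 and ECDSA keys as well as the page's RSA, since sshd accepts all of them in authorized_keys; make_keypair uses 4096 bits, above the page's 2048 minimum, and is the only function that needs ssh-keygen.

```shell
#!/bin/sh
# Added example (not code from the original page): the key-installation steps
# as reusable functions. HOME is passed explicitly so the functions can be
# exercised against a scratch directory.

# make_keypair PATH COMMENT: generate the pair on your own machine, never on the
# server. Prompts for the passphrase. 4096 bits exceeds the page's 2048 minimum.
make_keypair() {
  ssh-keygen -t rsa -b 4096 -f "$1" -C "$2"
}

# valid_pubkey_line LINE: true when LINE is one OpenSSH public-key line,
# "<type> <base64-blob> [comment]", with no embedded CR or LF.
valid_pubkey_line() {
  line=$1
  [ $(( $(printf '%s' "$line" | wc -l) )) -eq 0 ] || return 1   # no line breaks
  case "$line" in *"$(printf '\r')"*) return 1 ;; esac          # no Windows CR
  set -- $line                                                  # split on spaces
  [ $# -ge 2 ] || return 1
  case "$1" in
    ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
    *) return 1 ;;                          # e.g. a PuTTYgen comment placed first
  esac
  case "$2" in ""|*[!A-Za-z0-9+/=]*) return 1 ;; esac           # blob must be base64
  return 0
}

# install_pubkey HOME LINE: create ~/.ssh and authorized_keys with the modes sshd's
# StrictModes requires (700 / 600), then append LINE unless that key is present.
install_pubkey() {
  home=$1; line=$2
  valid_pubkey_line "$line" || { echo "rejected: not a one-line OpenSSH public key" >&2; return 1; }
  mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
  touch "$home/.ssh/authorized_keys" && chmod 600 "$home/.ssh/authorized_keys"
  # Match on type and blob only, so re-adding the key with another comment is a no-op.
  blob=$(printf '%s\n' "$line" | cut -d' ' -f1,2)
  if grep -qF -- "$blob" "$home/.ssh/authorized_keys"; then
    echo "already present"
  else
    printf '%s\n' "$line" >> "$home/.ssh/authorized_keys"
    echo "installed"
  fi
}

# check_ssh_perms HOME: print every permission problem sshd would object to;
# prints nothing and returns 0 when the layout is clean.
check_ssh_perms() {
  home=$1; rc=0
  for f in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
    if [ ! -e "$f" ]; then echo "missing: $f"; rc=1; continue; fi
    perms=$(ls -ld "$f" | cut -c1-10)       # e.g. "drwx------"
    case "$f" in
      "$home")                              # home: no group/other write (chars 6 and 9)
        case "$perms" in ?????w*|????????w*) echo "group/other writable: $f ($perms)"; rc=1 ;; esac ;;
      *)                                    # .ssh and authorized_keys: owner only
        case "$perms" in ????------) ;; *) echo "not owner-only: $f ($perms)"; rc=1 ;; esac ;;
    esac
  done
  return $rc
}

# On the server, after copying keyname.pub into your home directory:
#   install_pubkey "$HOME" "$(cat ~/keyname.pub)" && check_ssh_perms "$HOME"
```

The duplicate check compares only the key type and blob, so pasting the same key twice with different comments does not leave two entries; and because valid_pubkey_line rejects anything with a line break or a leading comment, the two most common paste mistakes are caught before they reach authorized_keys.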

Logging In Using SSH Keys

Now that you've created your key pair, and told the server that this key pair is trusted (by putting it into the authorized_keys file), you can try logging in.

From the command prompt, you will use ssh as normal. If you specified a name other than id_rsa for the keyname, you'll need to specify the private key to use with the option "-i", and enter the passphrase when prompted. Here we use login.seas.harvard.edu, but this should now work with any SEAS UNIX server that you can log into, including HPC hosts:

Note that the prompt refers to a "passphrase for key ..." and NOT a password. If you are prompted for your unix login password, then something has gone wrong. Try adding the option "-v" or even "-vv" when you run ssh for verbose debugging information of the authentication process.

  • If you are not prompted for a passphrase at all, either the server knows nothing about your public key, you did not configure a passphrase, or the key is already loaded in a running ssh-agent (in which case the login simply succeeds). If the login fails, check that you installed your public key correctly on the server.
  • If you are prompted for the passphrase, but then are prompted for a password as well, the server rejected the key: check the permissions on the server against the list above. If the problem persists, generate a new key pair and replace the old one.

If all goes well, and the keys are installed correctly, you'll be able to log in without entering your unix password. Note that the same "-i" option, and key pair, can be used with other OpenSSH programs such as "scp" and "sftp" to do ssh key authentication to the server.

Connecting between remote systems

A key pair allows you to connect from your laptop or desktop to any server that has the public key installed. If you want to connect between two remote servers containing your public key, either to log in or to transfer files, you can do so using ssh agent forwarding with only the private key on your laptop or desktop. Simply connect using the '-A' switch to the ssh command (e.g. ssh -A yourname@remote.machinename). Use '-A' only towards hosts you trust: while the session is open, root on that host can use your forwarded agent. Please also see the section below regarding ssh agent and agent forwarding.

To set up an ssh agent on your local machine, so that you need to enter your passphrase only once, refer to the section below.

HowTo: Windows

For Windows, there are a variety of applications available that support ssh with key pairs, in general each has its own approach, implementation, and documentation.

For the sake of brevity, we encourage users to use one of three options:

  1. MobaXterm, for any Windows user who needs terminal connections; it is the most complete of the three and includes scp and X11 services.
  2. install CygWin, and follow the directions above.
  3. Use the freely available PuTTY client (including Pageant, and PuttyGen), along with WinSCP for file transfers.

In all three cases, use login.seas.harvard.edu to install your public key; after that you can log directly into the desired host.

MobaXterm

Provides a full suite for those connecting to Linux systems. No need to convert keys between formats; it comes with a GUI and all the services one usually needs: ssh-agent, scp and X11, integrated.

CygWin

CygWin provides a complete Linux compatibility environment under Windows, and as such is a very useful tool for Windows users working with Linux/UNIX machines as well. In addition, it offers a free X11 server.

PuTTY

PuTTY is a freely available ssh client that supports public key authentication, and also provides its own ssh agent called "Pageant" (see the next section below). The PuTTY documentation on passwordless public key authentication is in Chapter 8: Using public keys for SSH authentication, followed by the next chapter on using Pageant.

In addition, the secure file transfer program WinSCP uses Pageant to manage ssh keys as well.


The PuTTYgen program can be used to create a private/public key pair on the Windows system. The private key is loaded into PuTTY (or Pageant) and the public key is installed on the remote host following the procedure outlined above. Note that a proper OpenSSH public key is a single line that begins with the key type ("ssh-rsa"), followed by a space, the base64 key data, another space, and finally a comment. The public key file that PuTTYgen saves does not have this form: it places the comment first (such as "rsa-key-20101005") and wraps the key data over several lines. Either copy the one-line key shown in the PuTTYgen window itself, or edit the saved file with a text editor into the correct form.
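The conversion described in the previous paragraph, as an added example that is not part of the original page. PuTTYgen's "Save public key" writes the RFC 4716 layout (BEGIN/END delimiter lines, a Comment: header, the base64 blob wrapped across lines, often with Windows line endings); the functions below turn that into the single OpenSSH line that authorized_keys needs. OpenSSH's own "ssh-keygen -i -f key.pub" does the same conversion; the point here is to show what the result must look like. The sample key file is constructed for illustration and is not a real key, and the key type is inferred from the fixed base64 prefix that a length-prefixed algorithm name produces at the start of every blob.

```shell
#!/bin/sh
# Added example (not from the original page): convert a PuTTYgen "Save public
# key" file (RFC 4716 format) into the single OpenSSH line that
# ~/.ssh/authorized_keys expects. Equivalent to: ssh-keygen -i -f key.pub

# key_type_from_blob BLOB: the blob starts with a length-prefixed algorithm
# name, so its first base64 characters identify the key type.
key_type_from_blob() {
  case "$1" in
    AAAAB3NzaC1yc2E*)      echo "ssh-rsa" ;;
    AAAAC3NzaC1lZDI1NTE5*) echo "ssh-ed25519" ;;
    *)                     return 1 ;;   # anything else: refuse rather than guess
  esac
}

# rfc4716_to_openssh: read the PuTTYgen file on stdin; print "<type> <blob> <comment>".
rfc4716_to_openssh() {
  cr=$(printf '\r')
  comment=""; blob=""
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%"$cr"}                          # drop Windows line endings
    case "$line" in
      "---- BEGIN "*|"---- END "*) ;;           # delimiters carry no data
      Comment:*) comment=${line#Comment:}; comment=${comment# }
                 comment=${comment#\"}; comment=${comment%\"} ;;
      *:*) ;;                                   # any other header line
      "") ;;
      *) blob="$blob$line" ;;                   # base64 lines joined: no breaks
    esac
  done
  type=$(key_type_from_blob "$blob") || { echo "unrecognised key type" >&2; return 1; }
  printf '%s %s %s\n' "$type" "$blob" "$comment"
}

# Constructed sample (not a real key): the shape PuTTYgen produces.
SAMPLE_PUTTYGEN_PUBKEY='---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20101005"
AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedBlobLine1Constructed
BlobLine2ConstructedBlobLine2Constructed
---- END SSH2 PUBLIC KEY ----'

# convert_sample: run the conversion over the sample. For a real file:
#   rfc4716_to_openssh < putty_key.pub >> ~/.ssh/authorized_keys
convert_sample() {
  printf '%s\n' "$SAMPLE_PUTTYGEN_PUBKEY" | rfc4716_to_openssh
}
```

Because the output is built with a single printf, the result can never contain the carriage returns or wrapped lines that the page warns about; and refusing unknown blob prefixes means a file that is not actually a public key (a pasted private key, for instance) is rejected instead of being appended.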

Storing Your SSH Keys

For a discussion of how to automate and store SSH key handling, e.g. for server-to-server connectivity, please see the instructions on SSH agent forwarding.

Attachment: keychain, an SSH keychain script for automated handling of agent forwarding (modified Feb 11, 2010 by seppo).