Set up an SSH key pair
SSH key pairs provide a more secure alternative to username and password for logging into remote systems.
Motivation
An SSH key pair can be used as an additional layer of security to connect to your account on the CCB HPC cluster. Instead of typing your username and password, it is possible to log into your account on the CCB cluster using a pair of files; one file on your personal computer (the “private” key), one file on the CCB cluster (the “public” key). Together, those two files enable your personal computer and the cluster to identify themselves to each other.
Creating an SSH key pair
To create the SSH key pair, open a Terminal session on your personal computer (i.e., not logged into the CCB cluster), and type:
ssh-keygen -t ecdsa -b 521
In particular:
- The option
-t ecdsa
is important to specify the type of SSH key pair. - The option
-b 521
indicates the number of bits in the key; a minimum of 2048 is recommended, while larger values generally give additional strength to the key.
When prompted for a filename, do not type anything, and immediately press the
Return
key to accept the default filename and location.
When prompted for a passphrase, CCB policy requires a 16 character passphrase. Private keys without a password are strictly prohibited.
When prompted to confirm your passphrase, type the same passphrase and press
the Return
key.
Finally, the Terminal should display a message indicating that the key pair was successfully created.
In particular:
- The private key is located at
~/.ssh/id_ecdsa
. - The public key is located at
~/.ssh/id_ecdsa.pub
.
Adding the public key on the CCB cluster
Finally, the public key – generated and saved as a file on your own computer – needs to be copied to your account on the CCB cluster, so that the CCB cluster can prove its identity to the client (see above, Motivation).
Conceptually, the command that you type in the Terminal on your personal computer should be structured as follows:
ssh-copy-id -i ~/.ssh/id_ecdsa <username>@<remote>
Replace <username>
by your own username, and <remote>
by one of the
login nodes (see General information).
If the public key indeed does not exist on your CCB cluster account yet,
you will be prompted for your password.
Type it, and press the Return
key.
This adds the public key to the file ~/.ssh/authorized_keys
on your
account on the CCB cluster.
Configuring the SSH client
Having set up the SSH key pair on your own computer and the CCB cluster,
you still need to configure the SSH client so that it uses the private key
whenever you invoke the ssh
command, to prove your identity to the CCB cluster,
and vice versa.
Open (or create) the file ~/.ssh/config
on your personal computer.
You may do so using any text editor of your choice, including
graphical applications (e.g., Sublime Text)
or Terminal text editors such as those listed in the section
Editing files in the Terminal.
In that file, add the following lines:
Host *
IdentityFile ~/.ssh/id_ecdsa
Those lines configure the private key pair used for any remote host that you log into
using the ssh
command.
- The keyword
Host
creates a new set of parameters. - The pattern
*
matches all hostnames, making those parameters global defaults unless overwritten in subsequent declarations. - The field
IdentityFile
specifies the path to the private SSH key file that you created earlier on your personal computer.
Alternatively, if you happen to use different SSH key pairs to connect to different
SSH servers, you may need to explicitly declare the name of the host next to the
Host
keyword, so that the following configuration settings only apply to that
particular host.
Host cbrglogin1.molbiol.ox.ac.uk
IdentityFile ~/.ssh/id_ecdsa
More information about fields that may be configured is available on the page Advanced client configuration
Log in using your SSH key pair
You can now log into the CCB cluster using the same ssh
command as before.
You will be prompted to type your SSH passphrase when the SSH key pair is used.
ssh <username>@<remote>
The screenshot below demonstrates the ssh
command in action.