CS 374: SSH Key-Based Authentication

To be able to ssh to a remote Linux system without entering your password, carefully follow these steps:

  1. In a terminal window, enter:
          ls -al
     
    and see if you have a .ssh directory in your home directory.
    - If you have no directory named .ssh in your home directory, use ssh to login to a remote system (e.g., another lab machine); then use Ctrl-d to close the connection. This will create the .ssh directory and some related files.
  2. Next, double-check that your .ssh directory is secure. Re-enter:
          ls -al 
    If the permissions on your .ssh directory are anything besides 700 (i.e., drwx------, meaning that you, and only you, can read, write, and execute in this directory), make the .ssh directory secure by entering:
          chmod 700 .ssh 
  3. Next, change your working directory to .ssh by entering:
          cd .ssh 
  4. Then list/view the contents of this directory by re-entering:
          ls -al 
  5. To generate your public and private keys in this directory using RSA encryption, enter the command:
          ssh-keygen -t rsa 
    The ssh-keygen program will prompt you three times:
    1. The first prompt is for the name of the file in which your private key will be stored; just press Enter to accept the default name (id_rsa).
    2. The second and third prompts ask you what password you want. Since we are trying to avoid entering passwords, do not enter any password at these prompts. Instead, just press Enter at both prompts, which will return you to the system prompt.
    In summary, you should just press Enter three times in responding to the ssh-keygen program's prompts.
  6. To see what new files ssh-keygen created, enter:
          ls -al 
    You should see two new files: id_rsa (your private key) and id_rsa.pub (your public key).
  7. Now that we have created our keys, we are ready to enable key-based authentication for ssh. To do so, enter:
         cat id_rsa.pub >> authorized_keys 
    This appends your public key to the authorized_keys file, which tells ssh to authenticate you using your key, instead of making you enter a password.

    (Alternatively, you can just copy your public key and paste it into the authorized_keys file using a text editor, so long as the editor does not insert extra control characters when it pastes.)

  8. Next, let's make certain that the files containing your keys are secure. To do so, check that the permissions on id_rsa and authorized_keys are 600 (i.e., only you may read or write those files) by entering:
          ls -al
    If the permissions on id_rsa or authorized_keys are anything besides 600 (i.e., -rw-------), enter:
          chmod 600 id_rsa
    and/or
          chmod 600 authorized_keys
    This will ensure that only you can read from or write to a given file.
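The eight steps above, carried out as one POSIX shell script. This is an added example and not part of the course handout: the function names (perms_of, ensure_mode, setup_local_keys) and the optional directory argument are assumptions. It performs the same actions as the steps (create .ssh, generate id_rsa with an empty passphrase, append id_rsa.pub to authorized_keys, set 700 on the directory and 600 on the key files), but it checks the current permissions with stat before changing anything and only appends the public key when it is not already present, so it is safe to run a second time.

```sh
#!/bin/sh
# Added example (not from the course page): set up SSH key-based authentication
# in a .ssh directory and verify/repair its permissions.
# Usage: sh setup_keys.sh run            (uses $HOME/.ssh)
#        sh setup_keys.sh run /some/dir  (hypothetical: use another directory)

perms_of() {
  # Print the octal mode of a path (GNU stat first, BSD stat as fallback).
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

ensure_mode() {
  # ensure_mode <path> <octal>: chmod only when the current mode differs.
  path=$1; want=$2
  have=$(perms_of "$path") || return 1
  if [ "$have" != "$want" ]; then
    chmod "$want" "$path"
    echo "fixed $path: $have -> $want"
  else
    echo "ok    $path: $have"
  fi
}

setup_local_keys() {
  # Steps 1-8 of the handout, against the directory given (default: ~/.ssh).
  dir=${1:-$HOME/.ssh}

  # Step 1/2: make sure .ssh exists and is 700 (drwx------).
  mkdir -p "$dir"
  ensure_mode "$dir" 700

  # Step 5: generate an RSA key pair with the default name and, as the
  # handout instructs, an empty passphrase (-N ''); skip if one exists.
  if [ ! -f "$dir/id_rsa" ]; then
    ssh-keygen -t rsa -N '' -f "$dir/id_rsa"
  fi

  # Step 7: append the public key to authorized_keys, but only once
  # (grep -x -F matches the whole line as a fixed string).
  touch "$dir/authorized_keys"
  if ! grep -qxF "$(cat "$dir/id_rsa.pub")" "$dir/authorized_keys"; then
    cat "$dir/id_rsa.pub" >> "$dir/authorized_keys"
  fi

  # Step 8: the private key and authorized_keys must be 600 (-rw-------).
  ensure_mode "$dir/id_rsa" 600
  ensure_mode "$dir/authorized_keys" 600
}

case "${1:-}" in
  run) setup_local_keys "${2:-}" ;;
esac
```

Running it prints one "ok" or "fixed" line per path, so you can see at a glance which of the permissions in steps 2 and 8 had to be corrected.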

When you have completed these steps, the first time you ssh to a particular lab machine, you will be prompted to accept and cache its hostkey in your ~/.ssh/known_hosts file. You just have to do this once per machine; after that, ssh will see the host's name in the known_hosts file and let you ssh to it without any interaction.

Accessing the Cluster from the Lab Machines

Because your home directory (containing .ssh) is shared by our CS lab machines, the preceding steps should allow you to ssh from any ulab machine to any other ulab machine without being prompted for a password.

However, to keep Borg secure, accounts on it are separate from CS lab accounts. In particular, your home directory is not shared with the cluster, so Borg cannot read the key in your lab .ssh folder.

To fix this, we just have to get your public key from your authorized_keys file in the lab into your authorized_keys file on the cluster. To do so, you will need your Borg password, which you should have received via email, so take a moment to look up that password.

The easiest way to set up password-free authentication on Borg is to use the ssh-copy-id command. To illustrate, if I were doing this, I would enter:

   ssh-copy-id adams@borg
Borg will then prompt you for your password; when you enter it correctly, the ssh-copy-id command will copy your public key information over to Borg and append it to your authorized_keys file there.

Try the preceding command, substituting your user-name for adams.

When you have completed these steps, test your work by trying to ssh to the cluster, for example:

   ssh yourUserName@borg
(Be sure you replace yourUserName with your user name.)

Note that the first time you do so, you may have to confirm that you want to add the cluster to your lab machine's known_hosts file. But after that, you should be able to connect directly to Borg from any CS lab workstation.

If you have followed the steps correctly, you should now be able to ssh or use scp to transfer files to the cluster from a CS lab machine without entering your password -- congratulations!

Be sure you have this working before proceeding further.

If you experience difficulty getting this to work, please contact Chris Wieringa or Prof. Adams.

Accessing the Cluster From Outside the CS Lab

For security reasons, if you want to SSH directly to Borg from a non-CS-lab machine, you cannot authenticate using your password. Instead, you must use public-key authentication. To do so, you will need to replicate the setup work we have done here:

  1. Generate encryption keys on the machine from which you will be connecting. How you do this will depend on the OS running on that machine. Google is your friend. 8^)
  2. Append your public key to the authorized_keys file on Borg. The easiest way to do this is to transport your key to a CS lab machine, use the lab machine to copy your public key to Borg, and then append the public key to your .ssh/authorized_keys file.
Once you have your keys set up, you will need to use a non-standard port (22122) to SSH to Borg. For example, to connect to Borg from home after completing steps 1 and 2 above, I would enter:
   ssh -p 22122 adams@borg.calvin.edu
and Borg accepts the connection.
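Rather than typing -p 22122 every time, the port and host name can be recorded once in ~/.ssh/config so that "ssh borg" behaves exactly like the command above. The script below is an added example, not part of the course page: the host name borg.calvin.edu and port 22122 come from the page, while the user name, the key path ~/.ssh/id_rsa and the function names (borg_host_entry, install_borg_host_entry) are assumptions. IdentitiesOnly and PasswordAuthentication no tell the client to offer only that key and never fall back to a password prompt, which matches what Borg enforces for outside connections.

```sh
#!/bin/sh
# Added example (not from the course page): add a "Host borg" stanza to
# ~/.ssh/config so "ssh borg" == "ssh -p 22122 <user>@borg.calvin.edu".
# Usage: sh borg_config.sh run <user>

borg_host_entry() {
  # borg_host_entry <user> [identity-file]: print the config stanza.
  user=$1
  key=$2
  [ -n "$key" ] || key='~/.ssh/id_rsa'   # assumed default key path
  printf 'Host borg\n'
  printf '    HostName borg.calvin.edu\n'
  printf '    Port 22122\n'
  printf '    User %s\n' "$user"
  printf '    IdentityFile %s\n' "$key"
  printf '    IdentitiesOnly yes\n'
  printf '    PasswordAuthentication no\n'
}

install_borg_host_entry() {
  # install_borg_host_entry <user> [config-file]: append the stanza once
  # and keep the config file readable only by its owner.
  user=$1
  cfg=${2:-$HOME/.ssh/config}
  mkdir -p "$(dirname "$cfg")"
  if grep -qx 'Host borg' "$cfg" 2>/dev/null; then
    echo "Host borg already present in $cfg"
  else
    borg_host_entry "$user" >> "$cfg"
    echo "added Host borg to $cfg"
  fi
  chmod 600 "$cfg"
}

case "${1:-}" in
  run) install_borg_host_entry "${2:?user name required}" ;;
esac
```

After running it, "ssh borg" and "scp file borg:" both use port 22122 and the configured key, and a wrong or missing key fails immediately instead of falling back to a password prompt that Borg would reject anyway.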
