CS 374: SSH Key-Based Authentication

To be able to ssh to a remote Linux system without entering your password, carefully follow these steps:

  1. In a terminal window, enter:
          ls -al
    to see if you have a .ssh directory in your home directory.
    - If you have no directory named .ssh in your home directory, use ssh to login to a remote system (e.g., another lab machine); then use Ctrl-d to close the connection. This will create the .ssh directory and some related files.
  2. Next, double-check that your .ssh directory is secure. Re-enter:
          ls -al 
    If the permissions on your .ssh directory are anything besides 700 (i.e., drwx------, meaning for this directory, you and only you can read, write, and execute in it), make the .ssh directory secure by entering:
          chmod 700 .ssh 
  3. Next, change your working directory to .ssh by entering:
          cd .ssh 
  4. Then list/view the contents of this directory by re-entering:
          ls -al 
  5. To generate your public and private keys in this directory using RSA encryption, enter the command:
          ssh-keygen -t rsa 
    The ssh-keygen program will prompt you three times:
    1. The first prompt is for the name of the file in which your private key will be stored; just press Enter to accept the default name (id_rsa).
    2. The second and third prompts ask you what password you want. Since we are trying to avoid entering passwords, do not enter any password at these prompts. Instead, just press Enter at both prompts, which will return you to the system prompt.
    In summary, you should just press Enter three times in responding to the ssh-keygen program's prompts.
  6. To see what new files ssh-keygen created, enter:
          ls -al 
    You should see two new files:
  7. Now that we have created our keys, we are ready to enable key-based authentication for ssh. To do so, enter:
         cat id_rsa.pub >> authorized_keys 
    This appends your public key to the authorized_keys file, which tells ssh to authenticate you using your key, instead of making you enter a password.

    (Alternatively, you can just copy your public key and paste it into the authorized_keys file using a text editor, so long as the editor does not insert extra control characters when it pastes.)

  8. Next, let's make certain that the files containing your keys are secure. To do so, check that the permissions on id_rsa and authorized_keys are 600 (i.e., only you may read or write those files) by entering:
          ls -al
    If the permissions on id_rsa or authorized_keys are anything besides 600 (i.e., -rw-------), enter:
          chmod 600 id_rsa
          chmod 600 authorized_keys
    This will ensure that only you can read from or write to a given file.

When you have completed these steps, the first time you ssh to a particular lab machine, you will be prompted to accept and cache its hostkey in your ~/.ssh/known_hosts file. You just have to do this once per machine; after that, ssh will see the host's name in the known_hosts file and let you ssh to it without any interaction.

The Ulab vs the Cluster

Because your home directory (containing .ssh) is shared by our ulab machines, the preceding steps should allow you to ssh from any ulab machine to any other ulab machine without being prompted for a password.

However, your home directory is not shared on our cluster, so it will be unable to read your key from your .ssh folder. To fix this, we just have to get your public key from your authorized_keys file in the ulab into your authorized_keys file on the cluster.

To do this securely, follow the steps in this video created by Chris Wieringa. It shows you how to use an information management system called FreeIPA to securely tranfer your public key to the cluster without you having to login there. For convenience, here is a link to our FreeIPA server.

When you have completed the steps in the video, test it out by trying to ssh to the cluster, for example:

   ssh -p 22122 yourUserName@dahl.calvin.edu
(Be sure you replace yourUserName with your user name.)

Note that the first time you do so, you will have to confirm that you want to add the cluster to your known_hosts file, as was the case in the ulab. Note also that for added security, we are using a non-standard port [22122] for ssh instead of port 22.

If you have followed the steps correctly, you should now be able to ssh and/or transfer files to the cluster from a ulab machine without entering your password -- congratulations!

Be sure you have this working before proceeding further.

If you experience difficulty getting this to work, please contact Chris Wieringa or Prof. Adams.

Calvin > CS > 374 > SSH Key Authentication