Difference between revisions of "Using SSH Keys To Access HPG"

From UFRC
Line 1: Line 1:
 
==Introduction==
 
==Introduction==
After a new account is created on HiPerGator (HPG) you as the account's owner can log in using your GatorLink credentials (gatorlink username and password). However, mis-typing the credentials several times will result in a security system block of the user's IP address. For convenience and speed, especially when copying files between HPG and a remote computer system - whether it's a local computer you are connecting from or an external system - using scp or rsync tools or SFTP applications it may be useful to set up a SSH key pair to use instead of GatorLink credentials.
+
After a new account is created on HiPerGator (HPG) you, as the account's owner, can log in using your credentials (GatorLink username and password for UF users). Mis-typing the credentials several times will result in a security system block of the user's IP address and can be slow. For convenience and speed, it may be useful to set up a SSH key pair to use.
  
SSH key pair means there are two keys - a private key is stored in the ~/.ssh/ directory on the system you are connecting from and acts as the identity file (the key part of the lock/key mechanism). Use a good passphrase to protect the private key in case it's accessed by someone else and use an SSH agent to store it, so you only have to type the passphrase in once when starting the computer or the terminal application. A public key gets copied to every system you want to connect to and can be described as a specification for the 'lock' part of the lock/key ssh mechanism to allow the receiving computer connections to your account from a system that uses the private key part of the pair as its identify file.
+
SSH key pair means there are two keys:
 +
# A private key is stored in the <code>~/.ssh/</code> directory on the computer you are connecting from
 +
## The private key acts as the identity file (the key part of the lock/key mechanism).  
 +
## Use a good passphrase to protect the private key in case it is accessed by someone else
 +
## Use an SSH agent to store it, so you only have to type the passphrase in once when starting the computer or the terminal application.  
 +
# A public key gets copied to every system you want to connect to and can be described as a specification for the 'lock' part of the lock/key ssh mechanism to allow the receiving computer connections to your account from a system that uses the private key part of the pair as its identify file.
  
 
The private key is not used automatically, although most systems are configured to use ~/.ssh/id_rsa by default. See how to configure your ssh setup to use the correct private key as the IdentityFile below.
 
The private key is not used automatically, although most systems are configured to use ~/.ssh/id_rsa by default. See how to configure your ssh setup to use the correct private key as the IdentityFile below.
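Review bot: the added public-key list item still ends with "identify file"; it should read "identity file", matching the private-key item above it. In the rewritten first paragraph, "and can be slow" now attaches to mis-typing the credentials rather than to password login itself, so it would read better as its own sentence.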
Line 8: Line 13:
 
=SSH Configuration=
 
=SSH Configuration=
 
==Linux and MacOS==
 
==Linux and MacOS==
A convenient configuration for your ssh '''client'''
+
A convenient configuration for your ssh '''client''' on your local computer. The <code>ControlPath</code> and following lines setup persistent connections so that you do not need to redo the MFA verification with every connection. Replace you username in the <code>User</code> line.
 
<pre>
 
<pre>
 
Host hpg
 
Host hpg
 
     User albertgator
 
     User albertgator
 
     HostName hpg.rc.ufl.edu
 
     HostName hpg.rc.ufl.edu
 +
    Port 2222
 
     ControlPath ~/.ssh/cm-%r@%l-%h:%p
 
     ControlPath ~/.ssh/cm-%r@%l-%h:%p
 
     ControlMaster auto
 
     ControlMaster auto
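Review bot: the added sentence on the ssh client line has "Replace you username", which should be "Replace your username", and "setup" used as a verb should be "set up". Because that sentence tells readers the ControlPath socket lets later connections skip MFA, it should also say that the socket file under ~/.ssh must be accessible only to the account owner, since any process that can open it reuses the authenticated session. The new "Port 2222" line is also indented one space less than the lines around it.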

Revision as of 16:43, 25 August 2022

Introduction

After a new account is created on HiPerGator (HPG) you, as the account's owner, can log in using your credentials (GatorLink username and password for UF users). Logging in this way can be slow, and mis-typing the credentials several times will result in a security system block of the user's IP address. For convenience and speed, it may be useful to set up an SSH key pair to use instead.

SSH key pair means there are two keys:

  1. A private key is stored in the ~/.ssh/ directory on the computer you are connecting from
    1. The private key acts as the identity file (the key part of the lock/key mechanism).
    2. Use a good passphrase to protect the private key in case it is accessed by someone else
    3. Use an SSH agent to store it, so you only have to type the passphrase in once when starting the computer or the terminal application.
  2. A public key gets copied to every system you want to connect to. It can be described as a specification for the 'lock' part of the lock/key ssh mechanism: it lets the receiving computer accept connections to your account from a system that uses the private key part of the pair as its identity file.

The private key is not used automatically, although most systems are configured to use ~/.ssh/id_rsa by default. See how to configure your ssh setup to use the correct private key as the IdentityFile below.

SSH Configuration

Linux and MacOS

The following is a convenient configuration for the ssh client on your local computer. The ControlPath and following lines set up persistent connections so that you do not need to redo the MFA verification with every connection. Replace albertgator in the User line with your username.

Host hpg
    User albertgator
    HostName hpg.rc.ufl.edu
    Port 2222
    ControlPath ~/.ssh/cm-%r@%l-%h:%p
    ControlMaster auto
    ControlPersist 8h

In all commands below you can now use 'hpg' instead of USER@hpg.rc.ufl.edu.

Create SSH Keys

Linux

For a modern ED25519 key

  • Generate a key
ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/id_ed25519 -C "Comment to make the key recognizable among many"
  • Add the following configuration at the top of the ~/.ssh/config file
Host *
  AddKeysToAgent yes
  IdentityFile ~/.ssh/id_ed25519
  • Configure your account on HiPerGator to accept the key instead of the username/password. Substitute your real username for 'USER':
ssh-copy-id -i ~/.ssh/id_ed25519.pub USER@hpg.rc.ufl.edu

For an RSA key

  • Generate a key and add it to the SSH agent
ssh-keygen -o -t rsa -b 4096 -f ~/.ssh/id_rsa
ssh-add ~/.ssh/id_rsa
  • Edit ~/.ssh/config and add

Host *
  AddKeysToAgent yes
  IdentityFile ~/.ssh/id_rsa
  • Configure your account on HiPerGator to accept the key instead of the username/password. Substitute your real username for 'USER':
ssh-copy-id -i ~/.ssh/id_rsa.pub USER@hpg.rc.ufl.edu

The default key type for ssh keys is RSA. However, for better security, RSA keys shorter than 4096 bits should not be used.
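To check existing keys against the 4096-bit RSA minimum stated above, the following added example (not part of the original page) parses public key lines in the .pub / authorized_keys format and reports each key's type and size. The sample keys are constructed placeholders, and `audit_public_key` and `sample_line` are names chosen for this example.

```python
import base64
import struct

MIN_RSA_BITS = 4096  # minimum RSA size recommended on this page

def _read_field(blob, off):
    """Read one length-prefixed field (RFC 4251 string / mpint)."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[off:off + 4])
    end = off + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:end], end

def audit_public_key(line):
    """Return (key_type, bits, ok) for one .pub or authorized_keys line."""
    fields = line.split()
    # An options field may precede the key type, so search for the type token.
    idx = next((i for i, f in enumerate(fields[:-1])
                if f in ("ssh-rsa", "ssh-ed25519")), None)
    if idx is None:
        raise ValueError("unsupported or malformed key line")
    blob = base64.b64decode(fields[idx + 1], validate=True)
    inner_type, off = _read_field(blob, 0)
    if inner_type != fields[idx].encode():
        raise ValueError("key type label does not match key blob")
    if fields[idx] == "ssh-ed25519":
        key, _ = _read_field(blob, off)
        return "ssh-ed25519", 256, len(key) == 32
    _e, off = _read_field(blob, off)   # public exponent
    n, _ = _read_field(blob, off)      # modulus
    bits = int.from_bytes(n, "big").bit_length()
    return "ssh-rsa", bits, bits >= MIN_RSA_BITS

def _field(data):
    return struct.pack(">I", len(data)) + data

def sample_line(key_type, bits=0):
    """Constructed input: well-formed blobs that are NOT usable keys."""
    if key_type == "ssh-ed25519":
        blob = _field(b"ssh-ed25519") + _field(bytes(32))
    else:
        n = (1 << (bits - 1)) | 1  # placeholder modulus of the requested size
        blob = _field(b"ssh-rsa") + _field(b"\x01\x00\x01") + _field(
            n.to_bytes(bits // 8 + 1, "big"))  # leading zero keeps mpint positive
    return f"{key_type} {base64.b64encode(blob).decode()} constructed-sample"

if __name__ == "__main__":
    for args in (("ssh-rsa", 2048), ("ssh-rsa", 4096), ("ssh-ed25519",)):
        print(audit_public_key(sample_line(*args)))
```

Option fields that contain quoted spaces are not handled; strip them before passing a line in.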

MacOS

The procedure is mostly the same as on Linux when using either the built-in MacOS terminal application or iTerm2.

For a modern ED25519 key

  • Generate a key
ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/id_ed25519 -C "Comment to make the key recognizable among many"
  • Add the following configuration to ~/.ssh/config file
Host *
  AddKeysToAgent yes
  UseKeychain yes
  IdentityFile ~/.ssh/id_ed25519

For an RSA key

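  • Generate a key and add it to the SSH agent (-K stores the passphrase in the macOS keychain; newer macOS releases name this option --apple-use-keychain)
ssh-keygen -o -t rsa -b 4096 -f ~/.ssh/id_rsa
ssh-add -K ~/.ssh/id_rsa
  • Edit ~/.ssh/config and add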

Host *
  AddKeysToAgent yes
  UseKeychain yes
  IdentityFile ~/.ssh/id_rsa
  • Configure your account on HiPerGator to accept the key instead of the username/password. Substitute your real username for 'USER':
ssh-copy-id -i ~/.ssh/id_rsa.pub USER@hpg.rc.ufl.edu


Windows

See the following document that describes how to Create SSH keys on Windows.