# SSH

## Overview

Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network.[1]

SSH allows you to connect to remote computers and servers, for example when running jobs on either Glamdring or the Fulton Supercomputing Lab. It provides a text-based interface by spawning a remote shell. After connecting, all commands you type in your local terminal are sent to the remote server and executed there.

For more information on how SSH works and authenticates users, see this guide from Digital Ocean: SSH Essentials: Working with SSH Servers, Clients, and Keys. Much of the information below is sourced from that guide.
## Generating SSH Keys

Generating a new SSH public and private key pair on your local computer is the first step towards authenticating with a remote server without a password. Unless there is a good reason not to, you should always authenticate using SSH keys.

A number of cryptographic algorithms can be used to generate SSH keys, including RSA, DSA, and ECDSA. RSA keys are generally preferred and are the default key type.

To generate an RSA key pair on your local computer, type:

```sh
ssh-keygen -t rsa -b 4096 -C "username@example.com"
```

This creates a new SSH key, using the provided email address as a label (comment). The `-t` flag specifies the cryptographic algorithm to be used and the `-b` flag specifies how large, in bits, the key should be. The larger the key, the harder it is to break by brute force. This command will then produce the following prompt:
```
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
```

This prompt lets you choose where to store your RSA private key. Press ENTER to accept the default, which stores the key pair in the `.ssh` hidden directory in your home directory. Leaving the default location selected allows your SSH client to find the keys automatically.

```
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
```

The next prompt allows you to enter a passphrase of arbitrary length to secure your private key. By default, you will have to enter any passphrase you set here every time you use the private key, as an additional security measure. You may press ENTER to leave this blank if you do not want a passphrase. Keep in mind, though, that this will allow anyone who gains control of your private key to log in to your servers. Generally, you should encrypt the private key if you are on a shared computer.

If you choose to enter a passphrase, nothing will be displayed as you type. This is a security precaution.
```
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.
The key fingerprint is:
8c:e9:7c:fa:bf:c4:e5:9c:c9:b8:60:1f:fe:1c:d3:8a root@here
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|                 |
|       +         |
|      o S .      |
|     o . * +     |
|    o + = O .    |
|     + = = +     |
|      ....Eo+    |
+-----------------+
```
This procedure has generated an RSA SSH key pair, located in the `.ssh` hidden directory within your user's home directory (`~/.ssh`). These files are:

- `~/.ssh/id_rsa`: The private key. DO NOT SHARE THIS FILE!
- `~/.ssh/id_rsa.pub`: The associated public key. This can be shared freely without consequence.

Danger

Never send your private key to anyone unless you know what you're doing. Anyone who has access to your private key can authenticate with it. Consider also encrypting it with a passphrase, as described in the instructions above, if you are using a shared computer.
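As an added example that is not part of the original page, the following script checks the keys in a `.ssh` directory for the two problems the note above describes: private keys stored without a passphrase, and private keys readable by other users. It assumes only `ssh-keygen` from OpenSSH; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original page: audit the private keys in a
# .ssh directory and report those that are NOT protected by a passphrase
# (the case the Danger note above warns about) or that other users can read.
# Needs only ssh-keygen from OpenSSH.

# key_is_encrypted FILE
#   exit 0: private key that needs a passphrase
#   exit 1: private key that loads with an empty passphrase (unencrypted)
#   exit 2: not a readable OpenSSH/PEM private key
key_is_encrypted() {
    [ -r "$1" ] && grep -q 'PRIVATE KEY-----' "$1" || return 2
    # -y prints the public half; with an empty passphrase (-P '') it succeeds
    # only for an unencrypted key and fails with "incorrect passphrase" otherwise.
    if ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1 </dev/null; then
        return 1
    fi
    return 0
}

# audit_ssh_dir DIR
#   prints one line per private key: "<status><TAB><file>"
#   returns 0 when every key is encrypted and private, 1 otherwise
audit_ssh_dir() {
    dir=$1
    bad=0
    for f in "$dir"/*; do
        case "$f" in *.pub|*/known_hosts*|*/authorized_keys|*/config) continue ;; esac
        [ -f "$f" ] || continue
        key_is_encrypted "$f" && rc=0 || rc=$?
        case $rc in
            0) status="encrypted" ;;
            1) status="UNENCRYPTED"; bad=1 ;;
            *) continue ;;   # not a private key (notes, sockets, ...)
        esac
        # Group/other permission bits set: ssh itself refuses such a key
        # ("UNPROTECTED PRIVATE KEY FILE"), but report it here as well.
        case "$(ls -l "$f" | cut -c5-10)" in
            ------) ;;
            *) status="$status,READABLE-BY-OTHERS"; bad=1 ;;
        esac
        printf '%s\t%s\n' "$status" "$f"
    done
    return $bad
}

# Run against your own keys with: audit_ssh_dir "$HOME/.ssh"
```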
## Adding your SSH Keys to an SSH Agent to Avoid Typing the Passphrase

If you have a passphrase on your private SSH key, you will be prompted to enter the passphrase every time you use it to connect to a remote host.

To avoid having to do this repeatedly, you can run an SSH agent. This small utility stores your private key after you have entered the passphrase for the first time. The key remains available for the duration of your terminal session, allowing you to connect without re-entering the passphrase.

To start the SSH agent, type the following into your local terminal session:

```sh
eval $(ssh-agent)
```

```
Agent pid 10891
```

This starts the agent program and places it in the background. Now you need to add your private key to the agent so that it can manage your key:

```sh
ssh-add ~/.ssh/id_rsa
```

```
Enter passphrase for /home/username/.ssh/id_rsa:
Identity added: /home/username/.ssh/id_rsa (/home/username/.ssh/id_rsa)
```
Info

If you have an Apple computer, run `ssh-add -K ~/.ssh/id_rsa` instead. The `-K` option is part of Apple's standard version of `ssh-add`, which stores the passphrase in your keychain for you when you add an SSH key to the ssh-agent.

If you don't have Apple's standard version installed, you may receive an error. For more information on resolving this error, see "Error: ssh-add: illegal option -- K."

You will have to enter your passphrase (if one is set). Afterwards, your identity file is added to the agent, allowing you to use your key to sign in without having to re-enter the passphrase.
## Removing or Changing the Passphrase on a Private Key

If you have set a passphrase on your private key and wish to change or remove it, you can do so easily.

Info

To change or remove the passphrase, you must know the original passphrase. If you have lost the passphrase to the key, there is no recourse and you will have to generate a new key pair.

To change or remove the passphrase, simply type:

```sh
ssh-keygen -p
```

```
Enter file in which the key is (/home/username/.ssh/id_rsa):
```

You can type the location of the key you wish to modify or press ENTER to accept the default value:

```
Enter old passphrase:
```

Enter the old passphrase that you wish to change. You will then be prompted for a new passphrase:

```
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
```

Here, enter your new passphrase or press ENTER to remove the passphrase.
## Copying your Public SSH Key to a Server

There are a few different tools for doing this with password authentication, but we'll just cover the manual method here.

On your local machine, you can find the contents of your public key file by typing:

```sh
cat ~/.ssh/id_rsa.pub
```

```
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqql6MzstZYh1TmWWv11q5O3pISj2ZFl9HgH1JLknLLx44+tXfJ7mIrKNxOOwxIxvcBF8PXSYvobFYEZjGIVCEAjrUzLiIxbyCoxVyle7Q+bqgZ8SeeM8wzytsY+dVGcBxF6N4JS+zVk5eMcV385gG3Y6ON3EG112n6d+SMXY0OEBIcO6x+PnUSGHrSgpBgX7Ks1r7xqFa7heJLLt2wWwkARptX7udSq05paBhcpB0pHtA1Rfz3K2B+ZVIpSDfki9UVKzT8JUmwW6NNzSgxUfQHGwnW7kj4jp4AT0VZk3ADw497M2G/12N0PPB5CnhHf7ovgy6nL1ikrygTKRFmNZISvAcywB9GVqNAVE+ZHDSCuURNsAInVzgYo9xgJDW8wUw2o8U77+xiFxgI5QSZX3Iq7YLMgeksaO4rBJEa54k8m5wEiEE1nUhLuJ0X/vh2xPff6SQ1BL/zkOhvJCACK6Vb15mDOeCSq54Cr7kvS46itMosi/uS66+PujOO+xt/2FWYepz6ZlN70bRly57Q06J+ZJoc9FfBCbCyYH7U/ASsmY095ywPsBo1XQ9PqhnN1/YOorJ068foQDNVpm146mUpILVxmq41Cj55YKHEazXGsdBIbXWhcrRf4G2fJLRcGUr9q8/lERo9oxRm5JFX6TCmj6kmiFqv+Ow9gI0x8GvaQ== demo@test
```

You can copy this value and manually paste it into the appropriate location on the remote server. You will have to log into the remote server through other means (like the DigitalOcean web console) or send the public key to the system administrator.

On the remote server, create the `~/.ssh` directory if it does not already exist:

```sh
mkdir -p ~/.ssh
```

Afterwards, you can create or append to the `~/.ssh/authorized_keys` file by typing the following, where `public_key_string` is the full line printed by `cat ~/.ssh/id_rsa.pub`:

```sh
echo "public_key_string" >> ~/.ssh/authorized_keys
```

You should now be able to log into the remote server without a password.
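The bare `echo >>` step above does not set file permissions and appends the same key again on every run; as an added example that is not part of the original page, the script below installs a public key the way `sshd` expects it. It assumes a POSIX shell with `awk`; the function name and the constructed demonstration key are the example's own, not real key material.

```shell
#!/bin/sh
# Added example, not from the original page: install a public key into
# ~/.ssh/authorized_keys the way sshd expects, instead of a bare "echo >>".
#  - checks that the line looks like an OpenSSH public key (type + base64 blob)
#  - creates ~/.ssh with mode 700 and authorized_keys with mode 600; with the
#    default StrictModes, sshd ignores authorized_keys when it or ~/.ssh is
#    writable by other users
#  - refuses to add a key that is already present, so repeated runs stay
#    idempotent and the file remains easy to audit
# Usage: install_authorized_key "<public key line>" [home_dir]
# Exit status: 0 added, 2 already present, 1 malformed input or I/O failure.
install_authorized_key() {
    key_line=$1
    home_dir=${2:-$HOME}
    key_type=$(printf '%s\n' "$key_line" | awk 'NR==1 {print $1}')
    key_blob=$(printf '%s\n' "$key_line" | awk 'NR==1 {print $2}')
    case "$key_type" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "rejected: unknown key type '$key_type'" >&2; return 1 ;;
    esac
    case "$key_blob" in
        ''|*[!A-Za-z0-9+/=]*) echo "rejected: key material is not base64" >&2; return 1 ;;
    esac
    ssh_dir=$home_dir/.ssh
    auth_file=$ssh_dir/authorized_keys
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1
    # Compare type and key material only, so a different trailing comment is
    # still recognised as the same key. (Lines that start with options such as
    # command="..." are not matched by this simple check.)
    if awk -v t="$key_type" -v b="$key_blob" '$1==t && $2==b {f=1} END {exit !f}' "$auth_file"; then
        echo "unchanged: key already present in $auth_file" >&2
        return 2
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
}

# Constructed demonstration key (not real key material); run against a
# throwaway HOME so the example never touches your actual authorized_keys.
demo_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyMaterial00000000000 demo@example'
demo_home=$(mktemp -d)
install_authorized_key "$demo_key" "$demo_home" && echo "added"
install_authorized_key "$demo_key" "$demo_home" || echo "second run exit status: $?"
ls -la "$demo_home/.ssh"
```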
## Connecting to a Remote Server

To connect to a remote server and open a shell session there, you can use the `ssh` command.

The simplest form assumes that your username on your local machine is the same as that on the remote server. If this is true, you can connect using:

```sh
ssh remote_host
```

If your username is different on the remote server, you need to pass the remote user's name like this:

```sh
ssh username@remote_host
```

The first time you connect to a new host, you will see a message that looks like this:

```
The authenticity of host '111.111.11.111 (111.111.11.111)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
```

Type `yes` to accept the authenticity of the remote host. Compare the fingerprint shown with one obtained from the server's administrator before answering, since accepting it records the host key for future connections.

If you are using password authentication, you will be prompted for the password for the remote account here. If you are using SSH keys, you will be prompted for your private key's passphrase if one is set; otherwise you will be logged in automatically.