Setting up RSA use for passwordless use of the cluster


Further details about what RSA is, and how it works, can be found on the RSA Wiki page.

Setup


Creating an SSH key pair is easy using the ssh-keygen utility. It has quite a lot of options, but by default it will create keys suitable for most users (a 2048 bit RSA key pair for use with ssh protocol 2 connections). Note, however, that you must create a keypair with no passphrase; if you specify a passphrase, it defeats the whole object of the private/public keypair scheme, as you'll then be prompted for the passphrase instead of the password! So in the example ssh-keygen session shown below, simply hit the return key both times you are prompted for a passphrase and it will create a keypair that does not use or require a passphrase:

andy@riemann:$ ssh-keygen

Generating public/private rsa key pair.

Enter file in which to save the key ( /cs/research/bioinf/home1/green/tetchner/.ssh/id_rsa ):

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in /cs/research/bioinf/home1/green/tetchner/.ssh/id_rsa

Your public key has been saved in /cs/research/bioinf/home1/green/tetchner/.ssh/id_rsa.pub

The key fingerprint is:

This will create two keys in your .ssh folder:

tetchner@radixin% ls -l

-rw------- 1 tetchner postgrad 1675 Mar 27 17:02 id_rsa

-rw-r----- 1 tetchner postgrad 411 Mar 27 17:02 id_rsa.pub

The id_rsa key is your private key, which you should look after and never give to anyone else. Note that its permissions are such that only you can read it or change it; if you relax these permissions in any way, the key becomes insecure. Most ssh clients will warn you, or even prevent you from using the key, until the permissions have been set correctly. Your public key, on the other hand, is id_rsa.pub, which can be read by anyone. This is intentional, as otherwise the remote system would not be able to use your public key.

The private key, id_rsa, needs to be in your .ssh folder on the computer you are making the ssh connection from, while the id_rsa.pub public key must be in your .ssh folder on the computer you want to connect to. If you are connecting to a remote system where your home directory is not the same as your current home directory (e.g. morecambe), or to an external system, then you will have to copy your public key to your .ssh folder on the remote system first.

Once you have created your key pair, copy your id_rsa.pub public key to a file called authorized_keys or, alternatively, if this will be the only ssh key pair you will ever use on these systems, you can simply create a soft symbolic link (symlink) to it, as in the session shown further below.

e.g. on morecambe, you need to add the public key for your machine (e.g. radixin) to the 'authorized_keys' file on morecambe, on a separate line.

e.g. ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAArp ... (cut) cGubuWXDrW8nETGcTCPjZfRpb0mAdmSrGmLUPC5McSmzpAfPQ== tetchner@radixin.cs.ucl.ac.uk

Likewise, add the public RSA key obtained from morecambe (/home/<user>/.ssh/id_rsa.pub) to the local 'authorized_keys' file on your machine (/cs/research/bioinf/home1/green/<user>/.ssh/authorized_keys).

andy@riemann:$ cd .ssh

andy@riemann:~/.ssh $ ln -s id_rsa.pub authorized_keys

You can have multiple public keys in your 'authorized_keys' file by specifying each on a separate line.
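As an added example (not part of the original page), the following shell functions append a public key to authorized_keys only once, with restrictive permissions, and check that a private key is accessible only by its owner. The function names and the key lines in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and key lines are constructed, not from the page.

# True only if group and other have no access, as in the -rw------- id_rsa listing.
private_key_is_private() {
    [ -f "$1" ] || return 2
    perms=$(ls -ld "$1" | cut -c5-10)      # group and other bits
    [ "$perms" = "------" ]
}

# Append one public key to <ssh_dir>/authorized_keys without duplicating it.
install_pubkey() {
    pub=$1; dir=$2; auth=$dir/authorized_keys
    [ -s "$pub" ] || { echo "no public key at $pub" >&2; return 1; }
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub looks like a private key, refusing" >&2; return 1
    fi
    if [ -L "$auth" ]; then
        # With the symlink shortcut, appending would rewrite id_rsa.pub itself.
        echo "$auth is a symlink, replace it with a regular file" >&2; return 1
    fi
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$auth" && chmod 600 "$auth"
    # Keep one key per line even if the file lacks a final newline.
    if [ -n "$(tail -c 1 "$auth")" ]; then echo >> "$auth"; fi
    key=$(head -n 1 "$pub")
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
}

# Constructed demo in a throwaway directory; prints the number of installed keys.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'ssh-rsa AAAAconstructedKEY1 user@radixin' > "$d/a.pub"
    printf '%s\n' 'ssh-rsa AAAAconstructedKEY2 user@morecambe' > "$d/b.pub"
    for f in a b a; do                      # "a" twice: must not duplicate
        install_pubkey "$d/$f.pub" "$d/.ssh" || return 1
    done
    wc -l < "$d/.ssh/authorized_keys"
    rm -rf "$d"
}
```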

Now make an ssh connection to the remote system where your id_rsa.pub key is already installed. If you have not connected to that system before, you'll be prompted as usual to confirm that you want to connect, as your ~/.ssh/known_hosts file will not yet have a public host key for that host. Once you have answered 'yes' to confirm the connection, you will be logged in without being asked for your password, and the next time you connect to that system you will not even be asked if you want to connect. Magic!


Source article:

From Imperial.ac.uk

This page (revision-1) was last changed on 04-Apr-2013 11:25 by UnknownAuthor