ssh

SSH with Key Pairs and Passphrase

Logging in using SSH key pairs allows you to move seamlessly between XSEDE resources after an initial login from the location where you generated the keys (e.g. your laptop). (This ability is also offered with SSO through the XSEDE User Portal.) To use SSH key pairs, you must generate an SSH key pair on the machine from which you will be logging on to the XSEDE site.

  • The PRIVATE key of that pair (~/.ssh/id_rsa) will remain in a secure location on your machine of origin.
  • The PUBLIC key of the pair (~/.ssh/id_rsa.pub) must be moved to the proper location(s) on XSEDE machines.

Once your key has been installed, you can access that system via any SSH2 client.

How to Generate and Distribute Key Pairs

  1. On a Linux machine (or Mac)*, run ssh-keygen from the command line. If asked to supply -t (type), use ssh-keygen -t rsa. Use the default file name (~/.ssh/id_rsa).
  2. Enter a passphrase when prompted; do not skip it. Follow the guidelines for picking a good password in general. SSH passphrases can be any length, so the longer, the better. Remember this passphrase.
  3. Add your key to the SSH agent's memory using ssh-add, and enter your passphrase when prompted.
  4. Confirm that the permissions are set correctly: read, write and execute (rwx) for the owner only on the directory, and read and write (rw) for the owner only on the files.

    drwx------ 2 username mygroup 1024 ... .ssh/
    -rw------- 1 username mygroup 391 ... id_rsa
    -rw------- 1 username mygroup 391 ... id_rsa.pub
    -rw------- 1 username mygroup 906 ... known_hosts


    * For a Windows machine, consult your SSH client documentation for generation of key pairs.
  5. Add your public key to the XSEDE resource; for fastest access, use XSEDE SSO.
    • Log in to the XSEDE User Portal using your XSEDE-wide password.
    • Go to the My XSEDE tab >> Accounts.
    • Click on the machine where you wish to place your public key; a terminal window will open (requires Java).
    • In your home directory, create a .ssh directory.
    • Copy your PUBLIC key to this directory.
    • Set permissions on the directory:

      drwx------ 2 username mygroup 1024 ... .ssh/
      -rw------- 1 username mygroup 391 ... id_rsa.pub

    For NCSA systems, the PUBLIC key file should be named authorized_keys.
  6. Log in to XSEDE from your SSH client:
    <username>@tg-login.<sitename>.xsede.org
    SSH will prompt you for the passphrase that you used to create the key pair.
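
The script below is an added example, not part of the original XSEDE page: it audits a local .ssh directory against the permissions listed in step 4 and reports a private key that was created without the passphrase step 2 asks for. The function names are hypothetical, and the passphrase check assumes OpenSSH's ssh-keygen is installed (it is skipped otherwise).

```sh
#!/bin/sh
# Added example (not from the original page): audit an SSH directory against
# step 4 (700 on the directory, 600 on files) and flag a passphrase-less key.

# Octal permission bits of a path: GNU stat first, then BSD/macOS stat.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeeds if KEY loads with an empty passphrase, i.e. it is unprotected.
# ssh-keygen refuses keys with loose permissions, so those are checked first.
key_is_unprotected() {
    command -v ssh-keygen >/dev/null 2>&1 || return 1
    ssh-keygen -y -P '' -f "$1" </dev/null >/dev/null 2>&1
}

# audit_ssh_dir DIR [KEYNAME]: print one line per finding; return 0 if clean.
audit_ssh_dir() {
    dir=$1
    key=${2:-id_rsa}
    findings=0
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 2; }
    m=$(mode_of "$dir")
    if [ "$m" != 700 ]; then
        echo "$dir: mode $m, expected 700"
        findings=$((findings + 1))
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        m=$(mode_of "$f")
        case $m in
            *00|0) ;;   # nothing granted to group or other
            *) echo "$f: mode $m, expected 600"
               findings=$((findings + 1)) ;;
        esac
    done
    if [ "$findings" -eq 0 ] && key_is_unprotected "$dir/$key"; then
        echo "$dir/$key: no passphrase set"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Example: audit_ssh_dir "$HOME/.ssh"
```

A finding on a file or the directory is fixed with chmod 600 or chmod 700 respectively; a key reported as having no passphrase can be given one with ssh-keygen -p -f on that key file.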

Why use a passphrase if the private key is safe?

If you could guarantee that your private key were safe, it would probably be acceptable to skip a passphrase. However, laptops and single-user workstations can be broken into. A passphrase adds one more level of protection. This is analogous to an ATM card. You need the card and the PIN to withdraw money. If your wallet were stolen and the card had no PIN, the thief could use it to withdraw cash from your account. Just as a PIN prevents your card from being used by an unauthorized person, giving your SSH keypair a passphrase prevents your key from being used if the private key is stolen.

- from CalTech SSH Key FAQ

There are exceptions, where no passphrase is used. See SSH with Key Pairs without a Passphrase.