Inhalt |
---|
This page aims to provide you with a step-by-step guide on how to use public key authentication for external login to connect to the HLRNthe NHR@ZIB system "Lise".
Summary
- Create an SSH keypair key pair with a passphrase that is not used anywhere else.
- Upload the your public key on our Service Portal NHR@ZIB.
- Specify your new private key when connecting to our frontends login nodes (either via via
ssh -i <yourkey><your_private_key_file>
or in your ssh configlocal SSH configuration).
Step-by-step guide
An SSH key pair consists of a public key and a private key. The public key is used to encrypt messages. Such messages can only be decrypted using the corresponding private key. For this reason the private key must be stored safely on the local machine - protected by a passphrase, and not accessible by other users.
SSH Key Generation
Generating your key pair differs depending on the SSH implementation available on your local machine. The default for with Linux and MacOS is OpenSSH. This is also available (without extra installation) in more recent versions of Windows.
...
Kein Format |
---|
$ ssh-keygen -t rsa -b 4096 -f $HOME/.ssh/id_rsa_hlrnnhr Generating public/private rsa key pair. Enter file in which to save the key (/home/user/.ssh/id_rsa_hlrnnhr): Enter passphrase (empty for no passphrase): ************************ Enter same passphrase again: ************************ Your identification has been saved in /home/user/.ssh/id_rsa_hlrnnhr. Your public key has been saved in /home/user/.ssh/id_rsa_hlrnnhr.pub. The key fingerprint is: b8:df:d1:14:48:03:00:68:5e:46:9c:1a:b2:b2:d4:f4 user@host The key's random art image is: +--[ RSA 4096]----+ | +oo....o | |. +.= . o | | =o=. . . | |o.o. E . . | |o. . S . | |. . o | | . . . | | . . . | | . . | +-----------------+ |
In this example, the private key is saved in the file /home/user/.ssh/id_rsa_hlrnnhr
, the corresponding public key in the file /home/user/.ssh/id_rsa_hlrnnhr.pub
. If you run this command, user
will be replaced by your local username.
...
Kein Format |
---|
ssh-keygen -yf $HOME/.ssh/id_rsa_hlrnnhr Enter passphrase: |
If you are not asked for a passphrase, please use ssh-keygen =pf $HOME/.ssh/id_rsa_hlrnnhr
to create a passphrase. Once you are certain that you have set a passphrase to protect the key, you can safely continue with uploading the public key as described below.
We recommend to use choose a good distinct comment (ssh-keygen -C "<comment>" -f <...>
) to conveniently identify your key later on.
Current login node ssh host keys
When connecting for the first time, ssh will show you a key fingerprint of our login nodes, and ask for confirmation.
The current ssh host keys for
- blogin[1-6].hlrn.de
are
Codeblock |
---|
SHA256:mrwKbHEz3pJCmvU7ZEXoIKxVRz0E9/4GDp3k41x4Q8g (RSA)
SHA256:53WD36v+IjHObgS3DbjIi+zShcQ/MCAIqJNgJOlfR08 (ED25519)
SHA256:pNGlm//LyjJZi6tX0mz5SPSs4IBkuyJI/iWI10JbhgE (ECDSA)
|
- bgnlogin[1-2].nhr.zib.de
- bgilogin[1-2].nhr.zib.de
are
Codeblock |
---|
SHA256:rusM3G/8eG7ZFLNJtvymL/wNHFGgkOFTMYCBk3yLiL8 (ECDSA)
SHA256:8/hSIv0HfMDEy1gUQjVmb0cUMDztgacNfXSBUzcgCFM (ED25519)
SHA256:WulefLWFPRPPobUI6/+4bJpttV9SlQhZ0prEo8ELp1k (RSA)
|
PuTTY
Under Windows, SSH key pairs can be generated with the tool PuTTYgen which is part of the PuTTY installation package and also available separately.
- Select: Type of key to generate: SSH-2 RSA
- Fill in: Number of bits in a generated key: 4096
- Press: Generate
- Fill in: your key passphrase
- Fill in: confirm your passphrasePress
- : Save private keycopy the shown public key to a new textfile for upload to NHR
(don't use "Save public key" for upload to NHR, wrong formatting here) - Press: Save public private key
- Please remember the path name where you saved your SSH key files!
Info |
---|
PuTTY |
...
changed its default key file format |
...
in version 0.75 from PPK2 to PPK3. This is not an issue as long as you use a PuTTY version, or software using PuTTY in its core, greater 0.75 |
SSH Public Key Upload
Before you can log in to one of the HLRN NHR@ZIB login nodes, make sure you first have to upload uploaded your SSH public key (not the private one) at the HLRN Service Portal NHR@ZIB. There Here you can also perform other administrative tasks like displaying or removing (public) keysview or remove public keys uploaded earlier (if any).
At the HLRN Service the Portal NHR@ZIB, choose the item "Manage keys" / "Verwalten Ihrer Keys". For the key management you will have to log in using your HLRN account with your user name and your portal password.
...
- Press the button "Request upload of a new key" / "Upload eines neuen Schlüssels anfordern". After pressing the upload request button, you will need to confirm that you will adhere to the HLRN our key usage policy. The most important points here are: to always use a passphrase to protect the key and to never give access to your private key to others. Please read carefully and make sure you understand the implications of this agreement.
- In the next step, an e-mail is sent to your registered mail address containing a one-time URL. Use this URL (click it or copy it into the address field of your browser) to go to the page containing the actual upload button.
You can upload up to seven SSH public keys to at the HLRN service portal.
Hinweis |
---|
The Your SSH public keys are stored centrally in the HLRN our LDAP service data base. Do Please do not add SSH keys discussed here to your |
Erweitern | ||
---|---|---|
| ||
Directory At least with Safari you can press Also, you can press Or, another workaround: copy your public key file to a path not containing any hidden files/directories. |
External Login using SSH Keys
...
For external connections to the NHR@ZIB login nodes the private key of the SSH key pair is needed. Recall the name and the location (see above) of the file containing the private key.
OpenSSH
With the -i
option to the ssh
command you can specify the full path of your private SSH key file when you log in to one of the HLRN NHR@ZIB login nodes. You will be asked for the passphrase of your private key.
Example for a login to blogin (Berlin):
Kein Format |
---|
$ ssh -i $HOME/.ssh/id_rsa_hlrnnhr -l your_username blogin.hlrn.de Enter passphrase for key '/<home_directory>/.ssh/id_rsa_hlrnnhr': [...] |
Use Alternatively, use the SSH configuration file $HOME/.ssh/config
on your local machine to permanently store options for specific SSH connections , so that they can be omitted on the command line.
For example, by adding add the following lines to your local $HOME/.ssh/config
:
Kein Format |
---|
Host blogin Hostname blogin.hlrn.de IdentityFile ~/.ssh/id_rsa_hlrnnhr User your_username |
Now the ssh
command will automatically choose the proper credentials in the future, i. e., -l your_username
and -i <private_key>
can be omitted from the command line , so that that ssh blogin
is sufficient.
...
In PuTTY, you have to add/select your private key to Connection → SSH → Auth
to be able to log in.
...
hidden | true |
---|
...
In PuTTY version 0.78 this option has changed to Connection → SSH → Auth
→ Credentials.
Internal Login
SSH for internal connections between nodes of Lise works right out of the box - that is, without specifying any keys. This is enabled through host-based authentication which is active by default.