NIH HPC Systems SSH Public Key Authentication

What are SSH Keys?

SSH is a data transfer protocol that automatically encrypts all data exchanged between the two computers during your entire login session. Normally you would log in to Helix and start an SSH session using your username and a password. SSH public key authentication provides much stronger authentication than a password, so it is more difficult for a hacker to gain access to your account by impersonating you from another computer.

To prepare to use public key authentication, you need to run an SSH program to create two special files, called "keys". One is called your "public key" and the other is your "private key." The public key may be copied to a special location on Helix or Biowulf to allow access to your account.

The private key, on the other hand, must be carefully protected and must only exist on the computer from which you will login to Biowulf or Helix. All SSH private keys must be protected with a password meeting NIH password requirements. As long as no one else has access to your private key, the computer to which you login will have a high degree of confidence that you are who you say you are without sending any sensitive information (like passwords or keys) over the network.

Per NIH security policy, sharing of SSH keypairs between Biowulf users is strictly prohibited. Your SSH key must only be used to access your Biowulf/Helix account.

Private Key Passphrases

Because the private key you generate is so important, you must always protect it with a good passphrase, one that is memorable and strong.

When it comes to passphrases, length beats complexity. A simple sentence with some punctuation and numbers is very difficult to crack but easy to remember. SSH keys used to access Biowulf or Helix must always be protected by a complex passphrase.

You should never use your Helix or Biowulf password as your private key passphrase. While your Helix or Biowulf password must change regularly, your SSH key passphrase does not.

Where To Use/Store Private Keys

The use of SSH public key authentication is more secure than typical UNIX passwords. This is because neither the passphrase nor the private key is transmitted out of the client machine during authentication. However, this security is lost if the private key is stolen.

It is safest to store your private keys only on systems such as your desktop workstation, where only a small number of people would normally have access. It is considered less safe to store your private keys on a multi-user system or on systems where your home directory is shared across many systems. For this reason we recommend against creating and storing private keys on Helix and Biowulf.

Where To Store Public Keys

On Biowulf/Helix, public keys should be added to your ~/.ssh/authorized_keys file. The authorized_keys file expects a single SSH public key per line.

If you would like to remove a public key from your authorized_keys file, you can delete the single line in the ~/.ssh/authorized_keys file containing the key.

SSH Keys and Password Expiration

SSH keys are not a substitute for password policy, and will not override expired passwords. You will need to reset your password according to NIH policy, even if you use SSH keys.

SSH Key Policy


How To Create SSH Key Pairs

Using PuTTY On A Windows Desktop

Watch this 5-minute video, or follow these steps:

1. Download and install the latest PuTTY version from http://www.chiark.greenend.org.uk/~sgtatham/putty/. Be sure to also include PuTTYgen.

2. Create a key pair using PuTTYgen. Set key type to 'RSA' and the number of bits to 4096. After generating it, save the private key somewhere on your desktop machine, make it hidden and read-only.

3. Copy and paste your public key from the PuTTY Key Generator window into an empty *plain text* file, and transfer the file to your Helix home directory (see here for information about transferring files). Don't click on the 'Save public key' button directly, as PuTTYgen doesn't save it in the format authorized_keys expects (one key per line).

4. Log into Helix and concatenate your public key to ~/.ssh/authorized_keys and make sure authorized_keys is only accessible by you:

[user@helix]$ cat public_key_file >> ~/.ssh/authorized_keys
[user@helix]$ rm public_key_file
[user@helix]$ chmod 0600 ~/.ssh/authorized_keys

5. Start PuTTY on your desktop and open the Connection->SSH->Auth window. Browse the path for the private key file (which you saved above). Save the PuTTY configuration for Helix and then log in. You will be prompted to enter the passphrase for the private key.


Using A Mac or Linux Workstation

Generate an ssh keypair using ssh-keygen:

[mydesktop:~] user% ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/user/.ssh/id_rsa.
Your public key has been saved in /Users/user/.ssh/id_rsa.pub.
The key fingerprint is:
3c:a7:1f:6c:c9:ac:b9:10:50:b4:6b:2e:47:ab:8f:7f user@mydesktop.cit.nih.gov
[mydesktop:~] user%

The public key should be copied from its present location to the authorized_keys file on Helix.

[mydesktop:~] scp /Users/$USER/.ssh/id_rsa.pub $USER@helix.nih.gov:~/tmp.pub

Log in to Helix:

[user@helix]$ cat tmp.pub >> ~/.ssh/authorized_keys
[user@helix]$ rm tmp.pub
[user@helix]$ chmod 0600 ~/.ssh/authorized_keys

From a Mac or a Linux machine, you can run 'ssh-agent' to start the ssh-agent. Its output sets the environment variables your shell needs to reach the agent, so evaluate it in the current shell as shown below. Then add your key with 'ssh-add'. You will be prompted for the private key passphrase you set above.

[mydesktop:~] eval "$(ssh-agent -s)"
[mydesktop:~] ssh-add

Now you can ssh using public key authentication like this:

ssh $USER@helix.nih.gov

Depending on your workstation configuration, you may need to run 'ssh-agent' after every reboot.
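The authorized_keys steps above (step 4 for PuTTY, "Log in to Helix" for Mac/Linux) and the key-removal note in "Where To Store Public Keys", as an added shell example that is not part of the NIH HPC page. It adds the checks a careful user would want: it rejects a file that is not a single OpenSSH key line (which is what PuTTYgen's 'Save public key' produces), skips a key that is already present, and enforces the permissions sshd requires. The directory argument, function names and the sample key material are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the NIH HPC page). $1 is the .ssh directory, so the
# functions can be exercised against a scratch directory instead of a real home.

# True if the file is exactly one line of the form: keytype base64 [comment].
# PuTTYgen's multi-line "---- BEGIN SSH2 PUBLIC KEY ----" output fails this.
is_single_pubkey() {
    [ "$(wc -l < "$1" | tr -d ' ')" -le 1 ] || return 1
    grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/]+=*( .*)?$' "$1"
}

# Append the key in $2 to $1/authorized_keys unless that exact line is present;
# always leave the directory 0700 and the file 0600, as sshd expects.
install_pubkey() {
    sshdir="$1"; key=$(cat "$2")
    is_single_pubkey "$2" || { echo "rejected $2: not a single OpenSSH public key line" >&2; return 1; }
    mkdir -p "$sshdir" && chmod 0700 "$sshdir"
    touch "$sshdir/authorized_keys"
    if grep -qxF -- "$key" "$sshdir/authorized_keys"; then
        echo "already installed: ${key##* }" >&2
    else
        printf '%s\n' "$key" >> "$sshdir/authorized_keys"
    fi
    chmod 0600 "$sshdir/authorized_keys"
}

# Remove every key whose comment (third field, e.g. user@olddesktop) equals $2.
# Assumes plain "keytype base64 comment" lines without option prefixes.
remove_pubkey() {
    sshdir="$1"
    awk -v c="$2" '$3 != c' "$sshdir/authorized_keys" > "$sshdir/authorized_keys.new"
    mv "$sshdir/authorized_keys.new" "$sshdir/authorized_keys"
    chmod 0600 "$sshdir/authorized_keys"
}

# Number of key lines currently installed.
count_keys() { grep -c -- '^ssh-' "$1/authorized_keys" || :; }

# Demo with constructed (not real) key material in a scratch directory.
DEMO=$(mktemp -d)
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5FakeKeyMaterialForDemoOnly000000 user@mydesktop' > "$DEMO/good.pub"
printf '%s\n' '---- BEGIN SSH2 PUBLIC KEY ----' 'AAAAB3NzaC1yc2EFakeMaterial' '---- END SSH2 PUBLIC KEY ----' > "$DEMO/puttygen.pub"
install_pubkey "$DEMO/ssh" "$DEMO/good.pub"
install_pubkey "$DEMO/ssh" "$DEMO/good.pub"              # duplicate: skipped
install_pubkey "$DEMO/ssh" "$DEMO/puttygen.pub" || true  # wrong format: rejected
echo "installed keys: $(count_keys "$DEMO/ssh")"
```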
