How to create an SSH key pair

On your local computer, using a terminal application, call the following command to create a pair of keys: ssh-keygen -t ecdsa -b 521.
This creates a 521-bit key using ECDSA (the Elliptic Curve Digital Signature Algorithm).
Hit Enter when asked which file to create (this accepts the default file name) and make sure that you provide a sufficiently long passphrase. Remember your passphrase! Do not write it down anywhere!

If all works out, you should see a terminal window output similar to the following one:

Generating public/private ecdsa key pair.
Enter file in which to save the key (/afs/cern.ch/user/<username>/.ssh/id_ecdsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /afs/cern.ch/user/<username>/.ssh/id_ecdsa.
Your public key has been saved in /afs/cern.ch/user/<username>/.ssh/id_ecdsa.pub.
The key fingerprint is:
SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx <username>@lxplusXXX.cern.ch
The key's randomart image is:
<some ASCII image>

Remember that your .ssh directory now hosts two new files:

id_ecdsa is the private key file and
id_ecdsa.pub is the public key file.

The public key file =id_ecdsa.pub= will be copied to the lxplus server machine.
The private key file stays on your local computer for all times. Whenever you are asked for the passphrase, it is used locally to unlock the private key and never leaves your computer!
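Two things worth checking on the local key pair before it goes anywhere: that the private key file is really passphrase-protected (the OpenSSH container records the cipher name, and "none" means the key is stored in clear), and what the SHA256 fingerprint of the public key is, in the same form ssh-keygen prints it above. The Python below is an added example for this page, not part of the original instructions; the key material in it is constructed (a header-only private key container and a dummy public key blob), so it runs offline and would be pointed at the real =id_ecdsa= and =id_ecdsa.pub= in practice.

```python
import base64
import hashlib
import struct

MAGIC = b"openssh-key-v1\x00"  # header of the OpenSSH private key container
PEM_HEAD, PEM_TAIL = "-----BEGIN OPENSSH PRIVATE KEY-----", "-----END OPENSSH PRIVATE KEY-----"

def ssh_string(data):
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data

def read_ssh_string(buf, off):
    """Decode one SSH wire-format string at offset off; return (bytes, next offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def private_key_cipher(pem_text):
    """Return (cipher, kdf) recorded in an OpenSSH-format private key file.
    ("none", "none") means the key is stored in clear, i.e. without a passphrase."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if lines[0] != PEM_HEAD or lines[-1] != PEM_TAIL:
        raise ValueError("not an OpenSSH-format private key")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad magic in private key")
    cipher, off = read_ssh_string(blob, len(MAGIC))
    kdf, _ = read_ssh_string(blob, off)
    return cipher.decode(), kdf.decode()

def is_passphrase_protected(pem_text):
    """True when the private key is encrypted (a cipher and a KDF are both set)."""
    cipher, kdf = private_key_cipher(pem_text)
    return cipher != "none" and kdf != "none"

def public_key_fingerprint(pub_line):
    """SHA256 fingerprint of an id_*.pub line, formatted as ssh-keygen prints it."""
    fields = pub_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<keytype> <base64 blob> [comment]'")
    digest = hashlib.sha256(base64.b64decode(fields[1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def make_private_key_text(cipher, kdf):
    """Constructed sample: only the container header (cipher, kdf, empty options), no real key."""
    blob = MAGIC + ssh_string(cipher.encode()) + ssh_string(kdf.encode()) + ssh_string(b"")
    return PEM_HEAD + "\n" + base64.b64encode(blob).decode() + "\n" + PEM_TAIL + "\n"

# Constructed sample public key line (shape only, not a real curve point).
SAMPLE_PUB = "ecdsa-sha2-nistp521 " + base64.b64encode(ssh_string(b"ecdsa-sha2-nistp521")
    + ssh_string(b"nistp521") + ssh_string(b"\x04" + b"\x01" * 132)).decode() + " <username>@example (constructed)"
```

On a real key, `is_passphrase_protected(open("~/.ssh/id_ecdsa").read())` returning False is the signal that the key was generated with an empty passphrase and should be regenerated; `public_key_fingerprint` on the =.pub= line reproduces the value shown after "The key fingerprint is:" so it can be compared with what the server side reports.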

Copy now the *public key file* =id_ecdsa.pub= to the lxplus server.
For this, open a terminal window on your local computer and use ssh-copy-id:

% ssh-copy-id -i ~/.ssh/id_ecdsa.pub <username>@lxplus.cern.ch

Now you can log into the lxplus system using ssh <username>@lxplus.cern.ch, but the local ssh client programme would still ask you for the passphrase at each login.
You can avoid that by adding the key to a programme called the ssh agent. Once the ssh agent has stored your private key, you no longer need to type the passphrase, since the ssh agent will use your key to negotiate the authentication with the server computer into which you wish to log in or from which you wish to mount a filesystem.

Start the ssh agent using the command eval `ssh-agent`.

Then add the private key for the lxplus system as follows (you will be asked for the passphrase of the ssh key. Do you still remember it?):

% ssh-add ~/.ssh/id_ecdsa 
Enter passphrase for /Users/<username>/.ssh/id_ecdsa: 
Identity added: /Users/<username>/.ssh/id_ecdsa (/Users/<username>/.ssh/id_ecdsa)

You can at any time ask the ssh agent which keys it has remembered by using the command ssh-add -l.

To avoid having to start the ssh agent by hand each time you restart your computer, you can add a code snippet to your favourite login shell script, e.g. for .bashrc:

# Only start an agent if this shell does not already have one (SSH_AUTH_SOCK unset)
if [ -z "$SSH_AUTH_SOCK" ] ; then
    eval `ssh-agent`
    # loads the default keys (~/.ssh/id_ecdsa among them); you will be asked for the passphrase once
    ssh-add
fi

-- JohannesGutleber - 2020-05-20
