What are SSH Keys?
SSH is a data transfer protocol that encrypts all data exchanged between the two computers for the entire login session. Normally you log in to Helix by starting an SSH session with your username and a password. SSH public key authentication is a much stronger form of authentication than a password, so it is more difficult for an attacker to gain access to your account by impersonating you from another computer.
To prepare to use public key authentication, you need to run an SSH program to create two special files, called "keys". One is called your "public key" and the other is your "private key." The public key needs to be copied to a special location on Helix or Biowulf to allow access.
The private key, on the other hand, must be carefully protected and only needs to exist on the computer from which you will log in to Helix. As long as no one else has access to your private key, the computer you log in to can have a high degree of confidence that you are who you say you are, without any sensitive information (such as passwords or keys) being sent over the network.
Private Key Passphrases
Because the private key you generate is so important, you must always protect it with a good passphrase, one that is memorable and strong.
When it comes to passphrases, length beats complexity. A simple sentence with some punctuation and numbers is very difficult to crack but easy to remember. You should never use an empty passphrase.
You should never use your Helix or Biowulf password as your private key passphrase. While your Helix or Biowulf password must change regularly, your passphrase does not.
Where To Use/Store Private Keys
SSH public key authentication is more secure than typical UNIX passwords because neither the passphrase nor the private key is transmitted from the client machine during authentication. That security is lost, however, if the private key is stolen.
It is safest to store your private keys only on systems such as your desktop workstation, where only a small number of people would normally have access. It is considered less safe to store your private keys on a multi-user system or on systems where your home directory is shared across many systems. For this reason we recommend against creating and storing private keys on Helix and Biowulf.
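The two rules above (keep the private key readable only by you, and always set a passphrase) are easy to check mechanically. The POSIX shell function below is an added example, not part of the Helix documentation; the function name and its exit codes are its own conventions. It recognises OpenSSH's two on-disk private key formats (the newer openssh-key-v1 container and the older PEM form) and PuTTY's .ppk file by their headers, and reports whether the file is stored in the clear.

```shell
#!/bin/sh
# check_private_key FILE
# Verifies that a private key file is (a) readable only by its owner and
# (b) protected by a passphrase.  Exit status (own convention):
#   0 ok, 1 permissions too open, 2 no passphrase, 3 unreadable/unknown format.
check_private_key() {
    f=$1
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 3; }

    # Group and other permission bits must all be clear; ssh itself refuses
    # to use a key whose mode is more open than that.
    mode=$(ls -ld "$f" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "$f: permissions too open ($(ls -ld "$f" | cut -c1-10)); run: chmod 0600 $f" >&2
        return 1
    fi

    if grep -q '^-----BEGIN OPENSSH PRIVATE KEY-----' "$f"; then
        # openssh-key-v1 container: the base64 payload decodes to the magic
        # string "openssh-key-v1", then the cipher name and KDF name as
        # length-prefixed strings.  "none"/"none" means the key is in the clear.
        hdr=$(sed -n '/^-----BEGIN/,/^-----END/p' "$f" | grep -v -- '-----' | tr -d '\n' \
              | base64 -d 2>/dev/null | head -c 48 | tr -cd '[:alnum:]-')
        case $hdr in
            openssh-key-v1nonenone*) kind="OpenSSH (new format)"; enc=no ;;
            openssh-key-v1*)         kind="OpenSSH (new format)"; enc=yes ;;
            *) echo "$f: cannot parse OpenSSH key header" >&2; return 3 ;;
        esac
    elif grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        kind="PKCS#8 (PEM)"; enc=yes
    elif grep -q '^-----BEGIN .*PRIVATE KEY-----' "$f"; then
        # Classic PEM: an encrypted key carries a "Proc-Type: 4,ENCRYPTED" header.
        kind="OpenSSH (PEM)"
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then enc=yes; else enc=no; fi
    elif grep -q '^PuTTY-User-Key-File-' "$f"; then
        # PuTTY .ppk files state the cipher in an "Encryption:" line.
        kind="PuTTY .ppk"
        if grep -q '^Encryption: none' "$f"; then enc=no; else enc=yes; fi
    else
        echo "$f: unrecognised private key format" >&2
        return 3
    fi

    if [ "$enc" = no ]; then
        echo "$f: $kind key has NO passphrase; add one with: ssh-keygen -p -f $f" >&2
        return 2
    fi
    echo "$f: $kind key, owner-only permissions, passphrase-protected"
    return 0
}

# Usage when run directly: check_private_key.sh ~/.ssh/id_rsa
if [ $# -gt 0 ]; then
    check_private_key "$@"
fi
```

The permission test reads the mode string from `ls -ld` rather than `stat`, because the `stat` options differ between Linux and macOS; the passphrase test never needs the key material itself, only the headers, so it can be run on any key file without unlocking it.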
SSH Keys and Password Expiration
SSH keys are not a substitute for password policy, and will not override expired passwords. You will need to reset your password according to NIH policy, even if you use SSH keys.
How To Create SSH Key Pairs
Using PuTTY On A Windows Desktop
Download and install the latest PuTTY version from http://www.chiark.greenend.org.uk/~sgtatham/putty/. Be sure to also include PuTTYgen.
Create a key pair using PuTTYgen. Set the key type to 'SSH-2 RSA' and the number of bits to 1024. After generating it, save the private key somewhere on your desktop machine and make the file hidden and read-only. Make sure you create a good, strong and long passphrase!
Cut and paste your public key from the PuTTY Key Generator window into an empty file, and transfer the file to your Helix home directory (see here for information about transferring files). Don't use PuTTYgen's "Save public key" button, as it does not save the key in the one-line format that authorized_keys requires.
Log into Helix, append your public key to ~/.ssh/authorized_keys and make sure authorized_keys is only accessible by you:
[user@helix]$ cat public_key_file >> ~/.ssh/authorized_keys
[user@helix]$ rm public_key_file
[user@helix]$ chmod 0600 ~/.ssh/authorized_keys
Start PuTTY on your desktop and open the Connection->SSH->Auth window. Browse the path for the private key file (which you saved above). Save the PuTTY configuration for Helix and then log in. You will be prompted to enter the passphrase for the private key.
Using A Mac/Linux Desktop
Generate an SSH key pair using ssh-keygen:
[mydesktop:~] user% ssh-keygen -t rsa -b 1024
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/user/.ssh/id_rsa.
Your public key has been saved in /Users/user/.ssh/id_rsa.pub.
The key fingerprint is:
3c:a7:1f:6c:c9:ac:b9:10:50:b4:6b:2e:47:ab:8f:7f email@example.com
[mydesktop:~] user%
The public key should be copied from its present location to the authorized_keys file on Helix.
[mydesktop:~] scp /Users/user/.ssh/id_rsa.pub firstname.lastname@example.org:~/tmp
Log in to Helix:
[user@helix]$ cat tmp >> ~/.ssh/authorized_keys
[user@helix]$ rm tmp
[user@helix]$ chmod 0600 ~/.ssh/authorized_keys
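Both install procedures above (the PuTTY one and the Mac/Linux one) append the copied key to authorized_keys and then fix its permissions by hand. The script below is an added example, not part of the Helix documentation, that does the same in one idempotent step: it refuses the RFC 4716 "SSH2 PUBLIC KEY" format that PuTTYgen's "Save public key" button writes, accepts only a single one-line OpenSSH key, skips the append when that key is already installed, and sets the 0700 directory and 0600 file modes that sshd's StrictModes check requires. The function name and the optional SSHDIR argument are assumptions for illustration.

```shell
#!/bin/sh
# install_pubkey FILE [SSHDIR]
# Appends the one-line OpenSSH public key in FILE to SSHDIR/authorized_keys
# (default ~/.ssh) unless it is already present, and sets the permissions
# sshd requires.  Exit status (own convention):
#   0 installed or already present, 1 bad key format, 2 usage error.
install_pubkey() {
    keyfile=$1
    sshdir=${2:-"$HOME/.ssh"}
    [ -r "$keyfile" ] || { echo "cannot read $keyfile" >&2; return 2; }

    # PuTTYgen's "Save public key" writes RFC 4716 format, which OpenSSH's
    # authorized_keys does not accept; refuse it with a pointer to the fix.
    if grep -q '^---- BEGIN SSH2 PUBLIC KEY ----' "$keyfile"; then
        echo "$keyfile is in RFC 4716 format; paste the key from the PuTTYgen window instead" >&2
        return 1
    fi

    # Accept exactly one non-empty line of the form: key-type base64-blob [comment]
    pattern='^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
    if [ "$(grep -c . "$keyfile")" -ne 1 ] || ! grep -Eq "$pattern" "$keyfile"; then
        echo "$keyfile is not a single-line OpenSSH public key" >&2
        return 1
    fi
    key=$(grep -E "$pattern" "$keyfile" | head -n 1)
    # Compare on type and blob only, so a different comment does not cause a duplicate.
    blob=$(printf '%s\n' "$key" | cut -d' ' -f1,2)

    # sshd (StrictModes) rejects keys in a directory or file writable by others.
    mkdir -p "$sshdir" && chmod 0700 "$sshdir"
    touch "$sshdir/authorized_keys"
    chmod 0600 "$sshdir/authorized_keys"

    if grep -qF -- "$blob" "$sshdir/authorized_keys"; then
        echo "key already present in $sshdir/authorized_keys"
        return 0
    fi
    printf '%s\n' "$key" >> "$sshdir/authorized_keys"
    echo "key added to $sshdir/authorized_keys"
    return 0
}

# Usage when run directly on Helix: install_pubkey.sh ~/tmp   (then rm ~/tmp)
if [ $# -gt 0 ]; then
    install_pubkey "$@"
fi
```

Because the duplicate check matches on key type and blob rather than the whole line, re-running the script after a key is already installed is harmless, which is the property you want when the same desktop key is added to both Helix and Biowulf.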
From a Mac or a Linux machine, you can ssh using public key authentication like this:
You will be prompted for your passphrase.