Computational Science and Engineering

2343 Academic Surge
UC Davis
One Shields Avenue
Davis, CA 95616

(530) 752-6298 phone
(530) 752-8894 fax

 
Use SSH at CSE

This document describes how SSH is used at CSE and gives you pointers on how to access our computational resources.

Purpose

In an effort to reduce the use of insecure passwords, CSE has decided to use SSH public key authentication only (i.e. no passwords) for shell access to our systems. With so many high-profile systems we expect to be targeted by many antisocial elements. Password compromise is a common problem, and a compromised account can mean many hours of downtime. To help combat this problem we require SSH public key authentication for shell access. This document describes how to use SSH at CSE.

Prerequisites

You need an SSH client to access our servers or clusters. Here is how to get one for your workstation.

Windows

For Windows you must install the SSH client manually. We recommend and support only one SSH client on Windows: PuTTY. The PuTTY SSH client and the WinSCP SFTP client are known to work well with our setup, and both work well with PuTTY's Pageant SSH agent.

Linux

OpenSSH is the standard SSH client on Linux. Here is how to install it on a couple of popular distributions.

Ubuntu/Debian-based

If it is not installed by default you can install the OpenSSH client by issuing sudo apt-get install openssh-client from the command line.

OS X

Apple installs the OpenSSH client by default. Unfortunately it does not offer SSH agent integration with the Keychain tool. We recommend using SSHKeychain for key-based access to CSE systems. You may also consider using MacFUSE / sshfs with MacFusion. If you plan on using subversion you should see this documentation for using subversion on OS X.

Passwords

You will not be prompted for a password when using SSH to access our systems (unless something is broken). If you do get a password prompt, your key was not offered or not accepted (usually a permissions problem or the wrong key file); your password will not work, so fix the key setup instead.

Passphrases

A passphrase protects your private SSH key: the key file is encrypted with it, and without the passphrase the private key cannot be used. An empty passphrase is only advisable on private networks (for example from a head node to the compute nodes of the same cluster). If your key has no passphrase and you use it on a public network, then anyone who obtains the key file (a stolen laptop, a compromised account on a shared machine) immediately has access to every account that key is installed in. In other words, please use a difficult passphrase!

Key Encryption Types

The two key types in common use for SSH public key authentication are RSA and DSA. We don't really have a preference and support both. Note, however, that SSH's DSA is limited to 1024-bit keys with SHA-1 signatures and has been disabled by default in OpenSSH since version 7.0 (2015), so if you are generating a new key today, choose RSA.

Key Encryption Sizes

For RSA we recommend a key size of 2048 or 4096 bits. For DSA (ssh-dss) the key size must be exactly 1024 bits; the protocol allows nothing else. With ssh-keygen the size is given as the argument to the -b option.

Generating a key

The mechanism for using SSH without typing your password is called public key authentication (PKA). To use PKA you must generate a public key and a private key on your client. Fortunately, most SSH clients include tools that can create SSH key pairs.

Linux and OS X

OS X and almost all Linux distributions include OpenSSH client tools by default. You can use a tool called ssh-keygen to generate ssh key pairs like so:

  $ ssh-keygen -b 4096 -t rsa
  Generating public/private rsa key pair.
  Enter passphrase (empty for no passphrase):
  Enter same passphrase again:
  Your identification has been saved in ~/.ssh/id_rsa.
  Your public key has been saved in ~/.ssh/id_rsa.pub.
  The key fingerprint is:
  a7:9a:68:fc:ca:60:0e:d5:c3:b1:c8:a3:ef:ba:02:65 user@host

If you wish to generate a DSA key instead, pass dsa as the argument to the -t option. ssh-keygen writes two files into the .ssh directory in your home: the private key (usually named identity, id_rsa or id_dsa, with no extension) and the public key, which has the same name with a .pub extension. Only the .pub file is ever given to anyone else.

Windows

PuTTY has a tool called PuTTYgen that will generate SSH key pairs. Although PuTTY's private key format (.ppk) is different from OpenSSH's, the key can easily be converted for use on Linux (Conversions > Export OpenSSH key in PuTTYgen), and the one-line public key to send us is shown in the "Public key for pasting into OpenSSH authorized_keys file" box. Please be sure to note what type of SSH key you choose: use an SSH-2 key (RSA or DSA) and not SSH-1 RSA (rsa1).

Permissions

You should keep your keys secure from other users on the system. Your private key must be readable and writable only by you: chmod 600 ~/.ssh/id_[rd]sa (or chmod 400 if you never want to overwrite it). Your public key (the .pub file) may be world-readable but must not be writable by anyone else. You should also note that nobody other than you (and root) should have write access to your home directory (chmod go-w ~), to the .ssh directory in it (chmod 700 ~/.ssh) or to ~/.ssh/authorized_keys (chmod 600 ~/.ssh/authorized_keys). The SSH server checks these permissions (the StrictModes setting) and will silently refuse public key authentication if any of them allow other users to write, or the private key allows others to read.
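The following script is an added example, not a CSE-provided tool: it audits a home directory the way sshd's StrictModes check does (home, .ssh, authorized_keys and authorized_keys2 must be owned by you or root and must not be group- or world-writable) and then checks that the usual private key files are not readable by anyone else. It parses ls -ld output rather than stat so that it runs unchanged on Linux and OS X; the file names it looks for (id_rsa, id_dsa, identity) are the defaults described above.

```shell
#!/bin/sh
# Added example (not CSE's script): audit ~/.ssh permissions the way sshd's
# StrictModes does, plus the private-key rule. Usage: sh ssh_perm_check.sh [HOME_DIR]

# 10-character mode string for a path, e.g. "drwx------" (portable: ls -ld, not stat)
mode_of() { ls -ld "$1" | cut -c1-10; }
owner_of() { ls -ld "$1" | awk '{print $3}'; }

# 0 if neither group (char 6) nor other (char 9) has the write bit
not_writable_by_others() {
    case "$(mode_of "$1")" in
        ?????w????|????????w?) return 1 ;;
        *) return 0 ;;
    esac
}

# 0 if group and other have no bits at all (chars 5-10 are "------"), as a private key needs
private_to_owner() {
    case "$(mode_of "$1")" in
        ????------) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if the path is owned by the invoking user or by root (sshd accepts either)
owned_by_me_or_root() {
    o=$(owner_of "$1")
    [ "$o" = "$(id -un)" ] || [ "$o" = root ]
}

# Audit HOME_DIR; print one line per problem, return 0 only if everything is clean.
audit_ssh_dir() {
    home=$1
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys" "$home/.ssh/authorized_keys2"; do
        [ -e "$p" ] || continue
        owned_by_me_or_root "$p"   || { echo "bad owner: $p"; rc=1; }
        not_writable_by_others "$p" || { echo "group/world writable: $p"; rc=1; }
    done
    for k in "$home/.ssh/id_rsa" "$home/.ssh/id_dsa" "$home/.ssh/identity"; do
        [ -e "$k" ] || continue
        private_to_owner "$k" || { echo "private key readable by others: $k"; rc=1; }
    done
    return $rc
}

# Run against the directory given on the command line, e.g. "$HOME".
if [ $# -gt 0 ]; then
    audit_ssh_dir "$1"
fi
```

Run it as sh ssh_perm_check.sh "$HOME" before asking for help with a key that "does not work"; an empty output and exit status 0 means the permissions are not the problem.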

Installing your Public Key

After you have created the key pair on your client machine, the public key has to be installed on the server. We will usually ask you to send us your public key (the .pub file, never the private key) by email, because your account will not be accessible until your key is installed. To add your key we append it to your list of authorized keys. There may be two files in <your home>/.ssh: authorized_keys and authorized_keys2. Old OpenSSH releases used the first for SSH protocol version 1 and the second for version 2; current OpenSSH reads both by default and treats authorized_keys as the primary file, keeping authorized_keys2 only for backward compatibility. We may append your key to just authorized_keys2 since that is our preference.

  # cat ~/.ssh/id_[rd]sa.pub >> ~/.ssh/authorized_keys2

Once your public key is installed it is now ready for use.
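Before a public key is appended to authorized_keys it is worth checking that it really is what the key policy above asks for (RSA with 2048 or 4096 bits, or DSA with exactly 1024 bits) and that the line is well formed. The Python below is an added example, not CSE's own tool: it decodes the base64 blob of an id_*.pub line, walks the SSH wire format (length-prefixed strings; for ssh-rsa the fields are e and n, for ssh-dss p, q, g and y), reports the key size, and computes both the MD5 colon fingerprint shown in the ssh-keygen output earlier on this page and the SHA256 form that newer ssh-keygen -l prints. The sample key lines are constructed inside the script from synthetic numbers; they are not real key pairs, only valid wire-format encodings used to exercise the parser.

```python
"""Added example (not CSE's code): vet OpenSSH public-key lines against the
page's key policy before they go into authorized_keys."""
import base64
import hashlib
import struct

# Policy from the page: RSA 2048 or 4096 bits, DSA exactly 1024 bits.
ALLOWED_BITS = {"ssh-rsa": {2048, 4096}, "ssh-dss": {1024}}


def _read_string(blob, off):
    """Read one SSH wire-format string: 4-byte big-endian length, then bytes."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off:off + n], off + n


def parse_public_key(line):
    """Parse '<type> <base64> [comment]' (an id_*.pub line) into a dict.

    'bits' is the modulus size for ssh-rsa and the size of p for ssh-dss;
    None for unknown types. Raises ValueError on malformed input."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    ktype, b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)      # binascii.Error is a ValueError
    wire_type, off = _read_string(blob, 0)
    if wire_type != ktype.encode("ascii"):
        raise ValueError("key type inside the blob does not match the prefix")
    fields = []
    while off < len(blob):
        field, off = _read_string(blob, off)
        fields.append(field)
    # mpints are big-endian and carry a leading 0x00 when the high bit is set;
    # int.from_bytes(...).bit_length() yields the true size either way.
    if ktype == "ssh-rsa" and len(fields) == 2:       # e, n
        bits = int.from_bytes(fields[1], "big").bit_length()
    elif ktype == "ssh-dss" and len(fields) == 4:     # p, q, g, y
        bits = int.from_bytes(fields[0], "big").bit_length()
    else:
        bits = None                                    # unknown type or wrong field count
    md5 = hashlib.md5(blob).hexdigest()
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "type": ktype,
        "bits": bits,
        "comment": comment,
        "md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),   # a7:9a:68:... style
        "sha256": "SHA256:" + sha256,                             # newer ssh-keygen -l style
    }


def key_allowed(line):
    """True only for a well-formed key whose type and size meet the policy."""
    try:
        key = parse_public_key(line)
    except ValueError:
        return False
    return key["bits"] in ALLOWED_BITS.get(key["type"], set())


def vet_authorized_keys(text):
    """Split the lines of an authorized_keys file into (accepted, rejected).

    Lines with an options prefix (from=..., command=...) are not handled here;
    a freshly generated id_*.pub never has one."""
    accepted, rejected = [], []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        (accepted if key_allowed(line) else rejected).append(line)
    return accepted, rejected


# Constructed sample inputs: synthetic numbers wrapped in the real OpenSSH
# wire format. They are NOT real key pairs, just valid encodings for testing.
def _string(b):
    return struct.pack(">I", len(b)) + b


def _mpint(n):
    return _string(n.to_bytes(n.bit_length() // 8 + 1, "big"))   # minimal positive mpint


def make_key_line(ktype, numbers, comment=""):
    blob = _string(ktype.encode()) + b"".join(_mpint(n) for n in numbers)
    return f"{ktype} {base64.b64encode(blob).decode()} {comment}".strip()


SAMPLES = {
    "rsa4096": make_key_line("ssh-rsa", [65537, (1 << 4095) | 12345], "user@host"),
    "rsa1024": make_key_line("ssh-rsa", [65537, (1 << 1023) | 12345], "old laptop"),
    "dsa1024": make_key_line("ssh-dss", [(1 << 1023) | 1, (1 << 159) | 1, 2, 3]),
    "unknown": make_key_line("ssh-foo", [5]),
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        key = parse_public_key(line)
        print(f"{name}: {key['type']} {key['bits']} {key['md5']} allowed={key_allowed(line)}")
```

Run with a real key by passing the contents of id_rsa.pub to parse_public_key; the MD5 fingerprint it prints should match what ssh-keygen -l -E md5 -f ~/.ssh/id_rsa.pub reports, which is a quick way to confirm that the key you emailed is the one that was installed.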

More Help

To get more help please refer to our Shell FAQs. If you are still having problems send a message to help at cse.ucdavis.edu with the specific error messages (the output of ssh -v is especially useful).