SSH uses key pairs - a safely shareable public key and a private key.

What is SSH?

SSH key authentication

SSH key pairs can be generated with or without password for the key.  Clearly, passworded keys are more secure than non‑passworded keys.  This does not mean you have to enter the password every time you use the key pair; you can add the key to an ssh authentication agent, entering the password once, then use the key pair without the password.

You can create multiple key pairs, and use different key pairs for (for example) different servers.  In this event the impact of a stolen private key could be minimized.

There are several encryption algorithms supported by ssh - generally RSA or Ed25519 are the only ones you should use now. These examples use 4K RSA keys.  Ed25519 encryption is believed to be about as secure as a 3K RSA key.  More details 

For all practical purposes both are equally secure until, or unless, either is compromised.

Creating your first passworded ssh key pair.

$ ssh-keygen -t rsa -b 4096 -f ${HOME}/.ssh/id_rsa

Enter passphrase (empty for no passphrase): _your_passphrase_here_

Enter same passphrase again: _your_passphrase_here_



Now copy the public (.pub) key to the identity management portal.  Once this is done, it is used on all CCR servers that support SSH.

Your host (laptop or desktop) may startup the ssh agent for you on login, if it does you add this key with:

$ ssh-add ~/.ssh/id_rsa

Enter passphrase for /user/_username_/.ssh/id_rsa: _your_passphrase_here_

Identity added: /user/_username_/.ssh/id_rsa (/user/_username_/.ssh/id_rsa)


if you get the error:

    "Could not open a connection to your authentication agent."

then start the ssh agent with:

$ eval `ssh-agent`

then re-run the above "ssh-add" command

You can list the keys you have added to the authentication agent with:

$ ssh-add -L
ssh-rsa AAAA[...]hIBEQ== /user/_username_/.ssh/id_rsa

You can now ssh to the CCR front end servers vortex or transfer without entering a password, e.g.

$ ssh -A