What is SSH?
SSH key authentication
SSH uses key pairs: a safely shareable public key and a private key. SSH key pairs can be generated with or without a password for the key. Clearly, password-protected keys are more secure than keys without a password. This does not mean you have to enter the password every time you use the key pair; you can add the key to an SSH authentication agent, entering the password once, and then use the key pair without entering it again. You can create multiple key pairs and use different key pairs for (for example) different servers. That way, the impact of a stolen private key could be minimized.
There are several encryption algorithms supported by SSH; generally RSA or Ed25519 are the only ones you should use now. These examples use 4096-bit RSA keys. Ed25519 encryption is believed to be about as secure as a 3K RSA key. For all practical purposes both are equally secure until, or unless, either is compromised.
In this example, we're going to demonstrate how to create a new key pair using MobaXterm, load a private key into MobaXterm and then connect to CCR's servers. You can use other SSH clients such as PuTTY. Most are very similar to MobaXterm; however, you will need to look up documentation online for configuring these.
Download and install MobaXterm (the free version is appropriate for home/academic use)
NOTE: We recommend version 21+ as we've received reports that earlier versions have issues with key generation.
Generating a Public/Private Key Pair
If you do not already have an SSH key pair, you will need to generate one. Please read the information above if you don't know what this means. Keeping your private key secure is of the utmost importance if you choose to use SSH keys rather than a password to connect to CCR servers.
To generate a public/private key pair, start the MobaXterm SSH Key Generator (MobaKeyGen) found under the MobaXterm Tools menu.
Under 'type of key to generate' select RSA. We HIGHLY recommend you change the "Number of bits in a generated key:" from the default of 2048 to 4096 (last option at the bottom of the GUI). Anything less than this is insecure. Then click the Generate button and move your mouse around the empty area at the top of the GUI. As you move your mouse around, you'll see the bar move across the window, indicating it's working on generating your random, unique key.
Convert to OpenSSH format
Once this is complete, you must now convert the key pair generated by MobaKeyGen into the OpenSSH format that CCR uses on its Linux servers. Before doing so you might want to consider:
- For the utmost in security, you can enter a passphrase for your private key. This is helpful if your machine is compromised and your key is stolen: the hacker would need the passphrase associated with the key to utilize it. However, every time you use the key, you will need to enter the passphrase. Ultimately, it is up to the user. We don't require it but do recommend it. If you choose to set one, enter it in the "Key passphrase" box.
- Changing the default "Key comment" may also be desirable. Most people enter their email address here, or you can enter something that reminds you this was generated for CCR use. This is also optional.
To convert the key to OpenSSH format, select "Export OpenSSH key" from the Conversions menu.
If you've chosen not to save a key passphrase you will be asked again if you're sure. Click Yes or go back and add a key passphrase.
You will be prompted to select a location to save the private key. The file location of the private key MUST be a place that only you have access to. Do not store this on a shared file system or a folder on your computer that is shared. IMPORTANT: Make sure to save the key with an extension of .ppk. If you don't, this won't work when trying to connect using MobaXterm or FileZilla.
Finally, click the "Save public key" button. We recommend you save it with the same name as your private key but ending in .pub. Before you close this window, go to the next step to copy that SSH public key into your CCR account.
Upload PUBLIC key to CCR IDM portal
Select EVERYTHING in the box labeled "Public key for pasting into OpenSSH authorized_keys file" then right-click on it and choose Copy. Following the directions above, paste this into the identity management portal SSH key box. Once saved, this key will be used for all SSH-enabled logins to CCR servers.
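A pre-upload check for the step above, as an added example that is not part of CCR's documentation or tooling: it parses the one-line OpenSSH public key, rejects private key material pasted by mistake, and enforces the key types and 4096-bit RSA size recommended on this page. The function names and the sample keys built by constructed_line are assumptions made for illustration.

```python
import base64
import struct

MIN_RSA_BITS = 4096  # RSA size this page recommends

def read_string(blob, offset):
    """Read one length-prefixed field (RFC 4251 'string'/'mpint') from a key blob."""
    end = offset + 4
    if end <= len(blob):
        end += struct.unpack(">I", blob[offset:offset + 4])[0]
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end

def check_public_key_line(line):
    """Return (ok, message) for one authorized_keys-style public key line."""
    if "PRIVATE KEY" in line or line.startswith("PuTTY-User-Key-File"):
        return False, "private key material: do not paste or upload it"
    parts = line.split()
    if len(parts) < 2:
        return False, "expected '<type> <base64> [comment]'"
    key_type = parts[0]
    try:
        blob = base64.b64decode(parts[1], validate=True)
        inner_type, offset = read_string(blob, 0)
        first, offset = read_string(blob, offset)
        if inner_type != key_type.encode():
            return False, "key type prefix does not match the encoded key"
        if key_type == "ssh-ed25519":
            ok = len(first) == 32  # an Ed25519 public key is exactly 32 bytes
            return ok, "Ed25519 key" if ok else "Ed25519 key has wrong length"
        if key_type != "ssh-rsa":
            return False, f"{key_type}: not one of the recommended key types"
        modulus, _ = read_string(blob, offset)  # 'first' was the public exponent
    except ValueError as exc:  # also covers base64 decoding errors
        return False, f"malformed key data: {exc}"
    bits = int.from_bytes(modulus, "big").bit_length()
    if bits < MIN_RSA_BITS:
        return False, f"RSA key is only {bits} bits; generate a {MIN_RSA_BITS}-bit key"
    return True, f"RSA {bits}-bit key"

def constructed_line(key_type, *fields):
    """Encode fields as a public key line (constructed sample, not a usable key)."""
    blob = b"".join(struct.pack(">I", len(p)) + p for p in (key_type.encode(), *fields))
    return f"{key_type} {base64.b64encode(blob).decode()} sample@example"

def constructed_rsa_line(bits):  # constructed sample whose modulus has `bits` bits
    n = (1 << (bits - 1)) | 1
    return constructed_line("ssh-rsa", b"\x01\x00\x01", b"\x00" + n.to_bytes(bits // 8, "big"))
```

Calling check_public_key_line(constructed_rsa_line(2048)) fails with a message naming the 2048-bit size, which is what a key generated with the MobaKeyGen default would produce.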
Attaching the Private Key to the MobaXterm Session
Launch MobaXterm again and load the session of the server you want to connect to. If you don't already have a session created, follow the steps below to create one and add the private key to it:
1. Click the Session button, then click the SSH icon:
See the highlighted sections in the screenshot above to make sure you enter all the correct info.
2. Enter remote host (server name) - this can be any of these:
vortex.ccr.buffalo.edu (pool of front end login nodes for all CCR clusters)
transfer.ccr.buffalo.edu (data transfer node for uploading/downloading data)
3. Click the "specify username" checkbox and enter your CCR username
4. Ensure the port is 22
5. Make sure the "X11 Forwarding" box is checked
6. Click the "Use private key" box and browse to where you saved your private key ending in .ppk to select it
7. If you'd like to set a name for this session, click the "Bookmark settings" tab and enter a session name.
Click OK and this will launch the session.
You should be logged into the system without having to enter your password. You're done! This is a one-time setup process, so now when you go to connect to the server, you only need to double-click on the session name or right-click on it and choose "Execute".
If you need to change any settings, right-click on the session name and choose "Edit session".