NOTE: This is for advanced users. You should already know how to log in and transfer files to CCR before attempting to generate and use SSH keys.
What is SSH?
SSH uses key pairs: a public key that is safe to share and a private key. A key pair can be generated with or without a password on the key. Password-protected keys are more secure than keys without a password. This does not mean you have to enter the password every time you use the key pair; you can add the key to an SSH authentication agent, entering the password once, and then use the key pair without the password. You can create multiple key pairs and use different key pairs for (for example) different servers, which can minimize the impact of a stolen private key.
SSH supports several key algorithms; generally RSA and Ed25519 are the only ones you should use now. These examples use 4K RSA keys. An Ed25519 key is believed to be about as secure as a 3K RSA key. For all practical purposes both are equally secure until, or unless, either is compromised.
In this example, we’re going to demonstrate how to create a new key pair using PuTTY, load a private key into PuTTY and then connect to CCR's servers. You’ll need two pieces of software to complete this task:
- PuTTY - Client for managing SSH sessions
- PuTTYgen - Tool for managing and creating SSH key pairs
- Pageant - PuTTY authentication agent used for storing keys & passphrases (optional)
These tools can be downloaded here - You don't need to install them. To run them, just double click on the icons wherever you saved them.
Set up a connection to the login node you want to connect to. As an advanced user, you most likely already have this. Directions can be found here.
Make sure you can connect with a password before attempting to set up SSH keys!
Generating a Public/Private Key Pair
If you do not already have an SSH key pair, you will need to generate one. Please read the information above if you don't know what this means. Keeping your private key secure is of the utmost importance if you choose to use SSH keys rather than a password to connect to CCR servers.
To generate a public/private key pair, start the PuTTY Key Generator (PuTTYgen). We recommend you change the "Number of bits in a generated key:" from the default of 2048 to 4096 (last option at the bottom of the GUI). Then click the Generate button and move your mouse around the empty area at the top of the GUI.
As you move your mouse around, you'll see the bar move across the window indicating it's working on generating your random, unique key.
Once this is complete, you'll save the generated keys.
- For the utmost in security, you can enter a passphrase for your private key. This is helpful if your machine is compromised and your key is stolen: the hacker would need the passphrase associated with the key to utilize it. However, every time you use the key, you will need to enter the passphrase. Ultimately, it is up to the user. We don't require it but do recommend it. If you choose to set one, enter it in the "Key passphrase" box.
- Changing the default "Key comment" may also be desirable to the user. Most people enter their email address here or you can enter something that reminds you this was generated for CCR use. This is also optional.
- Then click "Save public key" and then "Save private key" - the file location of the private key MUST be a place that only you have access to. Do not store this on a shared file system or a folder on your computer that is shared.
Convert to OpenSSH format
You must now convert the key pair generated by PuTTY into the OpenSSH format that CCR uses on its Linux servers. To do so, select "Export OpenSSH key" from the Conversions menu.
If you've chosen not to save a key passphrase you will be asked again if you're sure. Click Yes or go back and add a key passphrase.
Upload PUBLIC key to CCR IDM portal
Select EVERYTHING in the box labeled "Public key for pasting into OpenSSH authorized_keys file" then right-click on it and choose Copy. Following the directions above, paste this into the identity management portal SSH key box. Once saved, this key will be used for all SSH-enabled logins to CCR servers.
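A check you can run on the copied text before pasting it into the portal (an added example, not part of CCR's documentation): it confirms the text is a one-line OpenSSH public key, not a private key or the multi-line file that "Save public key" writes, and that an RSA key is at least 4096 bits. The function names and the sample key built by constructed_rsa_line are assumptions made for this example.

```python
import base64

def _field(buf, off):
    """Read one SSH wire field: 4-byte big-endian length, then that many bytes."""
    size = int.from_bytes(buf[off:off + 4], "big")
    end = off + 4 + size
    if off + 4 > len(buf) or end > len(buf):
        raise ValueError("truncated key data (partial copy?)")
    return buf[off + 4:end], end

def check_public_key_line(text, min_rsa_bits=4096):
    """Return (key_type, bits) for a one-line OpenSSH public key, else raise ValueError."""
    text = text.strip()
    if "PRIVATE KEY" in text or text.startswith("PuTTY-User-Key-File"):
        raise ValueError("this is a private key; it must never leave your machine")
    if text.startswith("---- BEGIN SSH2 PUBLIC KEY"):
        raise ValueError("multi-line SSH2 format; copy the one-line OpenSSH box instead")
    parts = text.split(None, 2)
    if len(parts) < 2 or "\n" in text:
        raise ValueError("expected one line: <type> <base64> [comment]")
    key_type = parts[0]
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError as exc:  # binascii.Error is a subclass of ValueError
        raise ValueError("key data is not valid base64 (partial copy?)") from exc
    inner, off = _field(blob, 0)
    if inner != key_type.encode():
        raise ValueError("key type label does not match the key data")
    if key_type == "ssh-ed25519":
        pub, off = _field(blob, off)
        if len(pub) != 32 or off != len(blob):
            raise ValueError("malformed Ed25519 key")
        return key_type, 256
    if key_type != "ssh-rsa":
        raise ValueError("unexpected key type: " + key_type)
    _exponent, off = _field(blob, off)  # RFC 4253 field order: e, then n
    modulus, off = _field(blob, off)
    bits = int.from_bytes(modulus, "big").bit_length()
    if off != len(blob) or bits < min_rsa_bits:
        raise ValueError("RSA key is malformed or only %d bits" % bits)
    return key_type, bits

def constructed_rsa_line(bits):
    """Constructed sample: valid wire format around a made-up modulus, not a real key."""
    def field(b):
        return len(b).to_bytes(4, "big") + b
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")  # made-up modulus
    blob = field(b"ssh-rsa") + field(b"\x01\x00\x01") + field(b"\x00" + n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed-example"
```

Call check_public_key_line() on the text copied from PuTTYgen; a ValueError means the paste is not what the portal expects.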
Attaching the Private Key to the PuTTY Profile
Launch PuTTY again and load the profile of the server you want to connect to.
Expand the SSH menu on the left and then expand the Auth menu under that. Click on the browse button and navigate to the directory where you saved the private key you just exported in the last step.
Select it and then click back on the Session link on the left. Click the Save button to store this information in the profile for future use. Now click on the Open button to test your connection to the server.
Enter your username and when you hit enter, you should be logged into the system without having to enter your password. You're done! This is a one-time setup process, so now when you go to connect to the server, you only need to load the profile and click Open. If you want to set up any additional CCR servers to log in with your SSH key, you only need to do the previous step where you attach your private key to the profile for that server. If you entered a key passphrase, you will be prompted for that here.
Using the Pageant tool for key & passphrase storage (optional)
You can set up PuTTY to safely store the private key passphrase so you only enter it once. The PuTTY authentication agent (Pageant) should already be running on your system. You'll see it in the system tray (bottom right corner of your screen). Double click on it to open the GUI. NOTE: If it's not running, find where you saved the PuTTY executables and open it from there.
This will show you any keys you've already loaded and used to connect to a server. To add a new key, click the Add Key button and navigate to where your private key is stored. If you've associated a passphrase with it, you'll be prompted to enter it. This info is stored until the Pageant tool is stopped (i.e. when you shut down or reboot your computer). Then all keys and info are forgotten and you'll have to add everything again the next time the software is started.
Create a desktop shortcut and right click on it, choosing Properties. Under Target you will find the path to the Pageant executable. You should add the location of your private key to that line and click OK. If your executable is located in C:\pageant.exe and your private key is located in C:\Users\me\private_key.pem then the entry in the Target window would be:
Now when you double click on the Pageant shortcut, Pageant will start, load your private key and ask for your passphrase.