macOS includes a pre-installed OpenSSH client.
For Linux, please refer to the manual for your distribution. The most common ways are, on Debian/Ubuntu:

Code Block
sudo apt-get install openssh-client

or on CentOS/Fedora

Code Block
sudo yum install openssh-clients

Generate an SSH key pair

  1. You should generate either an "RSA" or an "Ed25519" key. "RSA" keys give you the greatest portability, while "Ed25519" gives you the best security but requires recent versions of the client and server.

  2. Run the following commands in the terminal emulator (Terminal.app, gnome-terminal, konsole) to generate an SSH key pair:

    • Create .ssh directory:

      Code Block
      test -d "$HOME/.ssh" || mkdir "$HOME/.ssh"
    • Change its permissions:

      Code Block
      chmod 0700 "$HOME/.ssh"
    • Generate a private key (replace "test-key" with your chosen filename and "username@physics.mcgill.ca" with your email address):
      For "RSA":

      Code Block
      ssh-keygen -t rsa -b 4096 -f "$HOME/.ssh/test-key" -C "username@physics.mcgill.ca"

      For "Ed25519":

      Code Block
      ssh-keygen -t ed25519 -f "$HOME/.ssh/test-key" -C "username@physics.mcgill.ca"
    • Enter your chosen passphrase when prompted for it. Do not set a blank passphrase!

  1. Now it is time to add the new SSH public key to your physics account (replace "test-key" with the name of your key).

    • If you are using a department computer: bring the file $HOME/.ssh/test-key.pub on a USB stick and run

      Code Block
      test -d ~/.ssh || mkdir ~/.ssh; chmod 0700 ~/.ssh; cat /path/to/test-key.pub >> ~/.ssh/authorized_keys
    • If you are working remotely: send the file $HOME/.ssh/test-key.pub to science.it@.mcgill.ca.

  2. Test the connection with your new key.

    • Create .ssh/socket directory: mkdir $HOME/.ssh/socket

    • Change its permissions: chmod 0700 $HOME/.ssh/socket

    • Create the file $HOME/.ssh/config: vi $HOME/.ssh/config or nano $HOME/.ssh/config

    • Add the following content to this file (replace "*.physics.mcgill.ca" with "*.meteo.mcgill.ca" or "*.cs.mcgill.ca" depending on your department, "test-key" with the name of your key and "username" with your physics/aos/cs username):

For macOS:

Code Block
Host *.physics.mcgill.ca
  User username
  PreferredAuthentications publickey,password
  IdentityFile ~/.ssh/test-key
  IdentitiesOnly yes
  AddKeysToAgent yes
  ForwardAgent yes
  HashKnownHosts yes
  Compression yes
  Port 22
  Protocol 2
  ServerAliveInterval 60
  ServerAliveCountMax 10
  ControlPath ~/.ssh/socket/%h-%p-%r
  ControlMaster auto
  UseKeychain yes

For Linux:

Code Block
Host *.physics.mcgill.ca
  User username
  PreferredAuthentications publickey,password
  IdentityFile ~/.ssh/test-key
  IdentitiesOnly yes
  AddKeysToAgent yes
  ForwardAgent yes
  HashKnownHosts yes
  Compression yes
  Port 22
  Protocol 2
  ServerAliveInterval 60
  ServerAliveCountMax 10
  ControlPath ~/.ssh/socket/%h-%p-%r
  ControlMaster auto
  
  • Save and close this file

  • Connect to one of our department jump hosts:

  • You will be prompted for the passphrase of your ssh private key
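
The checks this procedure implies (0700 directories, a 0600 private key, a non-empty passphrase, and agent forwarding limited to the department host pattern) can be scripted. The following is an added example, not part of the original instructions; the function names and finding labels are hypothetical, and the config parser handles only plain "Keyword value" lines.

```bash
#!/usr/bin/env bash
# Added example: audit the files created by the steps above (not department tooling).

# Octal permission bits: GNU stat (Linux) first, BSD stat (macOS) as fallback.
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# check_mode PATH MODE: print a finding and fail when PATH is missing or its mode differs.
check_mode() {
  [ -e "$1" ] || { echo "MISSING $1"; return 1; }
  cm_mode=$(mode_of "$1")
  [ "$cm_mode" = "$2" ] || { echo "BAD-MODE $1 is $cm_mode, expected $2"; return 1; }
}

# has_passphrase KEY: "ssh-keygen -y" can derive the public key with an empty
# passphrase (-P "") only when the private key is stored unencrypted.
# Assumes KEY is a valid private key with mode 600 (ssh-keygen rejects looser modes).
has_passphrase() { ! ssh-keygen -y -P "" -f "$1" </dev/null >/dev/null 2>&1; }

# forwarding_patterns CONFIG: print every Host pattern whose block sets "ForwardAgent yes".
# Options that appear before the first Host line apply to every host, reported as "*".
forwarding_patterns() {
  awk 'BEGIN { n = 1; pat[1] = "*" }
       tolower($1) == "host"  { n = 0; for (i = 2; i <= NF; i++) pat[++n] = $i; next }
       tolower($1) == "match" { n = 1; pat[1] = "(Match block)"; next }
       tolower($1) == "forwardagent" && tolower($2) == "yes" { for (i = 1; i <= n; i++) print pat[i] }' "$1"
}

# audit_ssh_setup DIR KEYNAME: returns 0 when nothing is flagged.
audit_ssh_setup() {
  as_rc=0
  check_mode "$1" 700 || as_rc=1
  check_mode "$1/socket" 700 || as_rc=1
  if check_mode "$1/$2" 600; then
    has_passphrase "$1/$2" || { echo "NO-PASSPHRASE $1/$2"; as_rc=1; }
  else
    as_rc=1
  fi
  if [ -f "$1/config" ] && forwarding_patterns "$1/config" | grep -qxF '*'; then
    echo "WIDE-FORWARD ForwardAgent yes applies to every host"; as_rc=1
  fi
  return $as_rc
}

# Usage: bash audit.sh test-key
if [ $# -gt 0 ]; then audit_ssh_setup "$HOME/.ssh" "$1"; fi
```

With the configuration shown above, forwarding_patterns prints only the department pattern, so the agent is never forwarded to hosts outside it.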


Using ssh-agent

  1. The SSH agent allows a user to enter the passphrase that unlocks their SSH keys once, at the start of a session.

  2. macOS has ssh-agent pre-configured and unlocked upon logon. You can test it by running

    Code Block
     ssh-add -l

    Since we added "UseKeychain yes" to the SSH configuration file, no further configuration is required. macOS will handle key unlocking automatically.

  3. Linux distributions take different approaches to running ssh-agent. It could be handled by GNOME Keyring, KDE Wallet or a bash script. Below we describe the most generic way to start ssh-agent on logon.

    • Check if ssh-agent is already running:

      Code Block
      ssh-add -l
    • If you see "The agent has no identities." or even an unlocked key, no further configuration is required.

    • If the message says "Could not open a connection to your authentication agent.", add the following to the end of the file $HOME/.profile:

      Code Block
      # Use named socket instead of randomly named file
      export SSH_AUTH_SOCK="$HOME/.ssh/ssh-agent.sock"
      
      # Check whether ssh-agent is already running
      ssh-add -l 2>/dev/null >/dev/null
      
      # Exit status 2 or higher means no agent was found: start one
      if [ $? -ge 2 ]; then
        rm -f "$SSH_AUTH_SOCK" >/dev/null
        ssh-agent -a "$SSH_AUTH_SOCK" >/dev/null
      fi
    • Run source $HOME/.profile to apply changes.

  1. Now it is time to add your SSH private key to ssh-agent. Depending on your settings, you should do it on each logon or only once.

    • Check ssh-agent for loaded keys:

      Code Block
      ssh-add -l
    • Add your key to ssh-agent (replace "test-key" with the name of your key):

      Code Block
      ssh-add "$HOME/.ssh/test-key"
    • You will be prompted for the passphrase of your ssh private key

    • Check ssh-agent again:

      Code Block
      ssh-add -l
    • Now you should be able to connect to the chosen portal without any prompts.
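
The check-then-add steps above can be made idempotent, so the passphrase prompt appears only when the key is not yet in the agent. This is an added example, not part of the original instructions; the function names are hypothetical, and it relies on the same "ssh-add -l" exit statuses as the .profile snippet (0 = keys loaded, 1 = agent empty, 2 or higher = no agent).

```bash
#!/usr/bin/env bash
# Added example: load a key into ssh-agent only if it is not already there.

# agent_state: classify the agent from the exit status of "ssh-add -l".
agent_state() {
  ssh-add -l >/dev/null 2>&1
  case $? in
    0) echo keys ;;       # at least one identity is loaded
    1) echo empty ;;      # agent reachable, no identities
    *) echo no-agent ;;   # 2 or higher: nothing listening on $SSH_AUTH_SOCK
  esac
}

# fingerprint_of PUBKEY: second field of "ssh-keygen -lf", e.g. SHA256:...
fingerprint_of() { ssh-keygen -lf "$1" | awk '{ print $2 }'; }

# listing_has LISTING FINGERPRINT: succeed when the "ssh-add -l" output in LISTING
# contains FINGERPRINT. An empty fingerprint never matches.
listing_has() {
  printf '%s\n' "$1" |
    awk -v fp="$2" 'fp != "" && $2 == fp { found = 1 } END { exit !found }'
}

# ensure_key_loaded PRIVATE_KEY: expects PRIVATE_KEY.pub next to the private key.
# Returns 2 without prompting when no agent is reachable.
ensure_key_loaded() {
  case $(agent_state) in
    no-agent)
      echo "no ssh-agent reachable on ${SSH_AUTH_SOCK:-<unset>}" >&2
      return 2 ;;
    keys)
      listing_has "$(ssh-add -l)" "$(fingerprint_of "$1.pub")" && return 0 ;;
  esac
  ssh-add "$1"   # prompts for the passphrase of the private key
}

# Usage: bash load-key.sh test-key
if [ $# -gt 0 ]; then ensure_key_loaded "$HOME/.ssh/$1"; fi
```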
