macOS includes a pre-installed OpenSSH client.
For Linux, please refer to the manual for your distribution. The most common ways are, on Debian/Ubuntu:

sudo apt-get install openssh-client

or on CentOS/Fedora:

sudo yum install openssh-clients

Generate an SSH key pair

  1. You should generate either an "RSA" or an "Ed25519" key. "RSA" keys will give you the greatest portability, while "Ed25519" will give you the best security but requires recent versions of client & server.

  2. Run the following commands in the terminal emulator (Terminal.app, gnome-terminal, konsole) to generate an SSH key pair:

    • Create .ssh directory:

      test -d $HOME/.ssh || mkdir $HOME/.ssh
    • Change its permissions:

      chmod 0700 $HOME/.ssh
    • Generate a private key (replace "test-key" with your chosen filename and "username@physics.mcgill.ca" with your email address):
      For "RSA":

      ssh-keygen -t rsa -b 4096 -f "$HOME/.ssh/test-key" -C "username@physics.mcgill.ca"

      For "Ed25519":

       ssh-keygen -t ed25519 -f "$HOME/.ssh/test-key" -C "username@physics.mcgill.ca"
    • Enter your chosen passphrase when you are prompted for it. Do not set a blank passphrase!

  1. Now it is time to add the new SSH public key to your physics account (replace "test-key" with the name of your key).

    • If you are using a department computer: bring the file $HOME/.ssh/test-key.pub on a USB stick and run

      test -d ~/.ssh || mkdir ~/.ssh; chmod 0700 ~/.ssh; cat /path/to/test-key.pub >> ~/.ssh/authorized_keys
    • If you are working remotely: send the file $HOME/.ssh/test-key.pub to science.it@.mcgill.ca.

  2. Test the connection with your new key.

    • Create .ssh/socket directory: mkdir $HOME/.ssh/socket

    • Change its permissions: chmod 0700 $HOME/.ssh/socket

    • Create the file $HOME/.ssh/config: vi $HOME/.ssh/config or nano $HOME/.ssh/config

    • Add the following content to this file (replace "test-key" with the name of your key and "username" with your physics username):

For macOS:

Host *.physics.mcgill.ca
  User username
  PreferredAuthentications publickey,password
  IdentityFile ~/.ssh/test-key
  IdentitiesOnly yes
  AddKeysToAgent yes
  ForwardAgent yes
  HashKnownHosts yes
  Compression yes
  Port 22
  Protocol 2
  ServerAliveInterval 60
  ServerAliveCountMax 10
  ControlPath ~/.ssh/socket/%h-%p-%r
  ControlMaster auto
  UseKeychain yes

For Linux:

Host *.physics.mcgill.ca
  User username
  PreferredAuthentications publickey,password
  IdentityFile ~/.ssh/test-key
  IdentitiesOnly yes
  AddKeysToAgent yes
  ForwardAgent yes
  HashKnownHosts yes
  Compression yes
  Port 22
  Protocol 2
  ServerAliveInterval 60
  ServerAliveCountMax 10
  ControlPath ~/.ssh/socket/%h-%p-%r
  ControlMaster auto
  
  • Save and close this file

  • Connect to one of our department jump hosts:

  • You will be prompted for the passphrase of your ssh private key
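
The following script is an added example, not part of the original page: it audits the directory, key and config file created in the steps above for loose permissions, a blank passphrase and agent forwarding. The function names mode_of and audit_ssh_dir are hypothetical; the blank-passphrase test assumes ssh-keygen is installed and is skipped otherwise.

```shell
#!/bin/sh
# Added example: audit the files created by the steps on this page.

# Portable octal mode: GNU/BusyBox stat uses -c, BSD/macOS stat uses -f.
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# audit_ssh_dir DIR KEYNAME
# Prints one line per finding; the return status is the number of findings.
audit_ssh_dir() {
  dir=$1 key=$2 findings=0
  flag() { echo "FINDING: $*"; findings=$((findings + 1)); }

  # The directories and the private key must grant nothing to group/other.
  for p in "$dir" "$dir/socket" "$dir/$key"; do
    [ -e "$p" ] || continue
    case "$(mode_of "$p")" in
      *00) ;;
      *) flag "$p is mode $(mode_of "$p"); clear the group/other bits" ;;
    esac
  done

  # Deriving the public key with an empty passphrase only succeeds when
  # the private key is stored unencrypted.
  if command -v ssh-keygen >/dev/null 2>&1 &&
     ssh-keygen -y -P '' -f "$dir/$key" </dev/null >/dev/null 2>&1; then
    flag "$dir/$key has a blank passphrase"
  fi

  if [ -f "$dir/config" ]; then
    # ssh refuses a config file that group or other can write to.
    case "$(mode_of "$dir/config")" in
      *[2367]?|*[2367]) flag "$dir/config is writable by group or other" ;;
    esac
    # A forwarded agent can be used by anyone with root on a matched host.
    if grep -Eiq '^[[:space:]]*ForwardAgent[[:space:]=]+yes' "$dir/config"; then
      flag "$dir/config enables ForwardAgent; limit it to hosts you trust"
    fi
  fi
  return "$findings"
}

# Usage: audit_ssh_dir "$HOME/.ssh" test-key
```

With the configuration shown on this page the script reports the ForwardAgent line, because the Host pattern applies it to every machine under physics.mcgill.ca.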


Using ssh-agent

  1. The SSH agent allows a user to enter the passphrase that unlocks their SSH keys once, at the start of a session.

  2. macOS has ssh-agent pre-configured and unlocked upon logon. You can test it by running

     ssh-add -l

    Since we added "UseKeychain yes" to the ssh configuration file, no further configuration is required. macOS will handle key unlocking automatically.

  3. Linux distributions differ in how they run ssh-agent. It could be handled by GNOME Keyring, KDE Wallet or a bash script. Below we describe the most generic way to start ssh-agent on logon.

    • Check if ssh-agent is already running:

      ssh-add -l
    • If you see "The agent has no identities." or even an unlocked key, no further configuration is required.

    • If the message says "Could not open a connection to your authentication agent.", add the following to the end of the file $HOME/.profile:

      # Use named socket instead of randomly named file
      export SSH_AUTH_SOCK="$HOME/.ssh/ssh-agent.sock"
      
      # Is an ssh-agent already reachable on this socket?
      ssh-add -l 2>/dev/null >/dev/null
      
      # If no ssh-agent found, run it
      if [ $? -ge 2 ]; then
        rm -f "$SSH_AUTH_SOCK" >/dev/null
        ssh-agent -a "$SSH_AUTH_SOCK" >/dev/null
      fi
                          
    • Run source $HOME/.profile to apply changes.

  1. Now it is time to add your SSH private key to ssh-agent. Depending on your settings, you should do it on each logon or only once.

    • Check ssh-agent for loaded keys:

      ssh-add -l
    • Add your key to ssh-agent (replace "test-key" with the name of your key):

      ssh-add $HOME/.ssh/test-key
    • You will be prompted for the passphrase of your ssh private key

    • Check ssh-agent again:

      ssh-add -l
    • Now you should be connected to the chosen portal without any prompts.
