Using SSH Keys

Table of Contents

General Information
Secure Management of SSH keys
Generating an SSH key pair
Setting up hosts to allow SSH key authentication
Connecting through gate.ucar.edu with SSH key forwarding
Connecting through gate.ucar.edu with SSH key and X forwarding

General Information

The NCAR gateway system, gate.ucar.edu, allows you to use ssh-agent to pass your SSH key securely through to hosts within the NCAR network. This means that you can configure your account on Lab hosts so that you can connect from authorized hosts, such as gate.ucar.edu, using SSH keys.

Secure Management of SSH keys

Your SSH key consists of two parts, a private identity key and a public identity key. Your private key is what you use to authorize an SSH connection, while your public key is what is installed on the hosts that you want to connect to.

It's very important to protect your private key from theft or unauthorized use. Your private key should only be readable by your own user id, and it should be protected with a passphrase. It is not wise to ever create a key without a passphrase. If you do and the key is stolen, it can be used to access any systems you have installed your public key on. Ideally, you would never store your private key on a multi-user system, but only on your private workstation. If you need to access your private key from a multi-user system, you should store it on a USB drive that you only mount while starting up ssh-agent.

When you use ssh-agent to manage your private key, the private key is stored in memory for the duration of your session. You should make sure to log out of that session when you are done with it. This purges your key from memory, preventing someone else from using it.
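The two properties the paragraphs above ask for, a private key readable only by its owner and a private key that is encrypted with a passphrase, can both be checked from a shell. The script below is an added example and is not part of the original page; the file name passed to it is whatever key you want to audit, and the ls-based permission check and the ssh-keygen -y -P '' probe are the checks it relies on.

```shell
#!/bin/sh
# Added example, not from the original page: audit a private key file for the
# two properties recommended above (owner-only permissions, passphrase set).

# key_perms_ok FILE -> returns 0 if group and other have no permission bits
key_perms_ok() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ -n "$mode" ] || return 1
    # The first character is the file type and characters 2-4 are the owner
    # bits; what remains after stripping four characters is group+other.
    case "${mode#????}" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# key_encryption_state FILE -> prints "encrypted", "plaintext" or "unknown"
key_encryption_state() {
    [ -r "$1" ] || { echo unknown; return 0; }
    command -v ssh-keygen >/dev/null 2>&1 || { echo unknown; return 0; }
    # -y derives the public key from the private one; -P '' offers an empty
    # passphrase, which succeeds only when the private key is stored
    # unencrypted. An encrypted key fails without prompting. (A corrupt or
    # non-key file also fails here and is therefore reported as encrypted.)
    if ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1; then
        echo plaintext
    else
        echo encrypted
    fi
}

# audit_key FILE -> 0 if both checks pass, 1 otherwise; findings go to stderr
audit_key() {
    rc=0
    if ! key_perms_ok "$1"; then
        echo "$1: group or other can access this private key (chmod 600)" >&2
        rc=1
    fi
    case $(key_encryption_state "$1") in
        plaintext) echo "$1: private key has no passphrase" >&2; rc=1 ;;
        unknown)   echo "$1: could not check passphrase (unreadable or no ssh-keygen)" >&2 ;;
    esac
    return $rc
}

# Example run (assumed key path): audit_key ~/.ssh/id_dsa
```

Run audit_key against each private key in ~/.ssh before loading it into ssh-agent; a key that fails either check should be fixed (chmod 600, or re-keyed with a passphrase) rather than used.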

Generating an SSH key pair

If you don't already have SSH keys, you will need to generate them. You want to generate DSA keys protected by passphrases.

      desktop [1] ssh-keygen -t dsa
      Generating public/private dsa key pair.
      Enter file in which to save the key (~username/.ssh/id_dsa): 
      Enter passphrase (empty for no passphrase): enter a nice long passphrase
      Enter same passphrase again: 
      Your identification has been saved in ~username/.ssh/id_dsa.
      Your public key has been saved in ~username/.ssh/id_dsa.pub.
      The key fingerprint is:
      46:a2:d2:a5:c3:ff:dd:12:54:ad:8a:98:b2:a2:9b:5d wombat@myworkstationhome

      desktop [2] cd ~/.ssh
      desktop [3] cp id_dsa.pub my_keys
      
id_dsa contains the private identity; this file should only be readable by the user.
id_dsa.pub contains the public identity.

Setting up hosts to allow SSH key authentication

You need to install your public key on one of the hosts in the Lab. You only need to do this on one host. If your workstation is part of the NCAR network, you can simply scp your my_keys file to one of the Lab hosts.

      [1] scp my_keys breeze.scd.ucar.edu:.ssh/
      [2] ssh breeze.scd.ucar.edu
      [3] cd .ssh
      [4] cat my_keys >> authorized_keys2
      

If your workstation is not part of the NCAR network, you will need to log in to one of the Lab hosts and scp your my_keys file from your workstation. If you can't pull the file, you can cut and paste the key from a window on your workstation.
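The cat my_keys >> authorized_keys2 step above appends blindly: running it twice leaves duplicate entries, and it does nothing about the permissions sshd checks before it will honour the file. The function below is an added example, not part of the original page, that does the same installation idempotently. It takes the authorized-keys path as an argument because this page's hosts use the older authorized_keys2 name while current OpenSSH reads authorized_keys; the optional from= pattern, which restricts the key to connections from named hosts such as gate.ucar.edu, is an assumption about how the reader wants to limit the key, not something the page requires.

```shell
#!/bin/sh
# Added example, not from the original page: install a public key into an
# authorized_keys(2) file without duplicates and with sshd-friendly permissions.

# install_pubkey PUBKEY_FILE AUTHORIZED_KEYS_FILE [FROM_PATTERN]
#   Appends every key line from PUBKEY_FILE that is not already present in
#   AUTHORIZED_KEYS_FILE. If FROM_PATTERN is given, each key is prefixed with a
#   from="PATTERN" option so sshd only accepts it from matching hosts.
#   Prints the number of keys added; returns 1 on an unreadable input file.
install_pubkey() {
    pub=$1; auth=$2; from=${3:-}
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }
    dir=$(dirname "$auth")
    # sshd (with StrictModes, the default) refuses keys from a world- or
    # group-writable ~/.ssh or authorized_keys file, so fix the modes up front.
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    added=0
    # The "|| [ -n "$line" ]" keeps a final line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac   # skip blanks and comments
        if [ -n "$from" ]; then
            line="from=\"$from\" $line"
        fi
        # -F: literal match, -x: whole line, -q: quiet; skip exact duplicates
        if ! grep -Fxq -- "$line" "$auth"; then
            printf '%s\n' "$line" >> "$auth"
            added=$((added + 1))
        fi
    done < "$pub"
    echo "$added"
}

# Example run on a Lab host (paths assumed):
#   install_pubkey ~/my_keys ~/.ssh/authorized_keys2 gate.ucar.edu
```

Because the duplicate check compares whole lines, the same public key installed once without and once with a from= restriction produces two entries; that is intentional, since the two lines grant different access, and it is worth reviewing the file afterwards so the unrestricted line is the one you actually meant to keep.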

Connecting through gate.ucar.edu with SSH key forwarding

Open a shell window on your desktop machine. Start ssh-agent and add your key to the agent. You can then log in to the machine you've installed your key on from this window without typing your passphrase.

      desktop [1] ssh-agent tcsh
      desktop [2] ssh-add 
      desktop [3] ssh -A gate.ucar.edu
      CryptoCard Challenge "34219310": enter your code here
      UCAR SSH Proxy (? for help)> breeze.scd.ucar.edu
      breeze [1]
      

NOTE: This example uses tcsh as the agent shell. You may use whatever shell you are used to working in.
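The sessions above (this one and the X forwarding variant that follows) leave the decrypted key in the agent until you remember to log out, which is the point the Secure Management section warns about. The function below is an added example, not part of the original page, that wraps a single command such as the ssh -A login in a throwaway agent: the key is loaded with a lifetime and the agent is emptied and killed as soon as the command returns. It uses sh rather than the page's tcsh; the key path and lifetime in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: run one command inside a private
# ssh-agent that is destroyed when the command exits.

# with_agent KEYFILE LIFETIME_SECONDS CMD [ARGS...]
#   Starts a new agent, loads KEYFILE for at most LIFETIME_SECONDS (ssh-add -t),
#   runs CMD with SSH_AUTH_SOCK pointing at that agent, then removes all
#   identities (ssh-add -D) and kills the agent (ssh-agent -k).
#   Returns CMD's exit status.
with_agent() {
    key=$1; lifetime=$2; shift 2
    # ssh-agent -s prints sh-style assignments for SSH_AUTH_SOCK/SSH_AGENT_PID
    eval "$(ssh-agent -s)" >/dev/null || return 1
    # ssh-add prompts for the passphrase on the terminal. The lifetime bounds
    # how long the decrypted key stays usable even if this shell is left open.
    if ! ssh-add -t "$lifetime" "$key" 2>/dev/null; then
        echo "warning: could not load $key into the agent" >&2
    fi
    "$@"
    rc=$?
    ssh-add -D >/dev/null 2>&1    # forget every identity the agent holds
    ssh-agent -k >/dev/null 2>&1  # kill the agent identified by SSH_AGENT_PID
    unset SSH_AUTH_SOCK SSH_AGENT_PID
    return $rc
}

# Typical use, mirroring the session above (assumed key path, one-hour limit):
#   with_agent ~/.ssh/id_dsa 3600 ssh -A gate.ucar.edu
# Add -X to the ssh command when X forwarding is needed as well.
```

Agent forwarding (-A) lets every host you pass through, including gate.ucar.edu, use your key for as long as the connection is up, so the bounded lifetime matters. Where ssh-askpass is available, adding -c to the ssh-add call makes the agent ask for confirmation on each use of the key, which further limits what an intermediate host can do with the forwarded agent.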

Connecting through gate.ucar.edu with SSH key and X forwarding

If you need to forward X windows connections also, you will need to add the -X option to your ssh command.

      desktop [1] ssh-agent tcsh
      desktop [2] ssh-add
      desktop [3] ssh -X -A gate.ucar.edu
      CryptoCard Challenge "34219310": enter your code here
      UCAR SSH Proxy (? for help)> breeze.scd.ucar.edu
      breeze [1]
      

NOTE: This example uses tcsh as the agent shell. You may use whatever shell you are used to working in.