Goals:

  1. Provide users with information on what an SSH Key is, how it works, and the benefits of using one.

  2. Explain recommended best practices for SSH key security.

  3. Walk new users through an example setting up SSH keys to authenticate to ARCC HPC clusters.

  4. Guide users to the locations of step-by-step instructions for configuring an SSH key specific to their device, OS, and client application.

...

What are SSH Keys?

Every HPC user at ARCC has an option for private identity keys on each system they have access to. These are private keys associated with that user’s identity on an ARCC HPC cluster. On our systems, the user also has a certificate associated with their private identity key.

...

Warning

Warning: Please be careful with these files. Do not change their permissions, put them in an insecure digital location, or share them with others. They are your “virtual keys” to log in as yourself on the HPC. If provided to or shared with others, they will be able to log into that ARCC HPC resource as you.

...

Benefits of using an SSH Key for HPC Authentication

  • Improved Security

    • One of the main benefits of SSH Key Authentication is improved security of privileged accounts. When using private keys to authenticate, users do not need to transmit their username and password information over the network. Because private keys are kept on your local machine, they are less vulnerable to interception and attack.

    • Systems configured to accept only SSH Key Authentication are more secure because they address several classes of vulnerability at once. A common model for authentication is “Something you know, something you have, something you are”. Ideally, when encrypted with a passphrase, an SSH key covers 2 of the 3, with the passphrase covering something you know and the private key covering something you have. On some devices, you can also decrypt the key files with “something you are”, such as a fingerprint or other biometric scanner.

  • Improved Access Control

    • SSH keys control access to HPC resources by restricting access only to authorized users with corresponding private keys. Each user is provided a unique key associated with their identity and permissions on the system.

    • This makes it easier to revoke access for any compromised user without requiring password changes, while still allowing all other existing users to authenticate normally.

  • Convenience

    • SSH keys are often more convenient and increase user productivity when used and configured appropriately. We recommend encrypting keys with a unique passphrase.

    • Tools like ssh-agent can hold keys in memory and make them available to the ssh client, which saves users from needing to enter their key passphrase repeatedly and reduces the likelihood of failed authentication when repeatedly entering passwords.

  • Automation

    • SSH keys may be used in scripts and automation tools to automate tasks that would require logging into the remote server or HPC. This can make activities on the HPC easier and reduce the risks associated with password exposure.

...

Creating a new key

[Excerpt “General Setup Instructions” from the page “Setting Up Password-Free SSH Authentication”]

...

SSH Key Management and Security

When you set up your SSH key on your device, please follow best practices:

  • Don’t share your SSH key with others

  • Encrypt your private key files with a passphrase

  • Set up SSH keys with appropriate permissions

  • Do not set up SSH keys on shared devices

  • If a device storing your SSH keys becomes compromised, use a different, uncompromised device to log into OnDemand. Go to the SSH Key Manager application to revoke your old key and create a new one. If you need assistance, please contact arcc-help@uwyo.edu immediately.
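The following is an added example, not part of ARCC's documentation, that checks two of the practices above on a local private key file: restrictive permissions and passphrase encryption. It assumes "appropriate permissions" means mode 600 (the OpenSSH client refuses private keys that other users can access), and the function names and the sample key are constructed for illustration.

```python
import base64, binascii, os, stat, struct, tempfile

MAGIC = b"openssh-key-v1\x00"  # prefix of the decoded OpenSSH private key blob

def key_encryption(text):
    """Classify private key text as 'encrypted', 'unencrypted' or 'unknown'."""
    lines = [l.strip() for l in text.strip().splitlines()]
    header = lines[0] if lines else ""
    if not header.startswith("-----BEGIN "):
        return "unknown"
    if "ENCRYPTED PRIVATE KEY" in header:  # PKCS#8, always passphrase-protected
        return "encrypted"
    if "OPENSSH PRIVATE KEY" in header:
        try:  # blob = MAGIC, then a length-prefixed cipher name ("none" = plaintext)
            blob = base64.b64decode("".join(lines[1:-1]))
            (n,) = struct.unpack(">I", blob[len(MAGIC):len(MAGIC) + 4])
        except (binascii.Error, struct.error):
            return "unknown"
        if not blob.startswith(MAGIC):
            return "unknown"
        cipher = blob[len(MAGIC) + 4:len(MAGIC) + 4 + n]
        return "unencrypted" if cipher == b"none" else "encrypted"
    if any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines):
        return "encrypted"  # legacy PEM marks encryption in a header line
    return "unencrypted" if "PRIVATE KEY" in header else "unknown"

def audit_key(path):
    """Return findings for one private key file; an empty list means it passes."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other permission bit is set
        findings.append(f"mode {mode:03o}: accessible by group/others, expected 600")
    with open(path, "r", errors="replace") as fh:
        state = key_encryption(fh.read())
    if state != "encrypted":
        findings.append(f"passphrase protection: {state}")
    return findings

def sample_key(cipher, kdf):
    """Constructed header-only blob for the demo; not a usable key."""
    s = lambda b: struct.pack(">I", len(b)) + b
    blob = base64.b64encode(MAGIC + s(cipher) + s(kdf) + s(b"")).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{blob}\n-----END OPENSSH PRIVATE KEY-----\n"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "id_demo")  # constructed demo file
        with open(path, "w") as fh:
            fh.write(sample_key(b"none", b"none"))
        os.chmod(path, 0o644)
        print(audit_key(path))  # reports both the mode and the missing passphrase
```

To check a real key, call `audit_key()` with the path to the private key file on your own device; the script only reads the file header and never needs the passphrase.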

...

Client Configuration

After creating and downloading your Personal SSH Identity Keys, you must set them up on the system from which you will be logging into the cluster. If you set up an SSH key on a computer, that computer should be one that belongs to you or that only you have access to. You should not set up your private SSH keys on a shared device or workstation, since other users could gain access to the remote HPC cluster with your credentials if they had access to the keys. As mentioned in the previous section, SSH key access should be limited only to the individual user being granted SSH access.

Client configuration is dependent on the device and OS from which you’ll be accessing the HPC using SSH.