Versions Compared

Old Version 1

changes.mady.by.user Lisa Stafford

Saved on

compared with

New Version Current

changes.mady.by.user Lisa Stafford

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Goals:

  1. To provide users with information on best security practices for SSH keys

  2. Provide step by step instructions for users to manage their SSH keys in the HPC Key Management Application.

    1. This includes Revocation, regenerating, and reconfigure keys on different devices.

...

Table of Contents
minLevel1
maxLevel6
outlinefalse
stylenone
typelist
printabletrue

...

When to revoke and regenerate your SSH keys

At some point, it may be necessary to revoke your old SSH key and create a new one. Situations that may require revoking your old ssh keys and creating new keys include:

  1. Device compromise:

    1. A device upon which you store your ssh key files has been compromised, due to malware, malicious actors gaining access to log in as you on your device, or malicious actors gaining access to data stored on your device.

  2. Data compromise:

    1. Your key files were copied or accessed by someone other than yourself

    2. You backed up your key files to a location outside your device that was subject to a compromise

  3. Following good security practices:

    1. It is recommended that ssh keys be rotated as part of a remediation process to ensure any keys that may have been compromised since their initial generation cease to be usable. ARCC recommends rotating your keys every 6 months (similar to requiring password changes at regular intervals).

...

Using SSH Key Manager to revoke and regenerate SSH keys

Note: if you are revoking and regenerating your ssh keys due to a compromise, you must perform the following steps on a different, uncompromised device

  1. Open a new browser window and go to the OnDemand URL (3rd column in table below) for the HPC in which you’d like to revoke and regenerate your keys

  2. Log in per directions on the linked wiki page (right-most column) associated with the HPC cluster in which you would like to regenerate keys

Insert excerpt
DOCUMENTAT:Open OnDemand: Access HPC with a Web BrowserDOCUMENTAT:
Open OnDemand: Access HPC with a Web Browser
nameOnDemand Service List
nopaneltrue

...

Click the download button. This will download your new key files to the local device from you’re currently accessing OnDemand.

...

...

Replacing SSH Keys on your Device

Before configuring your new ssh keys on your devices (usually this is your main workstation or laptop) you must remove your old keys.
As always, ARCC recommends only setting up SSH authentication keys on devices you have sole access to, and not on shared devices. If you do set up an ssh key for authentication on a shared device, only do so on computers where individuals log into separate, individual profiles on the computer. If you’re not sure how to determine this, contact arcc-help@uwyo.edu

Expand the section associated with your specific device OS and follow directions to remove your old SSH keys before replacing them with your new keys.

On a Windows PC

Expand
titleRemoving SSH Keys on a Windows PC

The standard location for ssh key files on a windows system are in your personal User directory in a hidden subfolder named .ssh. On a normal windows PC, this would be under C:\Users\<your_username>\.ssh\. If you have configured your keys using a non-standard key location, it is your responsibility to be aware of this location.

  1. Open file explorer (By hitting your windows key + E, or clicking the file explorer icon fileexplorericon.png from your start menu or taskbar)

  2. Browse to the directory in which your key files are stored

  3. Delete the following files:

    1. id_ecdsa

    2. id_ecdsa.pub

    3. id_edcsa-cert

Note: we have found that Microsoft sometimes categorizes file types incorrectly. The public key and cert files may be categorized incorrectly as a Microsoft Publisher file and icon. This is ok.

  1. Once your old key files have been deleted, you may configure your new keys. Follow the remaining directions here to configure your new keys on your Windows PC

On a Mac

Expand
titleRemoving SSH Keys on a Mac

The standard location for ssh key files on a Mac OS computer are in your personal /home directory in a hidden subfolder named .ssh. On most Macs, this would be under /Users/<your_name_on_mac>/.ssh/. If you have configured your keys using a non-standard key location, it is your responsibility to be aware of this location.

  1. Open your terminal ( or hit keys)

  2. If your SSH keys are stored in the standard location, change directories to your .ssh directory for your user account on the Mac with the following command: cd ~/.ssh otherwise cd to the directory in which your keys are stored.

  3. Remove your old keys using the rm command: rm id_ecdsa id_ecdsa-cert.pub id_ecdsa.pub

  4. Once your old key files have been deleted, you copy over and configure your new keys as described in the linked instructions here.

On a Linux PC

Expand
titleRemoving SSH Keys on a Linux Computer

The standard location for ssh key files on a Linux OS computer are in your personal /home directory in a hidden subfolder named .ssh. On most Linux machines, this would be under /home/<your_username>/.ssh/. If you have configured your keys using a non-standard key location, it is your responsibility to be aware of this location.

  1. Open your choice of command line interface (shell, terminal, console, prompt, etc)

  2. If your SSH keys are stored in the standard location, change directories to your .ssh directory for your home on the PC with the following command: cd ~/.ssh otherwise cd to the directory in which your keys are stored.

  3. Remove your old keys using the rm command: rm id_ecdsa id_ecdsa-cert.pub id_ecdsa.pub

  4. Once your old key files have been deleted, you copy over and configure your new keys as described in the linked instructions here.

...

Next Steps

Previous

SSH Keys for Authentication

Workshop Home

Intro to Accessing the Cluster

Next 

Intro to an ARCC HPC