Goals:
Provide users with information on what an SSH Key is, how it works, and the benefits of using one.
Explain recommended best practices for SSH key security.
Walk new users through an example setting up SSH keys to authenticate to ARCC HPC clusters.
Guide users to the locations of step-by-step instructions for configuring an SSH key specific to their device, OS, and client application.
...
What are SSH Keys?
Every HPC user at ARCC has an option for private identity keys on each system they have access to. These are private keys associated with that user’s identity on an ARCC HPC cluster. On our systems, the user also has a certificate associated with their private identity key.
...
Warning: Please be careful with these files. Do not change their permissions, put them in an insecure digital location, or share them with others. They are your “virtual keys” to log in as yourself on the HPC. If these files are provided to or shared with others, those people will be able to log into that ARCC HPC resource as you.
...
Benefits of using an SSH Key for HPC Authentication
Improved Security
When using private keys to authenticate, users do not need to transmit their username and password information over the network. Because private keys are kept on your local machine, they are less vulnerable to interception and attack.
Remote systems configured to only accept SSH Key Authentication are more secure than authenticating with a username and password alone. Secure environments should require authentication using “something you know, something you have, something you are”. Ideally, when encrypted with a passphrase, an SSH key covers 2 of those 3 with the passphrase covering something you know, and the private key covering something you have. On some devices, you may have the option to replace a passphrase with “something you are” such as a fingerprint or other biometric scanner to decrypt your key files.
Improved Access Control
SSH keys control access to HPC resources by restricting access only to authorized users with corresponding private keys. Each user is provided a unique key associated with their identity and permissions on the system.
This makes it easier to revoke access for a compromised user without requiring password changes, while all other existing users continue to authenticate normally.
Convenience
Once configured appropriately, SSH keys are often more convenient and increase user productivity. For security, and as part of an appropriate configuration, we recommend always encrypting keys with a unique passphrase.
Tools like ssh-agent can hold keys in memory and make them available to the SSH client. This saves users from entering their key passphrase repeatedly and reduces the likelihood of failed authentication from repeatedly typing passwords.
Automation
SSH keys may be used in scripts and automation tools to automate tasks that would require logging into the remote server or HPC. This can make activities on the HPC easier and reduces the risks associated with password exposure.
...
SSH Key Management and Security
When you set up your SSH key on your device, please follow these best practices:
Don’t share your SSH key with others
Encrypt your private key files with a passphrase
Set up SSH keys with appropriate permissions
Do not set up SSH keys on shared devices
If a device storing your SSH keys becomes compromised, use a different, uncompromised device to log into OnDemand. Go to the SSH Key Manager application to revoke your old key and create a new one. If you need assistance, please contact arcc-help@uwyo.edu immediately.
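The following check is an added example, not ARCC's own tooling. It audits a private key file against two of the practices above: file permissions limited to the owner, and a passphrase on the key. The function names are hypothetical, POSIX file permissions are assumed, and the sample files are constructed stand-ins that contain only header fields.

```python
import base64, os, pathlib, stat, struct, tempfile
MAGIC = b"openssh-key-v1\x00"  # start of OpenSSH's own private key format

def key_is_encrypted(text):
    """True/False for a recognised private key file, None if unrecognised."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        return None
    if "OPENSSH PRIVATE KEY" in lines[0]:
        blob, off = base64.b64decode("".join(lines[1:-1])), len(MAGIC)
        if not blob.startswith(MAGIC) or len(blob) < off + 4:
            return None
        (n,) = struct.unpack(">I", blob[off:off + 4])
        return blob[off + 4:off + 4 + n] != b"none"  # cipher name field
    if "ENCRYPTED PRIVATE KEY" in lines[0]:  # PKCS#8, encrypted
        return True
    if "PRIVATE KEY" in lines[0]:  # legacy PEM marks encryption in a header
        return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines)
    return None

def audit_key(path):
    """List of findings for one key file; an empty list means it passed."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group or other permission bit is set
        findings.append("mode %o grants access beyond the owner" % mode)
    encrypted = key_is_encrypted(pathlib.Path(path).read_text(errors="replace"))
    if encrypted is not True:
        findings.append("no passphrase" if encrypted is False else "not a private key")
    return findings

def constructed_sample(cipher):
    """Constructed stand-in: header fields only, not a usable key."""
    body = base64.b64encode(MAGIC + struct.pack(">I", len(cipher)) + cipher)
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n"
            "-----END OPENSSH PRIVATE KEY-----\n" % body.decode())

def demo():  # audits two constructed files: one compliant, one breaking both rules
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, cipher, mode in (("good", b"aes256-ctr", 0o600), ("bad", b"none", 0o644)):
            path = pathlib.Path(d, name)
            path.write_text(constructed_sample(cipher))
            path.chmod(mode)
            results[name] = audit_key(path)
    return results

if __name__ == "__main__":
    print(demo())
```

To check a real key, call `audit_key()` with the path to the private key file on your own device; the file is only read, never modified.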
...
Creating a new key
...
Client Configuration
After creating and downloading your Personal SSH Identity Keys, the keys must be set up on the system from which you will be logging into the cluster. If you set up an SSH key on a computer, that computer should be one that belongs to you or that only you have access to. You should not set up your private SSH keys on a shared device or workstation, since other users with access to the keys could gain access to the remote HPC cluster with your credentials. As mentioned in the previous section, SSH key access should be limited to the individual user being granted SSH access.
Client configuration is dependent on the device and OS from which you’ll be accessing the HPC using SSH.
Windows specific instructions are available here
Mac specific instructions are available here
Linux specific instructions are available here
...