
Goals:

  1. To provide users with information on best security practices for SSH keys

  2. To provide step-by-step instructions for users to manage their SSH keys in the HPC Key Management Application.

    1. This includes revoking, regenerating, and reconfiguring keys on different devices.



When to revoke and regenerate your SSH keys

At some point, it may be necessary to revoke your old SSH key and create a new one. Situations that may require revoking your old SSH keys and creating new keys include:

  1. Device compromise:

    1. A device upon which you store your ssh key files has been compromised, due to malware, malicious actors gaining access to log in as you on your device, or malicious actors gaining access to data stored on your device.

  2. Data compromise:

    1. Your key files were copied or accessed by someone other than yourself

    2. You backed up your key files to a location outside your device that was subject to a compromise

  3. Following good security practices:

    1. It is recommended that ssh keys be rotated as part of a remediation process to ensure any keys that may have been compromised since their initial generation cease to be usable. ARCC recommends rotating your keys every 6 months (similar to requiring password changes at regular intervals).


Using SSH Key Manager to revoke and regenerate SSH keys

Note: If you are revoking and regenerating your SSH keys due to a compromise, you must perform the following steps on a different, uncompromised device.

  1. Open a new browser window and go to the OnDemand URL (3rd column in table below) for the HPC in which you’d like to revoke and regenerate your keys

  2. Log in per directions on the linked wiki page (right-most column) associated with the HPC cluster in which you would like to regenerate keys

To facilitate greater access and usability of our HPC services, UW ARCC has configured OnDemand for 3 of our HPC clusters:

  3. Once logged in, click on the SSH Key Manager application in the dashboard to manage your keys.

  4. This will bring up the key management screen. At the bottom is a list of any keys you’ve created previously. If you have revoked keys in the past, you will have a list of your prior keys (in gray) and your current key (in green). Otherwise, you will have only your current authentication key (highlighted in green).

  5. Click the red “Revoke” button associated with your current key (highlighted in green).

Your latest key will now turn from green to gray and should change status to “REVOKED”.

  6. Click the Generate New Key button.

You may receive a message asking if you’re sure you want to do this. Click Continue.

  7. A new key will be created, highlighted in green. This is your current SSH key set to authenticate into the HPC resource.

Click the download button. This will download your new key files to the local device from which you’re currently accessing OnDemand.

Replacing SSH Keys on your Device

Before configuring your new SSH keys on your devices (usually this is your main workstation or laptop), you must remove your old keys.
As always, ARCC recommends only setting up SSH authentication keys on devices you have sole access to, and not on shared devices. If you do set up an SSH key for authentication on a shared device, only do so on computers where individuals log into separate, individual profiles on the computer. If you’re not sure how to determine this, contact arcc-help@uwyo.edu.

Go to the section for your device's operating system and follow the directions to remove your old SSH keys before replacing them with your new keys.

On a Windows PC

 Removing SSH Keys on a Windows PC

The standard location for SSH key files on a Windows system is your personal User directory, in a hidden subfolder named .ssh. On a normal Windows PC, this would be under C:\Users\<your_username>\.ssh\. If you have configured your keys using a non-standard key location, it is your responsibility to be aware of this location.

  1. Open File Explorer (by pressing the Windows key + E, or by clicking the File Explorer icon in your Start menu or taskbar)

  2. Browse to the directory in which your key files are stored

  3. Delete the following files:

    1. id_ecdsa

    2. id_ecdsa.pub

    3. id_ecdsa-cert.pub

Note: we have found that Microsoft sometimes categorizes file types incorrectly. The public key and cert files may be categorized incorrectly as a Microsoft Publisher file and icon. This is ok.

  4. Once your old key files have been deleted, you may configure your new keys. Follow the remaining directions here to configure your new keys on your Windows PC

On a Mac

 Removing SSH Keys on a Mac

The standard location for SSH key files on a macOS computer is your personal home directory, in a hidden subfolder named .ssh. On most Macs, this would be under /Users/<your_name_on_mac>/.ssh/. If you have configured your keys using a non-standard key location, it is your responsibility to be aware of this location.

  1. Open your terminal ( or hit keys)

  2. If your SSH keys are stored in the standard location, change directories to your .ssh directory for your user account on the Mac with the following command: cd ~/.ssh (otherwise, cd to the directory in which your keys are stored).

  3. Remove your old keys using the rm command: rm id_ecdsa id_ecdsa-cert.pub id_ecdsa.pub

  4. Once your old key files have been deleted, you may copy over and configure your new keys as described in the linked instructions here.

On a Linux PC

 Removing SSH Keys on a Linux Computer

The standard location for SSH key files on a Linux computer is your personal /home directory, in a hidden subfolder named .ssh. On most Linux machines, this would be under /home/<your_username>/.ssh/. If you have configured your keys using a non-standard key location, it is your responsibility to be aware of this location.

  1. Open your choice of command line interface (shell, terminal, console, prompt, etc)

  2. If your SSH keys are stored in the standard location, change directories to your .ssh directory for your home on the PC with the following command: cd ~/.ssh (otherwise, cd to the directory in which your keys are stored).

  3. Remove your old keys using the rm command: rm id_ecdsa id_ecdsa-cert.pub id_ecdsa.pub

  4. Once your old key files have been deleted, you may copy over and configure your new keys as described in the linked instructions here.
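
The Mac and Linux removal steps above can be scripted as follows. This is an added example, not ARCC's own tooling; the function names remove_old_keys and stray_key_copies are hypothetical. It also drops the old key from a running ssh-agent, verifies that the three files are gone, and reports any other id_ecdsa* copies left in the directory.

```shell
#!/bin/sh
# Added example (not from the original page): remove the old key trio named
# in the steps above, then confirm it is really gone.

KEY_FILES="id_ecdsa id_ecdsa.pub id_ecdsa-cert.pub"

# stray_key_copies DIR: print anything else in DIR that looks like a copy of
# the old key (for example id_ecdsa.bak). Call it after remove_old_keys.
stray_key_copies() {
    for p in "${1:-$HOME/.ssh}"/id_ecdsa*; do
        [ -e "$p" ] || [ -L "$p" ] || continue
        echo "$p"
    done
}

# remove_old_keys DIR: returns 0 only if none of KEY_FILES remain in DIR.
remove_old_keys() {
    dir=${1:-$HOME/.ssh}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }

    # Deleting the file does not unload a key that ssh-agent already holds,
    # so drop it from the agent first (ssh-add -d takes the public key path).
    if [ -n "${SSH_AUTH_SOCK:-}" ] && [ -f "$dir/id_ecdsa.pub" ] &&
        command -v ssh-add >/dev/null 2>&1; then
        ssh-add -d "$dir/id_ecdsa.pub" >/dev/null 2>&1 || true
    fi

    for f in $KEY_FILES; do
        if [ -e "$dir/$f" ] || [ -L "$dir/$f" ]; then
            rm -f -- "$dir/$f" && echo "removed: $dir/$f"
        else
            echo "not present: $dir/$f"
        fi
    done

    # Verify rather than assume: fail if any of the three files survived.
    for f in $KEY_FILES; do
        if [ -e "$dir/$f" ] || [ -L "$dir/$f" ]; then return 1; fi
    done
    stray_key_copies "$dir" | sed 's/^/possible leftover copy: /' >&2
    return 0
}

# Usage: sh remove_old_keys.sh ~/.ssh
if [ "$#" -gt 0 ]; then remove_old_keys "$1"; fi
```

Other files in the directory, such as known_hosts or config, are left untouched.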
