Setting Up Password-Free SSH Keys on Windows Clients

Overview

This article explains how to set up a password-free SSH key for connecting to ARCC HPC clusters from a Windows client. Each key is associated with your identity, so you do not need to create a new key for every client you use to ssh into the HPC.

 

General Setup (not specific to any particular installed application)

  1. Assuming the files you downloaded from OnDemand were placed in your Downloads folder (C:/Users/<your_username_on_the_PC>/Downloads in this example), go into your Downloads folder, look for a file named with your uwyo username, and unzip it by right-clicking and choosing “Extract All”.

    This should create a new folder with your username.

  2. Check for a .ssh folder associated with your computer account. This should be located at C:/Users/<your_username_on_the_PC>/.ssh. (If your data is set to store on another drive, you may have a different drive letter in your path).

  3. If you do not have a .ssh folder under your Windows username, go to your start menu and search for command prompt. It should come up as the best match.

  4. Once it is open, type the following command into your command prompt: ssh-keygen
    then hit Enter/Return. This will generate a public/private rsa key pair (which we will be replacing) and create your .ssh folder with the appropriate permissions structure.

  5. Copy the files from the extracted folder into your .ssh folder. You will be asked if it’s ok to replace the current files in the folder. Say ‘yes’ to confirm overwriting these files.

  6. Test your access with the new key files by opening a new command prompt window and ssh’ing to the HPC with the following command, replacing <username> with your UWYO or ARCC HPC username and <clustername> with the HPC name: ssh <username>@<clustername>.arcc.uwyo.edu
    (As an example: ssh cowboyjoe@beartooth.arcc.uwyo.edu)

  7. If the key is configured correctly, you will be logged into the cluster without having to enter your password or complete two-factor authentication.

 

Troubleshooting your SSH Key Configuration on Windows

If you are unable to ssh to the cluster, or are still being prompted for your username and password, the above instructions haven’t worked. This is likely due to the permissions on your new key, and possibly the permissions on the folder that contains it.

Additional steps may be necessary. You can correct the ssh key issue from the command line, using either command prompt or PowerShell. These options should be attempted first. If the problem is not corrected through command prompt or PowerShell, use the steps for correcting it with the Windows GUI.

Option 1: Correcting Permissions using Command Prompt (cmd)

  1. Open an elevated command prompt

    1. Go to your start menu.

    2. In the search box type in: cmd

    3. Your first option under Best match should be a command prompt

    4. Right click this option and choose the option to “Run as administrator”

       

    5. Once opened enter the following command lines (one command per line in the order below). Each command should be followed by an enter/return to run them in order:

      Set Key="%UserProfile%\.ssh\id_ecdsa"
      Icacls %Key% /c /t /Inheritance:d
      Icacls %Key% /c /t /Grant %UserName%:F
      Icacls %Key% /c /t /Remove:g "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users
      Icacls %Key%
      set "Key="

Option 2: Correcting Key Permissions using PowerShell

  1. Open an elevated PowerShell window

    1. Go to your start menu.

    2. In the search box type in: powershell

    3. You should be presented with an option for Windows Powershell or Windows Powershell (x86)

    4. Right click the option and choose the option to “Run as administrator”

    5. Once opened enter the following command lines (one command per line in the order below). Each command should be followed by an enter/return to run them in order:

      New-Variable -Name Key -Value "$env:UserProfile\.ssh\id_rsa"
      Icacls $Key /c /t /Inheritance:d
      Icacls $Key /c /t /Grant ${env:UserName}:F
      TakeOwn /F $Key
      Icacls $Key /c /t /Grant:r ${env:UserName}:F
      Icacls $Key /c /t /Remove:g Administrator "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users
      Icacls $Key
      Remove-Variable -Name Key

       

 

Option 3: Correcting Permissions using Windows GUI (only to be used if the above solutions using command prompt and PowerShell fail):

The following instructions correct the permissions using the Windows GUI.

  1. Disable permission inheritance for the .ssh folder

    1. Go up to the folder containing your key and certificate files. (Usually this is C:\Users\<your_username_on_the_computer>\)

    2. Right click on the .ssh folder (or whichever folder contains your new key files).

    3. Choose Properties from the list of options in the menu (you may also select the .ssh folder so it is highlighted and hit Alt+Enter)

    4. This will bring up a Properties window for your folder.

    5. Click on the Security tab in the window then click the Advanced button.

    6. This will bring up a new window for the folder’s Advanced Security Settings. Ensure that the Permissions tab is selected, then click the button to disable inheritance.

  2. Convert your directory/folder permissions to explicit permissions.

    1. You will be prompted for how to handle the blocked inheritance. Choose the option to Convert inherited permissions into explicit permissions on the object.
      Warning: Choosing the other option (to remove all inherited permissions from this object) can make the entire folder inaccessible. Do not select that option. If accidentally selected, click the Cancel button at the bottom.

    2. After converting the inherited permissions to explicit permissions, remove all users except for SYSTEM and yourself. Ensure that both you and SYSTEM have Full Control under access.

    3. After confirming permissions for the folder are set correctly, Click the Apply button. Permissions should now be correctly set.

  3. Update permissions for the key files:

    1. Within the folder in which your key files are stored, perform the same actions to update permissions on each of the following files:

    2. id_ecdsa, id_ecdsa.pub, and id_ecdsa-cert should all have the following permission properties:
      SYSTEM and your_username on the computer should have Full Control, while no one else has access to them.
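
To confirm the end state described above without clicking through each Properties dialog, the following PowerShell script reports any key file that still inherits permissions, grants access to an account other than you or SYSTEM, or lacks Full Control for your account. It is an added example, not part of the original ARCC instructions, and it assumes the three files sit in the .ssh folder under your user profile.

```powershell
# Added example: audit the ACLs on the key files named in this article.
# Assumption: the keys live in %UserProfile%\.ssh; change $KeyDir if yours do not.
$KeyDir = Join-Path $env:UserProfile '.ssh'
$Files  = 'id_ecdsa', 'id_ecdsa.pub', 'id_ecdsa-cert'

# Compare by SID so renamed or localized account names do not matter.
$Me      = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$System  = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-18')  # SYSTEM
$Allowed = @($Me.Value, $System.Value)
$Full    = [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-KeyAcl {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @('file not found') }
    $acl      = Get-Acl -LiteralPath $Path
    $problems = @()
    if (-not $acl.AreAccessRulesProtected) { $problems += 'inheritance is still enabled' }

    $mineFull = $false
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }   # deny entries grant nothing
        $sid = $rule.IdentityReference.Value
        if ($Allowed -notcontains $sid) {
            $name = $sid                                        # fall back to the raw SID
            try { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { }
            $problems += "unexpected access for $name ($($rule.FileSystemRights))"
        } elseif ($sid -eq $Me.Value -and ($rule.FileSystemRights -band $Full) -eq $Full) {
            $mineFull = $true
        }
    }
    if (-not $mineFull) { $problems += 'your account does not have Full Control' }
    return $problems
}

foreach ($file in $Files) {
    $path   = Join-Path $KeyDir $file
    $issues = @(Test-KeyAcl -Path $path)
    if ($issues.Count -eq 0) { Write-Output "OK    $path" }
    else { $issues | ForEach-Object { Write-Output "CHECK $path : $_" } }
}
```

Run it in a normal (non-elevated) PowerShell window as the account that uses the key, so that "your account" resolves to the right user. The script only reads permissions and changes nothing.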