
Goals:

  1. Provide users with information on what an SSH Key is, how it works, and the benefits of using one.

  2. Explain recommended best practices for SSH key security.

  3. Walk new users through an example setting up SSH keys to authenticate to ARCC HPC clusters.

  4. Guide users to the locations of step-by-step instructions for configuring an SSH key specific to their device, OS, and client application.



What are SSH Keys?

Every HPC user at ARCC has an option for private identity keys on each system they have access to. These are private keys associated with that user’s identity on an ARCC HPC cluster. On our systems, the user also has a certificate associated with their private identity key.

On newer ARCC HPC systems, users may create a new SSH key by logging into the OnDemand resource associated with the HPC and creating a key using the SSH Key Manager application.

Warning: Please be careful with these files. Do not change their permissions, put them in an insecure digital location, or share them with others. They are your “virtual keys” to log in as yourself on the HPC. If provided to or shared with others, they will be able to log into that ARCC HPC resource as you.


Benefits of using an SSH Key for HPC Authentication

  • Improved Security

    • When using private keys to authenticate, users do not need to transmit their username and password information over the network. Because private keys are kept on your local machine, they are less vulnerable to interception and attack.

    • Remote systems configured to only accept SSH Key Authentication are more secure than authenticating with a username and password alone. Secure environments should require authentication using “something you know, something you have, something you are”. Ideally, when encrypted with a passphrase, an SSH key covers 2 of those 3 with the passphrase covering something you know, and the private key covering something you have. On some devices, you may have the option to replace a passphrase with “something you are” such as a fingerprint or other biometric scanner to decrypt your key files.

  • Improved Access Control

    • SSH keys control access to HPC resources by restricting access only to authorized users with corresponding private keys. Each user is provided a unique key associated with their identity and permissions on the system.

    • This makes it easier to revoke compromised users without requiring password changes, while still allowing all other existing users to authenticate normally.

  • Convenience

    • Once configured appropriately, SSH keys are often more convenient and increase user productivity. For security and appropriate configuration, we recommend always encrypting keys with a unique passphrase.

    • Tools like ssh-agent can hold keys in memory and make them available to the SSH client. This saves users from entering their key passphrase repeatedly and reduces the likelihood of failed authentication from repeatedly entering passwords.

  • Automation

    • SSH keys may be used in scripts and automation tools to automate tasks that would require logging into the remote server or HPC. This can make activities on the HPC easier and reduces the risks associated with password exposure.


SSH Key Management and Security

When you set up your SSH key on your device, please follow these best practices:

  • Don’t share your SSH key with others

  • Encrypt your private key files with a passphrase

  • Set up SSH keys with appropriate permissions

  • Do not set up SSH keys on shared devices

  • If a device storing your SSH keys becomes compromised, use a different, uncompromised device to log into OnDemand. Go to the SSH Key Manager application to revoke your old key and create a new one. If you need assistance, please contact arcc-help@uwyo.edu immediately.
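The passphrase and permissions items above can be checked without modifying the key file. The following is an added example, not ARCC tooling: a read-only audit that flags a private key readable by group/other or stored without a passphrase. It assumes a POSIX permission model and a key in OpenSSH or PEM format; the file name `id_demo` and the sample key are constructed for the demonstration.

```python
import base64, os, stat, struct, tempfile

MAGIC = b"openssh-key-v1\0"  # start of the decoded OpenSSH private key blob

def key_is_encrypted(text):
    """True/False for passphrase protection; None if the format is not recognized."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN "):
        return None
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        try:
            blob = base64.b64decode("".join(lines[1:-1]))
        except ValueError:
            return None
        off = len(MAGIC)
        if not blob.startswith(MAGIC) or len(blob) < off + 4:
            return None
        (n,) = struct.unpack(">I", blob[off:off + 4])
        return blob[off + 4:off + 4 + n] != b"none"  # cipher name field
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":  # PKCS#8
        return True
    if lines[0].endswith("PRIVATE KEY-----"):  # legacy PEM / plain PKCS#8
        return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines[1:4])
    return None

def audit_key(path):
    """Read-only check of one private key file; an empty list means no findings."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"permissions {mode:03o} allow group/other access")
    with open(path, encoding="ascii", errors="replace") as fh:
        encrypted = key_is_encrypted(fh.read())
    if encrypted is False:
        findings.append("private key is not passphrase-protected")
    elif encrypted is None:
        findings.append("unrecognized private key format")
    return findings

def sample_key(cipher):
    """Constructed sample: OpenSSH header fields only, no real key material."""
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = MAGIC + b"".join(struct.pack(">I", len(s)) + s for s in (cipher, kdf))
    body = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "id_demo")  # hypothetical file name
        with open(path, "w") as fh:
            fh.write(sample_key(b"none"))
        os.chmod(path, 0o644)
        print(audit_key(path))
```
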


Creating a new key

To set up access:

  1. First, log into the OnDemand resource for the HPC you want to set up SSH keys for.

    1. For MedicineBow, log in at https://medicinebow.arcc.uwyo.edu/. Step-by-step directions for logging into MedicineBow OnDemand are available here.

    2. For WildIris, log in at https://wiodm01.arcc.uwyo.edu/. Step-by-step directions for logging into WildIris OnDemand are available here.

  2. Once you’re logged in, you should be presented with the HPC Dashboard. Click the following icon to set up SSH key authentication:

  3. Each key is associated with your identity, therefore you do not need to create a new key for every client you use to ssh into the HPC.

    If you haven’t set up an SSH key previously, you should see an empty screen/list with the option to generate a new key. Click that button if you need to set up a key.

    [Screenshot: gennewkey.png]

    Doing this will create a new set of files associated with your login to the HPC.

    If you’ve already created a key previously you don’t need another one. Skip this step and download a key you’ve already generated for your account as described in the next step.

  4. Click the download button associated with the key ID for your SSH key to download the key files to your client/computer.

    [Screenshot: downloadkey.png]

Please be careful with these files. Do not change their permissions, put them in an insecure digital location, or share them with others. They are your “virtual keys” to log in as yourself on the HPC. If provided to or shared with others, they will be able to log into that ARCC HPC resource as you.


Client Configuration

After creating and downloading your Personal SSH Identity Keys, the keys must be set up on the system from which you will log into the cluster. As mentioned in the previous section, SSH key access should be limited only to the individual user being granted SSH access.

Client configuration is dependent on the device and OS from which you’ll be accessing the HPC using SSH.

Windows-specific instructions are available here

Mac-specific instructions are available here

Linux-specific instructions are available here

