Goals:
To provide users with information on best security practices for SSH keys
Provide step by step instructions for users to manage their SSH keys in the HPC Key Management Application.
This includes Revocation, regenerating, and reconfigure keys on different devices.
When to revoke and regenerate your SSH keys
At some point, it may be necessary to revoke your old SSH key and create a new one. Situations that may require revoking your old ssh keys and creating new keys include:
Device compromise:
A device upon which you store your ssh key files has been compromised, due to malware, malicious actors gaining access to log in as you on your device, or malicious actors gaining access to data stored on your device.
Data compromise:
Your key files were copied or accessed by someone other than yourself
You backed up your key files to a location outside your device that was subject to a compromise
Following good security practices:
It is recommended that ssh keys be rotated as part of a remediation process to ensure any keys that may have been compromised since their initial generation cease to be usable. ARCC recommends rotating your keys every 6 months (similar to requiring password changes at regular intervals).
Using SSH Key Manager to revoke and regenerate SSH keys
Note: if you are revoking and regenerating your ssh keys due to a compromise, you must perform the following steps on a different, uncompromised device
Open a new browser window and go to the OnDemand URL (3rd column in table below) for the HPC in which you’d like to revoke and regenerate your keys
Log in per directions on the linked wiki page (right-most column) associated with the HPC cluster in which you would like to regenerate keys
To facilitate greater access and usability of our HPC services, UW ARCC has configured OnDemand for 3 of our HPC clusters:
HPC Cluster | OnDemand Name | OnDemand URL | ARCC Wiki Pages for HPC-specific OnDemand Services |
|---|---|---|---|
MedBow OnDemand | |||
Southpass | |||
WildIris ODM |
Once logged in, click on the SSH Key Manager application in the dashboard to manage your keys.
This will bring up the key management screen. At the bottom is a list of any keys you’ve created previously. If you have revoked keys in the past, you will have a list of your prior keys (in gray) and your current key (in green). Otherwise you will have only your current authentication key (highlighted in green)
Click the red “Revoke” button associated with your current key (highlighted in green).
Your latest key will now turn from green to gray and should change status to “REVOKED”.
Click the Generate New Key button
You may receive a message asking if you’re sure you want to do this. Click Continue.
A new key will be created, highlighted in green. This is your current SSH key set to authenticate into the HPC resource.
Click the download button. This will download your new key files to the local device from you’re currently accessing OnDemand.
Replacing SSH Keys on your Device
Before configuring your new ssh keys on your devices (usually this is your main workstation or laptop) you must remove your old keys.
As always, ARCC recommends only setting up SSH authentication keys on devices you have sole access to, and not on shared devices. If you do set up an ssh key for authentication on a shared device, only do so on computers where individuals log into separate, individual profiles on the computer. If you’re not sure how to determine this, contact arcc-help@uwyo.edu
Expand the section associated with your specific device OS and follow directions to remove your old SSH keys before replacing them with your new keys.
On a Windows PC
The standard location for ssh key files on a windows system are in your personal User directory in a hidden subfolder named .ssh. On a normal windows PC, this would be under C:\Users\<your_username>\.ssh\. If you have configured your keys using a non-standard key location, it is your responsibility to be aware of this location.
Open file explorer (By hitting your windows key + E, or clicking the file explorer icon
from your start menu or taskbar) Browse to the directory in which your key files are stored
Delete the following files:
id_ecdsa
id_ecdsa.pub
id_edcsa-cert
Note: we have found that Microsoft sometimes categorizes file types incorrectly. The public key and cert files may be categorized incorrectly as a Microsoft Publisher file and icon. This is ok.
Once your old key files have been deleted, you may configure your new keys. Follow the remaining directions here to configure your new keys on your Windows PC
On a Mac
The standard location for ssh key files on a Mac OS computer are in your personal /home directory in a hidden subfolder named .ssh. On most Macs, this would be under /Users/<your_name_on_mac>/.ssh/. If you have configured your keys using a non-standard key location, it is your responsibility to be aware of this location.
Open your terminal (
→
→
→
or hit
keys)
If your SSH keys are stored in the standard location, change directories to your .ssh directory for your user account on the Mac with the following command:
cd ~/.sshotherwise cd to the directory in which your keys are stored.Remove your old keys using the rm command:
rm id_ecdsa id_ecdsa-cert.pub id_ecdsa.pubOnce your old key files have been deleted, you copy over and configure your new keys as described in the linked instructions here.
On a Linux PC
File Navigation |