At SDSC, we allow key-based authentication to access our supercomputers in addition to the usual password-based and Globus-based authentication mechanisms. Setting up ssh keys on Linux and Mac desktops is quite simple, but the process is a lot more involved on Windows. Because our Windows users commonly request the steps required to use key-based authentication to log into Gordon and Trestles, below is an illustrated guide on exactly how to do this.
Before you begin, you will need to download two pieces of software:
- PuTTY, my preferred SSH client for Windows (you may already have this)
- puttygen.exe, part of the PuTTY suite, which can generate SSH keys
Both can be downloaded from the PuTTY website as standalone executables that don’t need to be “installed”, so it’s convenient to download the .exe files onto your desktop and just run them from there.
Generating an SSH Key
As its name suggests, puttygen.exe is the program you’ll have to launch to generate an SSH key for you to use to log into a remote system using key-based authentication. Start it up, and you should see a screen similar to the one below:
The first thing you need to do is change the “Number of bits in a generated key” to at least 2048 (red arrow). The default value of 1024 bits is no longer considered secure, so please don’t forget to do this step!
Then press the Generate button (green arrow) and you will see this:
You will need to wiggle your mouse over the blank area below the progress bar to feed puttygen enough randomness to generate an unpredictable ssh key for you. Once the progress bar is full, you will be presented with your ssh key, which takes the form of a bunch of letters and numbers.
First, copy the public key that puttygen created into your
Then you will need to paste this into your account on Gordon or Trestles. SSH to one of those machines (logging in with your password, since we haven’t set up key-based authentication yet) and edit your authorized_keys file:
$ nano -w .ssh/authorized_keys
Note the nano -w; if you forget to specify -w, word wrap will be enabled and bungle up the format of your authorized_keys file! You don’t want this, because each line of authorized_keys must be an entire ssh publickey. You should already have one publickey in there that was set up the very first time you logged into your account:
GNU nano 1.3.12          File: g09job.qsub

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5RnzGKXvfcIcJOnyo3gz22qz763WP7jgnD9pndZyaT4$

^G Get Help  ^O WriteOut  ^R Read File  ^Y Prev Page  ^K Cut Text    ^C Cur Pos
^X Exit      ^J Justify   ^W Where Is   ^V Next Page  ^U UnCut Text  ^T To Spell
So move the cursor down to an empty line (or create a new line by pressing return), then paste in the line that you copied from puttygen:
GNU nano 1.3.12          File: g09job.qsub

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5RnzGKXvfcIcJOnyo3gz22qz763WP7jgnD9pndZyaT4$
$Zk9qyY7Wnylxy3q5Py8fTggmtKQ+3YinbnGr

^G Get Help  ^O WriteOut  ^R Read File  ^Y Prev Page  ^K Cut Text    ^C Cur Pos
^X Exit      ^J Justify   ^W Where Is   ^V Next Page  ^U UnCut Text  ^T To Spell
Again, be sure that word wrap didn’t break the line you pasted from puttygen into multiple lines. Once you’ve done this, press ctrl+x to exit, and be sure to save your changes.
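To confirm that every line of authorized_keys is still one complete public key, and that no RSA key is shorter than the 2048 bits recommended above, the file can be checked on the remote system. The following is an added example, not part of the original guide; the function names are hypothetical, the sample lines are constructed with a dummy modulus, and it assumes lines carry no options prefix before the key type.

```python
import base64
import struct

def _read_string(buf, off):
    """Read one SSH wire-format field: uint32 length, then that many bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("key blob ends early")
    return buf[off + 4:off + 4 + n], off + 4 + n

def check_line(line, min_rsa_bits=2048):
    """Return the problems found in one authorized_keys line ([] if none)."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return []                                   # blank line or comment
    # Assumption: no options prefix, so the key type is the first field.
    if len(fields) < 2 or not fields[0].startswith(("ssh-", "ecdsa-", "sk-")):
        return ["no key type at start of line (tail of a wrapped key?)"]
    try:
        blob = base64.b64decode(fields[1], validate=True)
        ktype, off = _read_string(blob, 0)
        if ktype.decode("ascii", "replace") != fields[0]:
            return ["key type does not match the encoded key"]
        if fields[0] == "ssh-rsa":
            _e, off = _read_string(blob, off)       # public exponent
            n, off = _read_string(blob, off)        # modulus
            bits = int.from_bytes(n, "big").bit_length()
            if bits < min_rsa_bits:
                return [f"RSA key is only {bits} bits"]
    except (ValueError, struct.error):
        return ["key data is incomplete or corrupt (line was split?)"]
    return []

def check_file(text):
    """Map 1-based line number -> problems, for every bad line in the file."""
    found = ((i, check_line(l)) for i, l in enumerate(text.splitlines(), 1))
    return {i: p for i, p in found if p}

def sample_rsa_line(bits, comment="constructed-example"):
    """Build a well-formed ssh-rsa line with a dummy modulus (not a usable key)."""
    field = lambda b: struct.pack(">I", len(b)) + b
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # leading 0x00
    blob = field(b"ssh-rsa") + field(b"\x01\x00\x01") + field(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

if __name__ == "__main__":
    good = sample_rsa_line(2048)
    # Constructed file: a good key, a 1024-bit key, and a key split by word wrap.
    text = "\n".join([good, sample_rsa_line(1024), good[:200], good[200:]])
    print(check_file(text))
```

On a real account, pass the contents of .ssh/authorized_keys to check_file; an empty result means every line parsed as a whole key.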
Once you’ve pasted your publickey from puttygen into your remote authorized_keys file on Gordon/Trestles, go back to your puttygen window. We still have to save the privatekey corresponding to the publickey you just pasted.
Before saving your private key though, note that you can add a Key passphrase (red arrow below) to your ssh key to encrypt it. This is essentially password-protecting your password and I strongly recommend doing this even though it’s optional–without encrypting your ssh key with a passphrase, anyone who can access your ssh key file will be able to log into your Gordon/Trestles account without needing to know your login password. On Windows, this is a very real hazard.
Now you have to save the private part of your ssh key by clicking the Save private key button (red arrow below):
If you disregarded my advice and are leaving your privatekey unencrypted, you will get a warning. Again, don’t leave your ssh key unencrypted on Windows unless you are sure you know what you are doing–this typically means editing the file access permissions for the keyfile you will be generating to make sure nobody on your network can access this file and use it to break into your account on Gordon/Trestles.
Save your private key somewhere safe–definitely don’t put it in a shared folder or anywhere someone can easily steal it from you. This key file is all you (or whoever else gets ahold of it) needs to get into your account if you did not encrypt it with a passphrase.
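To check which of your own saved key files were left without a passphrase, the plain-text header of each .ppk file can be read. This is an added example, not part of the original guide; the function names are hypothetical, the sample header is constructed, and it relies on PuTTY writing an "Encryption: none" header line for unencrypted keys.

```python
import os

# Constructed header of an unencrypted key file (key data omitted).
SAMPLE_PPK_HEAD = (
    "PuTTY-User-Key-File-2: ssh-rsa\n"
    "Encryption: none\n"
    "Comment: constructed-example\n"
    "Public-Lines: 6\n"
)

def ppk_header(text):
    """Return the "Name: value" header fields of a .ppk file, or None if not a PPK."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key] = value
        if key == "Public-Lines":
            break                      # the base64 key data starts after this line
    if not any(k.startswith("PuTTY-User-Key-File-") for k in fields):
        return None
    return fields

def find_unencrypted_ppk(root):
    """Walk a directory tree and list .ppk files saved without a passphrase."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".ppk"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="latin-1") as fh:
                header = ppk_header(fh.read(4096))   # header fits in the first 4 KB
            if header and header.get("Encryption") == "none":
                hits.append(path)
    return sorted(hits)

if __name__ == "__main__":
    import sys
    for path in find_unencrypted_ppk(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("no passphrase:", path)
```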
Using the Key with PuTTY
Now that you’ve generated your .ppk private key file, you can configure PuTTY to use that key before presenting you with a password prompt whenever you try to log in. If you don’t have a profile already created for Gordon or Trestles in PuTTY, you can make one by doing something like the following:
- Enter gordon.sdsc.edu under Host Name (or IP address)
- Enter Gordon under Saved Sessions
- Press the Save button
If you already have a saved profile, be sure to Load it (red arrow below) before proceeding–this will allow us to modify it instead of having to create a new profile for the ssh key we just generated.
On the list of options on the left side of the PuTTY window, scroll down to Connection, then expand it, expand the SSH tree, then click the Auth category. You will be presented with something like this:
Click the Browse button under the Private key for authentication input box, then find the PPK file we just generated with puttygen and load it:
Navigate back to the Session option on the left side of the PuTTY window and click Save to save the location of your PPK file with your profile for Gordon (or Trestles):
Following this, you should now be able to Open the profile and have your private key used whenever you try to connect. As a bonus, this PPK file can be used with programs like WinSCP in much the same way. Using key-based authentication is arguably better than simply saving your login password in WinSCP, and if your key is ever stolen, you can de-activate it by removing it from the authorized_keys file in your account on Gordon or Trestles and repeat this process to generate a new key.