
Logging with SSH Key

Clients that support Secure Shell (SSH) allow a secure connection to the login node. Only after a secure connection between the login node and the PC has been established does the PC send our username and password to the login node. The biggest weakness of a secure connection is thus the user password; if it is too simple, an unauthorized person can guess the password and break into the system.

For this reason, cluster administrators prefer that we use an SSH key when connecting to the login node. An SSH key has two parts: a private and a public part. To log in using an SSH key, the public part must be installed on the login node.

Warning

The private part of the SSH key should not be shared with anyone, while the public part of the key can be shared with others.

After the login node receives the public part of our SSH key, it won't require a password anymore. Instead, it will send a simple challenge to the PC. The login node encrypts a random number using the public part of the SSH key and sends it to the PC. The PC decrypts the ciphertext using the private part of the SSH key and returns the result to the login node. If the number matches, the connection will be established; otherwise, it won't.
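The exchange described above, as an added example that is not part of the original page. It models only the challenge as described here, using textbook RSA on a small constructed key; it is not how an SSH client or server is implemented, and all names in it are assumptions.

```python
import secrets

# Toy textbook-RSA key pair built from two known Mersenne primes.
# Constructed for illustration only: far too small and unpadded for real use.
P, Q = 2**61 - 1, 2**89 - 1
E = 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python 3.8+)

PUBLIC_KEY = (N, E)   # the part installed on the login node
PRIVATE_KEY = (N, D)  # the part that never leaves the PC


def server_make_challenge(public_key):
    """Login node: pick a random number and encrypt it with the public part."""
    n, e = public_key
    number = secrets.randbelow(n - 3) + 2  # random value in [2, n-2]
    return number, pow(number, e, n)


def client_answer(private_key, ciphertext):
    """PC: decrypt the challenge with the private part and send it back."""
    n, d = private_key
    return pow(ciphertext, d, n)


def server_verify(expected, answer):
    """Login node: accept the connection only if the number matches."""
    return secrets.compare_digest(str(expected), str(answer))


def login(public_key, private_key):
    """Run one full challenge-response round and report the outcome."""
    expected, challenge = server_make_challenge(public_key)
    return server_verify(expected, client_answer(private_key, challenge))


if __name__ == "__main__":
    print("matching key pair:", login(PUBLIC_KEY, PRIVATE_KEY))
    # A private part that does not belong to the installed public part.
    print("wrong private key:", login(PUBLIC_KEY, (N, D + 2)))
```

The password never appears in this exchange, and the login node only ever holds the public part, which is why publishing that part is harmless.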

Hint

For a more in-depth explanation of SSH encryption, see link.

Public/Private Key: an Illustrative Example

To understand the idea behind the private and public keys, let's imagine Alice and Bob, who want to communicate without worrying that somebody will read their messages. Both of them generate a lock and a key. The locks are exchanged, while the keys are always kept private. They meet for a coffee and exchange their locks, which will help them communicate safely. Once home, Bob writes a message to Alice and puts it in a box locked with Alice's lock. The locked box is then sent to Alice. If somebody intercepts the package, it will have no value to them, as no one except Alice has the key to the lock. After Alice receives the box, she can open it and read Bob's message without worrying that somebody else has read it.

In this scenario, Bob and Alice represent the client and server, while the lock and key correspond to public and private keys, respectively. The SSH protocol relies on the exchange of public keys and on decryption using private keys. Public keys are shared with others and used to verify the digital signatures generated by the corresponding private keys. SSH private keys, on the other hand, are kept secret by their owner and are used for authentication and for generating digital signatures.

Creating SSH Key

We open the command line and enter:

ssh-keygen -b 4096 -C <label>

With -b 4096, we request the generation of a 4096-bit key. With -C <label>, we can add an optional label to the key for easier identification, such as the name of the personal computer for which we want to create an SSH key. By default, we will generate an SSH key with the RSA encryption algorithm. When prompted for the file in which to store the key and for the passphrase to encrypt the private key, press ↵ Enter.

Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/user/.ssh/id_rsa
Your public key has been saved in /home/user/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:500u+TSqIvo8E50rdvWPgIZOWMZkd7AYMg13soVIwV8 vm-ubuntu
The key's randomart image is:
+---[RSA 3072]----+
| o*=+.+          |
|  o+oBEo         |
|   .=.o .        |
|   +.. .         |
|    +. .S . .    |
|   +..o..o =     |
|  . o.oo..+ =    |
|   +*.+  ..* .   |
|  .++* ...o.o    |
+----[SHA256]-----+

We have created an SSH key that uses the RSA algorithm, which is stored in two files: the private key is in the id_rsa file, and the public key is in the id_rsa.pub file. The private key should not be shared with anyone, but the public key will be sent to the entry node.

Warning

Each time you execute the above command, a different key will be generated.

To display the public part of the SSH key, you can use the cat command on Linux and macOS, and the type command on Windows. Simply enter the full file name of the public key that was output by the previous command (in the line "Your public key has been saved in /home/user/.ssh/id_rsa.pub").

$ cat /home/user/.ssh/id_rsa.pub

The public part of the SSH key is displayed on the screen.

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQChchJqb1erbiP/z2cxpxfVKABw+pA2B6djMKvBSrl1upbfXxvKTXsX8zJ1mO6zX
dwqj8zwrCr//zIynyqxJWOtSBMM3aIsI2wzc9aPfyHZxFf48+zS+WwLduick5NHlqemtrfPYBWLEKyXIkKzQFhEBq9gG3gJxw17uS
dT6zUMfYytzvV3b54tJp1ZvLHbV7oMd2wSVZkW0AUtVqFDpFurUzWxEamABaGf9mcNbDAhJ8I2pxp4t3pVPiyAvrs8pUJdWKeeTgs
27CUQlzsWwGe2xjwyl7lpUOEze8dWJbczgpWkTyXCMtdbpuyc3st5LwcW3zo+62UyXD3oncf13E/SGqbjCxpiSLD0jB56mLmBl7v3
b0f5D62gwIxSV6Cwy/WAs2n91wRENCEl5Lhn2L1hjpa3bB4nlgsrQOYXpPJgdWlZC9PlcEHrXedfUJ+QSLp3+lJnGGyrM+VCtWE7x
6dczBpADt7AGPTwNCoYrd5MnBTDifv+pNRFB5oshrs0Tjk= vm-ubuntu

If preferred, you can open the file in a text editor of your choice.
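A check you can run on the public key line before publishing it, added here as an example that is not part of the original page. It decodes the "type base64 comment" line, reports the RSA key size, and computes the SHA256 fingerprint in the form ssh-keygen prints it, so a cut-off or line-wrapped copy is caught early. The function names and the SAMPLE key are constructed for this example.

```python
import base64
import hashlib


def read_fields(blob):
    """Split an SSH wire-format blob into its 4-byte length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix")
        length = int.from_bytes(blob[pos:pos + 4], "big")
        pos += 4
        if pos + length > len(blob):
            raise ValueError("truncated field: key cut off or line-wrapped")
        fields.append(blob[pos:pos + length])
        pos += length
    return fields


def inspect_public_key(line):
    """Return (type, RSA bits or None, SHA256 fingerprint, comment)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, comment = parts[0], parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(parts[1], validate=True)
    fields = read_fields(blob)
    if not fields or fields[0] != key_type.encode():
        raise ValueError("key type does not match the encoded blob")
    bits = None
    if key_type == "ssh-rsa" and len(fields) == 3:
        # Fields are: type, public exponent e, modulus n (big-endian).
        bits = int.from_bytes(fields[2], "big").bit_length()
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return key_type, bits, fingerprint, comment


def _field(data):
    return len(data).to_bytes(4, "big") + data

# Constructed sample: a 4096-bit odd number stands in for the modulus.
# It has the right shape for parsing but is NOT a usable RSA key.
_N = ((1 << 4095) | 1).to_bytes(513, "big")
SAMPLE = "ssh-rsa " + base64.b64encode(
    _field(b"ssh-rsa") + _field(b"\x01\x00\x01") + _field(_N)
).decode() + " constructed-example"

if __name__ == "__main__":
    print(inspect_public_key(SAMPLE))
```

The fingerprint returned for your own id_rsa.pub line should equal the one ssh-keygen printed under "The key fingerprint is:" when the key was created.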

Distributing Public Part of the SSH Key

The NSC, Maister, and Trdina computer clusters use the FIDO system (Fast IDentity Online) for distributing the public part of the SSH key. To access all three systems, we only need to publish the key in one place. When we log in to the entry node using an SSH client, the entry node in the FIDO system will verify if we have published the public part of the key and use it for authentication. If the key is not available, we will be prompted to enter a password.

To publish the public part of the SSH key, we first visit the website fido.sling.si.

Sign in FIDO system

On the login page, sign in using your SLING SSO (Single Sign-On) credentials for accessing clusters. In the Username and Password fields, we enter our username and password and press the Login button. After a successful login, we can see the main page with our data.

User data in FIDO system

Look for the "Account Settings" section and locate the SSH public keys entry. Click on the Add button (represented by the Add label and circled with the number 1). A window or prompt will open, allowing you to enter the public part of your SSH key. You can copy the public key from your command line or a text editor and paste it into the provided field.

Entering public SSH key

We click the button Set to close the window. After that, on the main page with our data, we press the Save button (the button is circled and labelled with the number 2). After saving the SSH public key, we can see it in the "SSH public keys" section (the public key is circled and labelled with the number 3). You can verify its presence by checking the "SSH public keys" section on the main page. The key should be listed there. Close the website or log out of your account.

Successful entry of SSH key

Close the website and try to connect to the login node without a password. In the command prompt, we enter:

$ ssh <ime>@nsc-login1.ijs.si
Last login: Sat Jan 16 21:33:38 2021 from 93.103.18.69

Hint

For computer systems that are not integrated with SLING SSO, please follow the instructions specific to those systems. link.