
SSH key-based authentication

While the most common way to log in to the HPCC is with a username/password pair, SSH keys are a more secure authentication method. Although setting up your keys is a little more complex, it is a one-time investment. The HPCC provides key-based authentication as an option, in addition to the usual password-based login.

Note

Starting in October 2022, login to our rsync gateway (rsync.hpcc.msu.edu) will accept SSH keys as the ONLY authentication method. Username/password won't work.

What are SSH keypairs?

An SSH keypair consists of a private key and a public key. Your private key is a secret, just like your password, and you should not share it with anyone. Your public key, on the other hand, can be made publicly available in the same way that your name can be made public. The public key is stored on the server you attempt to log into (that is, the HPCC), while the private key is stored on your own computer. When a user attempts to log in, an encryption process starts on the HPCC side, using the public key. With your private key, your computer will be able to decrypt the encrypted message sent from the HPCC. When everything matches up, your login is approved.

Steps

Generate an SSH keypair

We recommend Windows users use MobaXterm to generate and manage their key pairs. If you are a Windows user who is not comfortable with the command line, the following instructions will guide you through the Graphical User Interface (GUI) tools built into MobaXterm, which should work similarly to other Windows applications. Please follow these instructions carefully, as each step is important to ensure your keys are created in the proper format for use with the HPCC.

In MobaXTerm, click Tools -> MobaKeyGen (SSH Key Generator) in the menu bar. You will see the following window:

Screenshot of the MobaXTerm SSH Key Generator window. RSA is selected by default and the Generate button is highlighted.

Click Generate and follow the commands on the screen. The Parameters should be set to RSA, Number of bits 4096. The Key comment field can be used to enter a description of the key e.g. "My home PC". We also recommend adding a key passphrase to secure your key.

Screenshot of the MobaXTerm SSH Key Generator window. RSA is selected and the Number of bits in a generated key is set to 4096.

Save the private key to your computer by going to the Conversions menu at the top of the screen, and selecting "Export OpenSSH key". Save the resulting file in C:\Users\<Account_Name>\.ssh\id_rsa where <Account_Name> is your Windows account name. Create the .ssh directory if it doesn't already exist.

When uploading your public key to the HPCC in the next section, copy the public key from the MobaKeyGen window. Make sure you copy all of the characters.

Note

If you use "Save public key", the file will not be in the correct format.

Screenshot of the key generator window with the ssh-rsa key text circled

Back in the MobaXTerm window, in the User sessions pane, right click the link you use to connect to the HPCC (usually something like hpcc.msu.edu (<netid>)), and select "Edit session". In the "Advanced SSH settings" pane, click "Use private key", and add the path to the key file you saved in C:\Users\<Account_Name>\.ssh\id_rsa. Click "OK" to save.

Screenshot of MobaXterm Session settings. The Advanced SSH settings tab is selected with the "Use private key" field filled with C:\Users\Craig\.ssh\id_rsa.

Note

If you are having trouble connecting with an SFTP session in MobaXterm to rsync.hpcc.msu.edu, make sure you check the "Use private key" box and point towards the private key (id_rsa) file which should be in either:

  • C:\Users\<Account_Name>\AppData\Roaming\MobaXterm\home\.ssh if you used command line or
  • C:\Users\<Account_Name>\.ssh if you used the GUI tool

Screenshot of the MobaXTerm SFTP settings window with the Use private key option checked and a directory path to the key set

  1. Start a command line on your personal computer:

    • macOS: click the Launchpad icon in the dock, search for the Terminal application, and click Terminal; or, in the Finder, open /Applications/Utilities and double-click Terminal.
    • Windows: install MobaXterm, then start MobaXterm and choose the "Start local terminal" option:

      Screenshot of the MobaXTerm start tab with the Start Local Terminal button circled

    • Linux: this will depend on your desktop environment and terminal name, but usually you can search for "Terminal" in your applications.

  2. Generate a keypair:

    ssh-keygen -t rsa -b 4096
    

    You will be given an option for protecting your private key with a passphrase. Please do this, as it will prevent your private key from being used by a malicious individual if it is ever stolen.

    After you have set a passphrase and the keys have been generated, you will find both the public and private key files in the .ssh directory under your home directory. By default, id_rsa is the private key file and id_rsa.pub the public key file.

Upload your public key to the HPCC

  1. Log into the OnDemand web portal.
  2. From the Files dropdown at the top of the screen, click your Home Directory.
  3. Click the checkbox above the File Browser listings to "Show Dotfiles".

    OnDemand file browser with "Show Dotfiles" checkbox circled and checked

  4. (If the .ssh directory doesn't exist) Click the New Directory button near the top of the screen and enter .ssh as the directory name (do not forget the leading .).

    OnDemand file browser New Directory dialog with ".ssh" entered as directory name

  5. Click the .ssh directory in the File Browser listing to open it.

    OnDemand file browser listing for ".ssh" directory with link circled

  6. (If the authorized_keys file doesn't exist) Click the New File button near the top of the screen and enter authorized_keys as the file name.

    OnDemand file browser New File dialog with "authorized_keys" entered as file name

  7. In the three-dot dropdown next to the authorized_keys filename, click Edit.

    OnDemand file browser listing for "authorized_keys" file with dropdown menu clicked and "Edit" circled

  8. Copy the public key from your personal computer. If using MobaXterm graphically, you should already have copied this in the last step of that section. If you used the command line, type cat ~/.ssh/id_rsa.pub and copy the output.

    Warning

    Only copy key files with the .pub extension. Key files without this extension are private keys, which should never be shared!

  9. Paste into the OnDemand file editor, and click Save.

  10. Close the tab and go back to the File Browser in the .ssh directory.
  11. Click the button above the File Browser that says "Open in Terminal".

    OnDemand file browser with "Open in Terminal" button circled

  12. Type the following two commands, hitting Enter after each one:

    chmod 700 .
    chmod 600 authorized_keys
    

    OnDemand terminal with "chmod 700 ." and "chmod 600 authorized_keys" entered

Note that the command-line method below can only be used if you are able to log in using your password on the command line. If not, please use the steps in the other tab "Graphically via OnDemand".

To copy your key to the HPCC, run the following command, replacing <netid> with your MSU NetID:

    ssh-copy-id -i ~/.ssh/id_rsa.pub <netid>@hpcc.msu.edu

Enter your MSU password when prompted. Note that the command line will stay blank while entering your password (i.e., no text or stars will be shown).

Try logging in to the HPCC via SSH to verify that you do not need to enter your MSU password. You may be prompted for your SSH key passphrase if you set it when creating your SSH keys.
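If key login still asks for your password after either upload method, the usual causes are the ones the steps above guard against: wrong permissions, a partially copied key, a key file in the wrong format, or a private key pasted by mistake. The script below is an added example, not HPCC-provided tooling, that checks an .ssh directory for each of these. It assumes a Linux login node with GNU stat and base64 and key lines without an options prefix; the function names are its own.

```shell
#!/bin/sh
# Added example, not HPCC tooling. Run on the HPCC: sh audit.sh ~/.ssh
# Assumes GNU stat/base64 and "type base64 [comment]" lines with no options.

tohex() { od -An -v -tx1 | tr -d ' \n'; }

# blob_ok TYPE BASE64: succeed only if the blob decodes into complete
# length-prefixed fields whose first field is TYPE (catches partial copies).
blob_ok() {
  hex=$(printf %s "$2" | base64 -d 2>/dev/null | tohex)
  len=$(( ${#hex} / 2 )); off=0; first=
  while [ $((off + 4)) -le "$len" ]; do
    flen=$(( 0x$(printf %s "$hex" | cut -c$((off * 2 + 1))-$((off * 2 + 8))) ))
    [ "$off" -ne 0 ] || first=$(printf %s "$hex" | cut -c9-$((8 + flen * 2)) 2>/dev/null)
    off=$((off + 4 + flen))
  done
  [ "$len" -gt 0 ] && [ "$off" -eq "$len" ] && [ "$first" = "$(printf %s "$1" | tohex)" ]
}

# audit_ssh_dir [DIR]: print one finding per problem; return 0 if none found.
audit_ssh_dir() {
  dir=${1:-$HOME/.ssh}; file=$dir/authorized_keys; n=0; bad=0
  [ -f "$file" ] || { echo "missing: $file"; return 1; }
  # With StrictModes, sshd ignores keys if others can write these paths.
  [ "$(stat -c %a "$dir")" = 700 ] || { echo "mode: $dir is not 700"; bad=1; }
  [ "$(stat -c %a "$file")" = 600 ] || { echo "mode: $file is not 600"; bad=1; }
  while read -r ktype blob rest || [ -n "$ktype" ]; do
    n=$((n + 1))
    case "$ktype $blob $rest" in
      '  ' | '#'*) ;;  # blank line or comment
      *'PRIVATE KEY'*)
        echo "line $n: private key material; remove it and replace that keypair"
        bad=1 ;;
      '---- BEGIN SSH2 PUBLIC KEY'*)  # PuTTYgen-style "Save public key" file
        echo "line $n: RFC 4716 file format, not a one-line OpenSSH key"
        bad=1 ;;
      ssh-rsa\ * | ssh-ed25519\ * | ecdsa-sha2-nistp*)
        blob_ok "$ktype" "$blob" ||
          { echo "line $n: $ktype key is truncated or corrupt"; bad=1; } ;;
      *) echo "line $n: not an OpenSSH public key line"; bad=1 ;;
    esac
  done < "$file"
  return "$bad"
}

# Run the audit only when a directory is given on the command line.
[ $# -eq 0 ] || audit_ssh_dir "$1"
```

No output and exit status 0 mean the directory passed every check; the key check is structural only and does not confirm that the key matches your private key.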