Skip to content

SSH key-based authentication

While the most common way of login to the HPCC is by using the username/password pair, a more secure authentication method is the use of SSH keys. Although setting up your keys is a little more complex, it is a one-time investment. The HPCC provides key-based authentication as an option, in addition to the usual password-based login.

Note

Starting in October 2022, login to our rsync gateway (rsync.hpcc.msu.edu) will accept SSH keys as the ONLY authentication method. Username/password won't work.

Generating SSH keypairs

An SSH keypair consists of a private key and a public key. Your private key is a secret key just like your password which you should not share with anyone. On the other hand, your public key can be made publicly available in the same way that your name can be made public. The public key is stored on the server you attempt to log into (that is, the HPCC), while the private key is stored on your own computer. When a user attempts to log in, an encryption process starts on the HPCC side, using the public key. With your private key, your computer will be able to decrypt the encrypted message sent from the HPCC. When everything matches up, your login is approved.

SSH tool suites usually provide a utility for generating these keypairs. On a Mac, you can run the command ssh-keygen in Terminal. On a Windows computer, you can use PuTTYgen to generate SSH key pairs. When you use these utilities, you will be given an option for protecting your private key with a passphrase. Please do this, as it will prevent your private key from being used by a malicious individual if it is ever stolen.

Generating SSH keypairs on Windows using Puttygen

Generating SSH keypairs on MacOS and Linux

  • To generate a keypair from command line (e.g., after opening a terminal on Mac or Linux), run

ssh-keygen -t rsa

  • After you have set a passphrase and it has generated the keys, you will find the key files in the .ssh directory under your home directory. By default, id_rsa is the private key file and id_rsa.pub the public key file.

Uploading your public key to the HPCC

In order to login to HPCC with key-based authentication from your local computer, you will need to add your public key to the ~/.ssh/authorized_keys file. If this file does not exist, it will need to be created.

Windows users:

  1. Copy the Public key from the PuTTYgen window

img!

  1. Log on to HPCC gateway gateway.hpcc.msu.edu or start an interacive Open OnDemand session

  2. On the HPCC, make sure you have a directory named .ssh under your home directory. If not, create one by running mkdir ~/.ssh on the HPCC or using the GUI file browser in the applications menu of an interactive OnDemand session

  3. Using an editor on the HPCC, such as nano or one of the editors in the ondemand GUI session, open or create the .ssh/authorized keys file and paste the copied public key.

  4. Set correct permissions by running these commands in the HPCC terminal or using the GUI file browser of an OnDemand session

    chmod 700 ~/.ssh

    chmod 600 ~/.ssh/authorized_keys

Warning

If you use MobaXTerm for access, make sure you keep MobaXTerm up to date. If you use a new version of PuTTYgen to create SSH keys, an older version of MobaXTerm may not be able to read your generated keys.

MacOS and Linux users:

  1. Log on to HPCC gateway gateway.hpcc.msu.edu or start an interactive ondemand session to edit within a linux GUI environment

  2. On the HPCC, make sure you have a directory named .ssh under your home directory. If not, create one by running mkdir ~/.ssh in the terminal

  3. Upload your public key id_rsa.pub from your computer to gateway.hpcc.msu.edu. There are multiple ways to do so, as given here.

  4. Append the public key file to another file ~/.ssh/authorized_keys. In order to do so, assuming that the pub key file has been copied to your home directory from Step 3, you can run the following command

    cat ~/id_rsa.pub >> ~/.ssh/authorized_keys

  5. Set correct permissions by running

    chmod 700 ~/.ssh

    chmod 600 ~/.ssh/authorized_keys