SSH Certificates

Certificates

Cryptographic certificates, or "keys", let you log in from one machine to another without having to type passwords. You can have multiple certificates, e.g. one on a personal laptop, one on a desktop PC, one for use on group workstations. These can also be used to authenticate with GitHub.

If you would like to connect from machine A (local) to machine B (remote) you must:

Generate a public/private key pair

On Linux or OS X:

[user@machine_A ~] ssh-keygen -t ed25519
  • Accept the default location and name (/home/youruser/.ssh/id_ed25519).
  • Don't give a passphrase (unless you want to set up ssh-agent to keep your keys unlocked)
    • Bear in mind that without a passphrase, anyone who gains access to your account will also gain access to your account on the other servers that you have already distributed the key to.
    • But read the item below about ssh-agent for enhanced security.
  • There will be 2 files, id_ed25519 (keep contents secret) and id_ed25519.pub.

On Windows

OpenSSH

OpenSSH operates much the same as on Linux and macOS. The difference is that the ssh-agent service will persist keys in the Windows (user) registry. See the Microsoft guide on User Key Generation.

If you don't have OpenSSH installed, follow the Microsoft guide. Note that you only need the client component; you can ignore the server parts.

Windows Subsystem for Linux

Within a WSL distribution

PuTTY

PuTTY is an integrated terminal and SSH client.

Send your public key to one of our sysadmins

Your key can be deployed to our group machines via Foreman. Be sure to keep your private key private; only send the .pub file to others.

Add the public key to the authorized_keys file on a machine

To manually add your key to a machine, append the public part to the authorized_keys file in your ~/.ssh/ directory on that machine. E.g.:

[user@machine_A ~] scp .ssh/id_ed25519.pub machine_B:~/.ssh/new_key.pub
[user@machine_B ~] cat ~/.ssh/new_key.pub >> ~/.ssh/authorized_keys

Helper script

A script to help to copy the key, make directories, fix permissions: Attach:ssh_installkey
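
The manual steps above (create the directory, fix permissions, append the key) can be written as one idempotent function to run on machine B. This is an added example, not the attached ssh_installkey script; the function name install_pubkey and its optional second argument are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: install_pubkey is a hypothetical helper, not the attached ssh_installkey.
# Usage on machine_B after sourcing this file: install_pubkey ~/.ssh/new_key.pub
install_pubkey() {
    pubkey_file=$1
    ssh_dir=${2:-$HOME/.ssh}   # optional second argument: target directory (for testing)
    auth_file=$ssh_dir/authorized_keys

    [ -r "$pubkey_file" ] || { echo "cannot read $pubkey_file" >&2; return 1; }

    # Only the .pub file is ever distributed: refuse anything that is a private key.
    if grep -q 'PRIVATE KEY' "$pubkey_file"; then
        echo "refusing: $pubkey_file contains a private key" >&2
        return 2
    fi

    # Take the first non-blank line and require an OpenSSH public key type.
    key_line=$(grep -v '^[[:space:]]*$' "$pubkey_file" | head -n 1)
    case $key_line in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *|sk-*@openssh.com\ *) ;;
        *) echo "refusing: not an OpenSSH public key" >&2; return 3 ;;
    esac

    # sshd's StrictModes check rejects keys when these are group- or world-writable.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 4
    touch "$auth_file" && chmod 600 "$auth_file" || return 4

    # Idempotent: match on "type blob" so a changed comment is not a new key.
    key_id=$(printf '%s\n' "$key_line" | awk '{print $1 " " $2}')
    if grep -qF -- "$key_id" "$auth_file"; then
        return 0
    fi

    # A file whose last line lacks a newline would otherwise swallow the new key.
    if [ -n "$(tail -c 1 "$auth_file")" ]; then
        echo >> "$auth_file"
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
}
```

Running it twice with the same key leaves a single entry, and pointing it at id_ed25519 instead of id_ed25519.pub is refused rather than copying the private key to the server.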

Certificates with passwords

You can get the benefits of certificates and retain the security of passwords if you generate a certificate with a password and then use ssh-agent. But this is non-trivial, so you should really read man ssh-agent.

SSH, X11 and su

If you connect to another PC using ssh -X, you can run remote graphical programs and have them display on your machine. Things are still fine if you use sudo, but if you su to another account it will not work:

[sergio@psi ~]$ sudo xlogo
[sergio@psi ~]$ sudo su
[root@psi sergio]# xlogo
X11 connection rejected because of wrong authentication.
X connection to localhost:10.0 broken (explicit kill or server shutdown).

but you can solve this with:

[root@psi sergio]# xauth merge ~sergio/.Xauthority
[root@psi sergio]# xlogo

(of course it must be ~your_user/.Xauthority).

Once in a while, check your xauth list and, if there is too much old stuff, use xauth remove, or just rm .Xauthority and log in again.

Page last modified on March 09, 2024, at 02:45 pm