UCSD CMS T2 SSH PubKey Information
Introduction
This document outlines the procedure for generating an OpenSSH public/private keypair, installing the public half on the UCSD CMS T2 interactive systems, and using an SSH agent so that the passphrase is typed once per session.
Generating an SSH Key Pair
Mac or Linux Requirements
- OpenSSH or equivalent installed
Generating the key
Log into the machine and type the following command:
ssh-keygen -t rsa
Enter file in which to save the key (/home/users/tmartin/.ssh/id_rsa):
Hit Enter to accept the default location, then, when prompted, enter a passphrase that is easy for you to remember but hard for anyone else to guess. Do not leave the passphrase empty: an unencrypted private key can be used by anyone who copies the file, whereas a passphrase-protected key is useless without it. With an agent (see below) you type the passphrase once per session, so a strong one costs little.
This command generates two files in ~/.ssh: the private key id_rsa (mode 0600, readable only by you; never copy it to another machine or send it to anyone) and the public key id_rsa.pub:
$ ls -l ~/.ssh/id*
-rw------- 1 tmartin tmartin 1743 Nov 7 2006 /home/users/tmartin/.ssh/id_rsa
-rw-r--r-- 1 tmartin tmartin 397 Nov 7 2006 /home/users/tmartin/.ssh/id_rsa.pub
Installing the key on the UCSD T2 interactive systems
If you do not currently have an account on the UCSD T2 interactive system you will have to contact UCSD CMS T2 support to have an account created. You will be required to send via email the file ~/.ssh/id_rsa.pub. This is the public portion of your keypair and can be shared freely. The private portion, ~/.ssh/id_rsa, must never be sent; check the attachment name before you send the mail.
If you already have an account, or a machine that can reach the UCSD CMS T2 interactive systems, log in using that system. Once there, edit the following file using your favorite editor:
~/.ssh/authorized_keys
Append the contents of the newly created id_rsa.pub to this file as a single line (one key per line). sshd ignores the file unless it is private to you (StrictModes, which is on by default, rejects a ~/.ssh or authorized_keys writable by anyone else), so set chmod 700 ~/.ssh and chmod 600 ~/.ssh/authorized_keys.
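The installation step above, as an added example that is not part of the original page: a small POSIX shell function that appends a public key to authorized_keys only once, refuses anything that is not a single OpenSSH public-key line (so a private key pasted by mistake is rejected), and sets the directory and file modes sshd expects. The sample key line is constructed for illustration and is not a real key; the paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): idempotent authorized_keys install.

# install_pubkey PUBKEY_FILE AUTHORIZED_KEYS_FILE
# Appends the public key in PUBKEY_FILE to AUTHORIZED_KEYS_FILE unless an
# identical line is already there. Creates the .ssh directory (0700) and the
# file (0600) if needed.
install_pubkey() {
    pubkey_file=$1
    auth_file=$2
    ssh_dir=$(dirname "$auth_file")

    # Accept exactly one OpenSSH public-key line (ssh-rsa, ssh-ed25519,
    # ecdsa-sha2-*). A private key file starts with "-----BEGIN" and has many
    # lines, so it fails both checks and never lands in authorized_keys.
    if [ "$(grep -c '' "$pubkey_file")" -ne 1 ] || ! grep -Eq '^(ssh-|ecdsa-)' "$pubkey_file"; then
        echo "install_pubkey: $pubkey_file is not a single OpenSSH public key line" >&2
        return 1
    fi

    # sshd's StrictModes rejects a .ssh directory or authorized_keys file that
    # others can write; 0700/0600 is the safe choice.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"

    # -x: whole line, -F: literal match, so a re-run does not duplicate the key.
    if grep -qxF "$(cat "$pubkey_file")" "$auth_file"; then
        echo "install_pubkey: key already present in $auth_file"
        return 0
    fi
    # printf normalises the trailing newline even if the .pub file lacks one.
    printf '%s\n' "$(cat "$pubkey_file")" >> "$auth_file"
    echo "install_pubkey: appended key to $auth_file"
}

# count_keys AUTHORIZED_KEYS_FILE: number of public-key lines in the file.
count_keys() {
    grep -Ec '^(ssh-|ecdsa-)' "$1" || true
}

# Demo on a constructed key in a temporary directory; no real ~/.ssh is touched.
demo_dir=$(mktemp -d)
# Constructed sample in id_rsa.pub format (not a real key).
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCexample tmartin@example.edu\n' > "$demo_dir/id_rsa.pub"
install_pubkey "$demo_dir/id_rsa.pub" "$demo_dir/.ssh/authorized_keys"
install_pubkey "$demo_dir/id_rsa.pub" "$demo_dir/.ssh/authorized_keys"   # second run is a no-op
echo "keys installed: $(count_keys "$demo_dir/.ssh/authorized_keys")"     # 1
rm -rf "$demo_dir"
```

Before trusting a key that arrived by email, compare its fingerprint on both ends with ssh-keygen -lf ~/.ssh/id_rsa.pub; the fingerprints must match exactly.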
Using an SSH Agent with Keychain
The SSH agent provides a much more convenient way to access remote resources, especially when you need to log into several machines in a chain. To support the ssh-agent that comes with
OpenSSH we recommend a bash shell script called keychain. This script assists in the management of your keypairs and ssh agents and greatly simplifies their use. In particular, keychain manages several key pairs in the same agent and makes sure only one agent is running per user.
Whenever you log in or open a new window, keychain searches for the currently running ssh-agent and links the environment to it. If no ssh-agent is running, say at system startup, keychain starts a new agent and prompts you for your passphrase. This should be the only time you are prompted for the passphrase of your ssh keypair until the agent exits (for example at reboot).
Where can I get it?
keychain: SSH Agent Keychain Script version 2.6.6
How Do I Install It?
Download the shell script and install it in your home directory under ~/bin
cd ~
mkdir bin
cd bin
wget http://hepuser/twiki/pub/UCSDTier2/SSHKeyUCSD/keychain
chmod 755 keychain
cd
Then add the following to your ~/.bashrc file. List only the private keys you actually have: if you generated just an RSA key as above, drop ~/.ssh/id_dsa from the line, otherwise keychain warns about the missing file on every login.
# User specific aliases and functions
~/bin/keychain ~/.ssh/id_rsa ~/.ssh/id_dsa
. ~/.keychain/${HOSTNAME}-sh
Re-log into the system or open a new window. Keychain starts automatically, checks for an existing agent, starts one if none is running, and prompts you for your keypair passphrase if the key is not yet loaded.
Using the Agent When You Connect
When you log into a remote system from a machine that is running the SSH agent, ssh automatically uses the agent to perform the required authentication. However, in order to log into a third machine in the chain using the agent on your original system, you need to forward your agent.
Forwarding the Agent with Open SSH
When you connect to a remote system from which you would like to log into additional machines using your local ssh-agent, you need to tell ssh to forward a connection to your local agent. This can be done in either of the following ways.
Using the -A switch to ssh
e.g.
ssh -A username@remote.server.edu
Changing the local ssh client configuration (~/.ssh/config)
Edit or create the file
~/.ssh/config
Note: Settings in this file override the global defaults in /etc/ssh/ssh_config.
add the following line
ForwardAgent yes
Caveat: placed outside any Host stanza, this line forwards the agent to every host you connect to. While a forwarded session is open, anyone with root on that remote host can use your agent to authenticate as you to any system that trusts your key (they cannot read the private key, but they do not need to). Only forward to hosts you trust, for example by putting ForwardAgent yes under a Host entry for the T2 interactive system rather than at the top level, and use -A for one-off hops.
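A per-host form of the configuration above, as an added example that is not from the original page. remote.server.edu is the placeholder host name used earlier on this page; replace it with the T2 interactive host you actually use. ssh applies the first matching value for each option, so the specific entry must come before the catch-all Host * entry.

```sshconfig
# Added example, not part of the original page. Host name is a placeholder.

# Forward the agent only to the host from which you hop onward.
Host remote.server.edu
    ForwardAgent yes

# Every other host: no forwarding, so an untrusted or compromised machine
# cannot use your agent to log in elsewhere as you.
Host *
    ForwardAgent no
```

Check what a given host will get with ssh -G remote.server.edu | grep -i forwardagent, which prints the effective value after all stanzas are applied.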
Authors
--
TerrenceMartin - 31 Mar 2008