UCSD CMS T2 SSH PubKey? Information

Contents

Introduction

This document outlines the procedure for generating an OpenSSH? Public Keypair for use in accessing the UCSD CMS T2 center.

Generating an SSH Key Pair

Mac or Linux Requirements

• OpenSSH? or equivalent installed

Generating the key

Log into the machine and type the following commands

ssh-keygen -t rsa 
Enter file in which to save the key (/home/users/tmartin/.ssh/id_rsa):

Hit Enter and when prompted enter a fairly easy to remember but secure passphrase

This command will generate two files in ~/.ssh

$ ls -l ~/.ssh/id*
-rw-------  1 tmartin tmartin 1743 Nov  7  2006 /home/users/tmartin/.ssh/id_rsa
-rw-r--r--  1 tmartin tmartin  397 Nov  7  2006 /home/users/tmartin/.ssh/id_rsa.pub

Installing the key on the UCSD T2 interactive systems

If you do not currently have an account on the UCSD T2 interactive system you will have to contact UCSD CMS T2 support to have an account created. You will be required to send vi email the file ~/.ssh/id_rsa.pub. This is the public portion of your keypair and can be shared freely.

If you do have an existing account or machine that can access the UCSD CMS T2 interactive systems log in using that system. Once there edit the following file using your favorite editor.

~/.ssh/authorized_keys

Append the contents of the newly created id_rsa.pub to this file.

Using an SSH Agent with Keychain

The SSH Agent can provide a much more convenient way to access remote resources. Especially if it is necessary to log into several machines in a chain. To support the ssh-agent which comes with OpenSSH? we recommend the use of a bash shell script called ssh-keychain. This script is meant to assist in the management of your keypairs and ssh agents and greatly simplifies their use. In particular keychain will manage several key pairs in the same agent and make sure only 1 agent is running per user.

Whenever you login or create a new window keychain will search for and link the environment to the currently running ssh-agent. If an ssh-agent is not running, say at system startup, keychain will start a new agent and prompt you for your passphrase. This should be the only time you are prompted for a passphrase for your ssh keypair.

Where can I get it?

keychain: SSH Agent Keychain Script version 2.6.6

How Do I Install It?

Download the shell script and install it in your home directory under ~/bin

</verbatim> cd ~ mkdir bin cd bin wget http://hepuser/twiki/pub/UCSDTier2/SSHKeyUCSD/keychain chmod 755 keychain cd </verbatim>

Then add the following to your ~/.bashrc file.

# User specific aliases and functions
~/bin/keychain ~/.ssh/id_rsa ~/.ssh/id_dsa
. ~/.keychain/${HOSTNAME}-sh

Re-Log into the system or create a new window. Keychain should start automatically and check for an existing agent, starting one if there is no agent running and prompt you for your keypair passphrase if necessary.

Using the Agent When You Connect

When you are logging into a remote system from a machine that is running the SSH Agent it will automatically attempt to use the agent to perform the required authentication. However in other to log into a third machine in the chain using the agent on your original system you will need to forward your agent

Forwarding the Agent with Open SSH

When you connect to a remote system from which you would like to log into addition machines using your local ssh-agent you will need to tell ssh to forward a connection to your local agent. This can be done in the following ways

Using the -A switch to ssh

eg.

ssh -A username@remote.server.edu

Changing the local ssh client configuration (~/.ssh/config)

Edit or create the file

~/.ssh/config

Note: Settings in this file will override the global defaults

add the following line

ForwardAgent yes
 
 
 

Authors

-- TerrenceMartin - 31 Mar 2008

• keychain: SSH Agent Keychain Script version 2.6.6