Generating SSH Keys

After making sure your SSH client is installed, the next step is to generate your SSH keys. SSH keys are used to authenticate your client to the cluster frontend nodes, as opposed to a passphrase, and to get the encrypted session going. After generating the keys, you have to upload your public key so you can authenticate to the cluster in the future.

SSH Key Basics

An SSH key has two parts: the public key, which you can share, and the private key, which you must protect and never share. In all clients other than PuTTY (and those that use it), the two parts have the same filename except that the public key file has the added extension .pub for public. In PuTTY, the private key has the extension .ppk and the public key can be saved with an arbitrary extension. The best ways to protect the private key are to either encrypt it or to store it on a security key/card with a PIN.

Warning

It is CRITICAL that you protect your SSH private key. It should never leave your computer/device! Anyone with the private key and the means to decrypt it (assuming you encrypted it at all) can impersonate you to the cluster to corrupt or delete your files, use up all your compute time, and/or cause problems in your name.

You should always encrypt your SSH private keys or store them on a security key/card with a PIN. Do not copy them onto USB thumb drives, external hard disks, etc.! Do not send them to other people or upload them anywhere! Remember that it violates our Terms of Use to share your account or private SSH key(s) with other persons. If you think someone might have gotten hold of your private key (stolen device, etc.), please immediately delete the affected key(s) from your HPC account! If you need help, do not hesitate to contact our support.

Generate SSH Key

If your client supports it, you should generate an ed25519 key since it is both fast and secure. Alternatively, generate an ed25519-sk key for the NHR cluster (do not use this type on the SCC) if you want to use a compatible FIDO2 security key for 2FA (Second Factor Authentication). Otherwise, you should create a 4096-bit rsa key, which is a safe and pretty much universally supported, but slower, fallback. See the FAQ page on keys for more information on these keys. Instructions for generating the key for several clients are given below.

MobaXterm

  1. Open MobaXterm
  2. Click “Start local terminal server”
  3. Generate an SSH key the same way as for an OpenSSH client following the instructions below.

OpenSSH in Terminal (Linux, Mac, Windows PowerShell)

To generate a key with the filename KEYNAME (traditionally, one would choose ~/.ssh/id_NAME where NAME is a convenient name to help keep track of the key), you should run the following in your terminal on your local machine

generate key with OpenSSH:
# ed25519 (recommended)
ssh-keygen -t ed25519 -f KEYNAME
# 4096-bit rsa (fallback); run only one of the two commands
ssh-keygen -t rsa -b 4096 -f KEYNAME

and provide a passphrase to encrypt the key with. Choose a secure passphrase to encrypt your private key that you can remember but others cannot figure out! Then the file ~/.ssh/id_NAME is your private key and ~/.ssh/id_NAME.pub is your public key. Your terminal should look something like the following:

foo@mylaptop:~> ssh-keygen -t ed25519 -f ~/.ssh/id_test
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/foo/.ssh/id_test
Your public key has been saved in /home/foo/.ssh/id_test.pub
The key fingerprint is:
SHA256:54NGZLI2MQSowPoqviWFDlJ5S5KHtDwcbjPdHHaEtUY foo@mylaptop
The key's randomart image is:
+--[ED25519 256]--+
|. o...++E        |
|.*.B =.+ .       |
|o./ = * =        |
|oo.O . O         |
|oo .. + S .      |
|+ o  . o +       |
| + .    o o      |
|o o    .   .     |
|oo.              |
+----[SHA256]-----+
foo@mylaptop:~>
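
To confirm that a generated key file really is passphrase-protected and of a recommended type, the following added example (not part of the original instructions) parses the cleartext header of an OpenSSH-format private key. It assumes the openssh-key-v1 file format written by current ssh-keygen versions; the function names and the constructed sample input are illustrative.

```python
import base64

MAGIC = b"openssh-key-v1\0"
BEGIN, END = "-----BEGIN OPENSSH PRIVATE KEY-----", "-----END OPENSSH PRIVATE KEY-----"

def ssh_string(data):
    """Encode an SSH wire 'string': uint32 big-endian length, then the bytes."""
    return len(data).to_bytes(4, "big") + data

def read_string(buf, off):
    """Decode one SSH 'string' at offset off; return (bytes, next offset)."""
    end = off + 4 + int.from_bytes(buf[off:off + 4], "big")
    if end > len(buf):
        raise ValueError("truncated key data")
    return buf[off + 4:end], end

def inspect_private_key(pem_text):
    """Read cipher, key type and RSA size from the unencrypted file header."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    armored = len(lines) >= 3 and lines[0] == BEGIN and lines[-1] == END
    blob = base64.b64decode("".join(lines[1:-1])) if armored else b""
    if not blob.startswith(MAGIC):
        raise ValueError("not an OpenSSH-format private key")
    cipher, off = read_string(blob, len(MAGIC))
    _kdf, off = read_string(blob, off)
    _kdf_options, off = read_string(blob, off)
    pub, _ = read_string(blob, off + 4)  # off + 4 skips the uint32 key count
    key_type, pos = read_string(pub, 0)
    bits = None
    if key_type == b"ssh-rsa":  # public blob layout: type, mpint e, mpint n
        _e, pos = read_string(pub, pos)
        bits = int.from_bytes(read_string(pub, pos)[0], "big").bit_length()
    return {"type": key_type.decode(), "bits": bits, "cipher": cipher.decode()}

def policy_findings(info):
    """Check this page's advice: passphrase or security key; ed25519 or RSA 4096."""
    findings = []
    if info["cipher"] == "none" and not info["type"].startswith("sk-"):
        findings.append("private key is not passphrase-protected")
    if info["type"] == "ssh-rsa" and info["bits"] < 4096:
        findings.append("RSA key is shorter than 4096 bits")
    elif info["type"] != "ssh-rsa" and "ed25519" not in info["type"]:
        findings.append("key type is neither ed25519 nor rsa")
    return findings

def constructed_sample(cipher, kdf, pub_blob):
    """Constructed input: real header layout, empty private-key section."""
    blob = (MAGIC + ssh_string(cipher) + ssh_string(kdf) + ssh_string(b"")
            + (1).to_bytes(4, "big") + ssh_string(pub_blob) + ssh_string(b""))
    return "\n".join([BEGIN, base64.b64encode(blob).decode(), END])
```

For a real key, pass the file contents, e.g. inspect_private_key(open(path).read()). Only the header is read; the private key material is never decrypted.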

PuTTY

SSH keys are generated by the program PuTTYgen. To create a key pair, follow these steps:

  1. Open PuTTYgen
  2. Set the key parameters at the bottom to either “EdDSA” and “Ed25519 (255 bits)” for ed25519 (best) or “RSA” and “4096 bits” for rsa (fallback).
  3. Click Generate and follow the instructions to generate the key
  4. Enter a passphrase to encrypt the key. Choose a secure passphrase that you can remember but others cannot figure out!
  5. Click both Save private key and Save public key to save the respective key to disk. Note that PuTTY uses a different storage convention than other clients.

Figure: Generating an ed25519 key with PuTTYgen.