Generating SSH Keys

After making sure your SSH client is installed, the next step is to generate your SSH keys. SSH keys are used instead of a password to authenticate your client to the cluster frontend nodes, and they are part of getting the encrypted session going. After generating the keys, you have to upload your public key so you can authenticate to the cluster in the future.

SSH Key Basics

An SSH key has two parts: the public key, which you can share, and the private key, which you must protect and never share. The two parts have the same filename except that the public key file has the added extension .pub for public. It is highly recommended to encrypt the private key by specifying a passphrase when creating it. You can also create and store it on a hardware security key/card and secure it with a PIN.

Warning

It is CRITICAL that you protect your SSH private key. It should never leave your computer/device! Anyone with the private key and the means to decrypt it (assuming you encrypted it at all) can impersonate you to the cluster to corrupt or delete your files, use up all your compute time, and/or cause problems in your name.

You should encrypt your SSH private keys or store them on a security key/card with a PIN. Do not copy them onto USB thumb drives, external hard disks, etc.! Do not send them to other people under any circumstances or upload them anywhere!

Remember that it violates our Terms of Use to share your account or private SSH key(s) with other persons. If you think someone might have gotten hold of your private key (stolen device, etc.), please immediately delete the affected key(s) from your HPC account! If you need help, do not hesitate to contact our support.

Generate SSH Key

If your client supports it, you should generate an ed25519 key since it is both fast and secure. You can also use ed25519-sk if you have and want to use a compatible FIDO2 security key for 2FA (Second Factor Authentication). Otherwise, you should create a 4096-bit rsa key, which is an almost universally supported and safe fallback, but much larger and slower. See the FAQ page on keys for more information on these keys. Instructions for generating keys for several clients are given below.

OpenSSH in Terminal (Linux, Mac, Windows PowerShell)

To generate a key, run one of the following commands in a terminal on your local machine. Traditionally, the key file is named ~/.ssh/id_NAME, where NAME is a convenient name to help keep track of the key.

Generate key with OpenSSH (run one of these: ed25519 if your client supports it, otherwise the rsa fallback):
ssh-keygen -t ed25519
ssh-keygen -t rsa -b 4096

It will suggest a default file /home/user/.ssh/id_ed25519, which you can change. If you change it, you need to enter the full path including the filename. Alternatively, you can provide the filename with the parameter -f, but then you need to specify the complete path like -f ~/.ssh/id_test; otherwise the key will be generated in the current directory. You are then asked for a passphrase to encrypt the key with. Choose a secure passphrase that you can remember but others cannot figure out! Afterwards, the file ~/.ssh/id_NAME is your private key and ~/.ssh/id_NAME.pub is your public key. Your terminal should look something like the following:

foo@mylaptop:~> ssh-keygen -t ed25519 -f ~/.ssh/id_test
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/foo/.ssh/id_test
Your public key has been saved in /home/foo/.ssh/id_test.pub
The key fingerprint is:
SHA256:54NGZLI2MQSowPoqviWFDlJ5S5KHtDwcbjPdHHaEtUY foo@mylaptop
The key's randomart image is:
+--[ED25519 256]--+
|. o...++E        |
|.*.B =.+ .       |
|o./ = * =        |
|oo.O . O         |
|oo .. + S .      |
|+ o  . o +       |
| + .    o o      |
|o o    .   .     |
|oo.              |
+----[SHA256]-----+
foo@mylaptop:~>

If you are using Windows, note that the public and private keys are saved in the user folder by default, e.g. C:\Users\username\.ssh.
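
To check an existing key pair against the recommendations above (passphrase set, ed25519 or 4096-bit rsa), the following POSIX shell function can be used on Linux or macOS. It is an added example, not part of the original instructions: the function name audit_key is hypothetical, and the check relies on ssh-keygen -y succeeding with an empty passphrase only for an unencrypted key. The permission check comes first because OpenSSH refuses to load private keys that group or others can access.

```sh
#!/bin/sh
# Added example (not from the original page): audit an OpenSSH key pair.
# audit_key is a hypothetical helper name. Usage: audit_key ~/.ssh/id_test
# Prints one line per check and returns 0 only if nothing was flagged.
audit_key() {
    key=$1
    rc=0
    if [ ! -f "$key" ] || [ ! -f "$key.pub" ]; then
        echo "FAIL: need both $key and $key.pub"
        return 2
    fi

    # Characters 5-10 of the ls mode string are the group/other permission
    # bits. OpenSSH refuses to load a private key that others can access,
    # so the passphrase test below is only meaningful once this passes.
    mode=$(ls -ld -- "$key" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "FAIL: private key is accessible to group/others (chmod 600 $key)"
        rc=1
    # -y re-derives the public key; with an empty passphrase (-P "") that
    # only succeeds if the private key is stored unencrypted.
    elif ssh-keygen -y -P "" -f "$key" </dev/null >/dev/null 2>&1; then
        echo "FAIL: private key has no passphrase (ssh-keygen -p -f $key)"
        rc=1
    else
        echo "OK: private key does not open with an empty passphrase"
    fi

    # ssh-keygen -l prints: <bits> <fingerprint> <comment> (<TYPE>)
    info=$(ssh-keygen -l -f "$key.pub" 2>/dev/null | awk '{print $1, $NF}')
    bits=${info% *}
    type=${info#* }
    case $type in
        "(ED25519)" | "(ED25519-SK)")
            echo "OK: $type key" ;;
        "(RSA)")
            if [ "$bits" -ge 4096 ]; then
                echo "OK: RSA key with $bits bits"
            else
                echo "FAIL: RSA key has only $bits bits, use -b 4096"
                rc=1
            fi ;;
        *)
            echo "FAIL: key type ${type:-unknown} is not ed25519 or rsa"
            rc=1 ;;
    esac
    return $rc
}
```

A FAIL for a missing passphrase can be fixed in place with ssh-keygen -p -f on the private key file, which prompts for a new passphrase without changing the key itself.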