|Using Jazz | Getting Started | About the LCRC | Presentations | Status | FAQ | Search | Main Page|
When connecting to Jazz, you will need to provide information that demonstrates you are who you say you are. This is traditionally done by providing your username and your password. However, this is not secure enough, and we now require other methods. SSH supports several different methods, one of which is the use of "keys".
Without going into the details of the protocol, this document will describe what you need to do to get your SSH program to use keys. This will involve generating and installing keys. Once these are in place, we highly recommend that you use an "ssh-agent" to reduce the number of times you need to type a password.
You will need to setup SSH keys on the machine that you use to log onto Jazz. This may be your laptop, your machine at home, a desktop at some other site, or any other computer not in the Jazz UNIX space.
Follow the instructions below based on the kind of system that you are using.There are two files associated with a SSH user key (typically referred to as a key pair):
Below are the steps necessary to set up your ssh key access. In order to allow key-only access to Jazz, you will need to have at least one SSH user key pair. If you don't have a key pair, start with the Generate keys step. If you already have a key pair, you can skip to the Install your public key step.
WE REQUIRE THE USE OF A PASSPHRASE.
During the process of generating a key, you will be asked for a passphrase. Please select a strong passphrase. What consitutes a strong passphrase is detailed in the SSH Passphrases section of the SSH policy document.
There are a very limited number of circumstances where a key without a passphrase is acceptable. If you have a strong need to use one, please contact the support team prior to installing it. The reason for not allowing passwordless ssh keys is that with a copy of your private key, if it has no passphrase, a person can ssh as you to any host to which you've allowed access without knowing a password or passphrase.
To generate a key pair use the command "ssh-keygen" (see the example below). This command will create and store keys in your ~/.ssh directory. It will overwrite any existing keys (unless you specify a different filename with the -f option).
To generate an RSA key, type:
ssh-keygen -t rsa -b 4096You will be asked for a passphrase. Please carefully read the comments on passphrase selection above before selecting your passphrase. The default file names for an RSA key are id_rsa (private key) and id_rsa.pub (public key).
Note: if you use cygwin for SSH, see the unix instructions above.
If you use SecureCRT, there is a version of SecureCRT that supports agents, you will need that version.
Generate your key by clicking "Tools", then "Generate Public Key". Follow the prompts (we recommend an RSA key, despite what the text above the selection box says). Choose a strong passphrase (please carefully read the comments on passphrase selection above before selecting your passphrase). Use 4096 for the key length. Important: make a note of where it installs the key. It is probably something like:
C:\Documents and Settings\USERNAME\Application Data\VanDyke\Identity
If you upgraded from an old version, it might be:
C:\Documents and Settings\USERNAME\Application Data\Van Dyke Technologies\Identity
Type "Yes" to the global public key question.
If you will be accessing Jazz for the first time, you will not be able to install your public key on Jazz without assistance. In order to install your key, you must take the following steps:
Please do NOT proceed with the next step until you receive the email from the Systems team.
If you already have a SSHv2 key installed on Jazz, you can use the following methods to install an additional key:
At this point, you should have an id_rsa.pub file in your ~/.ssh directory. That file contains the public key. In order for you to tell Jazz that you want to authorize the associated private key to identify you, you need to place that public key on Jazz in the ~/.ssh/authorized_keys file.
To add a key to your authorized keys file, you can do the following:
edit the ~/.ssh/authorized_keys file (or do a 'cat >> ~/.ssh/authorized_keys') and cut and paste the output from the cat of the public key file.
cat ~/.ssh/id_rsa.pub | ssh email@example.com 'cat - >> ~/.ssh/authorized_keys'
Installing your SecureCRT keys onto Jazz is somewhat tricky because SecureCRT stores your public key in a funky format. To get it into the format OpenSSH recognizes:
ssh-keygen -i -f ~/.ssh/windows-machine-name.ident >> ~/.ssh/authorized_keys
The first SecureCRT session you open will ask the passphrase for the key you generated, and any subsequent ones will not (as long as SecureCRT is running.)
At this point, if you were to ssh from your local machine to Jazz, instead of being asked for a password, you'll see something like this:
Enter passphrase for key '/homes/<username>/.ssh/id_rsa':
What you type at that prompt is not your Unix password. It is the passphrase you used when you created your key. That passphrase is not stored anywhere.
In this mode of operation, you will be typing your passphrase each time you log in. There is a way, however, for you to reduce the number of times you need to type the passphrase.
If you run an ssh-agent, you can tell it to remember the passphrase for a key while it is running.
If your desktop is a Unix-based workstation running X-Windows, it is possible to set it up so that when you log onto the machine, an SSH agent is launched automatically. This is true of all MCS linux workstations. If your machine is not configured to do that, you can launch one by running:
To add your keys to the agent:
You will be asked for the passphrase for your .ssh/id_rsa key.
Once you have done an ssh-add of a key, you can ssh to other machines that have the associated public key stored in the authorized_keys file without typing your ssh passphrase.
MacOS users can use GUI tools such as the following to manage keys and agents:
If you followed the steps in the section on setting up your ssh keys for Windows, then SecureCRT should be set up to automatically run an ssh-agent. In this case, the first SecureCRT session you open will ask the passphrase for the key you generated, and any subsequent ones will not (as long as SecureCRT is running.)
You should now be all set to use ssh key-only access to Jazz.
WARNING: SSH requires that your home and ~/.ssh directories not be writable by anyone other than you. Do not change the permissions on these directories to allow group or world write access. If you do, SSH will not allow you to log on until someone on the Systems team corrects the permissions.
For more information on using SSH and how to obtain a version for your local machine, please read the MCS Offsite Access document. This document also contains information on why SSH is necessary and pointers to other useful sources of information on ssh and scp.
Last Updated: 6/27/2006