Jazz SSH Key Information



	Using Jazz \| Getting Started \| About the LCRC \| Presentations \| Status \| FAQ \| Search \| Main Page

Using SSH Keys on Jazz

Please read the Jazz SSH Policy page.

Reusable passwords are not allowed for remote access to Jazz. SSHv2 keys and Globus certificates are the only methods supported.

When connecting to Jazz, you will need to provide information that demonstrates you are who you say you are. This is traditionally done by providing your username and your password. However, this is not secure enough, and we now require other methods. SSH supports several different methods, one of which is the use of "keys".

Without going into the details of the protocol, this document will describe what you need to do to get your SSH program to use keys. This will involve generating and installing keys. Once these are in place, we highly recommend that you use an "ssh-agent" to reduce the number of times you need to type a password.

Prepare your client environment

You will need to setup SSH keys on the machine that you use to log onto Jazz. This may be your laptop, your machine at home, a desktop at some other site, or any other computer not in the Jazz UNIX space.

Follow the instructions below based on the kind of system that you are using.

There are two files associated with a SSH user key (typically referred to as a key pair):

The private key file. This file should be carefully protected. It should be readable only by you and stored only on a secure computer (typically your laptop or desktop computer). Private key files should not be stored on Jazz.
The public key file. This file is named the same as the private key file but with a .pub extension. It does not need to be as securely protected as the private key file. The contents of the public key file associated with the key you wish to use for Jazz access should be placed inside the ~/.ssh/authorized_keys file located on Jazz.

Only SSH protocol 2 keys (types RSA and DSA) will be allowed on Jazz. We generally recommend RSA. The instructions for generating keys in this document are for generating RSA keys; read the ssh-keygen man page if you wish to generate DSA keys instead.

Below are the steps necessary to set up your ssh key access. In order to allow key-only access to Jazz, you will need to have at least one SSH user key pair. If you don't have a key pair, start with the Generate keys step. If you already have a key pair, you can skip to the Install your public key step.

WE REQUIRE THE USE OF A PASSPHRASE.

During the process of generating a key, you will be asked for a passphrase. Please select a strong passphrase. What consitutes a strong passphrase is detailed in the SSH Passphrases section of the SSH policy document.

There are a very limited number of circumstances where a key without a passphrase is acceptable. If you have a strong need to use one, please contact the support team prior to installing it. The reason for not allowing passwordless ssh keys is that with a copy of your private key, if it has no passphrase, a person can ssh as you to any host to which you've allowed access without knowing a password or passphrase.

Steps to set up keys for access to Jazz

Details

Instructions for the different types of OS and different SSH client packages for which we have experience are below. If you use a different client and need help or wish to provide the instructions on using that client, please contact support@lcrc.anl.gov.

Generate keys:
- If your local machine is a Linux, MacOS X, Cygwin, or other Unix based computer:
  To generate a key pair use the command "ssh-keygen" (see the example below). This command will create and store keys in your ~/.ssh directory. It will overwrite any existing keys (unless you specify a different filename with the -f option).
  To generate an RSA key, type:
```
ssh-keygen -t rsa -b 4096
```
  You will be asked for a passphrase. Please carefully read the comments on passphrase selection above before selecting your passphrase. The default file names for an RSA key are id_rsa (private key) and id_rsa.pub (public key).
- If your local machine is a Windows computer with SecureCRT.
  Note: if you use cygwin for SSH, see the unix instructions above.
  If you use SecureCRT, there is a version of SecureCRT that supports agents, you will need that version.
  Generate your key by clicking "Tools", then "Generate Public Key". Follow the prompts (we recommend an RSA key, despite what the text above the selection box says). Choose a strong passphrase (please carefully read the comments on passphrase selection above before selecting your passphrase). Use 4096 for the key length. Important: make a note of where it installs the key. It is probably something like:
  C:\Documents and Settings\USERNAME\Application Data\VanDyke\Identity
  If you upgraded from an old version, it might be:
  C:\Documents and Settings\USERNAME\Application Data\Van Dyke Technologies\Identity
  Type "Yes" to the global public key question.
Install your public key:
If you will be accessing Jazz for the first time, you will not be able to install your public key on Jazz without assistance. In order to install your key, you must take the following steps:
1. Send us your SSH public key:
  - Visit your LCRC Personal Account Page and upload your public key. You will need to log on with your Jazz password.
    OR
  - Email your public key to the support team at support@lcrc.anl.gov. Please do not include the key within the body of your mail, but send it as an attachment. Once Systems has received the key, they will upload it and send you an email confirming that your key has been received and stating that it needs to be verified.
    Please do NOT proceed with the next step until you receive the email from the Systems team.
2. Call the Help Desk at (630) 252-6813 to verify your identity and your key. During the verification process you will need to read part of the public key to the Help Desk staff. Please have it available before contacting the Help Desk.
3. Once your key and id have been verified, the Help Desk will notify the Systems team. They will install the key in your authorized_keys file on Jazz and notify you thru email that your account is ready to be used.
If you already have a SSHv2 key installed on Jazz, you can use the following methods to install an additional key:
- For a Linux, MacOS X, Cygwin, or other Unix based local computer:
  At this point, you should have an id_rsa.pub file in your ~/.ssh directory. That file contains the public key. In order for you to tell Jazz that you want to authorize the associated private key to identify you, you need to place that public key on Jazz in the ~/.ssh/authorized_keys file.
  To add a key to your authorized keys file, you can do the following:
  1. on your local system:
```
cat ~/.ssh/id_rsa.pub
```
  2. on Jazz:
    edit the ~/.ssh/authorized_keys file (or do a 'cat >> ~/.ssh/authorized_keys') and cut and paste the output from the cat of the public key file.
  Or you can use a simple one line command (replacing 'username' with your Jazz username), executed on your local machine:
```
   cat ~/.ssh/id_rsa.pub | ssh username@lcrc.anl.gov 'cat - >> ~/.ssh/authorized_keys'
        
```
- For SecureCRT :
  Installing your SecureCRT keys onto Jazz is somewhat tricky because SecureCRT stores your public key in a funky format. To get it into the format OpenSSH recognizes:
  1. Log on to Jazz using SSH with your existing key.
  2. On the local machine, use Notepad.exe to open the Identity.pub file that was created with the Key Generation wizard.
  3. With the Identity.pub file opened in the Notepad application, open the Edit menu and choose Select All. Once everything is selected, open the Edit menu again and select Copy.
  4. On Jazz, complete the following steps:
    1. cat > ~/.ssh/windows-machine-name.ident (where "windows-machine-name" is the name of your machine)
    2. Click on the SecureCRT paste button to paste the contents of the Clipboard (which should now contain the contents of your Identity.pub file).
    3. Issue a CTRL+D to close the Identity.pub file.
    4. Convert the key to one that OpenSSH will recognize using the following command:
      ssh-keygen -i -f ~/.ssh/windows-machine-name.ident >> ~/.ssh/authorized_keys
  5. On the local machine, setup SecureCRT to use the key:
    1. Click "File" then "connect", and for each existing entry, in the list (or for new ones you add) click the "Properties" button (it looks like a hand holding a card).
    2. In the Authentication section under "Connection", change "Primary" to be "PublicKey". Choose "Properties" and make sure it's using your global file.
    3. Click "Options", "Global Options", and under SSH2 heading, check both boxes in the "Agent" section.
  The first SecureCRT session you open will ask the passphrase for the key you generated, and any subsequent ones will not (as long as SecureCRT is running.)
Test your SSH installation:
At this point, if you were to ssh from your local machine to Jazz, instead of being asked for a password, you'll see something like this:
```
        Enter passphrase for key '/homes/<username>/.ssh/id_rsa':
     
```
What you type at that prompt is not your Unix password. It is the passphrase you used when you created your key. That passphrase is not stored anywhere.
In this mode of operation, you will be typing your passphrase each time you log in. There is a way, however, for you to reduce the number of times you need to type the passphrase.
Use an SSH Agent:
If you run an ssh-agent, you can tell it to remember the passphrase for a key while it is running.
- If your local machine is a Linux or other Unix based computer:
  If your desktop is a Unix-based workstation running X-Windows, it is possible to set it up so that when you log onto the machine, an SSH agent is launched automatically. This is true of all MCS linux workstations. If your machine is not configured to do that, you can launch one by running:
```
eval `ssh-agent`
```
  To add your keys to the agent:
```
ssh-add
```
  You will be asked for the passphrase for your .ssh/id_rsa key.
  Once you have done an ssh-add of a key, you can ssh to other machines that have the associated public key stored in the authorized_keys file without typing your ssh passphrase.
  MacOS users can use GUI tools such as the following to manage keys and agents:
- If you are using SecureCRT on your local computer:
  If you followed the steps in the section on setting up your ssh keys for Windows, then SecureCRT should be set up to automatically run an ssh-agent. In this case, the first SecureCRT session you open will ask the passphrase for the key you generated, and any subsequent ones will not (as long as SecureCRT is running.)

You should now be all set to use ssh key-only access to Jazz.

WARNING: SSH requires that your home and ~/.ssh directories not be writable by anyone other than you. Do not change the permissions on these directories to allow group or world write access. If you do, SSH will not allow you to log on until someone on the Systems team corrects the permissions.

For more information on using SSH and how to obtain a version for your local machine, please read the MCS Offsite Access document. This document also contains information on why SSH is necessary and pointers to other useful sources of information on ssh and scp.

Last Updated: 6/27/2006

Help Security/Privacy Notice Disclaimer