Connect to a server via ssh¶
- Overview
- Create an ssh keypair
- Add the public ssh key to the authorized_keys file
- Login to a server via ssh
- Common issues
- Requesting support
Overview¶
ssh keys offer stronger security than password authentication and are highly resistant to brute-force attacks. Each key pair consists of a public key with extension .pub and a private key. Public ssh keys may be transferred to the machine you would like to connect to, while private keys are kept on the machine where they were generated.
Tip
ScienceCluster users use the ssh tool to connect to a Login Node on the cluster, as also described in the ScienceCluster training materials. An example of using ssh keypairs on ScienceCluster is to set up passwordless authentication. Detailed instructions can be found below.
ScienceCloud users use ssh keys to get access to their instances. The ScienceCloud training materials include a specific example.
Instructions for creating and uploading a key pair to ScienceCloud are also provided in detail in an OLAT (UZH e-learning platform) minicourse.
Danger
An ssh connection can only be established between a computer having the private key and a computer/instance having the corresponding public key. It is therefore essential to never share or transfer your private key. If you have any questions, please contact Science IT.
Create an ssh keypair¶
On Linux/Mac/Windows¶
ssh-keygen -t ed25519
The above command will prompt you to set a passphrase to unlock the key. If you accept the default options offered by the ssh-keygen command, it generates two files named id_ed25519.pub and id_ed25519 and saves them under /home/<user>/.ssh/.
Note
If invoking ssh from the Windows PowerShell terminal leads to an error, please install OpenSSH.
These files can be confirmed / displayed using
ls ~/.ssh
which should show something similar to id_ed25519 id_ed25519.pub known_hosts, depending on whether default options were chosen during generation.
To display the content of the id_ed25519.pub file, which is the public half of your key, you can issue:
cat ~/.ssh/id_ed25519.pub
which displays something like
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBaVb7jqPwhxFvY8ZcZ4OQ8F0o9yNfP2t9JH6Jt0O2n7 user@host
Note
If you didn't use the default keypair name, then replace id_ed25519 with the path of the private key.
On older Windows¶
Windows 10 and 11 have OpenSSH available via PowerShell. See this ssh tutorial for more details. If you don't have the ssh command available in PowerShell, see Microsoft's OpenSSH overview.
Set up passwordless authentication¶
To enable secure and convenient access without repeatedly entering a password, you can configure passwordless ssh authentication. This is done by adding your public ssh key to the authorized_keys file on the server you would like to connect to, i.e. a ScienceCluster login node or an instance on ScienceCloud.
Note
Each line of the authorized_keys file is a public ssh key that has been added to the server.
Tip
ScienceCluster users can use the instructions below to set up passwordless authentication and avoid entering the Active Directory (AD) password every time they log in to the cluster.
ScienceCloud users already have secure access via ssh enabled, because their ssh public key is injected into instances at launch (see section Instance creation and setup for more details). However, they can use the instructions below to give other people access to an instance. In this case, the person with whom you want to share access has to generate their own ssh keypair and send you their public ssh key in a text file.
Once you have located or received the public ssh key, you have two options for adding it: either using the ssh-copy-id command from your laptop/computer or a terminal-based text editor from the server.
Option 1: Use ssh-copy-id from your laptop/computer¶
You can use ssh-copy-id from Mac, Linux or WSL on Windows.
To add the public ssh key to ScienceCluster:
ssh-copy-id -i ~/path_to_local_key/your_public_key_name.pub shortname@cluster.s3it.uzh.ch
To add the public ssh key to the server on ScienceCloud:
ssh-copy-id -i ~/path_to_local_key/your_public_key_name.pub user@ipaddress
Note
If default names were used during ssh key pair generation, the public key will be called id_ed25519.pub located in the ~/.ssh directory. Make sure to update the command above using the corresponding name values chosen for the keys.
This will add the public ssh key to ScienceCluster or to the server on ScienceCloud, stored as a new line in the file ~/.ssh/authorized_keys.
Option 2: Use a terminal-based text editor from the server¶
Using a terminal-based text editor to edit the authorized_keys file is also an option if you prefer a more manual approach.
First, it is suggested to make a backup of the existing authorized_keys file (if there is one), in case you make any errors during this process.
cp ~/.ssh/authorized_keys ~/.ssh/authorized_keys_copy
To add a new public ssh key, open the authorized_keys file with the nano text editor:
nano ~/.ssh/authorized_keys
This command will open the nano text editor and allow you to edit the new authorized_keys file.
Note
On ScienceCluster, if there is no current authorized_keys file, the nano text editor will create a new file.
On ScienceCloud servers, the first line of the file that you see is the ssh key used when creating the instance.
To add a new public ssh key, simply move the cursor to a new line and paste the desired public ssh key. For reference, you can print the value of your public key if you run cat ~/path_to_local_key/your_public_key_name.pub from the laptop/computer where you generated the key pair. The entire printed value will be what you copy/paste into the ~/.ssh/authorized_keys file on the server.
When you are finished, exit the nano editor with CTRL+x. To confirm type y then ENTER.
Before you close the connection, open a second connection to the instance to verify that you have not corrupted the authorized_keys file. If you have any trouble establishing a new connection to the same instance, consider restoring the file from the backup copy: mv ~/.ssh/authorized_keys_copy ~/.ssh/authorized_keys.
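The manual edit above, written as a script: an added example (not part of the original instructions) that backs up authorized_keys, rejects private keys and truncated pastes, skips a key that is already present, and appends the new key on its own line. The function name add_authorized_key and its return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original page. add_authorized_key is a
# hypothetical helper; the second argument defaults to ~/.ssh/authorized_keys.
add_authorized_key() {
    pubfile=$1
    authfile=${2:-$HOME/.ssh/authorized_keys}

    # Never install private key material on a server.
    if grep -q 'PRIVATE KEY' "$pubfile"; then
        echo "refusing: $pubfile contains a private key" >&2; return 3
    fi
    # The key is the first line that is neither blank nor a comment.
    key=$(grep -v -e '^[[:space:]]*$' -e '^#' "$pubfile" | head -n 1)
    read -r ktype blob _comment <<EOF
$key
EOF
    case $ktype in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) ;;
        *) echo "refusing: unknown key type '$ktype'" >&2; return 2 ;;
    esac
    # A partial paste is the usual way to corrupt the file: key data must be
    # base64, and the shortest valid blob (ed25519) is 68 characters long.
    case $blob in
        ''|*[!A-Za-z0-9+/=]*) echo "refusing: malformed key data" >&2; return 2 ;;
    esac
    [ "${#blob}" -ge 68 ] || { echo "refusing: key data truncated" >&2; return 2; }

    dir=$(dirname "$authfile")
    mkdir -p "$dir" && chmod 700 "$dir" || return 4
    if [ -f "$authfile" ]; then
        # Same type and key data already present: nothing to do.
        grep -qF -- "$ktype $blob" "$authfile" && return 0
        cp -p "$authfile" "${authfile}_copy" || return 4
        # Terminate the last line so the new key starts on its own line.
        [ -z "$(tail -c 1 "$authfile")" ] || echo >> "$authfile"
    fi
    printf '%s\n' "$key" >> "$authfile" && chmod 600 "$authfile"
}

# Demo in a scratch directory, using the sample public key shown earlier.
demo=$(mktemp -d)
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBaVb7jqPwhxFvY8ZcZ4OQ8F0o9yNfP2t9JH6Jt0O2n7 user@host' > "$demo/id_ed25519.pub"
add_authorized_key "$demo/id_ed25519.pub" "$demo/.ssh/authorized_keys"
add_authorized_key "$demo/id_ed25519.pub" "$demo/.ssh/authorized_keys"  # no-op
grep -c '' "$demo/.ssh/authorized_keys"   # number of lines in the file
rm -rf "$demo"
```

As with the manual procedure, keep the current session open and test the login from a second connection before logging out.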
Login to a server via ssh¶
Once you have added the public ssh key to the authorized_keys file, you can verify that the ssh login to ScienceCluster or to the ScienceCloud server works with the new key pair by adding -i ~/.ssh/your_private_key to the ssh command.
The login should now complete without asking for a password. Note that the command might ask for the passphrase you specified for the key.
Tip
ScienceCluster users can verify the passwordless authentication using the command ssh -i ~/.ssh/your_private_key shortname@cluster.s3it.uzh.ch from their laptop/computer.
ScienceCloud users sharing ssh access to an instance with another person can check that the person can log in to the instance using ssh -i ~/.ssh/their_private_key user@ipaddress from their laptop/computer.
Common issues¶
I set up my ssh key pair but I still can't log in¶
A common issue with the key authentication is incorrect permissions on the home directory, .ssh directory, or the .ssh/authorized_keys file on the server. The home directory should be writable only by the owner while the other two should be accessible only by the owner. You can set the correct permissions by connecting via ssh to the server and running the following commands:
chmod 750 $HOME
chmod 700 $HOME/.ssh
chmod 600 $HOME/.ssh/authorized_keys
If you aren't prompted for your password, try adding these options to the ssh command: -o PubkeyAuthentication=no -o PreferredAuthentications=password.
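To find out which of the three paths is at fault before changing any modes, this added example (not from the original page) audits them against the rules above. The function name audit_ssh_perms and the extra ownership check are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original page. audit_ssh_perms is a hypothetical
# helper: it prints one line per problem and returns the number of problems.
# sshd's StrictModes check (on by default) refuses key authentication when
# these paths have bad ownership or are writable by others.
audit_ssh_perms() {
    home=${1:-$HOME}
    owner=${2:-$(id -u)}
    problems=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; problems=$((problems + 1)); continue
        fi
        if [ -z "$(find "$p" -prune -user "$owner")" ]; then
            echo "not owned by uid $owner: $p"; problems=$((problems + 1))
        fi
        # First ten characters of ls -ld, e.g. drwxr-x---: characters 5-7 are
        # the group bits and characters 8-10 the bits for everyone else.
        mode=$(ls -ld "$p" | cut -c1-10)
        case $p in
            "$home")    # home directory: writable only by the owner
                case $mode in
                    ?????w????|????????w?)
                        echo "writable by group/others ($mode): $p"
                        problems=$((problems + 1)) ;;
                esac ;;
            *)          # .ssh and authorized_keys: accessible only by the owner
                case $mode in
                    ????------) ;;
                    *)  echo "accessible by group/others ($mode): $p"
                        problems=$((problems + 1)) ;;
                esac ;;
        esac
    done
    return "$problems"
}

# Constructed demo: a scratch "home" with deliberately loose modes.
demo=$(mktemp -d)
mkdir "$demo/.ssh" && : > "$demo/.ssh/authorized_keys"
chmod 775 "$demo"; chmod 700 "$demo/.ssh"; chmod 644 "$demo/.ssh/authorized_keys"
audit_ssh_perms "$demo" || echo "problems before fix: $?"
chmod 750 "$demo"; chmod 600 "$demo/.ssh/authorized_keys"
audit_ssh_perms "$demo" && echo "clean after chmod"
rm -rf "$demo"
```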
"Remote host identification has changed" error message¶
This is perfectly normal behaviour when you connect to a host whose host keys have been regenerated while your ssh client, i.e. your laptop/computer, expects them to be the same as before.
Tip
On ScienceCloud, when an instance is resized the cloud_init script regenerates the ssh host keys. Therefore, when you try to reconnect to the host, your ssh client expects the host keys to be the same as before. Since they have changed, ssh reports the host key mismatch error above.
To fix the problem, take a close look at the warning message, in particular at the line Offending ED25519 key in <PATH_TO_YOUR_HOME_DIR>/.ssh/known_hosts:.
The .ssh/known_hosts file is located in your home directory on the ssh client where the ssh key pair was created, and stores the host keys for all hosts you have connected to.
You can either delete the offending line from the ~/.ssh/known_hosts file or run the ssh-keygen command with option -R.
Tip
ScienceCluster users experiencing this issue can run ssh-keygen -R cluster.s3it.uzh.ch.
ScienceCloud users can run ssh-keygen -R <IP_ADDRESS>, where <IP_ADDRESS> is the ScienceCloud instance IP address.
This command will remove the host key corresponding to the ScienceCluster or ScienceCloud instance IP address from your known_hosts file.
Once you reconnect you will be prompted to accept a new host key and upon doing that no warning message should display.
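For the manual route, this added example (not from the original page) checks that the line number named in the warning really belongs to the host you expect before deleting it, and keeps a backup. It assumes you have already confirmed that the host key change is expected (for instance after an instance resize); remove_offending_line is a hypothetical name and 192.0.2.10 is a placeholder address.

```shell
#!/bin/sh
# Added example, not from the original page. remove_offending_line is a
# hypothetical helper for deleting the offending line by hand.
# usage: remove_offending_line <line-number> <host> [known_hosts file]
remove_offending_line() {
    lineno=$1; host=$2; file=${3:-$HOME/.ssh/known_hosts}
    case $lineno in
        ''|0|*[!0-9]*) echo "line number must be a positive integer" >&2; return 2 ;;
    esac
    entry=$(sed -n "${lineno}p" "$file")
    [ -n "$entry" ] || { echo "no entry on line $lineno of $file" >&2; return 2; }
    read -r hosts ktype _rest <<EOF
$entry
EOF
    # Hashed names (HashKnownHosts) and @marker lines cannot be compared here.
    case $hosts in
        '|1|'*|@*)
            echo "cannot read the host on line $lineno; use ssh-keygen -R $host" >&2
            return 3 ;;
    esac
    # The first field is a comma-separated list of names and addresses.
    case ",$hosts," in
        *",$host,"*) ;;
        *)  echo "line $lineno belongs to '$hosts', not '$host'; nothing removed" >&2
            return 4 ;;
    esac
    cp -p "$file" "$file.old" || return 5      # keep the previous state
    sed "${lineno}d" "$file.old" > "$file" || return 5
    echo "removed $ktype key for $host (line $lineno); backup: $file.old"
}

# Constructed demo: a known_hosts file with placeholder key data.
demo=$(mktemp -d)
cat > "$demo/known_hosts" <<'EOF'
cluster.s3it.uzh.ch ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyDataA
192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyDataB
EOF
remove_offending_line 1 192.0.2.10 "$demo/known_hosts" || echo "wrong line: refused"
remove_offending_line 2 192.0.2.10 "$demo/known_hosts"
rm -rf "$demo"
```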
Requesting support¶
Please add -vvv to your ssh command, which prints verbose output.
For example, if connecting to ScienceCluster:
ssh -vvv shortname@cluster.s3it.uzh.ch
and contact Science IT with the output as text or a screenshot.