Creating the key pair
ssh-keygen -t ed25519
To generate a key with a name, use the command below.
You will need to pass the name of the key on the command line when connecting.
ssh-keygen -t ed25519 -f .ssh/myfancykey
The flag -t specifies the encryption algorithm; if left blank, it will use RSA instead.
The flag -f sets the name and path of the output key pair. We suggest setting it to something meaningful, like your username. In the case above, you would get the following pair of keys:
Key | File name | Purpose |
---|---|---|
Private key | myfancykey | This is for your private use only. Keep it safe in /home/.ssh |
Public key | myfancykey.pub | This is the key you will use for all types of key exchanges, including with our systems |
You will be asked to set a passphrase. I recommend that you enter a sentence you can easily remember for the passphrase question; this secures the private key.
Guard your private key with a passphrase
If you do not set a passphrase on the private key, anyone who can steal your private key can authenticate anywhere you have registered the public key.
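One way to check that the keys in a directory follow this advice, as an added example that is not part of the original documentation. It assumes OpenSSH's ssh-keygen is installed; the function names audit_key and audit_dir and the script file name are hypothetical.

```shell
#!/bin/sh
# Added example: audit SSH private keys for passphrase protection and
# owner-only file permissions.
# Usage: . ./audit_keys.sh && audit_dir "$HOME/.ssh"   (file name is hypothetical)

# audit_key FILE
# Prints: missing | not-a-key | loose-permissions | no-passphrase | ok
# Returns 0 only for "ok".
audit_key() {
    key=$1
    [ -f "$key" ] || { echo missing; return 1; }
    grep -q 'PRIVATE KEY-----' "$key" 2>/dev/null || { echo not-a-key; return 1; }

    # Characters 5-10 of the ls mode string are the group and other bits;
    # a private key must not be accessible to anyone but its owner.
    # This check runs first because ssh-keygen refuses to load a key with
    # loose permissions, which would otherwise hide a missing passphrase.
    perms=$(ls -ld "$key" | cut -c5-10)
    [ "$perms" = "------" ] || { echo loose-permissions; return 1; }

    # -y derives the public key from the private key, and -P '' supplies an
    # empty passphrase without prompting. Success means the key is unencrypted.
    if ssh-keygen -y -P '' -f "$key" >/dev/null 2>&1; then
        echo no-passphrase
        return 1
    fi
    echo ok
}

# audit_dir DIR
# Audits every private key in DIR that has a matching .pub file and
# returns the number of keys that failed a check.
audit_dir() {
    dir=$1
    bad=0
    for pub in "$dir"/*.pub; do
        [ -e "$pub" ] || continue          # directory contains no .pub files
        result=$(audit_key "${pub%.pub}") || bad=$((bad + 1))
        printf '%s: %s\n' "${pub%.pub}" "$result"
    done
    return "$bad"
}
```

A key reported as no-passphrase can be protected in place with ssh-keygen -p -f followed by the key file, which prompts for a new passphrase.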
Upload the public key to SURF
Upload your key on the user portal under "Public ssh keys". When adding the key, you will be asked for the password of the user portal, to make sure no malicious actor can add their own SSH key. You should then be able to log in from your workstation to the HPC system using the passphrase set on the key pair.
It might take a few minutes between adding a new public key on the portal and that key working on the HPC system.
Caching the key-pair passphrase
If you've read the above description of how to set up a public-private key pair, you might be wondering about the passphrase set on the key pair. Isn't that just another password that needs to be entered when authenticating to Snellius? You are indeed right, but there are ways to cache that password on your local system using something known as an SSH agent. How the agent is set up depends on the operating system that you're using locally.
For example, on a Linux desktop-based system you can arrange that you have to type in the passphrase only once per login session on your workstation:
When you are using the GNOME or KDE desktop environment, enter the command 'ssh-add', after which you will be prompted for your passphrase. The system remembers your passphrase and it is supplied automatically with subsequent ssh and scp commands.
When you are not using KDE or GNOME, it depends on your environment how to proceed. The general principle is that you must be working in an environment started with ssh-agent; the KDE and GNOME environments take care of that. If you are not running KDE or GNOME, try something like:
ssh-agent bash
and give the 'ssh-add' command.
Using the key
Once you have your key on the server and, optionally, caching is enabled, you can use it. If you generated a standard key, without a name, SSH will know how to find it and use it. If you created a named key, you will have to tell SSH where to find it. These are the commands respectively:
ssh user@snellius.surf.nl
ssh -i .ssh/myfancykey user@snellius.surf.nl
The first time that you log in, you may be prompted for the passphrase, but after that the fingerprints of your local system and your IP address will be stored in Snellius' known_hosts file and the other way around. Thus, unless you use 2FA, you will log in directly to the system without having to give a password,