Synopsis

The following howto will teach you how to set up and use a pair of SSH keys for public key authentication on a POSIX terminal, that is, on Linux or Mac OS X.

It also works for MobaXterm, but the latter has a handier GUI-based option that is explained here.

Creating the key pair


You can create a key pair on your local workstation or in your home directory on Snellius by issuing one of the commands below. The first one creates a key with the standard name; if you use several keys, your best bet is the second command:

ssh-keygen -t ed25519

To generate a key with a name, use the command below.
Warning: you will need to pass the name of the key on the command line when connecting.

ssh-keygen -t ed25519 -f .ssh/myfancykey

The flag -t specifies the key algorithm; if it is left out, ssh-keygen will use RSA instead.

The flag -f sets the name and path of the output keypair. We suggest setting it to something meaningful, like your username. In the case above, you would get the following pair of keys:  

Private key   myfancykey       This is for your private use only. Keep it safe in /home/.ssh
Public key    myfancykey.pub   This is the key you will use for all types of key exchanges, including with our systems

You will be asked to set a passphrase. I recommend that you enter a sentence you can easily remember when asked for the passphrase; this secures the private key.

Guard your private key with a passphrase

If you do not set a passphrase on the private key, anyone who can steal your private key can authenticate anywhere you have registered the public key.
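
To find out which private keys in a directory lack a passphrase, the script below relies on the fact that ssh-keygen -y can only load a key with an empty passphrase when the key is unencrypted. It is an added example and not part of the original howto; the function names and the output labels are its own.

```shell
#!/bin/sh
# Added example (not from the original howto): flag private keys in a
# directory that have no passphrase or are accessible to group/others.

# Succeeds (exit 0) when FILE is a private key that loads with an EMPTY
# passphrase. "ssh-keygen -y" derives the public key from the private key;
# "-P ''" supplies an empty passphrase so the command never prompts.
key_is_unprotected() {
    ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1
}

# Succeeds when FILE grants any permission to group or others
# (characters 5-10 of the "ls -l" mode string are the group/other bits).
key_has_loose_perms() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" != "------" ]
}

# Print one finding per private key found directly in DIR.
# Returns 1 if at least one key needs attention, 0 otherwise.
audit_keys() {
    dir=$1; bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Private key files start with a "-----BEGIN ... PRIVATE KEY-----" line.
        head -n 1 -- "$f" 2>/dev/null | grep -q 'PRIVATE KEY-----' || continue
        if key_has_loose_perms "$f"; then
            # ssh-keygen refuses to load such a file, so fix this first.
            echo "LOOSE-PERMS    $f (run: chmod 600)"; bad=1
        elif key_is_unprotected "$f"; then
            echo "NO-PASSPHRASE  $f (run: ssh-keygen -p -f <key>)"; bad=1
        else
            echo "OK             $f"
        fi
    done
    return "$bad"
}

# Usage: sh audit_keys.sh ~/.ssh
if [ "$#" -gt 0 ]; then audit_keys "$1"; fi
```

A key reported as NO-PASSPHRASE can be given one afterwards with ssh-keygen -p, without having to upload a new public key.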

Upload the public key to SURF

Upload your key on the user portal under "Public ssh keys". When adding the key, you will be asked for the password of the user portal, to make sure no malicious actor can add their own SSH key. You should then be able to log in from your workstation to the HPC system using the passphrase set on the key pair.

It might take a few minutes between adding a new public key on the portal and that key working on the HPC system.

Caching the key-pair passphrase

If you've read the above description of how to set up a public-private key pair, you might be wondering about the passphrase set on the key pair. Isn't that just another password that needs to be entered when authenticating to Snellius? You are indeed right, but there are ways to cache that password on your local system using something known as an SSH agent. How the agent is set up depends on the operating system that you're using locally.

For example, on a Linux desktop system you can arrange that you have to type in the passphrase only once per login session on your workstation:

  • When you are using the GNOME or KDE desktop environment, enter the command 'ssh-add', after which you will be prompted for your passphrase. The system remembers your passphrase and it is supplied automatically with subsequent ssh and scp commands.

  • When you are not using KDE or GNOME, it depends on your environment how to proceed. The general principle is that you must be working in an environment started with ssh-agent; the KDE and GNOME environments take care of that. If you are not running KDE or GNOME, try something like:

ssh-agent bash

and then run the 'ssh-add' command.

Using the key

Once you have your key on the server and, optionally, caching enabled, you can use it. If you generated a standard key, without a name, SSH will know how to find it and use it. If you created a named key, you will have to tell SSH where to find it. These are the commands respectively:

ssh user@snellius.surf.nl

ssh -i .ssh/myfancykey user@snellius.surf.nl


The first time that you log in, you may be prompted for the passphrase, but after that the fingerprints of your local system and your IP address will be stored in Snellius' known_hosts file and the other way around. Thus, unless you use 2FA, you will log in directly to the system without having to give a password,