Thursday, August 19, 2010

How to: Make a passwordless ssh connection

How to: Make a passwordless ssh connection between chpc(hello@delicatearch.chpc.utah.edu) and hci(world@hci-bio1.hci.utah.edu)

Suppose after we log into chpc, we want to "ssh" to hci without a password.

1. Create RSA keys (on chpc).

hello@chpc:MY_HOME>ssh-keygen -t rsa

Generating public/private rsa key pair.
Enter file in which to save the key ($HOME/.ssh/id_rsa):
Enter passphrase (empty for no passphrase): MY_PASSPHRASE
Enter same passphrase again:MY_PASSPHRASE
Your identification has been saved in $HOME/.ssh/id_rsa.
Your public key has been saved in $HOME/.ssh/id_rsa.pub.
The key fingerprint is:
ad:9e:ab:f9:e1:1a:a4:85:16:3b:24:5f:35:b6:76:a7 user@machine


MY_PASSPHRASE is the password used to encrypt the private key file, not the user's login password.

Now we have two files under $HOME/.ssh: "id_rsa" is the private key, "id_rsa.pub" is the public key.


2. Transfer the public key to world@hci's home directory (on chpc)
hello@chpc:$HOME>scp .ssh/id_rsa.pub world@hci-bio1.hci.utah.edu:~/


3. Append the id_rsa.pub to authorized_keys (on hci)
world@hci:$HOME>cat id_rsa.pub >>.ssh/authorized_keys
world@hci:$HOME>chmod 700 .ssh; chmod 600 .ssh/authorized_keys
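The same step as a reusable shell function. This is an added example, not a command from the original post: it installs a copied public key into an account's authorized_keys, but refuses anything that does not look like a one-line public key (a private key pasted by mistake, for instance), creates ~/.ssh with the modes sshd's StrictModes check requires, and appends the key only if that key type and blob are not already present, so running the step twice does not duplicate the line. The optional second argument (target home directory) is an assumption added so the function can be exercised against a scratch directory.

```sh
#!/bin/sh
# Added example (not the post's own commands): install a public key into
# authorized_keys idempotently and with the file modes sshd expects.
# Usage: install_pubkey /path/to/id_rsa.pub [target_home]
#   target_home is an assumption for testing; it defaults to $HOME.
install_pubkey() {
    pub="$1"
    home="${2:-$HOME}"
    sshdir="$home/.ssh"
    auth="$sshdir/authorized_keys"

    # A public key file is exactly one line: key type, base64 blob, optional
    # comment. Anything else (a private key, a multi-line paste) is rejected.
    if [ ! -f "$pub" ] || [ "$(awk 'END { print NR }' "$pub")" -ne 1 ]; then
        echo "install_pubkey: $pub is not a one-line public key file" >&2
        return 1
    fi
    case "$(cut -d' ' -f1 "$pub")" in
        ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-*) ;;
        *) echo "install_pubkey: $pub does not start with a known key type" >&2
           return 1 ;;
    esac

    # With StrictModes yes (the default) sshd ignores authorized_keys when
    # ~/.ssh or the file is writable by anyone but the owner.
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$auth" && chmod 600 "$auth"

    # Compare only the key type and blob (fields 1 and 2): the same key copied
    # again, even with a different comment, must not be appended twice.
    keyid="$(cut -d' ' -f1,2 "$pub")"
    if cut -d' ' -f1,2 "$auth" | grep -qxF "$keyid"; then
        echo "install_pubkey: key already present in $auth"
        return 0
    fi
    # $(cat) strips trailing newlines, printf adds exactly one, so a key file
    # without a final newline cannot run into the next entry.
    printf '%s\n' "$(cat "$pub")" >> "$auth"
    echo "install_pubkey: key appended to $auth"
}
```

On hci this replaces the plain "cat id_rsa.pub >>authorized_keys" with "install_pubkey ~/id_rsa.pub"; afterwards the copied id_rsa.pub in the home directory can be deleted, it is only the public half and is no longer needed there.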

4. Make the hci accept RSA key style connection.

By default, this feature is off.
We need to modify the following lines in /etc/ssh/sshd_config (root privilege is required)

#RSAAuthentication yes
#PubkeyAuthentication yes

to

RSAAuthentication yes
PubkeyAuthentication yes

Then we need to refresh the ssh service.
>/etc/init.d/sshd restart
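A small checker for step 4, added here as an example and not part of the original post. It reads an sshd_config the way sshd does: lines starting with "#" set nothing, keywords are case-insensitive, the first uncommented occurrence of a keyword wins, and anything after a "Match" line is conditional and does not count as the global value. When no uncommented directive exists it reports "default", meaning sshd will use its compiled-in default (for PubkeyAuthentication that is "yes" in OpenSSH; the commented lines in the stock file document those defaults). The constructed sample config in demo_step4 is an assumption used to show the check before and after the edit.

```sh
#!/bin/sh
# Added example (not the post's own commands): report the global value sshd
# will take for a keyword from a given sshd_config.
# Usage: effective_setting /etc/ssh/sshd_config PubkeyAuthentication
effective_setting() {
    cfg="$1"
    want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
    awk -v want="$want" '
        NF == 0 || $1 ~ /^#/   { next }                       # blank or comment line
        tolower($1) == "match" { exit }                       # global section ends here
        tolower($1) == want    { print $2; found = 1; exit }  # first occurrence wins
        END { if (!found) print "default" }                   # nothing set: compiled-in default
    ' "$cfg"
}

# Constructed sshd_config fragment: the two commented lines from the post,
# plus a Match block to show that settings inside it are not global.
demo_step4() {
    cfg="${1:-$(mktemp)}"
    printf '#RSAAuthentication yes\n#PubkeyAuthentication yes\nPasswordAuthentication yes\n' > "$cfg"
    printf 'Match User world\n    PubkeyAuthentication no\n' >> "$cfg"
    echo "before edit: PubkeyAuthentication = $(effective_setting "$cfg" PubkeyAuthentication)"
    # the edit from step 4: uncomment the two lines
    sed -i 's/^#RSAAuthentication yes/RSAAuthentication yes/; s/^#PubkeyAuthentication yes/PubkeyAuthentication yes/' "$cfg"
    echo "after edit:  PubkeyAuthentication = $(effective_setting "$cfg" PubkeyAuthentication)"
    effective_setting "$cfg" PubkeyAuthentication
}
```

On the real host, "sshd -T" (run as root) prints the complete effective configuration and is the authoritative version of this check; the function above is useful when you want to inspect a config file without root or before the daemon is restarted.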

5. Make a test (on chpc)
>ssh -2 world@hci-bio1.hci.utah.edu
Enter passphrase for key '$HOME/.ssh/id_rsa':

Here we need to input the passphrase of the private key; it is . If everything goes well, we will see the welcome message:

Welcome to Ubuntu!


6. Now we need to eliminate the "passphrase" step using ssh-agent and ssh-add (on chpc)

ssh-agent is used to keep the unlocked private key in memory, so we do not need to input the passphrase next time.

#start ssh-agent
>eval `ssh-agent`

#add passphrase
>ssh-add

Enter passphrase for chpc:$HOME/.ssh/id_rsa: MY_PASSPHRASE
Identity added: chpc:$HOME/.ssh/id_rsa

7. Make a test again (on chpc)
>ssh -2 world@hci-bio1.hci.utah.edu
Welcome to Ubuntu!

8. We can test scp (on chpc)
>scp hello.txt world@hci-bio1.hci.utah.edu:~/

To avoid running "eval `ssh-agent`" and "ssh-add" every time after we log into chpc, we can append eval `ssh-agent` to ~/.bash_profile, so it will start automatically next time. However, we still need to run 'ssh-add' manually after each login to register the passphrase, for security. If the passphrase is empty, we do not even need ssh-agent and ssh-add, but this puts the private key at risk: anyone who obtains the file can use it directly.

We can also use "keychain" as the frontend of ssh-agent, so we do not have to create a new ssh-agent for each login. With keychain, only one ssh-agent is in service no matter how many consoles we open.

>wget http://www.funtoo.org/archive/keychain/keychain-2.7.1.tar.bz2
>tar -jxvf keychain-2.7.1.tar.bz2
>cd keychain-2.7.1
>./keychain
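The reuse logic that keychain automates, written out as a shell function you could call from ~/.bash_profile instead of a bare eval `ssh-agent`. This is an added example, not keychain's code and not part of the original post. Instead of starting a fresh agent on every login, it records the agent's environment in a file and reconnects to the running agent while that agent is still alive, so one agent serves every console and ssh-add is needed only once until the machine reboots. Two assumptions: the environment file path (~/.ssh/agent.env, any owner-only path works) and the second argument, which lets the agent command be replaced so the logic can be exercised without a real ssh-agent.

```sh
#!/bin/sh
# Added example (not the post's own commands, not keychain): reconnect to an
# already running ssh-agent across logins, starting one only when needed.
# Usage: start_or_reuse_agent [envfile] [agent command]
#   envfile        assumption: defaults to ~/.ssh/agent.env
#   agent command  defaults to "ssh-agent -s" (Bourne-shell output); it can be
#                  replaced so the function can be run without a real agent
start_or_reuse_agent() {
    envfile="${1:-$HOME/.ssh/agent.env}"
    agent="${2:-ssh-agent -s}"

    # 1. Try to reconnect to the agent recorded by an earlier login. The file
    #    is the "SSH_AUTH_SOCK=...; export SSH_AUTH_SOCK;" text ssh-agent -s
    #    prints, so sourcing it restores the variables in this shell.
    if [ -r "$envfile" ]; then
        . "$envfile" > /dev/null
        # Usable only if the pid is still alive AND the socket path still
        # exists; a stale file left over from before a reboot fails both.
        if [ -n "$SSH_AGENT_PID" ] && kill -0 "$SSH_AGENT_PID" 2>/dev/null \
           && [ -n "$SSH_AUTH_SOCK" ] && [ -e "$SSH_AUTH_SOCK" ]; then
            echo "reusing ssh-agent pid $SSH_AGENT_PID"
            return 0
        fi
    fi

    # 2. Nothing usable: start an agent and record its environment. The file
    #    names the socket, which is all a local process needs to use the agent,
    #    so it is created owner-readable only (umask in a subshell keeps the
    #    caller's umask unchanged).
    mkdir -p "$(dirname "$envfile")"
    (umask 077; $agent > "$envfile") || return 1
    . "$envfile" > /dev/null
    echo "started ssh-agent pid $SSH_AGENT_PID"
}
```

With this in ~/.bash_profile (followed by "ssh-add" only when "ssh-add -l" reports no identities), a second login reuses the first login's agent instead of leaving an orphaned ssh-agent process behind for every session, which is the behaviour the post describes for keychain.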
