Using ssh keys to access BlueM

Access to BlueM is only allowed using the secure communications protocols available from ssh. Normally, you ssh to BlueM and enter your password to log in. However, ssh also allows connections without entering a password; instead you use something called an authentication key. When you log in using an authentication key you enter a passphrase instead of a password. So what is the advantage? A passphrase can be cached, so that you only need to enter it once a day.

This document describes how to set up an authentication key and use it to log in to BlueM. We will discuss using an authentication key with a passphrase entered at login, and then the preferred method of logging in to BlueM, using a cached passphrase. We assume you are using a Unix/Linux/OS X machine. If you are using a Windows machine then the procedure is discussed here.

There is a video of the procedure discussed in this document available from

http://geco.mines.edu/ssh/sshra.mov

We will start from your home directory on the machine you are using to connect to BlueM. So do a:

cd ~

Next you create the authentication key that will be used to access BlueM. The command to create keys is ssh-keygen. The key is actually a set of two files. One is called the public key and the other the private key.

Use the ssh-keygen command with the -tdsa option:

ssh-keygen -tdsa

The command will ask you for a file in which to place the keys. The default file name is "id_dsa". It is possible that you already have a file by that name, so append "_ra" to the file name so that it is id_dsa_ra. The file name will be something like:

/Users/joeminer/.ssh/id_dsa_ra

except you will have a different directory name.

You will also be asked for a passphrase. A passphrase should be something long enough that it is not easy to guess but easy for you to remember, like your grandmother's aunt's list of 13 children. If you forget your passphrase it cannot be recovered, but you can just delete your old key set and create a new one.

Next you need to go in to the hidden directory where your ssh information is stored.

cd .ssh

If you list the files in this directory you will see, among other possible files, id_dsa_ra and id_dsa_ra.pub. These are the newly generated private and public parts of your key set. Ssh is strict about the file access settings for these files. In particular, these files should not be readable by other people. To set the permissions for these files so that they are only readable by you, use the command chmod.

chmod 600 id_dsa_ra*

Next, using your favorite editor, create the file config containing the following lines, substituting your username on BlueM for "joeminer":

Host ra.mines.edu
HostName 138.67.1.145
User joeminer
IdentityFile ~/.ssh/id_dsa_ra

Host ra
HostName 138.67.1.145
User joeminer
IdentityFile ~/.ssh/id_dsa_ra

Some versions of ssh require that the protection for the config file also be set to 600, as you did for the key files.
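Ssh silently refuses keys and config files that other users can read, so it helps to check the whole .ssh directory at once. The following functions are an added example (not part of the original BlueM page) that list every private key, config and authorized_keys file whose group or other permission bits are set, and tighten them to 600 as the steps above do; the directory path is supplied by the caller.

```shell
#!/bin/sh
# Added example: report and fix ssh files that are looser than mode 600.
# Assumes a POSIX sh with ls and cut; the .ssh directory is passed in.

# Print the six group/other permission characters of a file, e.g. "------".
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# List files in the given .ssh directory that ssh considers too open:
# private keys (id_* without .pub), config and authorized_keys.
# Prints one path per line; prints nothing when all are mode 600 or tighter.
insecure_ssh_files() {
    dir="$1"
    for f in "$dir"/id_* "$dir"/config "$dir"/authorized_keys; do
        [ -f "$f" ] || continue
        case "$f" in *.pub) continue ;; esac   # public keys may be readable by others
        case "$(group_other_bits "$f")" in
            ------) ;;                         # only the owner has access: fine
            *) printf '%s\n' "$f" ;;
        esac
    done
}

# Tighten every file reported above, mirroring the page's "chmod 600" step.
fix_ssh_perms() {
    insecure_ssh_files "$1" | while IFS= read -r f; do chmod 600 "$f"; done
}
```

Run insecure_ssh_files ~/.ssh to see what would be changed before calling fix_ssh_perms ~/.ssh.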

The contents of id_dsa_ra.pub need to be copied to your authorized_keys file on BlueM. There are two ways to do this. The quick/Unix Geek way to do this is to use the command:

cat ~/.ssh/id_dsa_ra.pub | ssh -l joeminer ra.mines.edu "cat >> .ssh/authorized_keys"

You will need to replace joeminer with your BlueM username. The command "pipes" the file through ssh and then appends it to the authorized_keys file. You should use copy/paste to enter this command, again replacing the joeminer username with your own. You will be asked for your BlueM password when you run this command but it should be the last time.

If you don't want to use this command then type out the contents of the file "id_dsa_ra.pub".

cat id_dsa_ra.pub

It will look something like:

ssh-dss AAAAB3NzaC1kc3MAAACBAMiWzyItzCGTj5+70h+TcAq42fPRVHzc9... joeminer@bonk.Mines.EDU

Copy the contents of this file so that you can paste them into a file when you log on to BlueM.

Log on to BlueM as you always have. The file on BlueM that you will need to modify is authorized_keys in the hidden directory .ssh. So first change to this directory.

cd .ssh

Using your favorite editor add the text from id_dsa_ra.pub to the end of the file authorized_keys. Include a linefeed before and after what you are adding for good measure.

IMPORTANT:

The text that you copy from id_dsa_ra.pub is a single line. Sometimes when you copy/paste, linefeeds are added. Make sure that you are only pasting a single line and remove extra linefeeds if required.

Log out of BlueM. The next time you connect to BlueM you should not need a password, but you will be asked for your passphrase.

Limiting Access to be only from a specific machine and using different keys for specific purposes

It is possible to set up keys so that they can only be used from a specific machine. For example, you might want to set up a key that can only be used from your desktop machine to copy files to BlueM. If you do this you might also want to use a special name for BlueM, that you set, to indicate to yourself that you are using a specific key. Normally to access BlueM you would type:

ssh ra

Let's assume that you created a key as described above but named the key id_dsa_ra_scp. Then you put an entry in your config file like:

Host ra_scp
HostName 138.67.1.145
User joeminer
IdentityFile ~/.ssh/id_dsa_ra_scp

Note we have ra_scp as our host name. When you run ssh (or scp) and use the name ra_scp instead of ra, you will use the key id_dsa_ra_scp.

To restrict this key to be only usable from a particular host you need to modify your authorized_keys file on RA. Assume you only want to be able to use a key from a specific machine, say poway.mines.edu. Then edit your authorized_keys file on RA and put the following in front of the key of interest, followed by a space. Only the host pattern goes inside the quotes of from="..."; the no-*-forwarding options are separate, comma-separated options that follow the closing quote.

from="poway.mines.edu",no-port-forwarding,no-X11-forwarding,no-agent-forwarding
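The following functions are an added example (not part of the original BlueM page): restrict_key builds the restricted authorized_keys entry described above from a host name and a public key line, and unrestricted_keys lists the entries in an authorized_keys file that carry no options at all, so you can audit which keys are still usable from anywhere. The key line in the test is a constructed, truncated sample.

```shell
#!/bin/sh
# Added example: build a host-restricted authorized_keys entry and find
# entries that have no restriction. Assumes POSIX sh; host, key line and
# file path are supplied by the caller.

# Prefix a public key line with a from= restriction plus the no-*-forwarding
# options. The options sit outside the from="..." quotes, separated by commas,
# and a single space separates the option list from the key itself.
restrict_key() {
    host="$1"; key="$2"
    printf 'from="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' \
        "$host" "$key"
}

# Print the last field (normally the key comment) of every entry in an
# authorized_keys file that starts directly with a key type, i.e. has no
# options at all and is therefore usable from any host. Blank lines and
# comment lines are skipped; entries that begin with options are not listed.
unrestricted_keys() {
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;
            ssh-*|ecdsa-*|sk-*) printf '%s\n' "${line##* }" ;;
        esac
    done < "$1"
}
```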

This procedure also works for doing copies from RA. For example if you set up the keys and the config file as discussed above then you can do a copy of the file "tio.f90" from your home directory "~" on RA to a local directory on your desktop machine "poway" using the command:

poway:~ joeuser$ scp ra_scp:~/tio.f90 .

This, along with the method for caching passphrases discussed in the next section, makes copying files from RA relatively painless.

Good Security and Easy Access

Normally when you use a passphrase you are asked to enter it each time you log in. Fortunately ssh-add allows you to preload or cache your passphrase. The syntax is the command followed by the path to your key. For example:

ssh-add ~/.ssh/id_dsa_ra

will prompt for a passphrase. The next time you log on to BlueM you will not be asked for a passphrase or password. Unfortunately, this holds for as long as the agent keeps running. Using ssh-add in this fashion essentially erases your passphrase.

The easiest way around this problem is to use the command:

ssh-add -d ~/.ssh/id_dsa_ra

or

ssh-add -D

This restores the requirement for entering the passphrase. So you can enter your passphrase once a day and then later disable passphraseless login.

A better way to do this is to add a timeout parameter to your ssh-add command using the -t option. For example, the command:

ssh-add -t 43200 ~/.ssh/id_dsa_ra

will allow you to log on to RA repeatedly without entering a passphrase for 43200 seconds, or 12 hours. The command ssh-add -D will also still terminate access without a passphrase.

If when you enter ssh-add you get a warning similar to:

Could not open a connection to your authentication agent.

then you need to start a background process called an ssh-agent. Most terminal programs will do this automatically for you. Talk with your system administrator to enable this feature. To manually start an agent, enter:

ssh-agent bash

or, if you use tcsh instead of bash,

ssh-agent tcsh

Recommended Procedure

  1. Generate your keys as discussed above, using a nontrivial passphrase.
  2. Add aliases for the commands ssh-add -t 43200 ~/.ssh/id_dsa_ra and ssh-add -D to your environment, such as ssh-init and ssh-kill.
  3. Before you log on to BlueM run the command ssh-init, and when you have finished for the day run ssh-kill.

If you run the bash shell you can add the aliases to your environment by adding the following two lines to your .bashrc file:

alias ssh-init="ssh-add -t 43200 ~/.ssh/id_dsa_ra"
alias ssh-kill="ssh-add -D"

If you run tcsh, add these lines to your .tcshrc file:

alias ssh-init "ssh-add -t 43200 ~/.ssh/id_dsa_ra"
alias ssh-kill "ssh-add -d ~/.ssh/id_dsa_ra"



Some Linux Journal articles on SSH