How do I use SSH keys to login to UPPMAX?

To generate a SSH key using OpenSSH:

Run the 'ssh-keygen' command as shown in the following example. Be sure to enter a password for the key, as that will make your key much more secure; omit this passphrase if the key will be used to perform automated (scripted) operations. (Note though that if we find local keys on UPPMAX machines without any passphrase, then they will be deleted; i.e. you can only have this non-passphrase key on your local machine.) Your username is replaced with USERNAME in this example.

$ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/username/.ssh/id_ed25519):
Created directory '/home/username/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_ed25519.
Your public key has been saved in /home/username/.ssh/
The key fingerprint is:
SHA256:0wvR2GgxtvLza4LRUK47+9wyk3NHXL35dEiSWgoK1Vs usernamef@yourcomputer
The key's randomart image is:
+--[ED25519 256]--+
|       .+        |
|      ..oOE      |
|     ..o*oo  . . |
|    . .++o  + o .|
|     . =S..= + .o|
|      + .=o.o .oo|
|       + .o.   .o|
|      +.B.o..   .|
|      .+oOo.     |

if you have an old client, chances are ed25519 is not available. In this case you can fall back to RSA (-t rsa instead of -t ed25519 to ssh-keygen).

Copying the public key to the remote server

Once you have generated a key pair, you will need to copy the public key to the remote server so that it will use SSH key authentication. The public key file shares the same name as the private key except that it is appended with a .pub extension. Note that the private key is not shared and remains on the local machine.

Simple method

If your key file is ~/.ssh/ you can simply enter the following command.

$ ssh-copy-id

SSH agents

If your private key is encrypted with a passphrase, this passphrase must be entered every time you attempt to connect to an SSH server using public-key authentication. Each individual invocation of ssh or scp will need the passphrase in order to decrypt your private key before authentication can proceed.

An SSH agent is a program which caches your decrypted private keys and provides them to SSH client programs on your behalf. In this arrangement, you must only provide your passphrase once, when adding your private key to the agent's cache. This facility can be of great convenience when making frequent SSH connections.

An agent is typically configured to run automatically upon login on your laptop/workstation running Linux and persist for the duration of your login session. A variety of agents, front-ends, and configurations exist to achieve this effect. This section provides an overview of a number of different solutions which can be adapted to meet your specific needs.

Once ssh-agent is running, you will need to add your private key to its cache.

$ ssh-add 
Enter passphrase for /home/user/.ssh/id_ed25519:
Identity added: /home/user/.ssh/id_ed25519 (/home/user/.ssh/id_ed25519)

If your key is not having the default name or you have more than one key you must specify which key is to be used.

$ ssh-add ~/.ssh/anothername
Enter passphrase for /home/user/.ssh/anothername:
Identity added: /home/user/.ssh/anothername (/home/user/.ssh/anothername)

After the identity is successfully added, the ssh-agen will automatically provide your private key for authentication when you ssh or scp to UPPMAX.

Note: If you use GNOME, during the first attempt to login, the "Password and Encription Keys" program will automatically find your key and ask you for the key's password. This is equivalent to the ssh-add command described above.

More information can be found on the ArchLinux wiki page for SSH keys.

Please refer to the following guide about how to use ssh-keys under Windows using PuTTY. If you are using MobaXterm to connect to UPPMAX it has a built in tool for SSH key generation called MobaKeyGen, which can be accessed in the "Tools" menu.

Last modified: 2022-04-07