0. GENERATING YOUR SSH KEY PAIR
NOTE: If you have already generated a public/private key pair for use
on galaxy, you may use the same 'galaxy.pub' file, but you must send
it to the seawulf administrators mailing list and let us know that you
want to use it on seawulf also.
To generate your SSH key pair for use on seawulf, execute the following
command on your desktop or whatever machine you want to use to connect
to seawulf (do not run this on seawulf itself!):
NOTE: This assumes that your home directory is not on a networked file
system. If it is, you must modify the path (~/.ssh/seawulf) to point to
a local one. Storing your private keys on a networked file system
compromises the security of your user account and data.
ssh-keygen -q -b 2048 -t rsa -f ~/.ssh/seawulf
This will quietly create a 2048-bit RSA key pair. This consists of two
keys, which you'll find in ~/.ssh: one public (named 'seawulf.pub') and
one private (named 'seawulf').
1. KEY PAIR SECURITY
You will be asked for a password or given the option to not pick a
password for this key pair. You MUST choose a password! If you do not,
and your private key falls into someone else's hands, they will be
able to log in as you with no trouble at all.
Your private key, named 'seawulf', should NEVER be shared or
transmitted over an insecure channel (e.g., email). This file should
reside on the single workstation from which you will connect to seawulf
and should not exist on any shared user machine or file system (e.g.:
Your public key, named 'seawulf.pub', should be emailed to the seawulf
admin mailing list so that we can set up key-based access for you.
2. LOGGING IN USING YOUR KEY
Log in to seawulf using the following command:
ssh -i ~/.ssh/seawulf firstname.lastname@example.org
After the '-i' option you should provide the path to your private key
file. When you connect to seawulf you will be prompted, not for your
seawulf password, but for the password you chose for your RSA key pair.
3. CHANGING YOUR PRIVATE KEY PASSPHRASE
To change the passphrase for your private key, use the following command:
ssh-keygen -p -f ~/.ssh/seawulf
Where '-f' is followed by the path to your private key file.
4. PRIVATE KEY PERMISSIONS
Please set the permissions on your private key file to 600 like so:
chown `id -un`:`id -gn` ~/.ssh/seawulf && chmod 600 ~/.ssh/seawulf
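One way to check an existing key against the rules in sections 0, 1 and 4 (an added example, not part of the original instructions). It assumes a Linux workstation with GNU stat/df and OpenSSH's ssh-keygen; the function names and the list of network file system types are assumptions.

```shell
#!/bin/sh
# Added example: audit a private key file (local storage, passphrase, mode 600).

# True if the name is a common network file system type.
# This list is an assumption; extend it for your site.
is_network_fstype() {
    case "$1" in
        nfs|nfs3|nfs4|cifs|smb*|afs|fuse.sshfs|lustre|gpfs|ceph|9p) return 0 ;;
        *) return 1 ;;
    esac
}

# True if the file exists, is owned by you, and has mode exactly 600.
key_mode_ok() {
    [ -f "$1" ] && [ -O "$1" ] || return 1
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null)
    [ "$mode" = "600" ]
}

# True if the key loads with an EMPTY passphrase, i.e. it is not protected.
# Call only after key_mode_ok: ssh-keygen refuses keys with loose modes.
# If ssh-keygen is not installed this returns false (no finding reported).
key_unprotected() {
    ssh-keygen -y -P '' -f "$1" </dev/null >/dev/null 2>&1
}

# Print the type of the file system that holds the file (GNU df).
key_fstype() {
    df -PT "$1" 2>/dev/null | awk 'NR==2 {print $2}'
}

# Run all checks; returns 0 only if none of them fails.
audit_key() {
    key=$1; rc=0
    if ! key_mode_ok "$key"; then
        echo "FAIL: $key is missing, not owned by you, or not mode 600"; rc=1
    elif key_unprotected "$key"; then
        echo "FAIL: $key has no passphrase"; rc=1
    fi
    fstype=$(key_fstype "$key")
    if is_network_fstype "$fstype"; then
        echo "FAIL: $key is on a network file system ($fstype)"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: $key"; fi
    return "$rc"
}

# Usage: sh audit_key.sh ~/.ssh/seawulf
if [ "$#" -gt 0 ]; then audit_key "$1"; fi
```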
5. USING AGENT FORWARDING
ssh-agent allows your credentials to be used anywhere on the network and MUST
be used if you have to go through another machine before accessing seawulf,
since your private key should only be stored on a single machine.
eval `ssh-agent -c` will start an ssh-agent properly on a C-style shell (csh,
tcsh).
eval `ssh-agent -s` will start an ssh-agent properly on a Bourne-style shell
(sh, bash).
Once the agent is started, add your private key.
You will be prompted once for your passphrase. After this prompt you will not
need to retype your passphrase for this key until the ssh-agent process dies.
Now you can log in to seawulf through multiple machines without having your
private key anywhere but on your workstation.
[forwarding your credentials from your workstation to somewhere]
ssh -A -i ~/.ssh/seawulf email@example.com
[ssh'ing from somewhere to elsewhere, forwarding your credentials]
ssh -A firstname.lastname@example.org
[finally, ssh'ing from elsewhere to seawulf]
If you don't want to ssh out from seawulf using the same credentials as you
use to log in, you can omit '-A' as shown in the example.