SSH Keys

What are SSH Keys?

SSH keys provide a secure way to authenticate yourself to an SSH server using public-key cryptography and challenge-response authentication. Unlike passwords, SSH keys help prevent brute-force attacks and do not expose valid credentials if the server is compromised. They are the preferred method for accessing the cluster because they enhance security and streamline actions that require authentication, such as logging in or transferring files.

SSH keys always come in a pair

  • a “private key” that exists on your local computer

  • a “public key” that can be transferred on to the cluster or any other system that uses keys

To learn more visit: https://wiki.archlinux.org/title/SSH_keys

Set up SSH Keys for Linux, MacOS and Windows Subsystem for Linux (WSL)

  1. To generate a key, on your local command line enter the following

    ssh-keygen -t rsa -b 4096
  2. ssh-keygen will then prompt you to protect your private key with a passphrase. You may create one or leave it blank.

Generating public/private rsa key pair. Enter file in which to save the key (/home/mobaxterm/.ssh/id_rsa): Created directory '/home/mobaxterm/.ssh'. Enter passphrase (empty for no passphrase): . . .
  1. Add the public key to the cluster (adjust path to id_rsa.pub if needed and enter your netid)

    ssh-copy-id -i ~/.ssh/id_rsa.pub yournetidhere@hpc2.storrs.hpc.uconn.edu

     

If the ssh-copy-id command fails. We have to manually copy the key onto the cluster:

  1. On a local terminal, open the id_rsa.pub file with a text editor (nano, vim, cat).

  2. Copy the content

  3. On the cluster, create a new file called ~/.ssh/authorized_keys

  4. Paste the contents of id_rsa.pub into the ~/.ssh/authorized_keys

You should now be able to access the cluster without password or duo prompts!

Set up SSH Keys for Putty/WinSCP

Obtaining and Starting PuTTYgen

PuTTYgen is included in the WinSCP installation package. You can also download it separately from the WinSCP download page.

PuTTYgen originates from PuTTY and is also part of the PuTTY installation package. It does not matter if you use PuTTYgen from WinSCP or the PuTTY installation package, they are identical.

To start PuTTYgen, go to Tools > PuTTYgen on Login dialog.

When you run PuTTYgen you will see a window where you have two main choices: Generate, to generate a new public/private key pair, or Load to load in an existing private key.

image-20250102-220210.png

After loading or generating a key the following output will be displayed.

image-20250102-220117.png

Optionally set a passphrase then save both the public and private keys.
Add the public key to the cluster (adjust path to id_rsa.pub if needed and enter your netid)

 

If the ssh-copy-id command fails. We have to manually copy the key onto the cluster:

  1. Open the key in puTTYgen

  2. copy the key output in the top box

  3. Paste the contents into the ~/.ssh/authorized_keys file

Adding SSH Key to Filezilla

“Edit” > “Settings” > “SFTP” > “Add key file…” and locate your id_rsa.pub public key.

For more details on file transfer and Filezilla: File Transfer - Storrs HPC - UConn Knowledge Base

Using Private Key for Passwordless Access on MobaXterm

Edit a saved User Session by right clicking and selecting “edit session” or create a new session.

 

In “Session Settings” > Advanced SSH settings”, select “Use private key”. Then locate the private key on your local machine. For MobaXterm, it will be under your AppData\Roaming\MobaXterm\home\.ssh labeled “Private Key File”.

 

 

Click “OK” to save and you should be able to log on the cluster with that session without password or DUO prompt!

 

SSH Keys in WinSCP

WinSCP requires the private key to be in the format PuTTY (.ppk file). Fortunately, WinSCP includes a program called PuTTYgen and allows you to generate a key pair where the private key is in the .ppk format.

Next, generate a key pair and save the private key.

Edit or create a new session. Under Advanced>SSH>Authentication, check “Allow agent forwarding” and locate the private key file that you previously generated.

You should now be able to connect without the DUO prompt!

Common Errors