Authentication keys provide a cryptographic strength that even extremely long passwords cannot offer. Furthermore, they allow access to be automated through password-less login, so that interaction with the computing facilities can be scripted.
An SSH key is required to log on to a Submit Node of the Virgo cluster.
Password-based authentication to the Compute Cluster is not supported!
An SSH authentication key pair consists of the following parts:
A public key that is copied to the Login Nodes.
A private key that remains with the user (aka the identity key).
Security policies require a strong passphrase for the private key. The private key must be kept secret and may not be shared with other individuals or co-workers (cf. Security Advice).
The following files are involved in the configuration of public/private key based authentication:
The private key, protected with a passphrase.
The public key, copied to the Login Nodes.
The file on the Login Nodes that stores the public key(s) authorized to log in.
Users can self-provision a key pair with the ssh-keygen [1] command:
# generate a key pair in ~/.ssh
ssh-keygen -q -t ed25519 -f ~/.ssh/id_ed25519
During key generation you will be prompted to enter a strong passphrase.
The passphrase will be required when the private key is used.
Change the passphrase of a private key with the -p option:
ssh-keygen -f ~/.ssh/id_ed25519 -p
Proxy jump is supported from OpenSSH 7.3 [2] onward. Check the version of your local SSH client with the option -V. Alternatives to the proxy jump option are described in the OpenSSH Cookbook - Proxies and Jump Hosts [3].
The -J option connects to the target host by first making an SSH connection to the jump host:
ssh -J $USER@lxpool.gsi.de virgo-centos7.hpc.gsi.de
The following command appends a custom configuration for the Login Nodes, to be used as jump hosts, to your local SSH client configuration file:
cat <<EOF >> ~/.ssh/config
Host lxpool
  User $USER
  Hostname lxpool.gsi.de
  CheckHostIP no
  ForwardX11 yes
EOF
This enables you to use lxpool as a shorthand to connect:
# connect using the shorthand
ssh -J lxpool virgo-centos7.hpc.gsi.de
The scp command is able to copy files using a jump host:
# copy a file using a proxy jump
scp -o ProxyJump=lxpool \
    /path/to/data* virgo-centos7.hpc:/lustre/...
Further extend your SSH configuration with a login for a required Virtual Application Environment (VAE) available on the cluster:
cat <<EOF >> ~/.ssh/config
Host lxpool-virgo-centos7
  ProxyJump lxpool
  User $USER
  Hostname virgo-centos7.hpc.gsi.de
  CheckHostIP no
EOF
Note that tab completion should work for the hosts defined in your SSH configuration.
ssh-agent [6] stores private keys used for SSH public key authentication. Through environment variables the agent can be located and used automatically for authentication when logging in to other machines with ssh. When started, the SSH agent prints the environment variables needed to connect to it on standard output. Executing it in conjunction with the eval command loads those variables into the current shell environment.
The ssh-add [7] command loads a private key into a running SSH agent and prompts the user for the passphrase protecting the private key. The -l option lists the fingerprints of all identities currently held by the agent:
# add a private key to the SSH agent
ssh-add ~/.ssh/id_ed25519
# list private keys known by the SSH agent
ssh-add -l
ssh can forward the connection to the SSH agent from a login on a remote computer. However, avoid this option if possible, as described in
The -A option enables forwarding of the authentication agent connection:
# forward your SSH agent over a jump host
ssh -A -J lxpool virgo-centos7.hpc
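Two of the requirements above lend themselves to a local check: agent forwarding should not be left switched on in the client configuration when ProxyJump does the job, and private keys must carry a passphrase. The script below is an added example, not part of the cluster documentation or its tooling; the function names, the report format and the use of ssh-keygen -y with an empty passphrase as the encryption probe are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the cluster documentation): audit a local OpenSSH
# client setup against two practices from this page, namely avoiding agent
# forwarding in favour of ProxyJump and keeping private keys passphrase
# protected.  Function names and the report format are this example's own.

# Print the Host blocks in the given ssh_config file that set
# "ForwardAgent yes" (first host pattern per line; settings that appear before
# any Host line are reported as "*global*").  ssh_config keywords are
# case-insensitive, so the comparison lowercases them.
forward_agent_hosts() {
    awk '
        tolower($1) == "host" { host = $2 }
        tolower($1) == "forwardagent" && tolower($2) == "yes" {
            print (host == "" ? "*global*" : host)
        }
    ' "$1"
}

# Print the IdentityFile paths named in the config, with a leading "~"
# expanded to $HOME so the files can be inspected.
identity_files() {
    awk 'tolower($1) == "identityfile" { print $2 }' "$1" |
        sed "s|^~|$HOME|"
}

# Return 0 if the private key needs a passphrase, 1 if ssh-keygen can read it
# with an empty passphrase (policy violation), 2 if the file is missing or
# ssh-keygen is not installed, so the caller can tell "unchecked" from "bad".
key_is_encrypted() {
    [ -r "$1" ] || return 2
    command -v ssh-keygen >/dev/null 2>&1 || return 2
    if ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Print one WARN/INFO line per finding; return 1 if anything was flagged.
audit_ssh_config() {
    cfg=$1; rc=0
    for host in $(forward_agent_hosts "$cfg"); do
        echo "WARN ForwardAgent yes for host '$host'; prefer ProxyJump (ssh -J)"
        rc=1
    done
    for key in $(identity_files "$cfg"); do
        if key_is_encrypted "$key"; then status=0; else status=$?; fi
        case $status in
            1) echo "WARN private key $key has no passphrase"; rc=1 ;;
            2) echo "INFO could not check $key (missing file or ssh-keygen)" ;;
        esac
    done
    return $rc
}

# Usage: audit_ssh_config ~/.ssh/config
```

The key probe relies on the fact that ssh-keygen -y prints the public key only if it can decrypt the private key; with an empty passphrase that succeeds exactly for unprotected keys. The audit deliberately distinguishes "could not check" from "unprotected", so a missing tool never hides a finding.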
Key Agent Session
Depending on your client platform you may already use a program providing functionality similar to the one described in this section.
Commonly used applications to store private keys for SSH public key authentication are the GNOME Keyring [8] or KDE Wallet Manager [9] on Linux and Keychain [10] on Apple macOS. Windows users should follow the instructions about OpenSSH key management [11] in the official documentation from Microsoft.
Typically users have multiple parallel shells. Therefore, it is very convenient to be able to connect to a single ssh-agent from any shell. The ssh-agent-session [12] shell script provides this; a file stores the agent connection information.
# start the ssh-agent (if not running)
» source ssh-agent-session
ssh-agent started
If ssh-agent is running already, the connection information will be loaded automatically into the current shell environment:
» source ssh-agent-session
ssh-agent running with process ID 19264
Source this script within your shell profile to immediately use a shared SSH agent in all newly started shells:
echo "source ~/bin/ssh-agent-session" >> ~/.bashrc
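To make the behaviour described in this section concrete, here is an added example of a minimal script that does what ssh-agent-session is described as doing: it keeps one agent per user, records the agent's connection variables in a file, and reuses the agent from any shell that sources the script. It is not the original ssh-agent-session script; the file location ~/.ssh/agent-session, the function names and the liveness checks are assumptions of this example.

```shell
#!/bin/sh
# Minimal re-implementation of the idea behind ssh-agent-session, written as
# an added example: one ssh-agent shared by every shell, with the connection
# details kept in a per-user file.  The file name and the function names are
# assumptions of this example, not those of the original script.
SESSION_FILE="${SSH_AGENT_SESSION_FILE:-$HOME/.ssh/agent-session}"

# Extract the agent PID from the output format of "ssh-agent -s"
# ("SSH_AGENT_PID=19264; export SSH_AGENT_PID;").
agent_pid_from_file() {
    sed -n 's/^SSH_AGENT_PID=\([0-9][0-9]*\);.*/\1/p' "$1"
}

# Extract the agent socket path ("SSH_AUTH_SOCK=/path; export SSH_AUTH_SOCK;").
agent_sock_from_file() {
    sed -n 's/^SSH_AUTH_SOCK=\([^;]*\);.*/\1/p' "$1"
}

# A recorded agent is usable only if its process is alive, its socket exists
# and the process really is an ssh-agent (PIDs get reused).  A stale file
# from an earlier login must never be trusted blindly.
agent_alive() {
    pid=$1 sock=$2
    [ -n "$pid" ] && [ -n "$sock" ] || return 1
    kill -0 "$pid" 2>/dev/null || return 1
    [ -S "$sock" ] || return 1
    case "$(ps -o comm= -p "$pid" 2>/dev/null)" in
        *ssh-agent*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reuse the recorded agent if it is alive, otherwise start a new one and
# record it.  The session file is created with owner-only permissions, since
# whoever can read it can talk to the agent.
ssh_agent_session() {
    if [ -r "$SESSION_FILE" ]; then
        pid=$(agent_pid_from_file "$SESSION_FILE")
        sock=$(agent_sock_from_file "$SESSION_FILE")
        if agent_alive "$pid" "$sock"; then
            SSH_AGENT_PID=$pid SSH_AUTH_SOCK=$sock
            export SSH_AGENT_PID SSH_AUTH_SOCK
            echo "ssh-agent running with process ID $pid"
            return 0
        fi
    fi
    command -v ssh-agent >/dev/null 2>&1 || return 1
    # Drop the "echo Agent pid ...;" line so the file contains assignments only.
    (umask 077; ssh-agent -s | grep -v '^echo' > "$SESSION_FILE") || return 1
    . "$SESSION_FILE"
    echo "ssh-agent started"
}

# Usage: source this file from your shell profile, then run ssh_agent_session
```

The script prints the same two messages the documented tool prints, so the two are interchangeable from the user's point of view. The extra `ps` check matters in practice: an agent PID recorded days ago may by now belong to an unrelated process, and `kill -0` alone would accept it.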
[1] ssh-keygen, OpenBSD Foundation
[2] OpenSSH 7.3 Release Notes
[3] OpenSSH Cookbook - Proxies and Jump Hosts, Wikibooks
[4] ssh_config, OpenBSD Foundation
[5] scp, OpenBSD Foundation
[6] ssh-agent, OpenBSD Foundation
[7] ssh-add, OpenBSD Foundation
[8] GNOME Keyring, GNOME Project
[9] KDE Wallet Manager, KDE Project
[10] Keychain Access User Guide, Apple Support
[11] OpenSSH key management, Microsoft User Documentation