SSH Public Keys
SSH keys allow users to log in to remote hosts without having to enter their account password. In addition to reducing the amount of time it takes for someone to log in remotely, using SSH keys adds an extra layer of security to the remote login process. This set of instructions assumes you are using macOS or Linux, but there are many tutorials available online to guide you through the same process on Windows.
Generating Keys
To get started, you’ll need to generate a pair of keys: one public and one private. Despite the fact that these are both called keys, your public key is much more comparable to a lock – one that you can attach to as many computers as you like and that can only be opened using your safeguarded private key.
To start, open up a Terminal window and use the command
$ ssh-keygen
When asked what file to save the key in, accept the default answer.
Enter a passphrase. This can be the same as your login password, but probably should not be. Changing your login password will not change your SSH key passphrase and vice versa. You may leave it blank, but we hope you won’t do so.
If you look now in your ~/.ssh directory, you should see:
id_rsa
id_rsa.pub
Copying Keys to Public Workstations
Install only your public key, never your private key, on the machines you want to be able to SSH into without having a password broadcast, even encrypted, across the wire. SSH keys can also be used to access common accounts (e.g. class accounts) without having to share a single password among a half dozen people.
The .pub file should be appended to ~/.ssh/authorized_keys for the account you need to access. If this needs to be done for a class account, speak with the gurus and we can do this for you. If you’re trying to add your public key to a personal account, you can use the following command:
$ ssh-copy-id <USER>@<HOSTNAME>
where <USER> is your username on the remote host and <HOSTNAME> is the hostname (e.g. dan@diadem.cs.brandeis.edu). If you’re a macOS user and don’t have the latest binaries, you may have to install this command through Homebrew using brew install ssh-copy-id.
Respond with yes when you’re asked whether you want to continue and enter your user password, not the password attached to your new SSH key, when prompted.
If things are working correctly, you should be prompted for the passphrase for your RSA key the next time you log in to your account on the remote host.
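Where ssh-copy-id is not available, the append to ~/.ssh/authorized_keys described above can be done by hand on the remote account. The function below is an added example, not part of the original instructions: install_pubkey is a hypothetical helper name and the key in the usage comment is a constructed placeholder. It refuses private key files, skips keys that are already installed, and sets the modes that sshd's default StrictModes check expects.

```shell
#!/bin/sh
# Added example: append a public key to authorized_keys by hand.
# Usage: install_pubkey PUBKEY_FILE [SSH_DIR]   (SSH_DIR defaults to ~/.ssh)
# Returns 0 on success or if the key is already present, 1 on refusal.
# Constructed sample (not a real key), run against a scratch directory:
#   printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEONLY dan@laptop\n' > /tmp/demo.pub
#   install_pubkey /tmp/demo.pub /tmp/demo-ssh
install_pubkey() {
    pub=$1
    dir=${2:-$HOME/.ssh}
    auth=$dir/authorized_keys

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # A private key file contains a "-----BEGIN ... PRIVATE KEY-----" header.
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pub"; then
        echo "refusing: $pub is a private key" >&2
        return 1
    fi

    # A .pub file is one line: "type base64-data [comment]".
    line=$(grep -v '^[[:space:]]*$' "$pub" | head -n 1)
    ktype=$(printf '%s\n' "$line" | awk '{print $1}')
    kdata=$(printf '%s\n' "$line" | awk '{print $2}')
    case $ktype in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-*|sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-*) ;;
        *) echo "refusing: unrecognised key type in $pub" >&2; return 1 ;;
    esac
    [ -n "$kdata" ] || { echo "refusing: no key data in $pub" >&2; return 1; }

    # sshd's StrictModes (on by default) rejects keys when ~/.ssh or this
    # file is writable by other users.
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Idempotent: look for the same type + key data on any existing line,
    # ignoring the comment and any leading options.
    if awk -v t="$ktype" -v d="$kdata" \
        '{for (i = 1; i < NF; i++) if ($i == t && $(i+1) == d) found = 1}
         END {exit !found}' "$auth"; then
        return 0
    fi
    # If the file does not end in a newline, add one so keys are not joined.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi
    printf '%s\n' "$line" >> "$auth"
}
```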
Copying Keys to Private Workstations
All public (and many private) CS workstations mount user home directories over the network from a central file server. As such, you only need to install your key on one public workstation for it to be usable on all public workstations and some private workstations.
If you want to install your key on a private server that does not use network home directories, and you are connecting from off-campus, you will need to add -o ProxyJump=$PUBLIC_WORKSTATION to your ssh-copy-id invocation, where $PUBLIC_WORKSTATION is one of the public workstations. See Tunnel to Campus for more information.
If you have any questions, feel free to contact us.
Last Revised: 2022-07-11