SSH Public Keys

SSH keys allow users to log in to remote hosts without having to enter their account password. In addition to reducing the amount of time it takes for someone to log in remotely, using SSH keys adds an extra layer of security to the remote login process. This set of instructions assumes you are using macOS or Linux, but there are many tutorials available online to guide you through the same process on Windows.

Generating Keys

To get started, you’ll need to generate a pair of keys: one public and one private. Despite the fact that these are both called keys, your public key is much more comparable to a lock – one that you can attach to as many computers as you like and that can only be opened using your safeguarded private key.

  1. To start, open up a Terminal window and use the command

    $ ssh-keygen
    
  2. When asked what file to save the key in, accept the default answer.

  3. Enter a passphrase. This can be the same as your login password, but probably should not be. Changing your login password will not change your SSH key passphrase and vice versa. You may leave it blank, but we hope you won’t do so.

If you look now in your ~/.ssh directory, you should see

Copying Keys to Public Workstations

You want to install only your public key and not your private key on machines to which you want to be able to SSH without having a password broadcast, even encrypted, across the wire. SSH keys can also be used to access common accounts (e.g. class accounts) without having to share a single password among a half dozen people.

The .pub file should be appended to ~/.ssh/authorized_keys for the account you need to access. If this needs to be done for a class account, speak with the gurus and we can do this for you. If you’re trying to add your public key to a personal account, you can use the following command:

    $ ssh-copy-id <USER>@<HOSTNAME>

where <USER> is your username on the remote host and <HOSTNAME> is the hostname (e.g. dan@diadem.cs.brandeis.edu). If you’re a macOS user and don’t have the latest binaries, you may have to install this command through Homebrew using brew install ssh-copy-id.

Respond with yes when you’re asked whether you want to continue and enter your user password, not the password attached to your new SSH key, when prompted.

If things are working correctly, then you should be prompted for the passphrase for your RSA key the next time you log in to your account on the remote host.
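The manual append to ~/.ssh/authorized_keys described above, written as a shell function. This is an added example, not part of the original instructions; the function name install_pubkey and its arguments are hypothetical. It refuses a private key, sets the permissions sshd expects, and does not add the same key twice.

```shell
# Added example (hypothetical helper, not from the original page).
# Usage: install_pubkey PUBKEY_FILE [SSH_DIR]    (SSH_DIR defaults to ~/.ssh)
# Run it on the account that should accept the key.
install_pubkey() {
    pub=$1
    dir=${2:-"$HOME/.ssh"}
    auth="$dir/authorized_keys"

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # Only the .pub half belongs on a remote host; refuse a private key.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub looks like a private key; refusing" >&2
        return 2
    fi

    # An OpenSSH public key line starts with its type, then a space.
    key=$(head -n 1 "$pub")
    case $key in
        ssh-*" "*|ecdsa-sha2-*" "*|sk-*" "*) ;;
        *) echo "$pub is not an OpenSSH public key" >&2; return 3 ;;
    esac

    # sshd's StrictModes rejects the file if it or the directory is
    # writable by other users, so keep both private to the owner.
    mkdir -p "$dir" && chmod 700 "$dir" || return 4
    touch "$auth" && chmod 600 "$auth" || return 4

    # Nothing to do if this exact key line is already installed.
    if grep -qxF -- "$key" "$auth"; then
        return 0
    fi
    printf '%s\n' "$key" >> "$auth"
}
```
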

Copying Keys to Private Workstations

All public (and many private) CS workstations mount user home directories over the network from a central file server. As such, you only need to install your key on one public workstation for it to be usable on all public workstations and some private workstations.

If you want to install your key on a private server that does not use network home directories, and you are connecting from off-campus, you will need to add -o ProxyJump=$PUBLIC_WORKSTATION to your ssh-copy-id invocation, where $PUBLIC_WORKSTATION is one of the public workstations. See Tunnel to Campus for more information.

If you have any questions, feel free to contact us.


Last Revised: 2022-07-11