
This page aims to provide you with a step-by-step guide on how to use public key authentication for external login to the NHR systems at the Berlin (NHR@ZIB system "Lise") and Göttingen ("Emmy") sites. It also provides information for internal login to connect between NHR nodes in Berlin/Göttingen.

Summary

  1. Create an SSH key pair with a passphrase that is not used anywhere else.
  2. Upload your public key on our Service Portal NHR@ZIB.
  3. Specify your private key when connecting to our login nodes (either via ssh -i <your_private_key_file> or in your local SSH configuration).

...

An SSH key pair consists of a public key and a private key. The public key is used to encrypt messages. Such messages can only be decrypted using the corresponding private key. For this reason the private key must be stored safely on the local machine, protected by a passphrase and not accessible by other users.

SSH Key Generation

...

$ ssh-keygen -t rsa -b 4096 -f $HOME/.ssh/id_rsa_hlrnnhr
Generating public/private rsa key pair. 
Enter file in which to save the key (/home/user/.ssh/id_rsa_hlrnnhr):                 
Enter passphrase (empty for no passphrase): ************************
Enter same passphrase again: ************************
Your identification has been saved in /home/user/.ssh/id_rsa_hlrnnhr.
Your public key has been saved in /home/user/.ssh/id_rsa_hlrnnhr.pub.  
The key fingerprint is:  
b8:df:d1:14:48:03:00:68:5e:46:9c:1a:b2:b2:d4:f4 user@host  
The key's random art image is:   
+--[ RSA 4096]----+ 
|   +oo....o      |  
|. +.=    . o     | 
| =o=.     . .    |  
|o.o. E .     .   |  
|o.    . S   .    | 
|.      .   o     |  
|      .   . .    |  
|       . . .     | 
|        . .      | 
+-----------------+

In this example, the private key is saved in the file /home/user/.ssh/id_rsa_hlrnnhr, the corresponding public key in the file /home/user/.ssh/id_rsa_hlrnnhr.pub. If you run this command, user will be replaced by your local username.

...

ssh-keygen -yf $HOME/.ssh/id_rsa_hlrnnhr
Enter passphrase:

If you are not asked for a passphrase, the key is unprotected; please use ssh-keygen -pf $HOME/.ssh/id_rsa_hlrnnhr to set a passphrase. Once you are certain that a passphrase protects the key, you can safely continue with uploading the public key as described below.
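The same check done by reading the key file's own header instead of waiting for a prompt, plus a check that no other user can access the file. This is an added example, not part of the original page; it goes beyond the one key type generated above by also recognising PKCS#8 and traditional PEM containers, and `constructed_sample` is a hypothetical helper that builds a header-only sample without key material.

```python
import base64
import os
import stat
import struct

MAGIC = b"openssh-key-v1\0"  # start of the new-format OpenSSH private key container

def is_passphrase_protected(key_text):
    """Return True if the private key text is stored encrypted."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if len(lines) < 3 or not lines[0].endswith("PRIVATE KEY-----"):
        raise ValueError("not a PEM-armoured private key")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 container")
        # The first length-prefixed string after the magic is the cipher name;
        # "none" means the key was written without a passphrase.
        (n,) = struct.unpack_from(">I", blob, len(MAGIC))
        start = len(MAGIC) + 4
        return blob[start:start + n] != b"none"
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True  # PKCS#8, encrypted
    # Traditional PEM (e.g. "BEGIN RSA PRIVATE KEY") flags encryption in a header line.
    return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:3])

def readable_by_others(path):
    """Return True if group or other have any permission bit set on the file."""
    return bool(os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO))

def constructed_sample(cipher):
    """Constructed container header only (no key material), for demonstration."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    body = base64.b64encode(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + body +
            "\n-----END OPENSSH PRIVATE KEY-----\n")

if __name__ == "__main__":
    for cipher in (b"none", b"aes256-ctr"):
        print(cipher.decode(), is_passphrase_protected(constructed_sample(cipher)))
```
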

...

The current ssh host keys for

...

  • blogin[1-86].hlrn.de

are:

SHA256:mrwKbHEz3pJCmvU7ZEXoIKxVRz0E9/4GDp3k41x4Q8g (RSA)
SHA256:53WD36v+IjHObgS3DbjIi+zShcQ/MCAIqJNgJOlfR08 (ED25519)
SHA256:pNGlm//LyjJZi6tX0mz5SPSs4IBkuyJI/iWI10JbhgE (ECDSA)

For

  • bgnlogin[1-2].nhr.zib.de
  • bgilogin[1-2].nhr.zib.de

the fingerprints are:

SHA256:rusM3G/8eG7ZFLNJtvymL/wNHFGgkOFTMYCBk3yLiL8 (ECDSA)
SHA256:8/hSIv0HfMDEy1gUQjVmb0cUMDztgacNfXSBUzcgCFM (ED25519)
SHA256:WulefLWFPRPPobUI6/+4bJpttV9SlQhZ0prEo8ELp1k (RSA)
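To compare a host key offered by a login node with the fingerprints published above, the SHA256 fingerprint can be recomputed from the key's base64 blob. This is an added example, not part of the original page; it uses the blogin fingerprint set, expects lines in the "host keytype base64" form that ssh-keyscan and known_hosts use, and `constructed_key_line` is a hypothetical helper that builds a sample key which deliberately does not match.

```python
import base64
import hashlib
import struct

# Fingerprints this page publishes for blogin[1-86].hlrn.de.
PUBLISHED_BLOGIN = {
    "SHA256:mrwKbHEz3pJCmvU7ZEXoIKxVRz0E9/4GDp3k41x4Q8g",  # RSA
    "SHA256:53WD36v+IjHObgS3DbjIi+zShcQ/MCAIqJNgJOlfR08",  # ED25519
    "SHA256:pNGlm//LyjJZi6tX0mz5SPSs4IBkuyJI/iWI10JbhgE",  # ECDSA
}

def fingerprint(key_b64):
    """OpenSSH notation: 'SHA256:' + unpadded base64 of SHA-256 over the raw key blob."""
    blob = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_host_keys(lines, trusted):
    """Return (host, keytype, fingerprint, matches_trusted) for every key line."""
    results = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue  # blank line, comment or banner line
        host, keytype, key_b64 = fields[:3]
        fp = fingerprint(key_b64)
        results.append((host, keytype, fp, fp in trusted))
    return results

def constructed_key_line(host="blogin.hlrn.de"):
    """Constructed sample: an ed25519-shaped blob with dummy bytes, not a real host key."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    blob = s(b"ssh-ed25519") + s(bytes(range(32)))
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"

if __name__ == "__main__":
    sample = [constructed_key_line()]
    for host, keytype, fp, ok in check_host_keys(sample, PUBLISHED_BLOGIN):
        print(host, keytype, fp, "MATCH" if ok else "MISMATCH: do not connect")
```
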

...

  • Select: Type of key to generate: SSH-2 RSA
  • Fill in: Number of bits in a generated key: 4096
  • Press: Generate
  • Fill in: your key passphrase
  • Fill in: confirm your passphrase
  • Copy the shown public key to a new text file for upload to HLRNNHR
    (do not use "Save public key" for the upload to HLRNNHR; it produces the wrong format)
  • Press: Save private key
  • Please remember the path name where you saved your SSH key files!

...

Before you can log in to one of the Berlin/Göttingen NHR@ZIB login nodes, make sure you have uploaded your SSH public key (not the private one) at the Service Portal NHR@ZIB. Here you can also view or remove public keys uploaded earlier (if any).

At the Service Portal NHR@ZIB, choose the item "Manage keys" / "Verwalten Ihrer Keys". For the key management you will have to log in with your user name and your portal password.

...

You can upload up to seven SSH public keys at the service portal.

Note

Your SSH public keys are stored centrally in our LDAP service database for Berlin/Göttingen. Please do not add the SSH keys discussed here to your $HOME/.ssh/authorized_keys file in Berlin/Göttingen. This file is only used for internal authentication within the Berlin/Göttingen sites, between the nodes of Lise. It will not grant access from outside.

...

For external connections to the NHR@ZIB login nodes in Berlin/Göttingen, the private key of the SSH key pair is needed. Recall the name and the location (see above) of the file containing the private key.

...

With the -i option to the ssh command you can specify the full path of your private SSH key file when you log in to one of the Berlin/Göttingen NHR@ZIB login nodes. You will be asked for the passphrase of your private key.

Example for a login to blogin (Berlin):

$ ssh -i $HOME/.ssh/id_rsa_hlrnnhr -l your_username blogin.hlrn.de
Enter passphrase for key '/<home_directory>/.ssh/id_rsa_hlrnnhr':
[...]


Alternatively, use the SSH configuration file $HOME/.ssh/config on your local machine to permanently store options for specific SSH connections so that they can be omitted on the command line.

...

Host blogin
    Hostname blogin.hlrn.de
    IdentityFile ~/.ssh/id_rsa_hlrnnhr
    User your_username

From now on the ssh command will automatically choose the proper credentials, i.e., -l your_username and -i <private_key> can be omitted from the command line, so that ssh blogin is sufficient.

...

SSH for internal connections between a Berlin and a Göttingen login node, and between nodes of Lise, works right out of the box, that is, without specifying any keys. This also applies to SSH connections between nodes of the same site. This is enabled through host-based authentication, which is active by default.

...
