Skip to content

Commit

Permalink
removing section on SSH keys in ep11
Browse files Browse the repository at this point in the history
  • Loading branch information
@cagancayco
cagancayco authored Aug 23, 2024
1 parent 522013f commit aaae732
Showing 1 changed file with 0 additions and 247 deletions.
247 changes: 0 additions & 247 deletions _episodes/11-connecting.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -65,253 +65,6 @@ Even if your cluster does not require it, the next section will guide you
through the use of SSH keys and an SSH agent to both strengthen your security
_and_ make it more convenient to log in to remote systems.

### Better Security With SSH Keys

The [Lesson Setup]({{ page.root }}/setup) provides instructions for installing
a shell application with SSH. If you have not done so already, please open that
shell application with a Unix-like command line interface to your system.

SSH keys are an alternative method for authentication to obtain access to
remote computing systems. They can also be used for authentication when
transferring files or for accessing remote version control systems (such as
[GitHub][gh-ssh]).
In this section you will create a pair of SSH keys:

* a private key which you keep on your own computer, and
* a public key which can be placed on any remote system you will access.

> ## Private keys are your secure digital passport
>
> A private key that is visible to anyone but you should be considered
> compromised, and must be destroyed. This includes having improper permissions
> on the directory it (or a copy) is stored in, traversing any network that is
> not secure (encrypted), attachment on unencrypted email, and even displaying
> the key on your terminal window.
>
> Protect this key as if it unlocks your front door. In many ways, it does.
{: .caution}

Regardless of the software or operating system you use, _please_ choose a
strong password or passphrase to act as another layer of protection for your
private SSH key.

> ## Considerations for SSH Key Passwords
>
> When prompted, enter a strong password that you will remember. There are two
> common approaches to this:
>
> 1. Create a memorable passphrase with some punctuation and number-for-letter
> substitutions, 32 characters or longer. Street addresses work well; just
> be careful of social engineering or public records attacks.
> 2. Use a password manager and its built-in password generator with all
> character classes, 25 characters or longer. [KeePass][keepass] and
> [BitWarden][bitwarden] are two good options.
> 3. Nothing is _less_ secure than a private key with no password. If you
> skipped password entry by accident, go back and generate a new key pair
> _with_ a strong password.
{: .callout}

#### SSH Keys on Linux, Mac, MobaXterm, and Windows Subsystem for Linux

Once you have opened a terminal, check for existing SSH keys and filenames
since existing SSH keys are overwritten.

```
{{ site.local.prompt }} ls ~/.ssh/
```
{: .language-bash}

If `~/.ssh/id_ed25519` already exists, you will need to specify
a different name for the new key-pair.

Generate a new public-private key pair using the following command, which will
produce a stronger key than the `ssh-keygen` default by invoking these flags:

* `-a` (default is 16): number of rounds of passphrase derivation; increase to
slow down brute force attacks.
* `-t` (default is [rsa][wiki-rsa]): specify the "type" or cryptographic
algorithm. `ed25519` specifies [EdDSA][wiki-dsa] with a 256-bit key;
it is faster than RSA with a comparable strength.
* `-f` (default is /home/user/.ssh/id_algorithm): filename to store your
private key. The public key filename will be identical, with a `.pub`
extension added.

```
{{ site.local.prompt }} ssh-keygen -a 100 -f ~/.ssh/id_ed25519 -t ed25519
```
{: .language-bash}

When prompted, enter a strong password with the
[above considerations in mind](#considerations-for-ssh-key-passwords).
Note that the terminal will not appear to change while you type the password:
this is deliberate, for your security. You will be prompted to type it again,
so don't worry too much about typos.

Take a look in `~/.ssh` (use `ls ~/.ssh`). You should see two new files:

* your private key (`~/.ssh/id_ed25519`): _do not share with anyone!_
* the shareable public key (`~/.ssh/id_ed25519.pub`): if a system administrator
asks for a key, this is the one to send. It is also safe to upload to
websites such as GitHub: it is meant to be seen.

> ## Use RSA for Older Systems
>
> If key generation failed because ed25519 is not available, try using the older
> (but still strong and trustworthy) [RSA][wiki-rsa] cryptosystem. Again, first
> check for an existing key:
>
> ```
> {{ site.local.prompt }} ls ~/.ssh/
> ```
> {: .language-bash}
>
> If `~/.ssh/id_rsa` already exists, you will need to specify choose a different
> name for the new key-pair. Generate it as above, with the following extra flags:
>
> * `-b` sets the number of bits in the key. The default is 2048.
> EdDSA uses a fixed key length, so this flag would have no effect.
> * `-o` (no default): use the OpenSSH key format,
> rather than PEM.
>
> ```
> {{ site.local.prompt }} ssh-keygen -a 100 -b 4096 -f ~/.ssh/id_rsa -o -t rsa
> ```
> {: .language-bash}
>
> When prompted, enter a strong password with the
> [above considerations in mind](#considerations-for-ssh-key-passwords).
>
> Take a look in `~/.ssh` (use `ls ~/.ssh`). You should see two new files:
>
> * your private key (`~/.ssh/id_rsa`): _do not share with anyone!_
> * the shareable public key (`~/.ssh/id_rsa.pub`): if a system administrator
> asks for a key, this is the one to send. It is also safe to upload to
> websites such as GitHub: it is meant to be seen.
{: .callout}
#### SSH Keys on PuTTY
If you are using PuTTY on Windows, download and use `puttygen` to generate the
key pair. See the [PuTTY documentation][putty-gen] for details.
* Select `EdDSA` as the key type.
* Select `255` as the key size or strength.
* Click on the "Generate" button.
* You do not need to enter a comment.
* When prompted, enter a strong password with the
[above considerations in mind](#considerations-for-ssh-key-passwords).
* Save the keys in a folder no other users of the system can read.
Take a look in the folder you specified. You should see two new files:
* your private key (`id_ed25519`): _do not share with anyone!_
* the shareable public key (`id_ed25519.pub`): if a system administrator
asks for a key, this is the one to send. It is also safe to upload to
websites such as GitHub: it is meant to be seen.
### SSH Agent for Easier Key Handling
An SSH key is only as strong as the password used to unlock it, but on the
other hand, typing out a complex password every time you connect to a machine
is tedious and gets old very fast. This is where the [SSH Agent][ssh-agent]
comes in.
Using an SSH Agent, you can type your password for the private key once, then
have the Agent remember it for some number of hours or until you log off.
Unless some nefarious actor has physical access to your machine, this keeps the
password safe, and removes the tedium of entering the password multiple times.
Just remember your password, because once it expires in the Agent, you have to
type it in again.
#### SSH Agents on Linux, macOS, and Windows
Open your terminal application and check if an agent is running:
```
{{ site.local.prompt }} ssh-add -l
```
{: .language-bash}
* If you get an error like this one,
```
Error connecting to agent: No such file or directory
```
{: .error}
... then you need to launch the agent as follows:
```
{{ site.local.prompt }} eval $(ssh-agent)
```
{: .language-bash}
> ## What's in a `$(...)`?
>
> The syntax of this SSH Agent command is unusual, based on what we've seen
> in the UNIX Shell lesson. This is because the `ssh-agent` command creates
> opens a connection that only you have access to, and prints a series of
> shell commands that can be used to reach it -- but _does not execute them!_
>
> ```
> {{ site.local.prompt }} ssh-agent
> ```
> {: .language-bash}
> ```
> SSH_AUTH_SOCK=/tmp/ssh-Zvvga2Y8kQZN/agent.131521;
> export SSH_AUTH_SOCK;
> SSH_AGENT_PID=131522;
> export SSH_AGENT_PID;
> echo Agent pid 131522;
> ```
> {: .output}
>
> The `eval` command interprets this text output as commands and allows you
> to access the SSH Agent connection you just created.
>
> You could run each line of the `ssh-agent` output yourself, and
> achieve the same result. Using `eval` just makes this easier.
{: .callout}
* Otherwise, your agent is already running: don't mess with it.
Add your key to the agent, with session expiration after 8 hours:
```
{{ site.local.prompt }} ssh-add -t 8h ~/.ssh/id_ed25519
```
{: .language-bash}
```
Enter passphrase for .ssh/id_ed25519:
Identity added: .ssh/id_ed25519
Lifetime set to 86400 seconds
```
{: .output}
For the duration (8 hours), whenever you use that key, the SSH Agent will
provide the key on your behalf without you having to type a single keystroke.
#### SSH Agent on PuTTY
If you are using PuTTY on Windows, download and use `pageant` as the SSH agent.
See the [PuTTY documentation][putty-agent].
### Transfer Your Public Key
{% if site.remote.portal %}
Visit [{{ site.remote.portal }}]({{ site.remote.portal }}) to upload your SSH
public key. (Remember, it's the one ending in `.pub`!)
{% else %}
Use the **s**ecure **c**o**p**y tool to send your public key to the cluster.
```
{{ site.local.prompt }} scp ~/.ssh/id_ed25519.pub {{ site.remote.user }}@{{ site.remote.login }}:~/
```
{: .language-bash}
{% endif %}
## Log In to the Cluster

Go ahead and open your terminal or graphical SSH client, then log in to the
Expand Down

0 comments on commit aaae732

Please sign in to comment.