SSH Usage Manual
Last updated: Wednesday, 15-Sep-2004 23:41:25 EDT
SSH Key Authentication
Generally, the ssh key authentication is simple: if the user making the ssh request has a private key that matches an authorized public key on the host, the login proceeds without a password. The process can be put into practice in a few steps:
- Create a private .ssh directory
- mkdir ~/.ssh
- chmod 700 ~/.ssh
- Create a private/public key pair.
- cd ~/.ssh
- ssh-keygen -t rsa
This will prompt for changing the default file name and will ask for a passphrase and a confirmation of the passphrase. Press enter a few times and take the defaults.
- Authorize the public key
- touch authorized_keys2
- chmod 600 authorized_keys2
- cat id_rsa.pub >> authorized_keys2
- Make a known hosts list
The two ways to accomplish this are either to create your own known_hosts file or to copy an existing one.
- Create a known_hosts list by ssh'ing to each node to which passwordless authentication is desired.
- Copy the known_hosts file from hopper.
scp cluster.earlham.edu:/root/known_hosts ~/.ssh/
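The steps above (create ~/.ssh, generate the key pair, authorize the public key) collected into one script, with a permissions audit at the end. This is an added example, not a script from the original manual; SSH_DIR is an assumed variable so the script can be pointed at a scratch directory instead of the real ~/.ssh. The audit matters because sshd, with StrictModes on, silently ignores an authorized_keys2 file or .ssh directory that is group- or world-writable, and the result looks exactly like "passwordless login still asks for a password".

```shell
#!/bin/sh
# Added example (not part of the original manual). SSH_DIR is an assumption:
# it defaults to ~/.ssh but can be overridden for testing.
SSH_DIR="${SSH_DIR:-$HOME/.ssh}"

# Octal mode of a path (GNU stat; BSD stat form used as a fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create the directory and the authorized_keys2 file with the modes the
# manual prescribes: 700 for the directory, 600 for the keys file.
setup_ssh_dir() {
    mkdir -p "$1"
    chmod 700 "$1"
    touch "$1/authorized_keys2"
    chmod 600 "$1/authorized_keys2"
}

# Generate an RSA key pair with an empty passphrase, but only when no key
# exists yet, so re-running never overwrites a key that is already authorized.
ensure_key() {
    if [ ! -f "$1/id_rsa" ]; then
        ssh-keygen -t rsa -N '' -f "$1/id_rsa" -q
    fi
    # Append the public key only if this exact line is not already present.
    if ! grep -qxF "$(cat "$1/id_rsa.pub")" "$1/authorized_keys2"; then
        cat "$1/id_rsa.pub" >> "$1/authorized_keys2"
    fi
}

# Audit the modes. Prints one line per problem; returns 1 if any were found.
audit_ssh_dir() {
    dir="$1"; rc=0
    [ "$(mode_of "$dir")" = "700" ] || { echo "$dir: mode $(mode_of "$dir"), want 700"; rc=1; }
    for f in id_rsa id_dsa authorized_keys2; do
        [ -e "$dir/$f" ] || continue
        [ "$(mode_of "$dir/$f")" = "600" ] || { echo "$dir/$f: mode $(mode_of "$dir/$f"), want 600"; rc=1; }
    done
    return $rc
}

# Usage on a real account:
#   setup_ssh_dir "$SSH_DIR" && ensure_key "$SSH_DIR" && audit_ssh_dir "$SSH_DIR"
```

On a cluster without NFS, run audit_ssh_dir on every node after copying the .ssh directory around; scp preserves modes only when told to (scp -p), so a copied authorized_keys2 is a common place for the 600 to get lost.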
- Without NFS
To make passwordless ssh authentication work across machines without NFS, the users that have a working passwordless authentication environment must have their .ssh directories and contents copied to their machine-specific home directories. See the C3 tools doc for information on how to easily accomplish this.
- List of Files
- ~/.ssh/ - The default directory in which all the ssh key information resides. This directory should be RWX to the user only.
- id_rsa and id_dsa - These files hold the RSA or DSA private key. Security of the private key is very important, and it should have RX to the user only.
- id_rsa.pub and id_dsa.pub - These are the public keys paired with the private keys, encoded in RSA or DSA. Public keys are placed in the authorized_keys2 file of the user (or of the specific user/machine combination if NFS is not used) to which passwordless login is wanted. This file is meant to be moved between users, so making it group or world readable would be reasonable.
- authorized_keys2 - This file holds the public keys that match private keys that are authorized for passwordless authentication. Security of this file is important and it should have RWX permissions for the user only.
- known_hosts - This file holds all the machine-specific public keys used to authenticate hosts. Ssh'ing to a machine that has no entry in this file produces a prompt asking whether to add the host to your known hosts. This impedes programs like LAM-MPI, so hosts with such dependencies should be added to this file. If a machine has an entry in known_hosts that does not match the machine's private key, ssh sends an error message and prevents authentication. If the machine is safe, delete the public key from the known_hosts file and re-authenticate the machine.
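The three situations the known_hosts entry above describes (no entry, matching entry, mismatching entry) can be checked ahead of time rather than discovered when lamboot hangs on a prompt. This is an added example, not part of the original manual: it parses the plain known_hosts line format with awk and classifies a host. The hostnames b0/b1 and the key strings are constructed sample values, not real cluster keys.

```shell
#!/bin/sh
# Added example (not part of the original manual). Hosts and keys below are
# constructed sample values.

# Print the key (type and base64 blob) stored for HOST in FILE, or nothing.
# A known_hosts line is "host[,host...] keytype base64 [comment]". Hashed
# entries (HashKnownHosts yes, first field starts with "|") are skipped,
# since plain text matching cannot resolve them.
stored_key() {
    awk -v host="$2" '
        substr($1, 1, 1) != "|" && substr($1, 1, 1) != "#" {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == host) { print $2, $3; exit }
        }' "$1"
}

# Classify what ssh will do for HOST given its current KEY ("keytype base64"):
#   missing  -> ssh prompts to add the host (this is what breaks LAM-MPI)
#   match    -> silent login
#   mismatch -> ssh refuses with a host key warning; remove the stale line
known_host_status() {
    file="$1"; host="$2"; key="$3"
    have=$(stored_key "$file" "$host")
    if [ -z "$have" ]; then
        echo missing
    elif [ "$have" = "$key" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Write a constructed known_hosts file for the demonstration.
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not real keys
b0,b0.cluster.example ssh-rsa AAAAB3NzaC1yc2EAAAAB-SAMPLE-B0 root@b0
b1 ssh-rsa AAAAB3NzaC1yc2EAAAAB-SAMPLE-B1 root@b1
EOF
}

# Usage:
#   make_sample /tmp/known_hosts
#   known_host_status /tmp/known_hosts b0 'ssh-rsa AAAAB3NzaC1yc2EAAAAB-SAMPLE-B0'   # match
#   known_host_status /tmp/known_hosts b2 'ssh-rsa AAAAB3NzaC1yc2EAAAAB-SAMPLE-B2'   # missing
```

With a real OpenSSH install the same jobs are done by the stock tools: ssh-keyscan -t rsa HOST >> ~/.ssh/known_hosts records a host's key without an interactive prompt (verify the fingerprint out of band before trusting it), ssh-keygen -F HOST shows the stored entry, and ssh-keygen -R HOST removes a stale one after a node is reinstalled. Copying a master known_hosts from one node to all the others, as the manual suggests, is equivalent to the "match" case for every node the master already knew.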
- RSA vs DSA
RSA keys take a relatively long time to generate but take very little time to authenticate. DSA keys are quickly generated but take a long time to be authenticated. RSA seems to be the clear choice in cluster computing where the number of authentications far outweigh the number of generations.
Old information below
SSH Key Auto-authentication
- Our install uses ssh instead of rsh, so you must go through a small hoop jump to get everything configured properly. The first issue lies in the setup of automatic login through ssh. The second is that even if you are using the automatic login feature, you still must confirm all host keys before you can use it with LAM.
Here is the chicken swing:
- Set up ssh to do no prompt password:
Check out the following link from LAM-MPI:
http://www.lam-mpi.org/faq/category4.php3#question15
or this one
http://www.puddingonline.com/~dave/publications/SSH-with-Keys-HOWTO/
- Create your rsa keys with no passphrase
- Copy the public key to authorized_keys
- Copy the latter to all of the remote hosts you need to connect to
- cd ~
- ssh-keygen -t rsa
Press enter twice for a null passphrase.
- chmod 700 .ssh
- cd .ssh
- cat id_rsa.pub >> authorized_keys2
- chmod 600 authorized_keys2
- Authorize all of the keys from each node. Do this for all clusters
ssh b0
- cexecs -p -c "uptime"
- Say yes to each prompt if you would like that node to be added (and you will want them all)
If you fail to do this, lamboot will die upon each key authorization from ssh.