Manage and use SSH keys to connect to the VMs¶
SSH keys in INFN Cloud¶
SSH keys are a pair of cryptographic keys that can be used to authenticate to an SSH server as an alternative to password-based logins. A private key is stored on the client machine, while the public key is placed on the server.
Important
In all of the PaaS services in INFN Cloud, password-based login is disabled by default, so you must use SSH keys to connect to the VMs for the first time.
The SSH keys are used to authenticate the user to the VMs in INFN Cloud. When a VM is created, the public key is automatically injected into the VM and the user can connect to it using the corresponding private key. Therefore, before deploying any service on INFN Cloud you must set up your SSH keys by at least providing the public key to the INFN Cloud Dashboard.
Please be aware that if you update your SSH key in the INFN Cloud Dashboard, the new key will not be added to the active deployments, as the injection into the authorized keys is done only at creation. Therefore any change to the ~/.ssh/authorized_keys file must be done manually.
To aid the users in this procedure, an easy web interface has been set up in the INFN Cloud Dashboard to upload, create and manage SSH keys.
The following sections will guide you through the process of creating, managing and effectively using your SSH keys to connect to your deployments in INFN Cloud.
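The manual update of ~/.ssh/authorized_keys mentioned above, as an added example that is not part of the INFN Cloud documentation: a small POSIX sh helper that adds a new public key only if it is not already present, keeps the directory and file modes sshd requires, and removes a retired key by its key type and base64 blob so that the trailing comment does not matter. The home directory, the key names and the two key lines are constructed for the demonstration; the blobs are placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not part of the INFN Cloud documentation: update
# ~/.ssh/authorized_keys by hand, which is needed because the Dashboard
# injects the key only when the VM is created. Handles the plain
# "<type> <base64 blob> [comment]" line format; lines with a leading options
# field (e.g. command="...") are not matched.

# Octal mode of a file (GNU stat first, BSD/macOS stat as fallback).
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Create the directory and file with the modes sshd's StrictModes expects.
ensure_authorized_keys() {
    mkdir -p "$1/.ssh"
    chmod 700 "$1/.ssh"
    touch "$1/.ssh/authorized_keys"
    chmod 600 "$1/.ssh/authorized_keys"
}

# A key is identified by "<type> <blob>"; the trailing comment is ignored, so
# the same key uploaded with a different comment is still recognised.
key_identity() {
    printf '%s\n' "$1" | awk '{print $1, $2}'
}

# 0 if the key is already authorised for the account whose home is $1.
has_authorized_key() {
    ident=$(key_identity "$2")
    [ -f "$1/.ssh/authorized_keys" ] || return 1
    awk -v want="$ident" '($1 " " $2) == want {found = 1} END {exit found ? 0 : 1}' \
        "$1/.ssh/authorized_keys"
}

# Append the key unless present; prints "added" or "present".
add_authorized_key() {
    ensure_authorized_keys "$1"
    if has_authorized_key "$1" "$2"; then
        echo present
    else
        printf '%s\n' "$2" >> "$1/.ssh/authorized_keys"
        echo added
    fi
}

# Drop every line carrying the key, e.g. to retire the old key after a
# rotation; prints the number of lines removed.
remove_authorized_key() {
    file=$1/.ssh/authorized_keys
    ident=$(key_identity "$2")
    [ -f "$file" ] || { echo 0; return; }
    before=$(wc -l < "$file")
    tmp=$(mktemp)
    awk -v want="$ident" '($1 " " $2) != want' "$file" > "$tmp"
    cat "$tmp" > "$file"   # rewrite in place so the 600 mode is kept
    rm -f "$tmp"
    echo $((before - $(wc -l < "$file")))
}

# Constructed sample keys (the blobs are placeholders, not real keys).
OLD_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLDKEYPLACEHOLDER0000000000000000000000 INFNCloud-old'
NEW_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINEWKEYPLACEHOLDER0000000000000000000000 INFNCloud-new'

# Demonstration on a temporary home directory.
demo() {
    home=$(mktemp -d)
    echo "old key: $(add_authorized_key "$home" "$OLD_KEY")"
    echo "new key: $(add_authorized_key "$home" "$NEW_KEY")"
    echo "new key again: $(add_authorized_key "$home" "$NEW_KEY")"
    echo "old key lines removed: $(remove_authorized_key "$home" "$OLD_KEY")"
    echo "authorized_keys mode: $(mode_of "$home/.ssh/authorized_keys")"
    rm -rf "$home"
}
demo
```

On a real VM, run `add_authorized_key "$HOME" "$(cat new_key.pub)"` from an existing session and verify that a second session with the new key works before calling `remove_authorized_key` for the old one, so that a typo cannot lock you out of a deployment where password login is disabled.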
Create SSH keys on your local machine¶
You can create the key pair on your local machine and then just upload the public key to the INFN Cloud Dashboard. This is the suggested way. The process depends on the operating system you are using. In the following we will guide you through the process for Linux, macOS and Windows.
Linux and macOS¶
The following command will create a new key pair with the ED25519 algorithm; the -C option adds a comment to the key, which is useful to identify the key later on. The key pair will be saved in the ~/.ssh/ directory, with the name your_key for the private key and your_key.pub for the public key:
$ ssh-keygen -t ed25519 -C "INFNCloud-your_mail@infn.it" -f $HOME/.ssh/your_key
The tool will ask you to enter a passphrase to protect the private key. If you want to create a key pair without a passphrase, you can simply press the Enter key when prompted.
Windows¶
On Windows, you can use the OpenSSH client utilities to create a new key pair in the same way as on Linux and macOS. We suggest using this tool; however, there are also third-party clients that offer utilities to create the key pair. For more detailed information you should refer to the documentation of the specific client you will be using. In this guide we will show you how to use the OpenSSH client and, as an example for third-party clients, MobaXterm (https://mobaxterm.mobatek.net/) to create an OpenSSH-compatible key pair.
OpenSSH Client¶
The OpenSSH client is included in Windows 10 starting from version 1809. To enable it, open the “Settings” app, go to “Apps” and then “Optional features”.
Click on “Add a feature” and select “OpenSSH Client” from the list.
Otherwise you can use the following PowerShell command:
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~
Open PowerShell and use the following command (in PowerShell the profile directory is referenced as $env:UserProfile; the .ssh directory must already exist, as ssh-keygen does not create it):
ssh-keygen -t ed25519 -C "INFNCloud-your_mail@infn.it" -f "$env:UserProfile\.ssh\your_key"
The tool will ask you to enter a passphrase to protect the private key. If you want to create a key pair without a passphrase, you can simply press the Enter key when prompted.
MobaXterm¶
MobaXterm offers a builtin tool to create a new key pair. Open MobaXterm and click on the “Tools” item in the menu bar, select “MobaKeyGen (SSH key generator)” from the dropdown.
In the new window that just opened, click on the “Generate” button to create a new key pair. The program will instruct you to move your mouse cursor inside the window in order to generate enough entropy to create the key pair.
Once the key pair is created, you can see the public key in the text box at the top of the window and the private key in the “key fingerprint” text box. If you want to protect the private key with a password, you can enter it in the “Key passphrase” and “Confirm passphrase” text boxes. Instead, if you want to create a key pair without a passphrase, you can leave these text boxes empty. You can then save the private key by clicking on the “Save private key” button and the public key by clicking on the “Save public key” button.
Manage your keys using INFN Cloud Dashboard¶
The INFN Cloud Dashboard provides a tool to manage SSH key pairs: it allows the user either to upload an existing public key, created as described in the previous section, or to create a new key pair that is stored securely in INFN Cloud. Providing a public key to the INFN Cloud Dashboard is mandatory, as password-based logins are disabled by default on all the deployments in INFN Cloud.
To access the SSH Keys tool, open the INFN Cloud Dashboard at https://my.cloud.infn.it and login using your INFN-AAI credentials.
Once logged in, click on your name in the bottom left corner.
If this is the first time accessing this page you will be presented with the screen shown in Figure 8. Here you can upload an existing public key, either via copy and pasting the content or directly uploading the file, or create a new one using the builtin key generator.
If you have already created a key pair on your local machine, you can now upload the public key either by copy-pasting the content of the your_key.pub file or by directly uploading it using the blue Upload button.
Otherwise, you can press the “Create new SSH key pair” green button at the bottom of the page. The page will then refresh and you will be presented with the screen shown in Figure 9. Here you can see, displayed in the text box, your newly created public key and you can download the private key by pressing the “Retrieve SSH private key” button.
Important
Please be aware that the key pair created using the INFN Cloud Dashboard is not protected by a password. Therefore anyone with the private key can use it to connect to the VMs. We strongly advise you to store the private key in a safe place and not to share it with anyone.
In the following we will assume that you have placed your private key, with the name your_key, in the ~/.ssh directory for Linux and macOS or in the %UserProfile%\.ssh directory for Windows.
Important
Once created, the private key will be available for download indefinitely; however, the responsibility to properly store and back it up is solely the user's. We strongly advise you to download it and back it up as soon as it is created.
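Both the local key creation of the previous section and the private key retrieved from the Dashboard can be checked with the same tooling. The following is an added example, not part of the INFN Cloud documentation: a POSIX sh helper that creates an ed25519 key pair unattended (the passphrase is passed with -N instead of being typed at the prompt), recomputes the public key from a private key with `ssh-keygen -y` so you can compare it with the public key shown in the Dashboard or stored in your_key.pub, and refuses a private key whose mode is not 600. Directory, file names and the comment are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the INFN Cloud documentation: create an ed25519
# key pair unattended and check that a private key (generated locally or
# downloaded from the Dashboard) really matches a given public key and has
# the 600 mode the client requires. Directory, names and comment below are
# constructed for the demonstration.

# Octal mode of a file (GNU stat first, BSD/macOS stat as fallback).
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Create DIR/NAME and DIR/NAME.pub. The passphrase is given as an argument
# so the example runs without a prompt; interactively you would type it in.
create_key_pair() {
    dir=$1; name=$2; comment=$3; passphrase=${4:-}
    mkdir -p "$dir" && chmod 700 "$dir"
    ssh-keygen -q -t ed25519 -C "$comment" -N "$passphrase" -f "$dir/$name"
}

# Public key recomputed from the private key: compare it with the public key
# shown in the Dashboard or stored in your_key.pub. -P supplies the
# passphrase when the key has one (an empty one is tried first anyway).
public_key_of() {
    ssh-keygen -y -P "${2:-}" -f "$1"
}

# SHA256 fingerprint of a public key file, as printed by ssh-keygen -l.
fingerprint_of() {
    ssh-keygen -l -f "$1" | awk '{print $2}'
}

# 0 when PRIVATE has mode 600 and corresponds to the key in PUBLIC
# (comments are ignored, only the key type and blob are compared).
private_key_matches() {
    private=$1; public=$2; passphrase=${3:-}
    if [ "$(mode_of "$private")" != 600 ]; then
        echo "refusing $private: mode $(mode_of "$private"), expected 600" >&2
        return 1
    fi
    derived=$(public_key_of "$private" "$passphrase" | awk '{print $1, $2}')
    given=$(awk 'NR == 1 {print $1, $2}' "$public")
    [ -n "$derived" ] && [ "$derived" = "$given" ]
}

# Demonstration in a temporary directory.
demo() {
    dir=$(mktemp -d)
    create_key_pair "$dir" your_key "INFNCloud-your_mail@example.invalid"
    echo "fingerprint: $(fingerprint_of "$dir/your_key.pub")"
    if private_key_matches "$dir/your_key" "$dir/your_key.pub"; then
        echo "your_key matches your_key.pub"
    fi
    rm -rf "$dir"
}
command -v ssh-keygen >/dev/null 2>&1 && demo
```

For a key downloaded from the Dashboard, save the displayed public key to a file and run `private_key_matches ~/.ssh/your_key that_file`: a mismatch means the private key you hold is not the one whose public half was injected into the VM, and the connection will fail regardless of permissions.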
Use the private key in your SSH client¶
The process to use the private key in your SSH client depends on the operating system you are using and on the specific client. In all cases, however, you first need to make sure that the permissions on the private key file are set to 600. We will guide you through the process for Linux, macOS and Windows. For the latter we will be using both the integrated OpenSSH client and MobaXterm, one of the most popular third-party clients for Windows.
Linux and macOS¶
Download the private key from the INFN Cloud Dashboard and save it in the ~/.ssh directory on your local machine. Make sure the permissions on the private key file are set to 600:
$ chmod 600 ~/.ssh/your_key
You can now use the private key to connect to the VMs. The following command will connect to the VM with the IP address XXX.XXX.XXX.XXX using the private key:
$ ssh -i ~/.ssh/your_key your_username@XXX.XXX.XXX.XXX
Remember to replace your_username with your INFN AAI username and XXX.XXX.XXX.XXX with the IP address of the VM you want to connect to.
If you want to avoid specifying the private key every time you connect to a VM, you can add the following lines to the ~/.ssh/config file:
Host XXX.XXX.XXX.XXX
User your_username
IdentityFile ~/.ssh/your_key
If you have multiple VMs to connect to you can either add multiple Host sections to the ~/.ssh/config file, one for each VM, or you can configure the ssh client to try the private key by default. To do so, you can add the following line to your ~/.ssh/config file:
IdentityFile ~/.ssh/your_key
Important
Please be aware that this line instructs your SSH client to always try this key if all the previous connection attempts have failed. This means that if this is the only entry in the config file, this key will be tried on every ssh connection.
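A multi-host configuration that keeps the caveat above under control, as an added example not taken from the INFN Cloud documentation: a POSIX sh helper writes one Host stanza per deployment, pinning the key with IdentitiesOnly so that neither a global IdentityFile line nor keys loaded in ssh-agent are offered to that host, and then uses `ssh -G` (OpenSSH 6.8 or later) to print the options the client will actually apply without connecting. The aliases, addresses, username and key paths are constructed.

```shell
#!/bin/sh
# Added example, not from the INFN Cloud documentation: one Host stanza per
# deployment in ~/.ssh/config, with IdentitiesOnly so only the listed key is
# offered to that host, verified with `ssh -G`. Aliases, addresses, user and
# key paths are constructed; the demo works on a temporary config file.

# Append a stanza for one VM. With IdentitiesOnly, keys from a global
# IdentityFile line or from ssh-agent are not tried against this host, which
# avoids exhausting the server's MaxAuthTries with the wrong keys.
write_host_stanza() {
    config=$1; alias=$2; address=$3; user=$4; key=$5
    mkdir -p "$(dirname "$config")"
    {
        printf 'Host %s\n' "$alias"
        printf '    HostName %s\n' "$address"
        printf '    User %s\n' "$user"
        printf '    IdentityFile %s\n' "$key"
        printf '    IdentitiesOnly yes\n'
        printf '\n'
    } >> "$config"
    chmod 600 "$config"   # ssh refuses a config writable by other users
}

# Effective value of one option for a host, exactly as ssh will apply it.
# `ssh -G` resolves the config without connecting; option names are printed
# in lower case, and -F makes ssh read only the given file.
resolved_option() {
    ssh -G -F "$1" "$2" | awk -v k="$3" '$1 == k {print $2; exit}'
}

# True when an OpenSSH client supporting -G is usable on this machine.
ssh_resolve_available() {
    command -v ssh >/dev/null 2>&1 &&
        ssh -G -F /dev/null localhost >/dev/null 2>&1
}

# Demonstration: two deployments, each with its own key.
demo() {
    dir=$(mktemp -d)
    write_host_stanza "$dir/config" infn-vm1 192.0.2.10 your_username "$dir/your_key"
    write_host_stanza "$dir/config" infn-vm2 192.0.2.11 your_username "$dir/other_key"
    for host in infn-vm1 infn-vm2; do
        echo "$host -> $(resolved_option "$dir/config" "$host" hostname)" \
             "as $(resolved_option "$dir/config" "$host" user)" \
             "with $(resolved_option "$dir/config" "$host" identityfile)" \
             "(identitiesonly=$(resolved_option "$dir/config" "$host" identitiesonly))"
    done
    rm -rf "$dir"
}
ssh_resolve_available && demo
```

With the stanzas in your real ~/.ssh/config you connect with `ssh infn-vm1` instead of spelling out user, address and key, and `ssh -G infn-vm1` shows at any time which key and user the client will use for that deployment.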
If you have protected your private key with a password you should enter it during each connection attempt. If you want to avoid entering the password every time you connect to a VM, you can use the ssh-agent to store the decrypted private key in memory. To do so, you can use the following commands on Linux:
$ eval "$(ssh-agent -s)"
$ ssh-add ~/.ssh/your_key
If you are using macOS you need to use Apple keychain to store your password. To do so, you should replace the last command with the following:
$ ssh-add --apple-use-keychain ~/.ssh/your_key
This command works only with Apple's standard version of ssh-add and for macOS versions starting from Monterey (12.0). For older versions of macOS the --apple-use-keychain flag was spelled -K. If you encounter an error, it may be because you don't have Apple's standard version of ssh-add installed.
Windows¶
On Windows, you can use the built-in OpenSSH client to connect to the VMs or any third-party SSH client; however, each has its own way to handle the SSH key pair, so you should refer to the documentation of the specific client you will be using. In this guide we will show you how to use the OpenSSH client and, as an example for third-party clients, MobaXterm.
Set key file permission¶
Before proceeding to setup your SSH client, you should check that the private key file has the correct permissions. To do so you can use the command line or the Windows Graphical User Interface.
If you want to use the GUI you should right-click on the file, select “Properties” and then click into the “Security” tab. Now press on the “Advanced” button in the bottom right corner of the window.
In the new window that just opened, check that the “Owner” is your current Windows account.
If not, press on the “Change” link next to the “Owner” field, a pop-up will open: enter your username in the text box and press “Check names”.
If your Windows account is linked to a Microsoft account, you should enter the email address associated with the Microsoft account. Otherwise, if you are using a local-only account, you can just enter the username. If the check succeeded you will see your full account name in the text field. Now you can press “OK” to close the window.
Now move to the “Permission Entries” section and remove all the entries except for your username. If your username is not listed, you can add it by pressing the “Add” button and then “Select a principal” in the newly opened window.
A pop-up, similar to the one shown above in Figure 13, will appear where you have to once again enter either your username (local account) or your Microsoft email address (Microsoft account) and press “Check names”. Press “OK” to close the pop-up and select the “Full Control” permission if it is not already set.
Press “OK” to close the window and then “OK” again to close the properties window.
Instead, if you want to use the command line, you can simply use the following commands in the Command Prompt:
icacls "%UserProfile%\.ssh\your_key" /c /t /Inheritance:d
icacls "%UserProfile%\.ssh\your_key" /c /t /Grant %UserName%:F
icacls "%UserProfile%\.ssh\your_key" /c /t /Remove:g "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users
or in PowerShell:
icacls "$env:UserProfile\.ssh\your_key" /c /t /Inheritance:d
icacls "$env:UserProfile\.ssh\your_key" /c /t /Grant ${env:UserName}:F
icacls "$env:UserProfile\.ssh\your_key" /c /t /Remove:g Administrator "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users
OpenSSH Client¶
Once the permissions are set correctly, you can use the private key with the OpenSSH client to connect to the VM by issuing the following command in the Command Prompt:
$ ssh -i "%UserProfile%\.ssh\your_key" user@XXX.XXX.XXX.XXX
or in the PowerShell:
$ ssh -i "$env:UserProfile\.ssh\your_key" user@XXX.XXX.XXX.XXX
If you have protected your private key with a password you should enter it during each connection attempt. If you want to avoid entering the password every time you connect to a VM, you can use the ssh-agent to store the decrypted private key in memory. To do so, you need to enable and start the ssh-agent service; in PowerShell:
Get-Service ssh-agent | Set-Service -StartupType Automatic -PassThru | Start-Service
or from the Command Prompt:
start-ssh-agent.cmd
Now you can add the private key to the agent with the following commands:
$ ssh-agent
$ ssh-add "$env:UserProfile\.ssh\your_key"
MobaXterm¶
Open MobaXterm and click on the “Session” button in the top left corner.
Select “SSH” from the list of available sessions and enter the IP address of the VM in the “Remote host” field. Tick the “Specify username” option and insert your INFN-AAI username. Now click on the “Advanced SSH settings” tab and then on the “Use private key” checkbox. To import your key you should now click on the button at the right-hand end of the text field (labeled as “Import key button” in Figure 11) and select your key from the file chooser window that just opened. Otherwise you can paste the path of the private key in the text box (in our example it should be “%UserProfile%\.ssh\your_key”). Finally you can press the “OK” button to save the settings.
To connect to the VM you can now double click on the corresponding entry in the left panel of the main MobaXterm window.