Manage and use SSH keys to connect to the VMs

SSH keys in INFN Cloud

SSH keys are a pair of cryptographic keys that can be used to authenticate to an SSH server as an alternative to password-based logins. A private key is stored on the client machine, while the public key is placed on the server.

Important

In all of the PaaS services in INFN Cloud, password-based login is disabled by default, thus you must use SSH keys to connect to the VMs for the first time.

The SSH keys are used to authenticate the user to the VMs in INFN Cloud. When a VM is created, the public key is automatically injected into the VM and the user can connect to it using the corresponding private key. Therefore, before deploying any service on INFN Cloud you must set up your SSH keys, at the very least by providing the public key to the INFN Cloud Dashboard.

Please be aware that if you update your SSH key in the INFN Cloud Dashboard, the new key will not be added to the active deployments, since the injection into the authorized keys is done only at creation time. Therefore any change to the ~/.ssh/authorized_keys file of an existing VM must be done manually. To aid users in this procedure, an easy web interface has been set up in the INFN Cloud Dashboard to upload, create and manage SSH keys.
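As an added example, not part of the INFN Cloud documentation, the following POSIX shell functions perform that manual update on an existing VM safely: they validate the public-key line, skip it if the same key is already present (comment ignored), append it otherwise, and keep the file owner-only. The key line shown in the comments is a constructed placeholder, not a real key.

```sh
#!/bin/sh
# Idempotently add a public key to an authorized_keys file on a VM whose
# deployment predates a key change in the Dashboard. Added example, not part
# of the INFN Cloud documentation.
# Usage: add_authorized_key ~/.ssh/authorized_keys "ssh-ed25519 AAAA... comment"
set -u

# Return 0 if "$1" looks like a single OpenSSH public-key line: key type,
# base64 blob, optional comment. Anything else (options, junk, blanks) fails.
valid_pubkey_line() {
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com) [A-Za-z0-9+/]+=*( [^[:space:]].*)?$'
}

# Return 0 if the type+blob of "$2" is already present in file "$1".
# The comment is ignored so a re-uploaded key with a new comment is not duplicated.
key_present() {
    typeblob=$(printf '%s\n' "$2" | cut -d' ' -f1,2)
    [ -f "$1" ] && cut -d' ' -f1,2 "$1" | grep -Fxq -- "$typeblob"
}

# add_authorized_key FILE PUBKEY_LINE
# Appends the key if valid and missing; always enforces owner-only permissions.
# Exit codes: 0 added, 1 invalid key line, 2 already present.
add_authorized_key() {
    file=$1; key=$2
    valid_pubkey_line "$key" || return 1
    if key_present "$file" "$key"; then
        chmod 600 "$file"
        return 2
    fi
    umask 077                      # a newly created file is 0600 from the start
    printf '%s\n' "$key" >> "$file"
    chmod 600 "$file"
    return 0
}

# Count keys in FILE (non-empty, non-comment lines); prints 0 if it is missing.
count_keys() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -Ec '^[^#[:space:]]' "$1" || true
}
```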

The following sections will guide you through the process of creating, managing and effectively using your SSH keys to connect to your deployments in INFN Cloud.

Create SSH keys on your local machine

You can create the key pair on your local machine and then just upload the public key to the INFN Cloud Dashboard. This is the suggested way. The process depends on the operating system you are using. In the following we will guide you through the process for Linux, macOS and Windows.

Linux and macOS

The following command will create a new key pair with the ED25519 algorithm; the -C option adds a comment to the key, which is useful to identify it later on. The key pair will be saved in the ~/.ssh/ directory, with the name your_key for the private key and your_key.pub for the public key:

$ ssh-keygen -t ed25519 -C "INFNCloud-your_mail@infn.it" -f $HOME/.ssh/your_key

The tool will ask you to enter a passphrase to protect the private key. If you want to create a key pair without a passphrase, you can simply press the Enter key when prompted.

Windows

On Windows, you can use the OpenSSH client utilities to create a new key pair in the same way as on Linux and macOS. We suggest using this tool; however, there are also third-party clients that offer utilities to create the key pair. For more detailed information you should refer to the documentation of the specific client you will be using. In this guide we will show you how to use the OpenSSH client and, as an example of a third-party client, MobaXterm (https://mobaxterm.mobatek.net/), to create an OpenSSH-compatible key pair.

OpenSSH Client

The OpenSSH client is included in Windows 10 starting from version 1809. To enable it, open the “Settings” app, go to “Apps” and then “Optional features”.

Windows optional features

Figure 1. Windows optional features

Click on “Add a feature” and select “OpenSSH Client” from the list.

Windows add OpenSSH client

Figure 2. Windows add OpenSSH client

Otherwise you can use the following PowerShell command:

Add-WindowsCapability -Online -Name OpenSSH.Client~~~~

Open PowerShell and use the following command:

ssh-keygen -t ed25519 -C "INFNCloud-your_mail@infn.it" -f $env:UserProfile\.ssh\your_key

The tool will ask you to enter a passphrase to protect the private key. If you want to create a key pair without a passphrase, you can simply press the Enter key when prompted.

MobaXterm

MobaXterm offers a built-in tool to create a new key pair. Open MobaXterm, click on the “Tools” item in the menu bar and select “MobaKeyGen (SSH key generator)” from the dropdown.

MobaXterm menu

Figure 3. MobaXterm menu

In the new window that just opened, click on the “Generate” button to create a new key pair. The program will instruct you to move your mouse cursor inside the window in order to generate enough entropy to create the key pair.

MobaXterm key generator

Figure 4. MobaXterm key generator

Once the key pair is created, you can see the public key in the text box at the top of the window and the private key in the “key fingerprint” text box. If you want to protect the private key with a password, you can enter it in the “Key passphrase” and “Confirm passphrase” text boxes. Instead, if you want to create a key pair without a passphrase, you can leave these text boxes empty. You can then save the private key by clicking on the “Save private key” button and the public key by clicking on the “Save public key” button.

MobaXterm key generated

Figure 5. MobaXterm key generated

Manage your keys using INFN Cloud Dashboard

The INFN Cloud Dashboard provides a tool to easily manage SSH key pairs that allows the user to upload an existing public key, created as described in the previous section, or to create a new key pair that is stored securely in INFN Cloud. Providing a public key to the INFN Cloud Dashboard is mandatory as password-based logins are disabled by default on all the deployments in INFN Cloud.

To access the SSH Keys tool, open the INFN Cloud Dashboard at https://my.cloud.infn.it and login using your INFN-AAI credentials.

INFN Cloud Dashboard

Figure 6. INFN Cloud Dashboard

Once logged in, click on your name in the bottom left corner.

User menu

Figure 7. User menu

If this is the first time accessing this page you will be presented with the screen shown in Figure 8. Here you can upload an existing public key, either by copy-pasting its content or by directly uploading the file, or create a new one using the built-in key generator.

SSH keys page

Figure 8. SSH keys page

If you have already created a key pair on your local machine, you can now upload the public key by either copy-pasting the content of your your_key.pub file or by directly uploading it using the blue Upload button.

Otherwise, you can press the “Create new SSH key pair” green button at the bottom of the page. The page will then refresh and you will be presented with the screen shown in Figure 9. Here you can see your newly created public key displayed in the text box, and you can download the private key by pressing the “Retrieve SSH private key” button.

SSH keys created

Figure 9. SSH keys created

Important

Please be aware that the key pair created using the INFN Cloud Dashboard is not protected by a password. Therefore anyone with the private key can use it to connect to the VMs. We strongly advise you to store the private key in a safe place and not to share it with anyone.

In the following we will assume that you have placed your private key, with the name your_key, in the ~/.ssh directory for Linux and macOS or in the %UserProfile%\.ssh directory for Windows.

Important

Once created, the private key will be available for download indefinitely; however, the responsibility to properly store and back it up lies solely with the user. We strongly advise you to download it and back it up as soon as it is created.

Use the private key in your SSH client

The process to use the private key in your SSH client depends on the operating system you are using and on the specific client. In all cases, however, you first need to make sure that the permissions on the private key file are set to 600. We will guide you through the process for Linux, macOS and Windows. For the latter OS we will be using both the integrated OpenSSH client and MobaXterm, one of the most popular third-party clients for Windows.

Linux and macOS

Download the private key from the INFN Cloud Dashboard and save it in the ~/.ssh directory on your local machine. Make sure the permissions on the private key file are set to 600:

$ chmod 600 ~/.ssh/your_key

You can now use the private key to connect to the VMs. The following command will connect to the VM with the IP address XXX.XXX.XXX.XXX using the private key:

$ ssh -i ~/.ssh/your_key your_username@XXX.XXX.XXX.XXX

Remember to replace your_username with your INFN AAI username and XXX.XXX.XXX.XXX with the IP address of the VM you want to connect to.
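Before the first connection it is worth confirming that the private key you downloaded really is the one whose public key the Dashboard shows. This added example (not from the INFN Cloud documentation; it assumes OpenSSH's ssh-keygen is installed and that you saved the Dashboard's public key as ~/.ssh/your_key.pub) enforces mode 600 and compares the public key derived from the private key against that saved copy.

```sh
#!/bin/sh
# Sanity-check a private key downloaded from the INFN Cloud Dashboard before
# first use: owner-only permissions, and the pair actually matches.
# Added example, not part of the INFN Cloud documentation.
# Usage: check_downloaded_key ~/.ssh/your_key ~/.ssh/your_key.pub

# Return 0 if FILE is a regular file with mode exactly 0600.
# Parses ls output so it works on both Linux and macOS.
key_perms_ok() {
    [ -f "$1" ] && [ "$(ls -l "$1" | cut -c1-10)" = '-rw-------' ]
}

# Return 0 if PRIVKEY ($1) derives the same type+blob as the public key in
# PUBKEY_FILE ($2). The comment field is ignored because the Dashboard and
# ssh-keygen may differ there. A passphrase-protected key prompts for it.
key_pair_matches() {
    derived=$(ssh-keygen -y -f "$1" | cut -d' ' -f1,2)
    [ -n "$derived" ] || return 1          # unreadable or not a private key
    expected=$(cut -d' ' -f1,2 "$2")
    [ "$derived" = "$expected" ]
}

# check_downloaded_key PRIVKEY PUBKEY_FILE: fix permissions, then verify the pair.
# Exit codes: 0 ok, 1 permissions could not be set to 600, 2 key mismatch.
check_downloaded_key() {
    chmod 600 "$1" 2>/dev/null
    key_perms_ok "$1" || return 1
    key_pair_matches "$1" "$2" || return 2
    echo "OK: $1 matches $2 ($(ssh-keygen -l -f "$2"))"
}
```

If the check returns 2, the file you downloaded does not belong to the public key registered in the Dashboard, so the VM will reject it regardless of permissions.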

If you want to avoid specifying the private key every time you connect to a VM, you can add the following lines to the ~/.ssh/config file:

Host XXX.XXX.XXX.XXX
    User your_username
    IdentityFile ~/.ssh/your_key

If you have multiple VMs to connect to you can either add multiple Host sections to the ~/.ssh/config file, one for each VM, or you can configure the ssh client to try to use the private key by default. To do so, you can add the following line to your ~/.ssh/config file:

IdentityFile ~/.ssh/your_key

Important

Please be aware that this line instructs your SSH client to always try to use this key if all the previous connection attempts failed. This means that if this is your only entry in the config file, this key will always be used on every ssh connection.

If you have protected your private key with a password, you will have to enter it during each connection attempt. If you want to avoid entering the password every time you connect to a VM, you can use ssh-agent to store the decrypted private key in memory. To do so, use the following commands on Linux:

$ eval "$(ssh-agent -s)"
$ ssh-add ~/.ssh/your_key

If you are using macOS you need to use Apple keychain to store your password. To do so, you should replace the last command with the following:

$ ssh-add --apple-use-keychain ~/.ssh/your_key

This command works only with Apple’s standard version of ssh-add and for macOS versions starting from Monterey (12.0). On older macOS versions the --apple-use-keychain flag was called -K. If you encounter an error, it may be because you don’t have Apple’s standard version of ssh-add installed.

Windows

On Windows, you can use the built-in OpenSSH client to connect to the VMs or any third-party SSH client; however, each has its own way of handling the SSH key pair, so you should refer to the documentation of the specific client you will be using. In this guide we will show you how to use the OpenSSH client and, as an example of a third-party client, MobaXterm.

Set key file permissions

Before setting up your SSH client, you should check that the private key file has the correct permissions. To do so you can use the command line or the Windows graphical user interface.

If you want to use the GUI, right-click on the file, select “Properties” and then click on the “Security” tab. Now press the “Advanced” button in the bottom right corner of the window.

Private keyfile properties

Figure 10. Private keyfile Windows properties

In the new window that just opened, check that the “Owner” is your current Windows account.

Advanced security settings

Figure 11. Advanced security settings

If not, click on the “Change” link next to the “Owner” field; a pop-up will open: enter your username in the text box and press “Check names”.

Windows select user pop-up

Figure 12. Windows select user pop-up

If your Windows account is linked to a Microsoft account, you should enter the email address associated with the Microsoft account. Otherwise, if you are using a local-only account, you can just enter the username. If the check succeeded you will see your full account name in the text field. Now you can press “OK” to close the window.

Now move to the “Permission entries” section and remove all the entries except for your username. If your username is not listed, you can add it by pressing the “Add” button and then “Select a principal” in the newly opened window.

User permissions not set

Figure 13. User permissions not set

A pop-up, similar to the one shown above in Figure 13, will appear where you once again have to enter either your username (local account) or your Microsoft email address (Microsoft account) and press “Check names”. Press “OK” to close the pop-up and set the permission to “Full Control” if it is not already set.

User permissions set

Figure 14. User permissions set

Press “OK” to close the window and then “OK” again to close the properties window.

Instead, if you want to use the command line, you can simply use the following commands in the Command Prompt:

icacls "%UserProfile%\.ssh\your_key" /c /t /Inheritance:d
icacls "%UserProfile%\.ssh\your_key" /c /t /Grant %UserName%:F
icacls "%UserProfile%\.ssh\your_key" /c /t /Remove:g "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users

or the PowerShell:

icacls "$env:UserProfile\.ssh\your_key" /c /t /Inheritance:d
icacls "$env:UserProfile\.ssh\your_key" /c /t /Grant ${env:UserName}:F
icacls "$env:UserProfile\.ssh\your_key" /c /t /Remove:g Administrator "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users

OpenSSH Client

Once the permissions are set correctly, you can use the private key with the OpenSSH client to connect to the VM by issuing the following command in the Command Prompt:

ssh -i "%UserProfile%\.ssh\your_key" user@XXX.XXX.XXX.XXX

or in PowerShell:

ssh -i "$env:UserProfile\.ssh\your_key" user@XXX.XXX.XXX.XXX

If you have protected your private key with a password, you will have to enter it during each connection attempt. If you want to avoid entering the password every time you connect to a VM, you can use ssh-agent to store the decrypted private key in memory. To do so, you need to enable and start the ssh-agent service with the following commands in PowerShell:

Get-Service ssh-agent | Set-Service -StartupType Automatic -PassThru | Start-Service
start-ssh-agent.cmd

Now you can add the private key to the agent, with the following commands:

ssh-agent
ssh-add "$env:UserProfile\.ssh\your_key"

MobaXterm

Open MobaXterm and click on the “Session” button in the top left corner.

MobaXterm main window

Figure 10. MobaXterm main window

Select “SSH” from the list of available sessions and enter the IP address of the VM in the “Remote host” field. Tick the “Specify username” option and enter your INFN-AAI username. Now click on the “Advanced SSH settings” tab and then on the “Use private key” checkbox. To import your key, click on the button at the right end of the text field (labeled “Import key button” in Figure 11) and select your key in the file chooser window that just opened. Otherwise you can paste the path of the private key in the text box (in our example it would be “%UserProfile%\.ssh\your_key”). Finally, press the “OK” button to save the settings.

MobaXterm new SSH session

Figure 11. MobaXterm new SSH session

To connect to the VM you can now double-click on the corresponding entry in the left panel of the main MobaXterm window.