Manage and use SSH keys to connect to the VMs
SSH keys in INFN Cloud
SSH keys are a pair of cryptographic keys that can be used to authenticate to an SSH server as an alternative to password-based logins. A private key is stored on the client machine, while the public key is placed on the server.
Important
In all of the PaaS services in INFN Cloud, password-based login is disabled by default, so you must use SSH keys to connect to the VMs for the first time.
The SSH keys are used to authenticate the user to the VMs in INFN Cloud. When a VM is created, the public key is automatically injected into the VM and the user can connect to it using the corresponding private key. Therefore before deploying any service on INFN Cloud you must setup your SSH keys by at least providing the public key to the INFN Cloud Dashboard.
Please be aware that if you update your SSH key in the INFN Cloud Dashboard, the new key will not be added to the active deployments, as the injection into the authorized keys is done only at creation time. Therefore any change to the ~/.ssh/authorized_keys file must be done manually. To aid users in this procedure, an easy web interface has been set up in the INFN Cloud Dashboard to upload, create and manage SSH keys.
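Because a key updated in the Dashboard is not injected into running deployments, the change to ~/.ssh/authorized_keys has to be made by hand on each VM. The following POSIX shell function is an added example, not part of the INFN Cloud documentation: it appends a public key only if it is not already present (comparing key type and key blob, not the comment), accepts only plain OpenSSH public key lines, and leaves the ~/.ssh directory at mode 700 and the file at mode 600. The sample keys used in the comments and tests are constructed, not real keys.

```shell
# Added example, not part of the INFN Cloud documentation: append a public key to
# a VM's ~/.ssh/authorized_keys only if it is not there yet, and keep the file and
# directory modes sshd accepts. Usage: add_authorized_key <authorized_keys> <key.pub>
add_authorized_key() {
  auth="$1"
  pub="$2"
  key=$(head -n 1 "$pub") || return 1
  # Accept only a plain OpenSSH public key line ("<type> <base64 blob> [comment]").
  case "$key" in
    ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*|sk-*) ;;
    *) echo "not an OpenSSH public key: $pub" >&2; return 1 ;;
  esac
  keytype=$(printf '%s\n' "$key" | cut -d' ' -f1)
  blob=$(printf '%s\n' "$key" | cut -d' ' -f2)
  dir=$(dirname "$auth")
  mkdir -p "$dir" && chmod 700 "$dir" || return 1
  touch "$auth" && chmod 600 "$auth" || return 1
  # Match on type and blob only, so the same key with another comment counts as a duplicate.
  if awk -v t="$keytype" -v b="$blob" '$1 == t && $2 == b { f = 1 } END { exit !f }' "$auth"; then
    echo "key already present in $auth" >&2
    return 0
  fi
  printf '%s\n' "$key" >> "$auth"
}

# Number of key lines currently in an authorized_keys file.
count_keys() {
  grep -c -E '^(ssh-|ecdsa-|sk-)' "$1"
}
```

Run it on the VM as the user that owns the home directory, e.g. `add_authorized_key ~/.ssh/authorized_keys /tmp/your_key.pub`, after copying the new .pub file over with the key that still works.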
The following sections will guide you through the process of creating, managing and effectively using your SSH keys to connect to your deployments in INFN Cloud.
Create SSH keys on your local machine
You can create the key pair on your local machine and then just upload the public key to the INFN Cloud Dashboard. This is the suggested way. The process depends on the operating system you are using. In the following we will guide you through the process for Linux, macOS and Windows.
Linux and macOS
The following command will create a new key pair with the ED25519 algorithm. The -C option adds a comment to the key, which is useful to identify the key later on. The key pair will be saved in the ~/.ssh/ directory, with the name your_key for the private key and your_key.pub for the public key:
$ ssh-keygen -t ed25519 -C "INFNCloud-your_mail@infn.it" -f $HOME/.ssh/your_key
The tool will ask you to enter a passphrase to protect the private key. If you want to create a key pair without a passphrase, you can simply press the Enter key when prompted.
Windows
On Windows, you can use the OpenSSH client utilities to create a new key pair in the same way as on Linux and macOS. We suggest using this tool; however, there are also third-party clients that offer utilities to create the key pair. For more detailed information, refer to the documentation of the specific client you will be using. In this guide we will show you how to use the OpenSSH client and, as an example of a third-party client, MobaXterm (https://mobaxterm.mobatek.net/) to create an OpenSSH-compatible key pair.
OpenSSH Client
The OpenSSH client is included in Windows 10 starting from version 1809. To enable it, open the "Settings" app, go to "Apps" and then "Optional features".
Click on "Add a feature" and select "OpenSSH Client" from the list.
Otherwise you can use the following PowerShell command:
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~
Open PowerShell and use the following command (PowerShell does not expand %userprofile%, so the path is written with $env:UserProfile; the .ssh directory must already exist):
ssh-keygen -t ed25519 -C "INFNCloud-your_mail@infn.it" -f "$env:UserProfile\.ssh\your_key"
The tool will ask you to enter a passphrase to protect the private key. If you want to create a key pair without a passphrase, you can simply press the Enter key when prompted.
MobaXterm
MobaXterm offers a builtin tool to create a new key pair. Open MobaXterm and click on the "Tools" item in the menu bar, select "MobaKeyGen (SSH key generator)" from the dropdown.
In the new window that just opened, click on the "Generate" button to create a new key pair. The program will instruct you to move your mouse cursor inside the window in order to generate enough entropy to create the key pair.
Once the key pair is created, you can see the public key in the text box at the top of the window and the private key in the "key fingerprint" text box. If you want to protect the private key with a password, you can enter it in the "Key passphrase" and "Confirm passphrase" text boxes. Instead, if you want to create a key pair without a passphrase, you can leave these text boxes empty. You can then save the private key by clicking on the "Save private key" button and the public key by clicking on the "Save public key" button.
Manage your keys using INFN Cloud Dashboard
The INFN Cloud Dashboard provides a tool to easily manage SSH key pairs that allows the user to upload an existing public key, created as described in the previous section, or to create a new key pair that is stored securely in INFN Cloud. Providing a public key to the INFN Cloud Dashboard is mandatory as password-based logins are disabled by default on all the deployments in INFN Cloud.
To access the SSH Keys tool, open the INFN Cloud Dashboard at https://my.cloud.infn.it and login using your INFN-AAI credentials.
Once logged in, click on your name in the bottom left corner.
If this is the first time accessing this page you will be presented with the screen shown in Figure 8. Here you can upload an existing public key, either via copy and pasting the content or directly uploading the file, or create a new one using the builtin key generator.
If you have already created a key pair on your local machine, you can now upload the public key by either copy-pasting the content of the your_key.pub file or by directly uploading it using the blue Upload button.
Otherwise, you can press the "Create new SSH key pair" green button at the bottom of the page. The page will then refresh and you will be presented with the screen shown in Figure 9. Here you can see, displayed in the text box, your newly created public key and you can download the private key by pressing the "Retrieve SSH private key" button.
Important
Please be aware that the key pair created using the INFN Cloud Dashboard is not protected by a passphrase. Therefore anyone with the private key can use it to connect to the VMs. We strongly advise you to store the private key in a safe place and not to share it with anyone.
In the following we will assume that you have placed your private key,
with the name your_key, in the ~/.ssh directory for Linux and macOS
or in the %UserProfile%\.ssh directory for Windows.
Important
Once created, the private key will be available for download indefinitely; however, the responsibility to properly store and back it up is solely the user's. We strongly advise you to download it and back it up as soon as it is created.
Use the private key in your SSH client
The process to use the private key in your SSH client depends on the operating system you are using and on the specific client. In all cases, however, you first need to make sure that the permissions on the private key file are set to 600. We will guide you through the process for Linux, macOS and Windows. For the latter OS we will be using both the integrated OpenSSH client and MobaXterm, one of the most popular third-party clients for Windows.
Linux and macOS
Download the private key from the INFN Cloud Dashboard and save it in
the ~/.ssh directory on your local machine. Make sure the permissions
on the private key file are set to 600:
$ chmod 600 ~/.ssh/your_key
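As an added example (not code from the INFN Cloud documentation), the following POSIX shell functions check that the private key has the owner-only mode the ssh client requires, fix it if needed, and, assuming ssh-keygen is installed, verify that the .pub file you uploaded to the Dashboard really belongs to that private key. The function names are chosen here; the file used in the test is a constructed placeholder.

```shell
# Added example, not part of the INFN Cloud documentation: check that a private
# key file has the owner-only mode (600) the ssh client insists on before it will
# use the key, and that the public key you uploaded belongs to that private key.
key_mode() {
  # GNU stat (Linux) first, BSD stat (macOS) as fallback; prints e.g. 600.
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

check_key_perms() {
  key="$1"
  if [ ! -f "$key" ]; then
    echo "missing private key: $key" >&2
    return 1
  fi
  mode=$(key_mode "$key") || return 1
  case "$mode" in
    600|400) return 0 ;;
    *)
      echo "bad mode $mode on $key (expected 600): run chmod 600 $key" >&2
      return 1 ;;
  esac
}

# Apply the mode the ssh client requires and re-check it.
fix_key_perms() {
  chmod 600 "$1" && check_key_perms "$1"
}

# ssh-keygen -y derives the public key from the private key (prompting for the
# passphrase if there is one); compare type and blob, ignoring the comment field,
# against the .pub file you uploaded to the Dashboard.
key_matches_pub() {
  derived=$(ssh-keygen -y -f "$1" | cut -d' ' -f1,2)
  uploaded=$(cut -d' ' -f1,2 "$2")
  [ -n "$derived" ] && [ "$derived" = "$uploaded" ]
}
```

Typical use before the first connection: `check_key_perms ~/.ssh/your_key && key_matches_pub ~/.ssh/your_key ~/.ssh/your_key.pub`.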
You can now use the private key to connect to the VMs. The following
command will connect to the VM with the IP address XXX.XXX.XXX.XXX
using the private key:
$ ssh -i ~/.ssh/your_key your_username@XXX.XXX.XXX.XXX
Remember to replace your_username with your INFN AAI username and
XXX.XXX.XXX.XXX with the IP address of the VM you want to connect to.
If you want to avoid specifying the private key every time you connect to a VM, you can add the following lines to the ~/.ssh/config file:
Host XXX.XXX.XXX.XXX
User your_username
IdentityFile ~/.ssh/your_key
If you have multiple VMs to connect to you can either add multiple
Host sections to the ~/.ssh/config file, one for each VM, or you can
configure the ssh client to try to use the private key by default. To do
so, you can add the following line to your ~/.ssh/config file:
IdentityFile ~/.ssh/your_key
Important
Please be aware that this line instructs your SSH client to always try this key when all of its previous authentication attempts have failed. This means that if this is the only entry in the config file, the key will be tried on every ssh connection.
If you have protected your private key with a passphrase, you will have to enter it during each connection attempt. If you want to avoid entering the passphrase every time you connect to a VM, you can use ssh-agent to store the decrypted private key in memory. To do so, use the following commands on Linux:
$ eval "$(ssh-agent -s)"
$ ssh-add ~/.ssh/your_key
If you are using macOS you need to use the Apple keychain to store your passphrase. To do so, replace the last command with the following:
$ ssh-add --apple-use-keychain ~/.ssh/your_key
This command works only on the Apple's standard version of ssh-add and
for macOS versions starting from Monterey (12.0). For older versions of
the macOS the --apple-use-keychain flag was used with the syntax -K.
If you encounter an error, it may be because you don't have Apple's
standard version of ssh-add installed.
Windows
On Windows, you can use the builtin OpenSSH client to connect to the VMs or any third-party SSH client; however, each has its own way to handle the SSH key pair, so you should refer to the documentation of the specific client you will be using. In this guide we will show you how to use the OpenSSH client and, as an example of a third-party client, MobaXterm.
Set key file permission
Before proceeding to setup your SSH client, you should check that the private key file has the correct permissions. To do so you can use the command line or the Windows Graphical User Interface.
If you want to use the GUI you should right-click on the file, select "Properties" and then click into the "Security" tab. Now press on the "Advanced" button in the bottom right corner of the window.
In the new window that just opened, check that the "Owner" is your current Windows account.
If not, press on the "Change" link next to the "Owner" field, a pop-up will open: enter your username in the text box and press "Check names".
If your Windows account is linked to a Microsoft account, you should enter the email address associated with the Microsoft account. Otherwise, if you are using a local-only account, you can just enter the username. If the check succeeded you will see your full account name in the text field. Now you can press "OK" to close the window.
Now move over the "Permission Entries" section and remove all the entries except for your username. If your username is not listed, you can add it by pressing the "Add" button and then "Select a principal" on the newly opened window.
A pop-up, similar to the one shown above in Figure 13, will appear where you have to once again enter either your username (local account) or your Microsoft email address (Microsoft account) and press "Check names". Press "Ok" to close the pop-up and set the permission to "Full Control" if it is not already set.
Press "OK" to close the window and then "OK" again to close the properties window.
Instead, if you want to use the command line, you can simply use the following commands in the Command Prompt:
icacls "%UserProfile%\.ssh\your_key" /c /t /Inheritance:d
icacls "%UserProfile%\.ssh\your_key" /c /t /Grant %UserName%:F
icacls "%UserProfile%\.ssh\your_key" /c /t /Remove:g "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users
or the PowerShell:
icacls "$env:UserProfile\.ssh\your_key" /c /t /Inheritance:d
icacls "$env:UserProfile\.ssh\your_key" /c /t /Grant ${env:UserName}:F
icacls "$env:UserProfile\.ssh\your_key" /c /t /Remove:g Administrator "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users
OpenSSH Client
Once the permissions are set correctly, you can use the private key with the OpenSSH client to connect to the VM by issuing the following command in the Command Prompt:
$ ssh -i "%UserProfile%\.ssh\your_key" user@XXX.XXX.XXX.XXX
or in the PowerShell:
$ ssh -i "$env:UserProfile\.ssh\your_key" user@XXX.XXX.XXX.XXX
If you have protected your private key with a passphrase, you will have to enter it during each connection attempt. If you want to avoid entering the passphrase every time you connect to a VM, you can use ssh-agent to store the decrypted private key in memory. To do so, you need to enable and start the ssh-agent service with the following commands:
Get-Service ssh-agent | Set-Service -StartupType Automatic -PassThru | Start-Service
start-ssh-agent.cmd
Now you can add the private key to the agent, with the following commands:
$ ssh-agent
$ ssh-add "$env:UserProfile\.ssh\your_key"
MobaXterm
Open MobaXterm and click on the "Session" button in the top left corner. Select "SSH" from the list of available sessions and enter the IP address of the VM in the "Remote host" field. Tick the "Specify username" option and insert your INFN-AAI username. Now click on the "Advanced SSH settings" tab and then on the "Use private key" checkbox.
To import your key you should now click on the button at the right end of the text field (labeled as "Import key button" in Figure 11) and select your key from the file chooser window that just opened. Otherwise you can paste the path of the private key in the text box (in our example it should be %UserProfile%\.ssh\your_key). Finally you can press the "OK" button to save the settings.
To connect to the VM you can now double click on the corresponding entry in the left panel of the main MobaXterm window.