SSH Configuration

SSH can be configured so that you are not prompted for a passphrase when you slogin or ssh to another host, by combining it with the ssh-agent and ssh-add commands.

The UIowa Enterprise Password Policy has strict minimum standards for passwords/passphrases that also apply to SSH keys.

When following the instructions below, it helps to think about the SSH connections in terms of a "source" machine (the machine you're on) and a "destination" machine (the machine you're trying to log in to). The ssh-agent and ssh-add commands manage the private key exchange.

Generate a set of private and public keys (on the source machine)

[user@serv15]% ssh-keygen -t rsa

You will be asked for the file in which to save the key. Take the default by simply pressing the Enter key. You will then be asked for a passphrase. Choose a good passphrase; then type it in again to confirm the passphrase. This will generate your public and private keys. You'll now be prompted for the SSH passphrase instead of your HawkID passphrase when SSHing between hosts. Choosing an empty passphrase is not recommended and is a potential security risk.

Make your new public key an authorized key (on the destination machine)

If you do not need to use public key authentication from any host outside of the university, then you can link the public key file to the authorized keys file (this works because your home directory's .ssh directory is shared between all Linux hosts managed by the CLAS Linux Group):

[user@serv15]% ln -s ~/.ssh/ ~/.ssh/authorized_keys

If you are using public key authentication from a host outside of the university, then you will need to copy the contents of ~/.ssh/ to the file ~/.ssh/authorized_keys. You can use a text editor to do this, or you can use the commands (you'll have to substitute appropriately for username, remote_host and path) below:

[user@serv15]% cat ~/.ssh/ >> ~/.ssh/authorized_keys
The following command WILL overwrite your authorized_keys file on the dest host if it exists!!!
[user@serv15]% scp ~/.ssh/authorized_keys username@remote_host:/path/.ssh

Make sure your SSH files are not publicly readable (on both source and destination machine)

To ensure security, change permissions on your SSH files so that they are not readable by any other user:

chmod og-rwx ~/.ssh/*
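The one-liner above only touches the entries matched by the glob, not the ~/.ssh directory itself or dotfiles. The following is an added example (not from the CLAS Linux Group page) that audits a directory for any file or directory with group/other bits set and then tightens everything, the directory included; the directory argument and the function names are this example's own.

```shell
# Added example: audit and fix permissions under an SSH directory.
# Usage: audit_ssh_perms [dir]  -> exit 0 if clean, 1 (plus a list on stderr) if not
#        fix_ssh_perms   [dir]  -> strip group/other bits everywhere, then re-audit
# "dir" defaults to ~/.ssh.

# Print every path under "$1" that has any group or other permission bit set.
# POSIX find: "-perm -040" means "the group-read bit is set", and so on.
list_exposed() {
    dir=${1:-"$HOME/.ssh"}
    find "$dir" \( -perm -040 -o -perm -020 -o -perm -010 \
                -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

audit_ssh_perms() {
    dir=${1:-"$HOME/.ssh"}
    exposed=$(list_exposed "$dir")
    if [ -n "$exposed" ]; then
        printf 'group/world-accessible SSH files:\n%s\n' "$exposed" >&2
        return 1
    fi
    return 0
}

fix_ssh_perms() {
    dir=${1:-"$HOME/.ssh"}
    # find starts at "$dir" itself, so the directory is tightened too; a bare
    # "$dir/*" glob would skip both the directory and any dotfiles inside it.
    find "$dir" -exec chmod og-rwx {} +
    audit_ssh_perms "$dir"
}
```

sshd's StrictModes setting (on by default) refuses public key authentication when the user's home, .ssh directory or authorized_keys file is writable by others, so a failing audit on the destination machine is one of the first things to check when key login silently falls back to a password prompt.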

Silently handle passphrases in the background using ssh-agent and ssh-add

In Unix, ssh-agent is a background program that handles SSH private key exchanges. The ssh-add command prompts the user for a private key passphrase and adds the key to the list maintained by ssh-agent. Once you add a private key to ssh-agent, you will not be prompted for its passphrase when using ssh/slogin or scp to connect to hosts where you've copied your public key into authorized_keys. All managed Linux hosts already run ssh-agent as part of the login process.

The ssh-agent command below is only required on hosts not managed by the CLAS Linux Group. It only has to be done once (per unique machine login) and is valid until you log out or the ssh-agent process is killed.

[user@remote_host]% eval `ssh-agent`

The ssh-add command is required on both managed and remote hosts. When prompted, enter the private key passphrase you chose when generating the key in step 1.

[user@remote_host]% ssh-add

When you log out, kill the ssh-agent process (not required on managed hosts).

[user@remote_host]% ssh-agent -k

You should now be able to ssh/slogin/scp to remote hosts without typing in your SSH passphrase for as long as the ssh-agent process is running.
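The three manual steps above (start an agent only where none is running, add the key, kill the agent on logout) can be wrapped so that the same shell startup works on both managed and unmanaged hosts. This is an added example, not code from the page; the function names are its own, and it relies on the documented ssh-add -l exit codes (0 = keys listed, 1 = agent reachable but empty, 2 = no agent could be contacted).

```shell
# Added example: ssh-agent lifecycle helper for a login shell.
# On CLAS-managed hosts an agent is already running, so ensure_ssh_agent is a no-op.

# Return 0 only if $SSH_AUTH_SOCK points at a live agent.
agent_reachable() {
    command -v ssh-add >/dev/null 2>&1 || return 1
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ] || return 1
    ssh-add -l >/dev/null 2>&1
    # exit status 2 means "could not open a connection to your authentication agent"
    [ $? -ne 2 ]
}

# Start an agent in this shell if needed and export SSH_AUTH_SOCK / SSH_AGENT_PID.
ensure_ssh_agent() {
    if agent_reachable; then
        return 0
    fi
    # ssh-agent -s prints Bourne-shell "export" lines; eval applies them here,
    # which is what the page's eval `ssh-agent` does.
    eval "$(ssh-agent -s)" >/dev/null || return 1
    # Kill the agent we started when this shell exits (the page's manual ssh-agent -k).
    trap 'ssh-agent -k >/dev/null 2>&1' EXIT
}

# Run ssh-add (which prompts for the passphrase chosen at ssh-keygen time)
# unless the agent already holds at least one key.
load_key_once() {
    ssh-add -l >/dev/null 2>&1 && return 0
    ssh-add
}
```

Typical use in a login script is `ensure_ssh_agent && load_key_once`. The trap only fires for an agent this shell started; on managed hosts, where agent_reachable already succeeds, nothing is started and nothing is killed, matching the page's note that the kill step is not required there.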

Bypassing the port 22/ssh block at the campus border

The University blocks port 22/ssh at the campus border. This means you need to use the campus VPN product to establish a VPN connection before you can use ssh/slogin/scp from off campus. See Configuring AnyConnect Client for details.

Or, from your remote machine, you can configure ssh/slogin/scp to always connect to the alternate port that the CLAS No Machine servers have SSH listening on, which bypasses the port 22 border block. This port may or may not work for other hosts at the University.

[user@remotehost]% cat << EOF > ~/.ssh/config
Port 40
EOF

This will allow you to type ssh instead of ssh -p 40 and connect to without having to establish a VPN connection. It will also work with the file transfer command scp.

The only CLAS Linux host that listens on port 40 is the host, NOT the other Linux lab machines, research clusters or any other Linux hosts or servers managed by the CLAS Linux Group.
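Because only one host listens on port 40, a global "Port 40" line makes every other ssh connection from that machine fail until the port is overridden on the command line. The following added example (not from the page) appends a Host stanza scoped to a single server instead, without overwriting an existing ~/.ssh/config the way the cat << EOF > form does; the server name is a placeholder and the function names are this example's own.

```shell
# Added example: add a per-host "Port" stanza to an ssh config file.
# Usage: add_port_stanza ~/.ssh/config NOMACHINE_HOST_PLACEHOLDER 40
#   (NOMACHINE_HOST_PLACEHOLDER stands for the CLAS No Machine server name.)

add_port_stanza() {
    cfg=$1 host=$2 port=$3
    # Idempotent: do nothing if a stanza for this host is already present.
    if [ -f "$cfg" ] && grep -q "^Host $host\$" "$cfg"; then
        return 0
    fi
    umask 077   # a newly created config file gets owner-only permissions
    # Append with >> rather than > so existing stanzas survive.
    printf 'Host %s\n    Port %s\n\n' "$host" "$port" >> "$cfg"
}

# How many "Host NAME" lines a config file holds for NAME (used to confirm idempotence).
count_stanzas() {
    grep -c "^Host $2\$" "$1"
}

# Show the port ssh would actually use for HOST with config CFG, without connecting.
# ssh -G prints the effective configuration (OpenSSH 6.8 and later).
effective_port() {
    ssh -G -F "$1" "$2" 2>/dev/null | awk '$1 == "port" { print $2 }'
}
```

After adding the stanza, `ssh -G NOMACHINE_HOST_PLACEHOLDER | grep '^port '` should print 40 while every other host still reports 22, which is the check that the global form cannot pass.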

Learn more about SSH

More information is available by using the man command. Run man slogin, man ssh-keygen, man ssh, man scp, man ssh-agent or man ssh-add for more information.