SSH Keys for OpenStack Access

Because of our AFSHomeDirectory structure, SSH public key authentication is not generally used for CSAIL login. Kerberos authentication, which SSH keys do not provide, is required to authenticate to the filesystem containing your home directory, so logging in to a CSAIL system with public keys would succeed but leave you with no access to your home directory.

However, SSH key authentication is the only way to access the administrative account on OpenStack instances. This page documents that specific use case.

Using an existing keypair

If you have an OpenStackAccount and an existing key pair, uploading your public key is extremely simple.

Log in to https://nimbus.csail.mit.edu and go to:
Access & Security -> Keypairs -> Import Keypair

Enter an identifying name (perhaps your username) in the Keypair Name field, paste the contents of your public key file (likely ~/.ssh/id_rsa.pub) into the Public Key field, then click Import.

Creating a new key pair

These instructions will work on GNU/Linux systems and in the MacOS Terminal. Hopefully someone will add instructions for Windows.

Select a location for your private key

The private portion of your keypair should be kept in a secure private location. The default location ~/.ssh is suitable on Macs or on your laptop but not in your AFSHomeDirectory. AFS permissions are per directory, not per file, and some things in ~/.ssh require public access.

For your AFSHomeDirectory you should use ~/.ssh/private. You should run fs listacl ~/.ssh/private to verify that no one other than you has access rights. This directory is created with proper access controls when your CSAIL account is created.
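
One way to script the fs listacl check described above (an added example, not part of the original page): it parses the command's output and lists any principal other than you that holds positive rights. The function names and the two sample ACLs are constructed for illustration.

```shell
# Added example: list every principal other than the owner that holds
# positive rights in `fs listacl` output read from stdin.
# On a real system: fs listacl ~/.ssh/private | other_acl_principals "$USER"
other_acl_principals() {
    owner=$1
    awk -v owner="$owner" '
        /^Access list for/  { next }
        /^Normal rights:/   { section = "normal";   next }
        /^Negative rights:/ { section = "negative"; next }
        # Entries are indented "principal rights" pairs. Negative rights
        # take access away, so only the Normal section is reported.
        section == "normal" && NF == 2 && $1 != owner { print $1 " " $2 }
    '
}

# Succeeds only when nobody but the owner has positive rights.
acl_is_private() {
    others=$(other_acl_principals "$1")
    [ -z "$others" ]
}

# Constructed sample outputs (not captured from a real AFS cell).
sample_private='Access list for /afs/csail.mit.edu/u/j/jon/.ssh/private is
Normal rights:
  jon rlidwka'

sample_shared='Access list for /afs/csail.mit.edu/u/j/jon/.ssh is
Normal rights:
  system:anyuser l
  jon rlidwka'

# Hypothetical helper: classify one sample ACL for the given owner.
check_sample() {
    if printf '%s\n' "$2" | acl_is_private "$1"; then
        echo "private"
    else
        echo "exposed"
    fi
}

check_sample jon "$sample_private"
check_sample jon "$sample_shared"
```

Any line printed by other_acl_principals names a principal that can at least list the directory, so a private key stored there should be moved.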

Generate the keypair

The ssh-keygen command creates the keys for you; all you need is the location you decided on above and a good passphrase.

$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/afs/csail.mit.edu/u/j/jon/.ssh/id_rsa): /afs/csail.mit.edu/u/j/jon/.ssh/private/id_rsa
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /afs/csail.mit.edu/u/j/jon/.ssh/private/id_rsa.
Your public key has been saved in /afs/csail.mit.edu/u/j/jon/.ssh/private/id_rsa.pub.
The key fingerprint is:
c5:69:83:3e:4b:f0:98:4c:d1:ca:28:fc:6b:09:90:fc jon@kvas
The key's randomart image is:
+--[ RSA 2048]----+
|      ..         |
|       ..o .     |
|.o   oo.. *      |
|o.o .oo* o .     |
| ..o  + S        |
|  .E.  . o       |
|   . o  .        |
|    +            |
|   .             |
+-----------------+

You then take the public key (~/.ssh/private/id_rsa.pub in this case) and upload it as described above.

Note on connecting with keys

Using an SSH agent, you can authorize your key once with your passphrase and then have passphraseless access to systems that authorize your public key for access.

Linux desktop systems usually start an SSH agent on login, so you can use this command:

ssh-add </path/to/private_key>

(If that command says something like "Cannot connect to your agent", your session might not be configured to start an SSH agent for you on login.) You don't need an SSH agent; keypair-based SSH connections will still work without one, but without one you'll need to type your passphrase to decrypt your private key each time you issue an ssh command. Send mail to help@csail.mit.edu if you need help getting an SSH agent to start when you log in.

-- JonProulx - 19 Mar 2014

with some changes by -- JaySekora - 19 Mar 2014
Topic revision: 19 Mar 2014, JonProulx