Standard SSH Key Access to TeraGrid Resources

In order to log in and interactively use a shell on any TeraGrid resource, you must use a GSI-SSH or SSH client. GSI-SSH client software such as "gsissh" may be installed on Linux, Mac OSX, or other Unix variants. GSI-SSH allows SSH access to machines using your user certificate for authentication instead of a password.

We strongly urge you to use a GSI-SSH client and a proxy grid certificate to log in to remote TeraGrid resources rather than a standard SSH client. However, if that is not possible, standard SSH may be used to reach some TeraGrid resources. A standard SSH client authenticates either with the password defined for your account at each TeraGrid resource or with an SSH key. If GSI-SSH is not available to you, follow the instructions below to configure standard SSH key-based access to a resource.

A standard SSH key consists of a private key and public key. The private key is kept on your local system, from which you log in, and the public key is uploaded to the remote system. Do not send your private key to anyone else (even administrators) or upload it to the remote system. If you do not have an SSH key-pair, you may generate one using most SSH software—SecureCRT or PuTTY's PuTTYgen on Windows, or "ssh-keygen" on Linux and Unix variants. If you use ssh-keygen, your generated public key should be a long single line of text similar to the following (OpenSSH format):

ssh-rsa  YYYYQ7NxN…uK+0Ko58=  yourlogin@yourhost

If you use SecureCRT or PuTTYgen, your public key should instead resemble the following (SECSSH format):

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20080702"
YYYYQ3NzaC1yc2EYYYYQJQYYYIEY5CRGNRZ2XVOcGiaEgRiIaZPcffmYdKPgpK44
zZ/q7plHY/Fqfzr7Dh5tPLuOF3S7vYq57a2o8TJw3mnF6CmsvlYlYYSYs7Kp3YWm
SE6uQk76yKVQ0C7hCiwheQmGunRY0KlsfGZTfs1rdxnVTQgLiZO2P7leyvru9Upu
K+0Ko58=
---- END SSH2 PUBLIC KEY ----

Now you will need to upload the public key portion of your key (not the private key) to the remote system you wish to access. One method of uploading your public key that does not rely on knowing the remote system-specific password or require a local GSI-SSH client is to use the TeraGrid Portal's GSI-SSH to access a remote resource and set the public key through that:

  1. Log in to the TeraGrid Portal using the Portal account information from your introductory packet.
  2. In the top menu, click on "My TeraGrid" -> "Accounts".
  3. Log in to the remote resource desired using the GSI-SSH Portal applet.
  4. Create a ".ssh" directory if one does not exist:
    mkdir -p ~/.ssh
    
  5. Open your SSH public key using a basic text editor (vi, pico, Notepad), select the entire contents of this file, and copy it to the clipboard (in Notepad "Edit"->"Select All", "Edit"->"Copy").
  6. Store your public key in the file "identity.pub" within the ".ssh" directory on the remote resource, creating it if necessary:
    cat > ~/.ssh/identity.pub
        (paste using button in Portal applet)
    <Control+D>
    
  7. If your key is in SECSSH format (see above examples), you will need to convert your public key to an OpenSSH-compatible key. If your key is in OpenSSH format, skip this step. To convert a key from SECSSH to OpenSSH:
    mv ~/.ssh/identity.pub ~/.ssh/identity.secssh.pub
    ssh-keygen -i -f ~/.ssh/identity.secssh.pub > ~/.ssh/identity.pub
    
        (or if using an OpenSSH version prior to 2.9)
    ssh-keygen -X -f ~/.ssh/identity.secssh.pub > ~/.ssh/identity.pub
    
  8. Now append the public key to the list of authorized keys for the remote resource account (the file "authorized_keys" in the ".ssh" directory):
    cat ~/.ssh/identity.pub >> ~/.ssh/authorized_keys
    
  9. It is important to restrict the ".ssh" directory and all files within to only yourself:
    chmod -R go-rwx ~/.ssh
    
  10. Configure your local SSH client to use the private key for the public key you just uploaded. For Linux and Unix variants, if you generated the key on your local system, this should already be done. For Windows clients, you will need to set an option to point to the correct private key file.
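
Steps 4 through 9 as a single shell function, given here as an added example that is not part of the original TeraGrid instructions. The names key_format and install_pubkey and the SSH_DIR override are assumptions of this example; it also rejects an OpenSSH key that the paste has wrapped onto several lines and skips the append when the key is already listed.

```shell
#!/bin/sh
# Added example. SSH_DIR is an assumed override (default ~/.ssh) so the
# functions can be tried against a scratch directory first.

# Print "openssh", "secssh" or "unknown" for the public key file in $1.
key_format() {
    first=$(grep -v '^[[:space:]]*$' "$1" | head -n 1)
    case "$first" in
        "---- BEGIN SSH2 PUBLIC KEY ----"*) echo secssh ;;
        ssh-rsa\ *|ssh-dss\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) echo openssh ;;
        *) echo unknown ;;
    esac
}

# Install the public key file $1 into $SSH_DIR/authorized_keys.
# Returns 2 for a wrapped OpenSSH key, 3 if conversion fails, 4 if unknown.
install_pubkey() {
    keyfile=$1
    ssh_dir=${SSH_DIR:-$HOME/.ssh}
    auth=$ssh_dir/authorized_keys
    mkdir -p "$ssh_dir" || return 1                      # step 4

    case "$(key_format "$keyfile")" in
        openssh)
            # An OpenSSH key must stay on one line; a paste that wrapped it
            # leaves fragments that sshd will not accept as that key.
            lines=$(tr -d '\r' < "$keyfile" | grep -c -v '^[[:space:]]*$')
            if [ "$lines" -ne 1 ]; then
                echo "public key spans $lines lines, expected 1" >&2
                return 2
            fi
            # Drop Windows line endings and blank lines left by the editor.
            key=$(tr -d '\r' < "$keyfile" | grep -v '^[[:space:]]*$')
            ;;
        secssh)
            key=$(ssh-keygen -i -f "$keyfile") || return 3  # step 7
            ;;
        *)
            echo "unrecognised public key format: $keyfile" >&2
            return 4
            ;;
    esac

    touch "$auth"
    # Step 8, but append only when this exact line is not already listed.
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
    chmod -R go-rwx "$ssh_dir"                           # step 9
}
```

Run on the remote resource as `install_pubkey ~/.ssh/identity.pub` after step 6.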

You should now be able to log in from the local system to the remote TeraGrid resource without being prompted for a password at all. If you are still prompted for a password, the keys are probably not set up correctly. Please check the steps above or contact us for assistance.

You can download a PDF file with step-by-step instructions for installing your public key from a Linux host, using the TeraGrid User Portal, here: "How to Install Your Public Key".