Connecting to IDRIS with SSH keys
Generating private and public keys
Connections by SSH keys are authorised at IDRIS. The procedure for generating keys is described below. When generating your keys, you must enter a passphrase to protect your private key. This passphrase will then be requested at each connection, or only once per session if you are using the ssh-agent program.
The keys are generated by the ssh-keygen command. You will be presented with three prompts. We advise you to press RETURN for the first prompt (“Enter file …”). For the second and third prompts, enter the passphrase which will protect your keys.
$ ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/machine-locale/login/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/machine-locale/login/.ssh/id_rsa.
Your public key has been saved in /home/machine-locale/login/.ssh/id_rsa.pub.
The key fingerprint is:
26:e3:d4:29:b7:5b:29:15:d7:68:39:eb:a3:12:0b:02 [email protected]
Two files (id_rsa and id_rsa.pub) are created in the .ssh directory of the local machine. Following this, the public key must be added to the authorized_keys file of the distant machine's ~/.ssh directory.
Transferring the file containing your public key to the distant machine
The following command should be entered on your local machine. It transfers the public key into the authorized_keys file of the ~/.ssh directory on the distant machine.
$ ssh-copy-id [email protected]
Attention: In order for the key to be recognized, only your login should have write access on the $HOME and $HOME/.ssh directories as well as on the $HOME/.ssh/authorized_keys file. The following is an example of a connection from your local machine to an IDRIS machine:
$ ssh -X [email protected]
Enter passphrase for key '/home/machine-locale/login/.ssh/id_rsa':
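The write-access rule above is the one sshd enforces with its default StrictModes setting: a key is silently ignored when the home directory, ~/.ssh or authorized_keys is writable by group or others, or owned by someone else. The following POSIX sh functions are an added example, not code from the IDRIS page; they audit those three paths and apply the accepted modes. The directory passed as HOME_DIR stands in for $HOME and is an assumed argument so the check can be run on any account directory.

```shell
#!/bin/sh
# Added example (not from the IDRIS page): audit the paths sshd inspects
# before it accepts a key, and repair their modes if needed.

# check_ssh_perms HOME_DIR
#   HOME_DIR stands in for $HOME (assumed argument). Prints one line per
#   problem found; returns 0 when all three paths are acceptable, 1 otherwise.
check_ssh_perms() {
    home_dir=$1
    me=$(id -un)
    rc=0
    for p in "$home_dir" "$home_dir/.ssh" "$home_dir/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"
            rc=1
            continue
        fi
        # -perm -020 / -perm -002: true when the group / other write bit is set
        if [ -n "$(find "$p" -maxdepth 0 \( -perm -020 -o -perm -002 \))" ]; then
            echo "writable by group or others: $p"
            rc=1
        fi
        # sshd also refuses the key when any of the paths belongs to another user
        if [ -n "$(find "$p" -maxdepth 0 ! -user "$me")" ]; then
            echo "not owned by $me: $p"
            rc=1
        fi
    done
    return $rc
}

# fix_ssh_perms HOME_DIR
#   Apply the modes sshd accepts: no group/other write on the home directory,
#   .ssh accessible to the owner only, authorized_keys readable/writable by
#   the owner only.
fix_ssh_perms() {
    chmod go-w "$1" && chmod 700 "$1/.ssh" && chmod 600 "$1/.ssh/authorized_keys"
}

# Typical use on the distant machine after ssh-copy-id:
#   check_ssh_perms "$HOME" || fix_ssh_perms "$HOME"
```

Run check_ssh_perms first and look at what it reports: a home directory that is group-writable on purpose (shared project accounts) needs a decision, not a blind chmod, whereas .ssh and authorized_keys can always be tightened to 700 and 600.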
Using the ssh-agent program to type your passphrase only one time
The ssh-agent
You must enter the following two commands on your local machine:
$ eval $(ssh-agent)
$ ssh-add ~/.ssh/id_rsa
Enter passphrase for /home/machine-locale/login/.ssh/id_rsa:
Identity added: /home/machine-locale/login/.ssh/id_rsa (/home/machine-locale/login/.ssh/id_rsa)
Attention: Connection without entering the passphrase is limited to the lifespan of the agent. You will need to re-launch the agent at each new session.
If you are in a Windows environment and you are using the SSH client PuTTY, you may also use the Pageant program, furnished with PuTTY.
IDRIS recommendations
For a higher level of security, we ask that you respect the following five recommendations:
- Take every precaution on your local work station to protect your private key (strong passphrase, restricted access rights).
- Do not copy your private key on the IDRIS servers.
- Generate RSA keys of at least 4096 bits, or use elliptic curve based algorithms (ECDSA, ed25519).
- Verify that the public key fingerprints of the IDRIS SSH servers to which you connect are listed on the IDRIS website. For example, during your first connection, you will have to check that the SHA256 fingerprint below is indeed that of the jean-zay frontal in this list and answer “yes” if this is the case:
$ ssh login_jean-zay@jean-zay.idris.fr
The authenticity of host 'jean-zay.idris.fr (130.84.132.18)' can not be established.
ECDSA key fingerprint is SHA256:vJ+SJBxXvPqnPd3/clChlrHI59a06vZxsxUHrA2jZ+k.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
- Limit the usage of these keys to only the machines which you have declared in the IDRIS filters. To do this, you should edit the authorized_keys file of your local machine and, at the beginning of each line which contains a key generated on one of the IDRIS machines, add one of the following strings: from="your_ip", from="machine.domain_local.fr" or from="*.machine.domain_local.fr".
$ cat authorized_keys
from="machine.domain_local.fr" ssh-rsa AAAAB3NzaC1yc2EA...........
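The last two recommendations (checking the published host key fingerprint, and restricting keys with a from= option) can both be turned into checks that run offline with OpenSSH's own tools. The POSIX sh functions below are an added example, not code from the IDRIS page: check_known_host_fingerprint confirms, after a first connection, that the host key recorded in known_hosts carries the fingerprint published on the website; unrestricted_keys lists the keys of an authorized_keys file that have no from= clause; restrict_keys_from prepends from="PATTERN" to every key that has no options field yet. The host name testhost.example, the file paths and the sample key lines are constructed; the only value taken from the page is the jean-zay fingerprint in the usage comment.

```shell
#!/bin/sh
# Added example (not from the IDRIS page): checks for the host key
# fingerprint and for from= restrictions in authorized_keys.

# check_known_host_fingerprint HOST EXPECTED [KNOWN_HOSTS_FILE]
#   Returns 0 when a key recorded for HOST has the SHA256 fingerprint EXPECTED,
#   1 otherwise (host absent, or the recorded key differs from the published one).
check_known_host_fingerprint() {
    host=$1
    expected=$2
    file=${3:-$HOME/.ssh/known_hosts}
    # "ssh-keygen -l -F" prints "host keytype SHA256:..." for each matching
    # entry, including entries stored in hashed form (HashKnownHosts yes).
    ssh-keygen -l -F "$host" -f "$file" 2>/dev/null | grep -F -q -- "$expected"
}

# unrestricted_keys FILE
#   Prints every key line of an authorized_keys file that carries no from= option,
#   whether the line has no options at all or options without a from= clause.
unrestricted_keys() {
    awk '
        /^[[:space:]]*(#|$)/ { next }        # skip comments and blank lines
        $0 !~ /(^|,)from="/  { print }       # no from= among the options
    ' "$1"
}

# restrict_keys_from PATTERN FILE
#   Writes FILE to stdout with from="PATTERN" prepended to every key line whose
#   first field is a key type, i.e. that has no options field yet. Lines that
#   already start with options are left untouched (they may carry a command=
#   or similar), so run unrestricted_keys on the result afterwards.
restrict_keys_from() {
    awk -v pat="$1" '
        /^[[:space:]]*(#|$)/ { print; next }
        $1 ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-[a-z0-9]+|sk-[a-z0-9-]+@openssh\.com)$/ {
            print "from=\"" pat "\" " $0
            next
        }
        { print }
    ' "$2"
}

# Usage with the fingerprint quoted on this page, then a dry run of the restriction:
#   check_known_host_fingerprint jean-zay.idris.fr \
#       SHA256:vJ+SJBxXvPqnPd3/clChlrHI59a06vZxsxUHrA2jZ+k && echo "host key matches"
#   restrict_keys_from '*.machine.domain_local.fr' ~/.ssh/authorized_keys > authorized_keys.new
#   unrestricted_keys authorized_keys.new
```

restrict_keys_from writes to stdout on purpose: review the new file, then move it over authorized_keys, rather than rewriting the file in place and locking yourself out on a typo in the pattern. Keys that already had an options field are reported by unrestricted_keys and have to be edited by hand, since the from= clause must be merged into their existing comma-separated options.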