Note: These commands are intended to be run on a host in the openlab cluster.

Use the ssh-keygen command to generate a set of SSH keys suitable for logging in in via ssh. This command will generate a private and public key combinations. You need to generate the keys from the computer you wish to connect to openlab from. If you haven't created SSH keys before, you will want to use the default file name. If you are creating additional keys, you will want to change the name of the file.

% ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/icsuser/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/icsuser/.ssh/id_rsa.
Your public key has been saved in /home/isuser/.ssh/id_rsa.pub.
The key fingerprint is:
28:c8:58:6a:08:59:a0:fd:31:9d:8d:25:59:93:18:28 ics_user@openlab

Choose a strong passphrase. Do not, under any circumstances, leave an empty passphrase. Learn to use ssh-agent if typing in a passphrase is too onerous.

Note the location of the private portion of the key. This is the one that your SSH client will use.

Now that you have our public/private key pair, add the public key pair into your ~/.ssh/authorized_keys file:

cat ~/.ssh/id_rsa.pub>> ~/.ssh/authorized_keys

If the key is named id_rsa or id_dsa, then the key will be used automatically when running ssh. If this key is named differently then you will need to specify which key to use when calling ssh:

ssh -i ~/.ssh/altkeyname_rsa icsuser@openlab.ics.uci.edu

SSH keys can be used to access any account, including Groupleader (a.k.a. gsu) accounts. The principal is the same, add your public half of your key pair to the ssh accounts authorized_keys file. Follow similar steps to those above:

1. Create the private/public key pair
2. Add the public portion of the key pair to the groupleader account authorized_key file.
3. ssh using the new key.

This is the same process as creating your own key pair. Execute the `ssh-keygen` as the user on the host you will be ssh from. The process is the same for any Linux host, both ICS and your own personal system.

In the following example, replace “your_user” with your own local username and icsgroupleader with the name of the groupleader account you wish to ssh into.

% ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/your_user/.ssh/id_rsa): /home/your_user/.ssh/icsgroupleader_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/your_user/.ssh/icsgroupleader_rsa.
Your public key has been saved in /home/your_user/.ssh/icsgroupleader_rsa.
The key fingerprint is:
28:c8:58:6a:08:59:a0:fd:31:9d:8d:25:59:93:18:28 ics_user@openlab

The private ~/.ssh/icsgroupleader_rsa and the public ~/.ssh/icsgroupleader_rsa.pub are created.

Keep the private portion of the key secure. It should be set mode 600 (`chmod 600 ~/.ssh/ics_groupleader_rsa).

Add the public key into the gsu or groupleader account's authorized_keys file. Often times it is easiest to open a shell on an ICS host as yourself, use gsu become the groupleader account and then copy/paste the public portion of the key into the groupleader's ~/.ssh/authorized_keys file.

The public portion is typically one line long and begins with ssh-rsa

At this point you should be able use your new key to authenticate as the icsgroupleader account. The command will typically look like this:

your_user@your_machine% ssh -i ~/.ssh/icsgroupleader_rsa icsgroupleader@openlab.ics.uci.edu

You can also use this key in many applications that use ssh to connect to ICS servers including vscode, cyberduck, and moboxterm.

Follow these directions to convert your key to a format usable by Putty (if you choose another SFTP client, google the relevant directions for that particular client):

or these directions (note the need to convert keys generated on the ICS servers)

Check: Putty

Check permissions. The home directory should be no better than 751. The .ssh directory should be 700 and the authorized key file should be 600.