Connecting to IDRIS with SSH keys

Generating private and public keys

Connections by SSH keys are authorised at IDRIS. The procedure for generating them is described below. While generating the keys, you must enter a passphrase to protect your private key. This passphrase is then requested at each connection, or just once if you are using ssh-agent.

The keys are generated by the ssh-keygen command. You will be presented with three prompts. We advise you to press RETURN for the first prompt ("Enter file ..."). For the second and third prompts, enter the passphrase that will protect your private key.

$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/machine-locale/login/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/machine-locale/login/.ssh/id_rsa.
Your public key has been saved in /home/machine-locale/login/.ssh/id_rsa.pub.
The key fingerprint is:
26:e3:d4:29:b7:5b:29:15:d7:68:39:eb:a3:12:0b:02 login@machine-locale.domaine.fr

Two files (id_rsa and id_rsa.pub) are created in the .ssh directory of the local machine. The public key must then be added to the authorized_keys file in the ~/.ssh directory of the remote machine.

Transferring the file containing your public key to the remote machine

The following command should be entered on your local machine. It copies the public key into the authorized_keys file of the ~/.ssh directory on the remote machine.

$ ssh-copy-id rlabxxx@machine.idris.fr

Attention: In order for the key to be recognised, only your login should have write access to the $HOME and $HOME/.ssh directories and to the $HOME/.ssh/authorized_keys file. The following is an example of a connection from your local machine to an IDRIS machine:

$ ssh -X rlabxxx@machine.idris.fr
Enter passphrase for key '/home/machine-locale/login/.ssh/id_rsa':

Using ssh-agent to type your passphrase only once

The ssh-agent program

You must enter the following two commands on your local machine:

$ eval $(ssh-agent)
$ ssh-add ~/.ssh/id_rsa
Enter passphrase for /home/machine-locale/login/.ssh/id_rsa:
Identity added: /home/machine-locale/login/.ssh/id_rsa
(/home/machine-locale/login/.ssh/id_rsa)

Attention: Connection without entering the passphrase is limited to the lifetime of the agent. You will need to relaunch the agent at each new session.

If you are in a Windows environment and you are using the SSH client PuTTY, you may also use the Pageant program, supplied with PuTTY.

IDRIS recommendations

For a higher level of security, we ask that you follow these four recommendations:

  • Take every precaution on your local workstation to protect your private key (strong passphrase, restricted access rights).
  • Do not copy your private key onto the IDRIS servers.
  • Generate RSA keys of at least 2048 bits.
  • Limit the use of these keys to only the machines you have declared in the IDRIS filters. To do this, edit the authorized_keys file on your local machine and, at the beginning of each line containing a key generated on one of the IDRIS machines, add one of the following strings:
    • from="your_ip"
    • from="machine.domain_local.fr"
    • from="*.machine.domain_local.fr"

      $ cat authorized_keys
      from="machine.domain_local.fr" ssh-rsa AAAAB3NzaC1yc2EA...........
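The following script applies the from= restriction described above to a whole authorized_keys file. It is an added example, not IDRIS's own tooling; the key lines it processes are constructed (fake, truncated keys) and the host pattern is the one used on this page.

```shell
#!/bin/sh
# Added example (not IDRIS code): rewrite an authorized_keys file so that every
# key line carries the from="..." restriction recommended above. Key lines that
# already have a from= option are left alone; existing options such as
# no-pty,command="..." are kept and from= is prepended to them. Comments and
# blank lines pass through unchanged.

# restrict_keys_from PATTERN [FILE]  -- reads FILE (or stdin), writes to stdout
restrict_keys_from() {
  awk -v pat="$1" '
    BEGIN {
      # Key-type tokens accepted by OpenSSH; everything before one is options.
      kt = "(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)"
      kt = kt "|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\\.com)"
    }
    /^[ \t]*$/ || /^[ \t]*#/ { print; next }            # blank or comment
    {
      # Locate the key type; a line without one is not a key and is kept as is.
      if (!match($0, "(^|[ \t])" kt "[ \t]")) { print; next }
      opts = substr($0, 1, RSTART - 1)                   # options list, may be ""
      if (opts ~ /(^|,)from=/) { print; next }           # already restricted
      if (opts == "") {
        print "from=\"" pat "\" " $0                     # no options yet
      } else {
        print "from=\"" pat "\"," $0                     # prepend to options
      }
    }
  ' ${2:+"$2"}
}

# Constructed sample file (fake, truncated keys); not real IDRIS data.
sample_authorized_keys() {
  printf '%s\n' \
    '# constructed sample' \
    'ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB... login@machine-locale' \
    'from="10.0.0.5" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5... login@desk' \
    'no-pty,command="ls -l" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5... backup'
}

# Run the rewrite on the sample. On a real file:
#   restrict_keys_from '*.machine.domain_local.fr' ~/.ssh/authorized_keys > new
demo() {
  sample_authorized_keys | restrict_keys_from '*.machine.domain_local.fr'
}
```

Review the rewritten file before replacing the original, since a from= pattern that does not match the host you connect from will lock that key out.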