Jean Zay: SSH access and certificates

To reinforce the security of access to Jean Zay, we ask you to test the use of certificates for your SSH connections instead of the usual public/private SSH key pairs.

Password authentication is not affected by this change and remains possible. During the test phase, connections via classic SSH keys also remain possible. We will announce the end-of-support date for classic SSH keys once all known blocking issues are resolved.

Please let us know of any problems you encounter when using certificates (first check the list of known issues below).

Please note that you currently cannot use SSH certificates to log in to the pre/post-processing nodes of Jean Zay.

This page explains how to generate your certificates with the IDRIS idr_keygen tool and how to use them for your connections.

Note that you can define two certificates:

  • One (valid for 1 year) enables all types of connections (interactive or not, in particular via the « ssh » command) and must be protected by a passphrase.
  • The other (valid for 7 days) enables only your file transfers (scp, sftp, bbcp, bbftp and rsync commands) and does not require a passphrase.

Warning: there are some known issues that we are currently trying to solve:

  • Versions of OpenSSH older than 7.8 (released in August 2018) do not support the SSH certificates created by idr_keygen.
  • Our certificates do not seem to work on macOS.
  • On Windows, SSH certificates are only supported starting with version 0.78 of PuTTY (released in October 2022) and will only be supported starting with version 6 of WinSCP (not yet released).
  • Some diacritics (such as é, è, à, ç, …) cause issues:
    • if your passphrase contains such a character, your certificate will not work;
    • if your Jean Zay password contains such a character, idr_keygen might reject it even though it is actually correct.

The idr_keygen tool

The IDRIS command idr_keygen, available on Jean Zay, generates either of the two certificates, depending on the option -t interactive or -t transfert-only (or its long-format equivalent --type ...).
The -o OUTPUT option (or its long form --output OUTPUT) specifies the name of a file (zip format) that will contain the private and public components of the generated certificate.
The command syntax is displayed with the -h or --help option:

$ idr_keygen --help
usage: idr_keygen [-h] [-t {interactive,transfert-only}] [-o OUTPUT] [-v]
 
Generates authentication keys for SSH that are signed by a Certification
Authority. The type of key to be generated is specified with the -t option. If
invoked without any arguments, idr_keygen will generate an RSA key for use in
SSH protocol 2 interactive connections.
 
optional arguments:
  -h, --help            show this help message and exit
  -t {interactive,transfert-only}, --type {interactive,transfert-only}
                        selects SSH certificate type:
                          interactive : for login sessions (ssh)
                          transfert-only : for data transferts (scp, sftp, bbcp, bbftp and rsync)
                         (default: interactive)
  -o OUTPUT, --output OUTPUT
                        ZIP Downloaded filename and location (default: /path/to/your/home/sshkey.zip)
  -v, --verbose         Increase verbosity output (default: False)

Interactive-type certificate

For connections via the ssh command, you must generate an interactive-type certificate on Jean Zay and protect it with a passphrase. This certificate has a validity period of 365 days and must therefore be renewed once a year. It also authorizes non-interactive connections.

For example, to generate an interactive-type certificate and save it in the interactive_certif.zip file (in your Jean Zay HOME in the example below), use the command:

$ idr_keygen -t interactive -o ~/interactive_certif.zip
Generating SSH signed key (type interactive will be used ; use help option -h to know more)
 
Please enter the certificate's passphrase:
Confirm the certificate's passphrase:
 
Request server to get your SSH certificate
Please enter login_idris's password:
Success. /path/to/your/home/interactive_certif.zip was successfully downloaded.

Note that this command asks you for a passphrase to protect the certificate, and for your Jean Zay password in order to ensure that you are the person initiating this generation.

You must enter the passphrase a second time to confirm the first entry, and the passphrase must respect the following rules:

  • It must contain a minimum of 20 characters (no restriction on the types of characters used).
  • It must not contain words found in dictionaries nor trivial combinations (1234, azerty, …).

To test an ssh connection to Jean Zay via this certificate from the local machine from which you want to reach Jean Zay, first copy the certificate (the zip file previously generated on Jean Zay) onto this local machine:

login_local@machine_locale:~$ scp login_idris@jean-zay.idris.fr:~/interactive_certif.zip ./. 
login_idris@jean-zay.idris.fr's password:
interactive_certif.zip                                100% ...

Then decompress it to obtain the private and public components of the certificate, which must be saved in the ~/.ssh directory of your local machine:

login_local@machine_locale:~$ unzip ~/interactive_certif.zip -d ~/.ssh
Archive: /path/to/your/home/interactive_certif.zip
inflating: /path/to/your/home/.ssh/id_ecc_pty
inflating: /path/to/your/home/.ssh/id_ecc_pty.pub

Note that, contrary to classic SSH keys, it is not necessary to add the public component (.pub file) of the certificate to the Jean Zay ~/.ssh/authorized_keys file.

Important: If you already use SSH keys, make sure that you are really testing the SSH connection to Jean Zay via the generated certificate. To do this, rename your ~/.ssh/authorized_keys file on Jean Zay to ~/.ssh/authorized_keys.bk (for example) in order to deactivate the usual ssh keys:

$ mv ~/.ssh/authorized_keys ~/.ssh/authorized_keys.bk 

You can then establish an ssh connection to Jean Zay from your local machine by using the identity of this certificate (~/.ssh/id_ecc_pty, for this example) via the ssh -i option:

login_local@machine_locale:~$ ssh -i ~/.ssh/id_ecc_pty login_idris@jean-zay.idris.fr 
Enter passphrase for key /path/to/your/home/.ssh/id_ecc_pty:
...
login_idris@jean-zay.idris.fr:~$

Comments:

  • With this certificate, you can enable X11 display forwarding (ssh -X option):
    login_local@machine_locale:~$ ssh -X -i ~/.ssh/id_ecc_pty login_idris@jean-zay.idris.fr 
    Enter passphrase for key /path/to/your/home/.ssh/id_ecc_pty:
    ...
    login_idris@jean-zay.idris.fr:~$
  • If you do not use ssh-agent on your local machine, the passphrase protecting your certificate will be requested at each connection. You can instead add the identity to the ssh-agent on your local machine so that you do not need to enter the passphrase each time you use this certificate:
    login_local@machine_locale:~$ ssh-add ~/.ssh/id_ecc_pty 
    Enter passphrase for ~/.ssh/id_ecc_pty:
    Identity added: ~/.ssh/id_ecc_pty (~/.ssh/id_ecc_pty)
  • It is possible to define the certificate to be used in your SSH configuration file (~/.ssh/config file on the machine used to establish the connection). The private part is given with IdentityFile and the certificate itself (the .pub file produced by idr_keygen) with CertificateFile:
    Host jean-zay
        HostName jean-zay.idris.fr
        User <login_idris>
        IdentityFile ~/.ssh/id_ecc_pty
        CertificateFile ~/.ssh/id_ecc_pty.pub

Transfer-only certificate

For your data transfers, you can generate a transfer-only certificate on Jean Zay. This certificate does not require a passphrase, which makes non-interactive usage easier. However, its validity period is limited to 7 days.

For example, to generate a transfer-only certificate and save it in the transfert_certif.zip file (in your Jean Zay HOME in the example below), use the command:

$ idr_keygen -t transfert-only -o ~/transfert_certif.zip
Generating SSH signed key (type transfert-only will be used ; use help option -h to know more)
 
Request server to get your SSH certificate
Please enter login_idris's password:
Success! /path/to/your/home/transfert_certif.zip was successfully downloaded.

Note that this command does not ask for a passphrase, since the transfer-only certificate does not need to be protected. Nevertheless, your Jean Zay password is requested in order to ensure that you are the person performing this operation.

Next, copy the certificate (the zip file previously generated on Jean Zay) onto your local machine (from which you want to reach Jean Zay):

login_local@machine_locale:~$ scp login_idris@jean-zay.idris.fr:~/transfert_certif.zip .
login_idris@jean-zay.idris.fr's password:
transfert_certif.zip                                  100% ...

Then decompress it to obtain the private and public components of the certificate, which must be saved in the ~/.ssh directory of your local machine:

login_local@machine_locale:~$ unzip ~/transfert_certif.zip -d ~/.ssh
Archive: /path/to/your/home/transfert_certif.zip
inflating: /path/to/your/home/.ssh/id_ecc_rsync
inflating: /path/to/your/home/.ssh/id_ecc_rsync.pub

Note that, contrary to the classic SSH keys, it is not necessary to add the public component (.pub file) of the certificate to the Jean Zay ~/.ssh/authorized_keys file.

Important: If you already use SSH keys, make sure that you are really testing the SSH connection to Jean Zay via the generated certificate. To do this, rename your ~/.ssh/authorized_keys file on Jean Zay to ~/.ssh/authorized_keys.bk (for example) in order to deactivate the usual ssh keys:

$ mv ~/.ssh/authorized_keys ~/.ssh/authorized_keys.bk 

You can then exchange data between your local machine and Jean Zay by using the identity of this certificate (~/.ssh/id_ecc_rsync, for this example) via the -i option of scp.

As an example, the following command, executed on your local machine, transfers the local_data file from your local machine into the /path/to/. directory on Jean Zay:

login_local@machine_locale:~$ scp -i ~/.ssh/id_ecc_rsync local_data login_idris@jean-zay.idris.fr:/path/to/.
local_data                              100% ...

Conversely, the following command, executed on your local machine, transfers the idris_data file from the Jean Zay /path/to/. directory into the current directory of your local machine:

login_local@machine_locale:~$ scp -i ~/.ssh/id_ecc_rsync login_idris@jean-zay.idris.fr:/path/to/idris_data ./.
idris_data                              100% ...

This type of certificate is not protected by a passphrase and no password is requested during the transfers.

Certificate expiry

No notification is currently sent to inform you of the expiry of your SSH certificate. To retrieve the expiry date of a certificate, run the following command:

# example for the interactive-type certificate ~/.ssh/id_ecc_pty.pub
ssh-keygen -Lf .ssh/id_ecc_pty.pub 

This command returns information in the format below; the validity period of the certificate is shown on the Valid: line:

id_ecc_pty.pub:
        Type: 
        Public key: 
        Signing CA: 
        Key ID: 
        Serial: 
        Valid: from 2023-05-31T10:12:10 to 2024-05-30T10:12:40
        Principals: 
        Critical Options: (none)
        Extensions:
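Since no expiry notification is sent, the following POSIX sh script (an added example, not an IDRIS tool) reads the Valid: line of the ssh-keygen -L output shown above and reports how many days of validity remain, so it can be run from a shell startup file or a cron job before a transfer. It assumes only that ssh-keygen is installed on the local machine; the date arithmetic is done in pure shell so that it behaves the same on GNU and BSD/macOS systems.

```shell
#!/bin/sh
# Expiry check for a Jean Zay SSH certificate (added example, not IDRIS code).
# Assumed: POSIX sh, ssh-keygen available, local clock roughly correct.

# Print the "to" date (YYYY-MM-DD) of the "Valid: from ... to ..." line read on stdin.
cert_valid_to() {
    sed -n 's/^[[:space:]]*Valid: from .* to \([0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}\)T.*/\1/p'
}

# Days since 1970-01-01 for a YYYY-MM-DD date, via the Julian Day Number formula,
# so no "date -d" (GNU only) is needed.
days_since_epoch() {
    y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
    m=${m#0}; d=${d#0}            # drop leading zeros: "08" would be read as octal
    a=$(( (14 - m) / 12 ))
    yy=$(( y + 4800 - a ))
    mm=$(( m + 12 * a - 3 ))
    jdn=$(( d + (153 * mm + 2) / 5 + 365 * yy + yy / 4 - yy / 100 + yy / 400 - 32045 ))
    printf '%s\n' "$(( jdn - 2440588 ))"   # 2440588 is the JDN of 1970-01-01
}

# Days between TODAY ($1, YYYY-MM-DD) and the expiry date of the ssh-keygen -L text on stdin.
# Negative means the certificate has already expired.
cert_days_left() {
    to=$(cert_valid_to)
    printf '%s\n' "$(( $(days_since_epoch "$to") - $(days_since_epoch "$1") ))"
}

# check_cert FILE [THRESHOLD]: exit 1 when FILE (e.g. ~/.ssh/id_ecc_rsync.pub) expires
# within THRESHOLD days (default 2, suited to the 7-day transfer-only certificate;
# pass e.g. 30 for the 1-year interactive certificate).
check_cert() {
    file=$1; threshold=${2:-2}
    left=$(ssh-keygen -Lf "$file" | cert_days_left "$(date +%Y-%m-%d)")
    if [ "$left" -le "$threshold" ]; then
        echo "$file: $left day(s) of validity left, regenerate it with idr_keygen" >&2
        return 1
    fi
    echo "$file: $left day(s) of validity left"
}

# Constructed sample in the layout shown above (not a real certificate), for testing.
SAMPLE_KEYGEN_OUTPUT='id_ecc_pty.pub:
        Type: ...
        Valid: from 2023-05-31T10:12:10 to 2024-05-30T10:12:40
        Principals: login_idris'
```

Run it as `check_cert ~/.ssh/id_ecc_rsync.pub` before a transfer, or `check_cert ~/.ssh/id_ecc_pty.pub 30` for the interactive certificate.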