==== SSH Certificate Access ====

SSH certificates can be used to log into Pinnacle without using password authentication. A set of two files has to be present on the SSH client computer:

  * SSH private key (key-ed25519)
  * SSH public certificate (key-ed25519-cert.pub)

Both files are generated automatically on the Pinnacle cluster and stored in the ''$HOME/.ssh/certs'' directory for each user.

=== Downloading the SSH Certificate file pair ===

To download the SSH certificate file pair:

**1.** Log into **[[https://arp-ood.hpc.uark.edu]]**

{{:ssh-cert.png?400|}}

**2.** In the main menu at the top select: **Files->SSH Certificate Update**

{{:ssh-cert2.png?400|}}

**3.** Select the check boxes next to both of the listed files and click the **Download** button at the top.

**4.** On Linux and macOS machines make sure the file permissions for the SSH private key (key-ed25519) are read-only for the owner (400):

  pawel@dia:~/Downloads$ chmod 400 key-ed25519
  pawel@dia:~/Downloads$ ls -l key-ed25519
  -r-------- 1 pawel pawel 399 May 19 05:34 key-ed25519
  pawel@dia:~/Downloads$

=== Logging into Pinnacle using SSH Certificates ===

The SSH client lets users specify an //identity file// (the private key) to use when authenticating to the SSH server. On a Linux or macOS machine, add //-i// followed by the private key file name to the ssh command, run from the directory containing the SSH certificate file pair:

  pawel@dia:~/Downloads$ ls -l key*
  -r-------- 1 pawel pawel  399 May 19 05:34 key-ed25519
  -rw-rw-r-- 1 pawel pawel 1227 Aug 21 16:11 key-ed25519-cert.pub
  pawel@dia:~/Downloads$ ssh -i key-ed25519 pwolinsk@arp-ood.hpc.uark.edu
  Arkansas High Performance Computing Center
  SSH access only using timed certificates.
  Download your / pair by logging into http://arp-ood.hpc.uark.edu
  Files->SSH Certificate Update
  chmod 400
  ssh -i @arp-ood.hpc.uark.edu
  Arkansas Research Platform
  Last login: Mon Aug 21 15:08:50 2023 from 167.224.147.47
  ood-rocky:pwolinsk:~$

On Windows, SSH clients (including GUI clients) may have a different syntax for specifying an identity file. Please see the documentation for your particular SSH client.

=== Certificate Validity Period ===

The SSH private key (key-ed25519), once generated and downloaded to the SSH client machine, does not change. However, the SSH public certificate expires every Monday at 8 am CST. After that time it has to be regenerated and downloaded again to the SSH client machine (as described above in **Downloading the SSH Certificate file pair**).

{{ :ssh-login.mp4 |}}
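
The weekly expiry described under **Certificate Validity Period** can be checked on the client before logging in. The script below is an added example, not part of the original page: it reads the validity window printed by ''ssh-keygen -L'' and checks the private key mode. The function names and the sample text are constructed for illustration, and it assumes the certificate sits next to the key as ''<private key>-cert.pub''.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are illustrative.

# Read `ssh-keygen -L` output on stdin and print the end of the validity
# window (local time, as ssh-keygen prints it), or "forever" if it has no end.
cert_valid_until() {
    awk '$1 == "Valid:" {
        if ($2 == "forever" || $2 == "after") print "forever"
        else print $NF    # "from A to B" and "before B" both end in B
        found = 1; exit
    }
    END { if (!found) exit 1 }'
}

# $1 = expiry timestamp or "forever", $2 = current time in the same format.
# With punctuation stripped, ISO timestamps compare correctly as integers.
cert_status() {
    if [ "$1" = "forever" ]; then echo valid; return 0; fi
    end=$(printf '%s' "$1" | tr -cd '0-9')
    now=$(printf '%s' "$2" | tr -cd '0-9')
    if [ "$now" -lt "$end" ]; then echo valid; else echo expired; fi
}

# Mode string of a file as `ls -l` shows it; the page expects -r-------- (400).
key_mode() { ls -ld "$1" | cut -c1-10; }

# check_pair <private key>: assumes the certificate is <private key>-cert.pub.
check_pair() {
    key=$1; cert=$1-cert.pub
    [ "$(key_mode "$key")" = "-r--------" ] || echo "WARN: run chmod 400 $key"
    expiry=$(ssh-keygen -L -f "$cert" | cert_valid_until) || return 1
    current=$(date +%Y-%m-%dT%H:%M:%S)
    echo "$cert: valid until $expiry ($(cert_status "$expiry" "$current"))"
}

# Constructed sample of the relevant `ssh-keygen -L` lines (not captured output).
SAMPLE='key-ed25519-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Valid: from 2023-08-21T16:10:00 to 2023-08-28T08:00:00'

# With a key path as argument, check the real pair; otherwise show the sample.
if [ $# -gt 0 ]; then
    check_pair "$1"
else
    printf '%s\n' "$SAMPLE" | cert_valid_until
fi
```

An "expired" result means the certificate has to be downloaded again from **Files->SSH Certificate Update**; the private key stays the same.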