User Tools

Site Tools


ssh_certificates

**This is an old revision of the document!**

SSH Certificate Access

SSH Certificates can be used to log into Pinnacle without using password authentication. A set of two files has to be present on the SSH client computer:

  • SSH private key (key-ed25519)
  • SSH public certificate (key-ed25519-cert.pub)

Both files are generated automatically on the Pinnacle cluster and stored in $HOME/.ssh/certs directory for each user.

Downloading the SSH Certificate file pair

To download the SSH certificate file pair:

  • In the main menu at the top select: Files→SSH Certificate Update

  • Select check boxes next to both of the listed filesand at the top click the Download button.
  • On Linux and MacOS machines make sure the file permissions for the SSH private key (key-ed25519) are read only for the owner (400):
pawel@dia:~/Downloads$ chmod 400 key-ed25519
pawel@dia:~/Downloads$ ls -l key-ed25519
-r-------- 1 pawel pawel 399 May 19 05:34 key-ed25519
pawel@dia:~/Downloads$

Logging into Pinnacle using SSH Certificates

SSH client allows users to pass an identity file to the ssh server. On a Linux or MacOS machine include -i <SSH private key> to the ssh command:

pawel@dia:~/Downloads$ ls -l key*
-r-------- 1 pawel pawel  399 May 19 05:34 key-ed25519
-rw-rw-r-- 1 pawel pawel 1227 Aug 21 16:11 key-ed25519-cert.pub
pawel@dia:~/Downloads$ ssh -i key-ed25519 pwolinsk@arp-ood.hpc.uark.edu

      Arkansas High Performance Computing Center
 

      SSH access only using timed certificates. 
      Download your <private_key>/<certificate> pair by logging into

      http://arp-ood.hpc.uark.edu   Files->SSH Certificate Update

      chmod 400 <private_key>
      ssh -i <private_key> <username>@arp-ood.hpc.uark.edu


Arkansas Research Platform

Last login: Mon Aug 21 15:08:50 2023 from 167.224.147.47
ood-rocky:pwolinsk:~$ 

Certificate Validity Period

The SSH private key (key-ed25519), once generated and downloaded to the SSH client machine does not change. However, the SSH public certificate is valid for 12 hours. After that period it has to be regenerated and downloaded again to the SSH client machine (as described in the previous section).

ssh_certificates.1692652314.txt.gz · Last modified: 2023/08/21 21:11 by pwolinsk