SSH Certificate Access

SSH certificates can be used to log into Pinnacle without using password authentication. A set of two files has to be present on the SSH client computer: the SSH private key (key-ed25519) and the SSH public certificate (key-ed25519-cert.pub).

Both files are generated automatically on the Pinnacle cluster and stored in the $HOME/.ssh/certs directory for each user.

Downloading the SSH Certificate file pair

To download the SSH certificate file pair:

1. Log into https://arp-ood.hpc.uark.edu

2. In the main menu at the top select: Files→SSH Certificate Update

3. Select the check boxes next to both of the listed files and click the Download button at the top.

4. On Linux and macOS machines, make sure the SSH private key (key-ed25519) is readable only by its owner (mode 400). ssh refuses to use a private key file that other users can read:

pawel@dia:~/Downloads$ chmod 400 key-ed25519
pawel@dia:~/Downloads$ ls -l key-ed25519
-r-------- 1 pawel pawel 399 May 19 05:34 key-ed25519
pawel@dia:~/Downloads$

Logging into Pinnacle using SSH Certificates

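The SSH client lets users specify an identity file to authenticate to the SSH server. On a Linux or macOS machine, add -i <SSH private key> to the ssh command and run it from the directory containing the SSH certificate file pair. ssh automatically looks for the matching certificate in a file with the same name plus -cert.pub, which is why both files have to be kept together: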

pawel@dia:~/Downloads$ ls -l key*
-r-------- 1 pawel pawel  399 May 19 05:34 key-ed25519
-rw-rw-r-- 1 pawel pawel 1227 Aug 21 16:11 key-ed25519-cert.pub
pawel@dia:~/Downloads$ ssh -i key-ed25519 pwolinsk@arp-ood.hpc.uark.edu

      Arkansas High Performance Computing Center
 

      SSH access only using timed certificates. 
      Download your <private_key>/<certificate> pair by logging into

      http://arp-ood.hpc.uark.edu   Files->SSH Certificate Update

      chmod 400 <private_key>
      ssh -i <private_key> <username>@arp-ood.hpc.uark.edu


Arkansas Research Platform

Last login: Mon Aug 21 15:08:50 2023 from 167.224.147.47
ood-rocky:pwolinsk:~$ 

On Windows, SSH clients (including GUI clients) may use a different syntax for specifying an identity file. Please see the documentation for your particular SSH client.

Certificate Validity Period

The SSH private key (key-ed25519), once generated and downloaded to the SSH client machine, does not change. However, the SSH public certificate expires every Monday at 8 am CST. After that time it has to be regenerated and downloaded again to the SSH client machine (as described above in Downloading the SSH Certificate file pair).
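
To find out whether the downloaded certificate has already passed its weekly expiry before a login fails, the script below parses the Valid: line printed by ssh-keygen -L -f key-ed25519-cert.pub. It is an added example, not part of the original page; the function names and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example: report whether an SSH user certificate is still valid.
# Function names and SAMPLE are constructed for illustration.

# Constructed sample of `ssh-keygen -L -f key-ed25519-cert.pub` output (trimmed).
SAMPLE='key-ed25519-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Key ID: "pwolinsk"
        Valid: from 2023-08-21T16:11:00 to 2023-08-28T08:00:00
        Principals:
                pwolinsk'

# cert_expiry: read `ssh-keygen -L` output on stdin and print the expiry
# timestamp, or "forever" when the certificate has no end date.
cert_expiry() {
    awk '$1 == "Valid:" {
        if ($2 == "forever" || $2 == "after") print "forever"
        else print $NF      # "from X to Y" and "before Y" both end in Y
        exit
    }'
}

# cert_status EXPIRY NOW: print valid, expired or unknown.
# Both timestamps are local time in YYYY-MM-DDTHH:MM:SS form, as ssh-keygen prints.
cert_status() {
    if [ -z "$1" ]; then echo unknown; return 0; fi
    if [ "$1" = forever ]; then echo valid; return 0; fi
    _exp=$(printf %s "$1" | tr -cd '0-9')   # 2023-08-28T08:00:00 -> 20230828080000
    _now=$(printf %s "$2" | tr -cd '0-9')
    if [ "$_now" -lt "$_exp" ]; then echo valid; else echo expired; fi
}

# check_cert CERT_FILE: run the check against a real certificate file.
check_cert() {
    cert_status "$(ssh-keygen -L -f "$1" | cert_expiry)" "$(date +%Y-%m-%dT%H:%M:%S)"
}

# With an argument, check that file; otherwise show the result for SAMPLE
# at a constructed "now" of Sunday evening before the Monday expiry.
if [ $# -gt 0 ]; then
    check_cert "$1"
else
    cert_status "$(printf '%s\n' "$SAMPLE" | cert_expiry)" 2023-08-27T20:00:00
fi
```

Run it with the path to key-ed25519-cert.pub as the argument; a result of expired means the file pair has to be downloaded again.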