SSH Certificates can be used to log into Pinnacle without using password authentication. A set of two files has to be present on the SSH client computer:
Both files are generated automatically on the Pinnacle cluster and stored in $HOME/.ssh/certs
directory for each user.
To download the SSH certificate file pair: 1. Log into https://arp-ood.hpc.uark.edu
2. In the main menu at the top select: Files→SSH Certificate Update
3. Select check boxes next to both of the listed filesand at the top click the Download button.
4. On Linux and MacOS machines make sure the file permissions for the SSH private key (key-ed25519) are read only for the owner (400):
pawel@dia:~/Downloads$ chmod 400 key-ed25519 pawel@dia:~/Downloads$ ls -l key-ed25519 -r-------- 1 pawel pawel 399 May 19 05:34 key-ed25519 pawel@dia:~/Downloads$
SSH client allows users to pass an identity file to the ssh server. On a Linux or MacOS machine include -i <SSH private key> to the ssh command:
pawel@dia:~/Downloads$ ls -l key* -r-------- 1 pawel pawel 399 May 19 05:34 key-ed25519 -rw-rw-r-- 1 pawel pawel 1227 Aug 21 16:11 key-ed25519-cert.pub pawel@dia:~/Downloads$ ssh -i key-ed25519 pwolinsk@arp-ood.hpc.uark.edu Arkansas High Performance Computing Center SSH access only using timed certificates. Download your <private_key>/<certificate> pair by logging into http://arp-ood.hpc.uark.edu Files->SSH Certificate Update chmod 400 <private_key> ssh -i <private_key> <username>@arp-ood.hpc.uark.edu Arkansas Research Platform Last login: Mon Aug 21 15:08:50 2023 from 167.224.147.47 ood-rocky:pwolinsk:~$
The SSH private key (key-ed25519), once generated and downloaded to the SSH client machine does not change. However, the SSH public certificate is valid for 12 hours. After that period it has to be regenerated and downloaded again to the SSH client machine (as described in the previous section).