COMS 3157 Advanced Programming

SSH Keys

This is not required material

SSH keys allow you to log on to a remote server (like CLAC!) using a public-key cryptosystem for authentication. This allows you to log on without typing your password!

In a public-key cryptosystem your local machine has an encrypted private key (which should be kept secret) while the server has a corresponding encrypted public key. This keypair lets you log in securely without a password. These keys are traditionally encrypted using RSA encryption, but in recent years a newer encryption algorithm, Ed25519, has gained in popularity.

Generating ssh keys

We recommend Github’s SSH key guide. You should follow the steps up to (but not including) the section titled “Generating a new SSH key for a hardware security key”.

Please note the following:

• Make sure to choose the version corresponding to your local machine’s operating system.
• All commands in the guide should be run on your local machine
  • Your keys should be generated on your local machine so that you can reuse your public key on multiple servers, including CLAC
• When the ssh-keygen command prompts you for a password, you should leave it blank (unless you know what you’re doing)
• If your machine does not support the Ed25519 algorithm, you can use the RSA algorithm, as specified in the guide.

Copying your public key to CLAC

Once you have created your keypair, you’ll need to copy your public key over to CLAC, using the following command. Make sure you replace your uni in the commands below and note that it will prompt you for your password.

Replace the public key path with your own path (most likely something like ~/.ssh) and make sure you are copying over id_ed25519.pub

ssh-copy-id -i ~/.ssh/id_ed25519.pub uni@clac.cs.columbia.edu

If you do not have the ssh-copy-id command on your system you can run the following command to copy the public key over:

cat ~/.ssh/id_ed25519.pub | ssh uni@clac.cs.columbia.edu “mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys”

Again, if you created an RSA keypair instead of an Ed25519 keypair, replace all instances of ‘ed25519’ with ‘rsa’.

Now you should be able to type ssh uni@clac.cs.columbia.edu and it will log in without requiring a password! You can copy over one public key to many computers if you are logging into many different computers/accounts from one main computer.

Setting up an ssh config file

It is also recommended to set up a config file for ssh on your local machine. This config file will allow you to use ssh clac as a shorthand to ssh into your CLAC account. In addition, this will allow commands built on top of the SSH protocol (such as SFTP and rsync) to authenticate using your SSH keys instead of a password.

Please add the following lines to a file called config in your ~/.ssh directory (on your local machine):

Host clac
  HostName clac.cs.columbia.edu
  User <your-UNI-here> 
  AddKeysToAgent yes

The AddKeysToAgent option tells your local computer to add any keys you have to its ssh-agent which is a program used to determine which keys can be used as authentication when ssh-ing.

As always, feel free to stop by during office hours or start a thread on the listserv if you want help setting any of this up.