Note: This is not required material.
SSH keys allow you to log on to a remote server (like CLAC) without typing your password, using public-key cryptography.
Under a public-key cryptosystem, you will generate two keys: a private key (which should be kept secret) that is kept on your local machine, and a public key (that may be publicly shared) that is stored on CLAC. When you log in, the server will use your public key to issue a challenge that only your private key can solve. This system is secure enough to supersede the need for typing in your password.
Under a public-key cryptographic system, your local machine has a private key (which should be kept secret) while the server has a corresponding public key. This keypair lets you log in securely without a password. Traditionally these keys are RSA keys, but in recent years a newer algorithm, Ed25519, has gained in popularity.
We recommend GitHub’s SSH key guide. You should follow the steps up to (but not including) the section titled “Generating a new SSH key for a hardware security key”.
Please note the following:
- When ssh-keygen asks you which file to save the key as, we recommend leaving the prompt blank to use the default path.
- When ssh-keygen prompts you for a password, we recommend leaving it blank (unless you already know what you’re doing).
Once you have created your key pair, you’ll need to copy your public key over to CLAC, using the following command:
ssh-copy-id -i ~/.ssh/id_ed25519.pub UNI@clac.cs.columbia.edu
If the ssh-copy-id command is not available on your local machine, you can instead run the following command to copy your key to CLAC:
cat ~/.ssh/id_ed25519.pub | ssh UNI@clac.cs.columbia.edu "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
Make sure you replace UNI with your own UNI in the commands shown, and adjust the key path (~/.ssh/id_ed25519.pub) if you didn’t use the default suggestion.
Also note that you should still be prompted for your CLAC password when you run either of these commands. You should type that in just as if you were logging into CLAC normally.
Now you should be able to run ssh UNI@clac.cs.columbia.edu and log in without a password! Using the same copy command, you can also copy the same public key to other UNIX-based servers.
We also recommend setting up an SSH config file on your local machine. It will allow you to use ssh clac as shorthand, instead of having to type out CLAC’s full hostname each time. Other commands built on top of SSH, such as SFTP and rsync, will also pick up your configuration and no longer require passwords.
To set up your SSH config, add the following lines to ~/.ssh/config on your local machine:
Host clac
  HostName clac.cs.columbia.edu
  User UNI
  AddKeysToAgent yes
The AddKeysToAgent option tells your local computer to automatically add the keys you use to its ssh-agent, a program that holds the keys available for SSH authentication.
Feel free to stop by during office hours or start a thread on the listserv if you want help setting any of this up.
This guide was originally written by Maÿlis Whetsel and Tal Zussman.
Maÿlis Whetsel and John Hui adapted it for the web in Spring 2022.
Last updated: 2022-08-31