SSH Keys

Note: This is not required material.

SSH keys allow you to log on to a remote server (like CLAC) without typing your password, using public-key cryptography.

Under a public-key cryptosystem, you will generate two keys: a private key (which should be kept secret) that is kept on your local machine, and a public key (that may be publicly shared) that is stored on CLAC. When you log in, the server will use your public key to issue a challenge that only your private key can solve. This system is secure enough to supersede the need for typing in your password.

This keypair lets you log in securely without a password. Traditionally, these keys have been RSA keys, but in recent years a newer algorithm, Ed25519, has gained in popularity.

Generating SSH keys

We recommend GitHub’s SSH key guide. You should follow the steps up to (but not including) the section titled “Generating a new SSH key for a hardware security key”.

Please note the following:

  • Make sure to read the version of the guide corresponding to your local machine’s operating system (i.e., Mac, Windows, or Linux).
  • All commands in the guide should be run on your local machine. Your keys should be generated on your local machine so that you can reuse your public key on multiple servers, including CLAC.
  • When ssh-keygen asks you which file to save the key as, we recommend leaving the prompt blank to use the default path.
  • When ssh-keygen prompts you for a passphrase, we recommend leaving it blank (unless you already know what you’re doing); a blank passphrase means the private key file is stored unencrypted on your machine.
  • If your machine does not support the Ed25519 algorithm, you can use the RSA algorithm, as specified in the guide.

Copying your public key to CLAC

Once you have created your key pair, you’ll need to copy your public key over to CLAC, using the following command:

ssh-copy-id -i ~/.ssh/id_ed25519.pub UNI@clac.cs.columbia.edu

If the ssh-copy-id command is not available on your local machine, you can instead run the following command to copy your key to CLAC:

cat ~/.ssh/id_ed25519.pub | ssh UNI@clac.cs.columbia.edu "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

Make sure you replace UNI with your own UNI in the commands shown, and adjust the key path (~/.ssh/id_ed25519.pub) if you didn’t use the default suggestion.

Also note that you should still be prompted for your CLAC password when you run either of these commands. You should type that in just as if you were logging into CLAC normally.

Now you should be able to run ssh UNI@clac.cs.columbia.edu and log in without a password! Using the same command, you can also copy the same public key to other UNIX-based servers.
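The manual fallback command appends the key unconditionally: running it twice leaves a duplicate line, and it does not set the permissions that sshd expects on ~/.ssh and authorized_keys. The following shell function is an added example, not part of the original guide, that performs the server-side step with those checks; the name install_pubkey and the sample key line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the course page. install_pubkey is a hypothetical
# helper: it does what the remote half of the manual copy command does, but
# validates the input, fixes permissions, and never appends a duplicate.

# install_pubkey PUBKEY_FILE [SSH_DIR]   (SSH_DIR defaults to ~/.ssh)
install_pubkey() {
    pub=$1
    dir=${2:-"$HOME/.ssh"}
    auth="$dir/authorized_keys"

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # A public key is a single line; read only the first one.
    key=
    IFS= read -r key < "$pub" || [ -n "$key" ] || return 1

    # Accept only lines that begin with a public key type. This rejects a
    # private key (-----BEGIN OPENSSH PRIVATE KEY-----) passed by mistake.
    case $key in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *) ;;
        *) echo "$pub does not look like a public key" >&2; return 1 ;;
    esac

    # With StrictModes (the sshd default) the server ignores authorized_keys
    # if the file or ~/.ssh is writable by group or others.
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Append only when this exact line is not already present.
    grep -qxF -e "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
}

# Try it in a scratch directory: sh this_file demo
if [ "${1:-}" = demo ]; then
    scratch=$(mktemp -d)
    # Constructed sample key line, not a real key.
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleOnly uni@laptop' > "$scratch/id.pub"
    install_pubkey "$scratch/id.pub" "$scratch/.ssh"
    install_pubkey "$scratch/id.pub" "$scratch/.ssh"
    wc -l < "$scratch/.ssh/authorized_keys"
    rm -rf "$scratch"
fi
```

ssh-copy-id already takes care of these details, so this matters only when you fall back to the manual command.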

Setting up an SSH config file

We also recommend setting up an SSH config file on your local machine. It will allow you to use ssh clac as shorthand, instead of having to type out your UNI and CLAC’s full hostname each time. Other commands built on top of SSH, such as SFTP and rsync, will also pick up your configuration and no longer require passwords.

To set up your SSH config, add the following lines to ~/.ssh/config on your local machine:

Host clac
  HostName clac.cs.columbia.edu
  User UNI
  AddKeysToAgent yes

The AddKeysToAgent option tells ssh to add a key to your local ssh-agent when the key is first used. ssh-agent is a program that holds your keys in memory so that they can be used for SSH authentication.

Feel free to stop by during office hours or start a thread on the listserv if you want help setting any of this up.


Acknowledgements

This guide was originally written by Maÿlis Whetsel and Tal Zussman.

Maÿlis Whetsel and John Hui adapted it for the web in Spring 2022.

Last updated: 2022-08-31