Log in without Password

These instructions explains how to set up your local computer such that you can log into the compute cluster, or copy files to and from the cluster, without having to enter your password each time.

Instruction

In summary, the steps are:

On your local computer: Generate private-public key pair
On the cluster: Add public key
On your local computer: Verify password-free access
On your local computer: Edit ~/.ssh/config for setting default SSH options per remote host/server

Expected time: < 10 minutes.

These instructions are primarily written for Linux, macOS, and Windows 10 users. If you are on a pre-Windows 10, using the PuTTY SSH client, the overall idea is similar. Please consult the PuTTY user forums for further instructions.

Step 1: Generate private-public SSH key pair (on local machine)

On your local machine, open a terminal. If missing, create a private ~/.ssh/ folder:

{local}$ mkdir ~/.ssh
{local}$ chmod u=rwx,go= ~/.ssh
{local}$ stat --format=%A ~/.ssh
drwx------

Explanation: The above chmod settings specify that you as a user (u) have read (r) and write (w) permissions for this directory. In addition, you have executable (x) permission, which also means you can set it as your working directory. Continuing, the settings also specify that other users in your group (g) as well as all other (o) users on the system have no access at all (empty permission). The stat output, which confirms this, consists of four parts: d tells us it is a directory, rw- specifies the permission for the user (u), and the following --- and --- specifies the permissions for the group (g), and all others (o), respectively.

Next, we will generate a private-public SSH key pair (stored in two files) that is unique for accessing the cluster:

{local}$ cd ~/.ssh   ## <== IMPORTANT
{local}$ ssh-keygen -f laptop_to_wynton
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in laptop_to_wynton
Your public key has been saved in laptop_to_wynton.pub.
he key fingerprint is:
SHA256:2MpJL+I6rQbfhvLZAyC6fa6Y40yZhwG+FYOiHCQ94Fw alice@my_laptop
The key\'s randomart image is:
+---[RSA 2048]----+
|o+ E             |
|= =              |
|o= +             |
|O . o  o         |
|+= .  o S        |
|o O  o +         |
| @ *. = .        |
|*oB+*. .         |
|+B*O+.           |
+----[SHA256]-----+

If you specify a passphrase, your local operating system will ask for the passphrase the first time you try to log in to the cluster. All other login attempts will be passphrase (and password) free (until you reboot the machine). This should work out of the box on macOS and most Linux distributions - on Windows you need to set up your SSH agent manually (or use an empty passphrase). If you choose to use an empty passphrase, make sure that your machine is safe and uses a highly secure local login password.

The public key you can safely share with the world, but treat your private key as a password; anyone who has access to it will have access to your account if it does not have a passphrase!

Step 2: Add the public SSH key (on cluster)

Next, we will set up the cluster to recognize your public SSH key. For this we will have to log in to the cluster.

First, assuming your cluster user name is alice, copy the public key file to ~/.ssh on the cluster:

{local}$ scp ~/.ssh/laptop_to_wynton.pub alice@log2.wynton.ucsf.edu:.ssh/
laptop_to_wynton.pub           100%  390     0.4KB/s   00:00

Second, log into the cluster (still using a password) and append the public key to ~/.ssh/authorized_keys:

{local}$ ssh -o PreferredAuthentications=password alice@log2.wynton.ucsf.edu
alice1@169.230.134.15\'s password: XXXXXXXXXXXXXXXXXXX
[alice@wynlog2 ~]$ cd .ssh
[alice@wynlog2 .ssh]$ cat laptop_to_wynton.pub >> authorized_keys

Third, make sure that ~/.ssh/authorized_keys is only accessible to you (otherwise that file will be completely ignored);

[alice@wynlog2 .ssh]$ chmod u=rw,go= ~/.ssh/authorized_keys
[alice@wynlog2 .ssh]$ stat --format=%A ~/.ssh/authorized_keys
-rw-------

Lastly, log out from the cluster:

[alice@wynlog2 .ssh]$ exit
{local}$ 

Step 3: Test

You should now be able to log into the cluster from your local computer without having to enter the cluster password. Try the following:

{local}$ ssh -o PreferredAuthentications=publickey -o IdentitiesOnly=yes -i ~/.ssh/laptop_to_wynton alice@log2.wynton.ucsf.edu
[alice@wynlog2 ~]$ 

You will be asked to enter your passphrase, if you chose one above.

If you get

Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

then make sure you use the correct user name and that the file permissions on ~/.ssh are correct on your local machine (see Step 1). If it still does not work, check the ~/.ssh permissions on the cluster (analogously to Step 1).

The reason why we use -o PreferredAuthentications=publickey -o IdentitiesOnly=yes in the above test, is so that we can make sure no alternative login mechanisms than our SSH keypair are in play. After having validated the above, these options can be dropped and you can now use:

{local}$ ssh -i ~/.ssh/laptop_to_wynton alice@log2.wynton.ucsf.edu
[alice@wynlog2 ~]$ 

Step 4: Avoid having to specify SSH option `-i` (on local machine)

It is rather tedious having to specify what private key file to use (-i ~/.ssh/laptop_to_wynton) each time you use SSH. As a last step, we will set the default options for alice@log2.wynton.ucsf.edu. On your local machine, add the following entry to ~/.ssh/config (if you don’t have the file, create it):

Host log2.wynton.ucsf.edu
  User alice
  IdentityFile ~/.ssh/laptop_to_wynton

With all of the above, you should now be able to log in to the cluster using: