License : Creative Commons Attribution 4.0 International (CC BY-NC-SA 4.0)
Copyright : Jérémy Fix, CentraleSupelec
Last modified : April 27, 2024 02:04
Link to the source : index.md

SSH Keys for negotiating with servers

Forewords

When you want to log on to services that require you to authenticate yourself, there are several alternatives. One is password-based authentication; another, described below, is public key based authentication.

In password-based authentication, you send your password, sometimes in plain text (as is the case for unsecured protocols such as http), sometimes encrypted (as is the case for secured protocols such as https). This password is matched against the one stored on the server you connect to, and if they match, you are granted access.

Public key authentication relies on a pair of so-called keys, which are nothing more than sequences of bits (say 2048 or 4096 bits, for example). We call them the public key and the private key. The private key is your secret and must not be shared with anyone: it is the element used to prove that you are who you claim to be. The public key is the key you can freely share (post it on your website, attach it to your emails, add it to your github/gitlab/… profiles). In fact, if you want to use public key authentication, you must explicitly share the public key with the service on which you want to authenticate.

Now, how do you get authenticated with public key authentication? Let us explain it in simple terms. Suppose Bob wants to prove his identity to Alice. Beforehand, we suppose that Bob sent his public key to Alice. Bob sends Alice the message “I’m Bob”. In response, Alice generates a message and encrypts it with the public key of Bob that she possesses. In addition to her message, she may send her public key to Bob. Bob receives the message and decrypts it with his private key (which he is supposed to be the only one to possess!). He then encrypts the message he decrypted with Alice's public key and sends it back to her. Alice decrypts it with her own private key and, if both messages match, Bob is Bob.

Generating your keys

When you have to authenticate yourself to servers such as file servers, gitlab, github, … you can type in your password all the time, but there are two issues. The first is that your password, even if encrypted, is sent to the server every time. The second is that you have to type your password every time. Let us see together how to set up an SSH key for secure communications.

An ssh key is a password-protected file which contains a sequence of characters. That password is requested, roughly once per session, by your ssh-agent, but you do not have to bother about this for now.

To create an ssh key (in case you want to tag your key with a specific comment, you can add -C "a comment to tag my key" to the following command):

mylogin@mymachine:~$ ssh-keygen -t rsa -b 4096

You will be asked for a password: that is the password that will allow you to unlock the key (in some specific cases, you can leave this field empty, but that is not recommended [1]) and that you will have to remember. The ssh-keygen command generates two files, ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub, which are respectively the private key and the public key.

You can share one of these two files with external services… but you should never share both, and by convention the private key must stay private. Easy enough, right?

Registering your public key

On the CentraleSupelec fileservers

To use your ssh keys with the CentraleSupélec servers, you need to copy your public key [2] onto them. These servers will use your public key to authenticate you (given you are the only one to have the private key). Depending on the type of account you have, the key needs to be copied onto a different server:

Once you know on which SERVER to copy the key, you can run the command:

mylogin@mymachine:~$ ssh-copy-id logincentralesupelec@SERVER

and if you now open an SSH connection to SERVER, you should be asked for your SSH key password, not the password of your account.

mylogin@mymachine:~$ ssh logincentralesupelec@SERVER

If you close the SSH connection and open a new one, ta-da, you are not asked for your password anymore. If you are still asked for your password, it means the ssh-agent is not running correctly.
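What ssh-copy-id does under the hood (see note 2), as an added example that is not part of the original page: the function below reproduces it by hand, to be run on the server after you have transferred id_rsa.pub there, and it also sets the file permissions sshd insists on and avoids appending the same key twice. The name install_pubkey and its two parameters are this example's own.

```shell
# Added example, not from the original page: a manual, idempotent equivalent of
# ssh-copy-id. Run it on the server once id_rsa.pub has been transferred there.
# Usage: install_pubkey /path/to/id_rsa.pub [/path/to/authorized_keys]
install_pubkey() {
    pubkey_file="$1"
    auth_keys="${2:-$HOME/.ssh/authorized_keys}"
    ssh_dir=$(dirname "$auth_keys")

    # A public key line looks like "<type> <base64 blob> [comment]".
    # The first two fields identify the key; the comment may legitimately differ.
    key_id=$(awk 'NR==1 {print $1" "$2}' "$pubkey_file")
    [ -n "$key_id" ] || { echo "no key found in $pubkey_file" >&2; return 1; }

    # sshd ignores authorized_keys if the directory or file is writable by others.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_keys"
    chmod 600 "$auth_keys"

    # Do not append a key that is already registered.
    if awk '{print $1" "$2}' "$auth_keys" | grep -qxF -- "$key_id"; then
        echo "key already present in $auth_keys"
        return 0
    fi
    head -n 1 "$pubkey_file" >> "$auth_keys"
    echo "key added to $auth_keys"
}
```

The key type and base64 blob are compared as a fixed string, so a key is recognised as already present even if it was registered with a different comment.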

For github or gitlabs

If you want to register your key on your www.github.com account, go to Profile / Personal settings / SSH and GPG keys and you can copy/paste your public key.

If you want to register your key on your Gitlab (either gitlab.com, gitlab-student.centralesupelec.fr or gitlab-research.centralesupelec.fr), go to Profile / Settings / SSH Keys and copy/paste your public key.

After registering on github or gitlab, you can clone the repositories using Clone with SSH.

Troubleshooting

It keeps asking me for my password despite having set up my ssh key

It happens from time to time, on different systems (MacOS, Windows WSL), that the password keeps being asked even though you correctly set up your ssh key. In that case, a hack is to manually register your ssh key with the ssh-agent by issuing the following commands:

mylogin@mymachine:~$ eval `ssh-agent`
mylogin@mymachine:~$ ssh-add ~/.ssh/id_rsa

With the last command, you have to fill in your ssh key passphrase, and after that you should not be asked for your password anymore. You can check by opening an ssh connection to an access node of the cluster: it should not ask for your password anymore. Otherwise, you have another issue and you should let us know.

Registering new hosts for easy ssh access

If you need to log on to a machine that is possibly behind some proxies (a firewall or so), it can be cumbersome to type in all the individual ssh commands. Fortunately, you can define aliases for ssh in your ~/.ssh/config file.

Suppose that to connect to a machine called kyle68 I would first need to connect to a machine called phome, and that my login is chou_mich; here is the content I would add to my ~/.ssh/config file:

Host kyle68
    hostname kyle68
    port 22
    user chou_mich
    ProxyCommand ssh chou_mich@phome.metz.supelec.fr -W %h:%p

You can now log in by typing directly:

mylogin@mymachine:~$ ssh kyle68

Storing your passwords securely with password store

We all have thousands of passwords to remember. Every single online service requests a new account and a new password, and nobody can remember them all, especially if you want to have secure passwords.

I advise you to have a look at GNU Pass. It is really fantastic: your passwords are stored encrypted on your drive using a GPG key and can be saved in a remote git repository (hopefully private); it can generate passwords on the fly and can be easily browsed.


  1. With an empty password, someone getting access to your private key can steal your identity

  2. The ssh-copy-id command simply appends your key to the remote file ~/.ssh/authorized_keys

Jérémy Fix,