Configuring SSH Key Pairs for Cluster Access

This page provides general instructions for producing and configuring SSH key pairs for authenticating to OrangeGrid and Zest. 

In most cases, users can authenticate to their desired cluster node with a NetID/password combination. However, SSH key pairs, once configured, offer several key benefits, including the elimination of passwords, which reduces the risk of credential theft, and the cryptographic strength of the keys themselves.

Secure Connection Required

Note that SSH connections, including those utilizing SSH key pairs, require a campus or secure connection (when off campus). Additional details about each cluster, including details for connecting off-campus, are available on the OrangeGrid (OG) | HT Condor and Zest | Slurm support pages. 

Head Node Code Execution

OrangeGrid and Zest are not intended to be used as a development environment. Activities on the cluster should be limited to submitting jobs, doing light editing with a text editor such as nano or vim, and running small tests that use a single core for no more than a few minutes. Avoid running code and processes directly on the node you are connected to as this can interfere with other users and, in some cases, impact the whole cluster. 

Generating and Configuring SSH Key Pairs

Follow the steps below to configure a new SSH key pair in anticipation of accessing a cluster with SSH. Once you have generated and configured your SSH key pair for the cluster, you do not have to repeat these steps each time.

Note: These instructions are written generally for OpenSSH. Some programs, such as VS Code, are not compatible with this configuration when using alternative SSH solutions like PuTTY.

Step 1 - Generate SSH Key Pair

First, you'll need to create and configure an SSH key pair for each node you'll be connecting to. Key pairs are a secure way to connect.

Open a Terminal

Open a terminal based on your operating system.

  • Windows - Command Prompt (CMD) or Git Bash
  • MacOS or Linux - Terminal/Shell

Generate the SSH Key Pair

In the terminal, generate your SSH key pair with the following command. Be sure to give the key pair a comment that allows you to identify it. This could be your email address, netid, cluster name, etc.

Generate SSH Key Pair
# CMD 
ssh-keygen -o -a 100 -t ed25519 -f %USERPROFILE%\.ssh\id_ed25519 -C "<comment; ex.netid or email cluster-name>"

# Shell
ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/id_ed25519 -C "<comment; ex.netid or email cluster-name>"

Next, you'll be prompted to choose a location to save the key pair. This will default to '~/.ssh/id_ed25519'. Be sure to note the location if you choose another one.

Finally, you will be prompted to set a passphrase. While this is not 'required', using a passphrase is highly encouraged to help keep your private key secure. If you prefer not to, simply press 'Enter' to skip.

Keeping Your Private Key Secure

Users should take all possible steps to secure their private keys, including use of a passphrase. Additionally, users should avoid sharing their private key or passphrase with others, keep their keys only in secure storage locations, and consider rotating their SSH keys, updating the authorized keys on their connections as they do, to limit the impact in the event of compromise.
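
A local check related to the advice above, as an added example that is not part of the original page: the hypothetical function check_private_key reports whether a key file is accessible only by its owner and whether it is passphrase-protected. It assumes the OpenSSH private key format that ssh-keygen writes for ed25519 keys, whose body starts with the magic string openssh-key-v1 followed by the cipher name (none when no passphrase is set).

```shell
# Added example, not from the original page. check_private_key is a hypothetical name.
# Usage: check_private_key ~/.ssh/id_ed25519
# Returns 0 only if the key is owner-only and passphrase-protected,
# 1 if a check fails, 2 if the file does not exist.
check_private_key() {
    keyfile=$1
    rc=0
    [ -f "$keyfile" ] || { echo "missing: $keyfile" >&2; return 2; }

    # Characters 5-10 of the ls mode string are the group and other bits.
    # OpenSSH ignores a private key that group or other can access.
    perms=$(ls -l "$keyfile" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: group/other can access $keyfile (fix: chmod 600)"
        rc=1
    fi

    # Line 1 is the PEM-style header, line 2 the start of the base64 body.
    # tr strips carriage returns in case the file was saved with CRLF endings.
    first=$(sed -n '1p' "$keyfile" | tr -d '\r')
    body=$(sed -n '2p' "$keyfile" | tr -d '\r')
    if [ "$first" != "-----BEGIN OPENSSH PRIVATE KEY-----" ]; then
        echo "FAIL: $keyfile is not an OpenSSH-format private key"
        return 1
    fi
    case $body in
        # base64 of "openssh-key-v1\0" + length 4 + "none": cipher is none
        b3BlbnNzaC1rZXktdjEAAAAABG5vbmU*)
            echo "FAIL: $keyfile has no passphrase (fix: ssh-keygen -p -f $keyfile)"
            rc=1 ;;
        # Same magic string followed by any other cipher name: encrypted
        b3BlbnNzaC1rZXktdjEA*)
            echo "OK: $keyfile is passphrase-protected" ;;
        *)
            echo "FAIL: unrecognised key body in $keyfile"
            rc=1 ;;
    esac
    return $rc
}
```

The check reads only the first two lines of the file and never prompts for or handles the passphrase itself.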

Step 2 - Add the SSH Public Key to the Cluster

Next, you'll need to add the public key to each node you intend to connect to using this method. Note that you can certainly generate a new key for each node.

Copy the Public Key

Begin by displaying and copying your key. To do so, use the terminal for your operating system to display the public key so that you can copy it.

Display SSH Key Pair
# CMD
type %USERPROFILE%\.ssh\id_ed25519.pub

# Shell
cat ~/.ssh/id_ed25519.pub

Add the Public Key to the Login Node

Next, connect to the cluster and add the public key. Repeat this step for other nodes as needed. 

Add SSH Key Pair to Cluster
# Make the .ssh directory in your home directory (if necessary)
mkdir -p ~/.ssh

# Put the copied public key into your authorized_keys file
echo "your_copied_public_key" >> ~/.ssh/authorized_keys

# Ensure the .ssh locations have the correct permissions
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
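
One way to script Step 2 so that it can be re-run safely, as an added example that is not part of the original page: the hypothetical function install_pubkey rejects input that is not a single OpenSSH public key line (including a private key pasted by mistake), skips a key that is already authorized, and applies the same 700/600 permissions. The list of accepted key types is this example's own allowlist.

```shell
# Added example, not from the original page. install_pubkey is a hypothetical name.
# Usage on the cluster: install_pubkey 'ssh-ed25519 AAAA... netid cluster-name'
# Optional 2nd argument: home directory to operate on (defaults to $HOME).
install_pubkey() {
    key=$1
    home=${2:-$HOME}
    auth="$home/.ssh/authorized_keys"
    nl='
'
    # Refuse private key material pasted by mistake, and multi-line input.
    case $key in
        *"PRIVATE KEY"*) echo "refused: that is a private key" >&2; return 1 ;;
        *"$nl"*) echo "refused: a public key is a single line" >&2; return 1 ;;
    esac
    # Accept only "<type> <base64 blob> [comment]" with a known key type.
    ktype=${key%% *}
    rest=${key#* }
    blob=${rest%% *}
    case $ktype in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "refused: unknown key type '$ktype'" >&2; return 1 ;;
    esac
    case $blob in
        AAAA*) ;;
        *) echo "refused: missing key data" >&2; return 1 ;;
    esac
    # Create the directory and file owner-only from the start, then enforce modes.
    ( umask 077; mkdir -p "$home/.ssh" && touch "$auth" ) || return 1
    chmod 700 "$home/.ssh" && chmod 600 "$auth" || return 1
    # Skip the append if this exact type and blob are already authorized
    # (the comment may differ, and the line may carry leading options).
    if awk -v t="$ktype" -v b="$blob" '
        { for (i = 1; i < NF; i++) if ($i == t && $(i + 1) == b) found = 1 }
        END { exit !found }' "$auth"; then
        return 0
    fi
    printf '%s\n' "$key" >> "$auth"
}
```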

Step 3 - Configure SSH Connection in Applications (if necessary)

Lastly, you'll need to ensure your application is configured to make the SSH connection utilizing your new or existing SSH key pair. 

Either at the connection prompt or when configuring your application, you'll need to know where your SSH configuration is saved. This is likely '~/.ssh/config' or 'C:\Users\<netid>\.ssh\config'.

Next, be sure the entry for your host includes the appropriate settings, including the location of the SSH key to be used.

Example SSH Config File
# Example Global Settings for All Hosts
Host *
    User <your-netid>
    IdentityFile <your key location, ex. ~/.ssh/id_ed25519>
    AddKeysToAgent yes
    # ForwardAgent lets the remote host use your local ssh-agent while you
    # are connected; enable it only for hosts you trust
    ForwardAgent yes
    ServerAliveInterval 180
    ServerAliveCountMax 3
    Protocol 2

# Example Specific Settings for an OrangeGrid and Zest Host
Host its-og-login1.syr.edu its-zest-login1.syr.edu
    # %h expands to the host name given on the command line
    HostName %h
    User <your-netid>
    IdentityFile <your key location, ex. ~/.ssh/id_ed25519>
    AddKeysToAgent yes
    ForwardAgent yes
    ServerAliveInterval 180
    ServerAliveCountMax 3
    Protocol 2

# Example Adding Bastion Proxy Jump (Bastion access required)
Host its-condor-t1
    HostName its-condor-t1.syr.edu
    User <your-netid>

Host its-og-login1.syr.edu
    HostName its-og-login1.syr.edu
    User <your-netid>
    ProxyJump its-condor-t1

Be sure to save any configuration files if you've made any changes. 

Step 4 - Connect to the SSH Host

Finally, connect to your host. This should be done either in your application as configured above or via CMD/CLI as in the examples below.

Note that the passphrase will be needed at least once per session, and you may be prompted at additional intervals depending on your ssh-agent.

Connect to SSH Host
# Example Basic Connection
ssh <your-netid>@its-og-login1.syr.edu

# Example Bastion Proxy Direct Connection (Bastion access required)
ssh -J <your-netid>@its-condor-t1.syr.edu <your-netid>@its-og-login1.syr.edu

Getting Help

Need Help? Any questions about using the instructions on this page or about acquiring research computing resources can be directed to researchcomputing@syr.edu.