Instructions on setting up SSH key based authentication

For the Big Exercise 2 you will need to set up SSH key based authentication on the Ukko cluster. The exercise requires you to start python programs remotely in an automated fashion, which is not going to happen if logging in requires user interaction (i.e. typing in a password).

The exercise is required to run on the Ukko cluster. A more detailed description of the cluster can be found here: https://www.cs.helsinki.fi/en/compfac/high-performance-cluster-ukko. Note that some of the Ukko nodes are reserved for research groups. These nodes give a password prompt, but do not allow login. So if your password doesn't seem to work, try a different node. Some nodes may also be down or under maintenance. There's a status report (hpc-report.txt) link on the cluster description page linked above. From there you can find nodes that are running and available for you purpose (stat = "cs", Everyone with cs account can access host). Also note that "Needs restart" in the end of a line doesn't prevent you from using that node.

1. Creating a key for you

Start by logging in to one of the Ukko nodes. Create a SSH public/private key pair with the following command:

$ ssh-keygen

For longer (and stronger) keys you can give the command different parameters, such as the key length with -b and cipher type with -t. For further details see the man page for ssh-keygen.

Ssh-keygen will ask you for the file into which the key will be saved and a passphrase. The passphrase is an extra layer of security for the key. It can be left empty, but it is strongly recommended to be set. A passphrase is key specific, and it is completely decoupled from your CS or AD login credentials.

2. Setting the keys up

After the key is generated your key is by default stored in ~/.ssh/id_rsa. That is your private key. Besides it there is also a file called id_rsa.pub, which is your public key. Your public key is the one that you copy to the remote hosts you want to login to. In our case, since you are already logged in on an Ukko node, and all the Ukko nodes share the same home directory, you can copy the public key to its correct location locally. The following command will append your public key to your Ukko-wide home directory:

$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

At this point you should be able to login to any available Ukko node by just typing in your passphrase. This is good, but not yet enough.

3. ssh-agent to the rescue

Ssh-agent is an additional piece of software which task is to provide your passphrase for SSH authentication whenever it's required. By default it is not running on CS linux systems so we need to start it manually. On the same Ukko node where you created your keys earlier, execute the following command:

$ eval $(ssh-agent)

The command returns the agent process id and leaves it running in the background. Next we can add your passphrase to the agent. After executing the following:

$ ssh-add

you should be prompted for you passphrase. Type it in and you are set. Try it out by logging to some other Ukko node, and you should not be prompted for a passphrase, nor a password.

4. Other remarks

Since ssh-agent is not started automatically you are going to have to repeat step 3. of this instructional after every time you login to your Ukko node and intend to run you Big Exercise 2. It can be automatically started from e.g. your ~/.profile file on login, but because of security reasons we cannot exactly recommend it to everyone. If despite this you're willing to do so, then further instructions can be found online.

When logging from one ukko node to another one always use the full host address, e.g. "ukko042.hpc.cs.helsinki.fi". The nodes do have aliases (e.g. "ukko042"), but you're likely to encounter warnings regarding ECDSA key differences when using them.