Registration/SSH

From bwHPC Wiki
Revision as of 18:01, 1 December 2025 by M Janczyk

This guide applies ONLY to:

  • bwUniCluster 3.0
  • bwForCluster Helix
  • bwForCluster NEMO 2

On all other clusters, SSH keys are still managed via ~/.ssh/authorized_keys files.


Registering SSH Keys with your Cluster

SSH Keys allow you to log into a system without entering a password. Instead of proving your identity with something you know (a password), you prove it with something you have (a cryptographic key).

Why SSH Key Management?

On bwUniCluster 3.0, bwForCluster Helix, and bwForCluster NEMO 2, SSH keys must be managed through bwIDM/bwServices for security reasons:

  • Security enforcement: Ensures keys use strong algorithms and have limited validity (180 days)
  • Centralized management: All keys can be reviewed and revoked from one location
  • Two types available: Interactive keys (for manual logins) and Command keys (for automated workflows)

Note: Self-managed ~/.ssh/authorized_keys files are ignored on these clusters.

SSH Key Requirements

Supported Algorithms and Key Sizes

  • RSA: 2048 bits or more
  • ECDSA: 521 bits
  • ED25519: 256 bits (default, recommended)
  • ECDSA-SK / ED25519-SK: FIDO2 hardware keys (Yubikey, etc.)

Important: Always protect your private keys with a strong passphrase.
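As an added example (not part of this wiki page and not code from the bwIDM/bwServices portal), the Python script below decodes an OpenSSH public key line, the content of a .pub file, and checks it against the requirements listed above before you upload it: RSA with at least 2048 bits, ECDSA only on nistp521, ED25519, and the FIDO2 -SK variants. It also rejects a pasted private key, the mistake the ".pub only" upload note in the next section guards against. The sample keys in SAMPLE_KEYS are constructed from zero bytes and are not usable keys; the function names and verdict messages are this example's own.

```python
"""Check an OpenSSH public key line against the cluster's key requirements.

Added example for this wiki page; not bwHPC or bwIDM code, and it does not
reproduce what the registration portal itself checks.
"""
import base64
import struct

MIN_RSA_BITS = 2048                # "RSA: 2048 bits or more"
ECDSA_REQUIRED_CURVE = "nistp521"  # "ECDSA: 521 bits"
ED25519_KEY_LEN = 32               # 256-bit public key
FIDO2_TYPES = {"sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}


def _read_string(blob, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def check_pubkey_line(line):
    """Return (ok, message) for one line as found in a .pub file."""
    line = line.strip()
    if line.startswith("-----BEGIN"):
        return False, "this looks like a private key or PEM file; upload only the .pub file"
    parts = line.split()
    if len(parts) < 2:
        return False, "expected '<type> <base64 blob> [comment]'"
    key_type, encoded = parts[0], parts[1]
    try:
        blob = base64.b64decode(encoded, validate=True)
        blob_type, off = _read_string(blob, 0)
        if blob_type.decode() != key_type:
            return False, "type prefix does not match the encoded key"
        if key_type == "ssh-rsa":
            _e, off = _read_string(blob, off)   # public exponent (mpint)
            n, _ = _read_string(blob, off)      # modulus (mpint)
            bits = int.from_bytes(n, "big").bit_length()
            if bits < MIN_RSA_BITS:
                return False, f"RSA modulus is {bits} bits, need at least {MIN_RSA_BITS}"
            return True, f"RSA {bits} bits"
        if key_type.startswith("ecdsa-sha2-"):
            curve, _ = _read_string(blob, off)
            if curve.decode() != ECDSA_REQUIRED_CURVE:
                return False, f"ECDSA curve {curve.decode()} not accepted, use nistp521 (521 bits)"
            return True, "ECDSA 521 bits"
        if key_type == "ssh-ed25519":
            pub, _ = _read_string(blob, off)
            if len(pub) != ED25519_KEY_LEN:
                return False, "malformed ED25519 key"
            return True, "ED25519 256 bits"
        if key_type in FIDO2_TYPES:
            return True, f"FIDO2 hardware key ({key_type}); bwUniCluster 3.0 and NEMO 2 only"
        return False, f"algorithm {key_type} is not supported"
    except ValueError as exc:  # binascii.Error and UnicodeDecodeError are ValueErrors
        return False, f"could not parse key: {exc}"


# --- constructed sample keys (zero-filled, not real key material) ----------
def _string(b):
    return struct.pack(">I", len(b)) + b


def _mpint(n):
    """Positive mpint: big-endian, with a leading 0x00 if the high bit is set."""
    return _string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _key_line(key_type, *fields, comment="constructed@example"):
    blob = _string(key_type.encode()) + b"".join(fields)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


SAMPLE_KEYS = {
    "ed25519": _key_line("ssh-ed25519", _string(bytes(ED25519_KEY_LEN))),
    "ed25519_sk": _key_line("sk-ssh-ed25519@openssh.com",
                            _string(bytes(ED25519_KEY_LEN)), _string(b"ssh:")),
    "rsa_2048": _key_line("ssh-rsa", _mpint(65537), _mpint((1 << 2047) | 1)),
    "rsa_1024": _key_line("ssh-rsa", _mpint(65537), _mpint((1 << 1023) | 1)),
    "ecdsa_521": _key_line("ecdsa-sha2-nistp521", _string(b"nistp521"),
                           _string(b"\x04" + bytes(132))),
    "ecdsa_256": _key_line("ecdsa-sha2-nistp256", _string(b"nistp256"),
                           _string(b"\x04" + bytes(64))),
    "private": "-----BEGIN OPENSSH PRIVATE KEY-----",
}

if __name__ == "__main__":
    for name, key in SAMPLE_KEYS.items():
        ok, msg = check_pubkey_line(key)
        print(f"{name:12} {'OK    ' if ok else 'REJECT'} {msg}")
```

To check your own key, read the single line of ~/.ssh/id_ed25519.pub and pass it to check_pubkey_line; the parser only looks at the type prefix and the public blob, so the comment at the end of the line does not matter.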

FIDO2 Hardware Keys (Recommended)


FIDO2 SSH Keys (ECDSA-SK and ED25519-SK) offer the best security:

  • Always valid - no 2-factor unlock required
  • Hardware-protected - private key never leaves the device
  • Physical presence required - must touch key to authenticate

See SSH with Yubikey - Quick Start Guide for setup instructions.


FIDO2 SSH Keys currently work ONLY on:

bwUniCluster 3.0 and bwForCluster NEMO 2

NOT supported on bwForCluster Helix!

Adding a new SSH Key

  • Validity: 180 days - keys are automatically revoked after expiration
  • Upload: Only the public key file ending in .pub (e.g., ~/.ssh/id_ed25519.pub)

SSH keys are managed via the My SSH Pubkeys menu on your cluster's registration page:

1. Navigate to your cluster's SSH key management:

[Screenshot: My SSH Pubkeys page]

2. Click Add SSH Key / SSH Key Hochladen

[Screenshot: Add SSH Key button]

3. Enter key details:

  • Name: Descriptive name for your key (e.g., "laptop-work")
  • SSH Key: Paste the complete contents of your .pub file
  • Click Add / Hinzufügen

[Screenshot: Add SSH key dialog]

4. Confirmation: Your new key appears in the list

[Screenshot: SSH key successfully added]

Next step: Bind your key to a service as either an Interactive Key (manual logins) or Command Key (automated workflows).


Registering an Interactive Key

Interactive Keys are used for manual SSH logins to work on the cluster.

Key Validity and 2-Factor Authentication


Regular SSH Keys require 2-factor unlock:

  • Keys are only valid for a limited number of hours after you enter your OTP and service password
  • Once that validity period expires you must re-authenticate

FIDO2 SSH Keys (ECDSA-SK/ED25519-SK) work differently:

  • Always valid - no 2-factor unlock needed
  • Authentication via physical key touch only
  • Recommended for best security and convenience
  • Available on: bwUniCluster 3.0 and NEMO 2 only (not on Helix)

Validity periods for regular SSH keys:

  Cluster               Validity after 2FA login
  bwUniCluster 3.0      8 hours
  bwForCluster Helix    12 hours
  bwForCluster NEMO 2   12 hours

Registration Steps

1. Add your SSH key if not already done

2. Navigate to Registered Services / Registrierte Dienste → Click Set SSH Key / SSH Key setzen for your cluster

[Screenshot: Select cluster]

3. Find your key in the bottom section → Click Add / Hinzufügen

[Screenshot: Add SSH key to service]

4. Select Interactive as usage type → Add optional comment → Click Add / Hinzufügen

[Screenshot: Set as Interactive key]

5. Done! Your key is now active for interactive logins

[Screenshot: SSH key registered]

Registering a Command Key

Command Keys enable automated workflows without manual login (e.g., automated backups, data transfers).

Security Requirements

Command keys are always valid (no 2FA required): anyone holding the private key can run the bound command from an allowed address at any time, which makes them high-value targets.

Mandatory restrictions:

  • Single command: The key is bound to exactly one command, given with its full path
  • IP restriction: Use is limited to specific IP address(es) or a subnet
  • Admin approval: Keys must be reviewed before activation
  • Short validity: Maximum 30 days

Common use case: For rsync data transfers, see the rrsync wiki guide.
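The From field of a command key (step 4 below) takes address patterns in the syntax of the authorized_keys from= option described in man 8 sshd: comma-separated entries, each a single address, a CIDR subnet, or a wildcard pattern with * and ?, optionally negated with a leading "!". As an added example, not bwHPC code and not what the portal or the cluster's sshd evaluates, the Python below checks that the host which will run the automated job is actually covered by the pattern you intend to submit, and flags patterns so broad that the restriction adds little. The breadth threshold (anything wider than a /16 for IPv4 or a /48 for IPv6) is this example's own assumption, not a bwHPC rule; the addresses used are RFC 5737 documentation ranges, and the function names are the example's own.

```python
"""Sanity-check the "From" restriction of a command key before submitting it.

Added example for this wiki page (not bwHPC code). Implements the matching
rules of the authorized_keys from= option: CIDR subnets, exact addresses,
wildcard patterns, and "!" negation, where any negated match denies and
otherwise any positive match allows.
"""
import fnmatch
import ipaddress

# Assumption of this example: networks wider than these prefix lengths are
# reported as "too broad". bwHPC publishes no numeric threshold.
MIN_PREFIX_LEN = {4: 16, 6: 48}


def _matches(pattern, address):
    """Match one (already un-negated) from= pattern against an ip_address."""
    if "/" in pattern:
        return address in ipaddress.ip_network(pattern, strict=False)
    return fnmatch.fnmatchcase(str(address), pattern)


def host_allowed(from_value, host):
    """Would a connection from `host` pass the given From restriction?"""
    address = ipaddress.ip_address(host)
    allowed = False
    for raw in from_value.split(","):
        pattern = raw.strip()
        if not pattern:
            continue
        if pattern.startswith("!"):
            if _matches(pattern[1:], address):
                return False          # a negated match denies outright
        elif _matches(pattern, address):
            allowed = True            # keep going: a later "!" may still deny
    return allowed


def too_broad(from_value):
    """Return the patterns that cover (nearly) the whole address space."""
    findings = []
    for raw in from_value.split(","):
        pattern = raw.strip().lstrip("!")
        if not pattern:
            continue
        if "/" in pattern:
            net = ipaddress.ip_network(pattern, strict=False)
            if net.prefixlen < MIN_PREFIX_LEN[net.version]:
                findings.append(pattern)
        else:
            # A wildcard in the first octet/group matches essentially everything.
            first = pattern.split(".")[0].split(":")[0]
            if "*" in first or "?" in first:
                findings.append(pattern)
    return findings


def review_from_field(from_value, automation_host):
    """Combine both checks into one verdict for the value you are about to enter."""
    problems = []
    if not host_allowed(from_value, automation_host):
        problems.append(f"{automation_host} would not be allowed by '{from_value}'")
    for pattern in too_broad(from_value):
        problems.append(f"pattern '{pattern}' is too broad to be a real restriction")
    return problems


if __name__ == "__main__":
    # Constructed values: a backup host in a documentation range.
    for candidate in ("192.0.2.0/24", "192.0.2.*,!192.0.2.99", "0.0.0.0/0", "198.51.100.7"):
        print(f"{candidate:25} -> {review_from_field(candidate, '192.0.2.10') or 'looks fine'}")
```

The tighter the From value, the less an attacker can do with a leaked command key, so prefer the single address of the automation host over its whole subnet whenever that address is stable.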

Registration Steps

1. Add your SSH key if not already done

2. Navigate to Registered Services → Click Set SSH Key for your cluster

[Screenshot: Select cluster]

3. Find your key in the bottom section → Click Add / Hinzufügen

[Screenshot: Add SSH key to service]

4. Configure command restrictions:

  • Usage type: Select Command
  • Command: Enter full path and parameters (example for rrsync below)
  • From: Specify IP address, range, or subnet (see man 8 sshd)
  • Comment: Explain purpose (speeds up approval)
  • Click Add / Hinzufügen
Example: rrsync for automated data transfer
/usr/local/bin/rrsync -ro /home/aa/aa_bb/aa_abc1/

Note: Verify the exact path on your cluster first (may be /usr/bin/rrsync)

[Screenshot: Configure command key]

5. Wait for approval: Key status shows Pending until an administrator approves it

[Screenshot: Key pending approval]

You'll receive an email when the key is approved and ready to use.

Revoking SSH Keys

Revoked keys are immediately disabled and cannot be reused.

1. Navigate to your cluster's SSH key management:

[Screenshot: My SSH Pubkeys page]

2. Click REVOKE / ZURÜCKZIEHEN next to the key you want to disable

[Screenshot: Revoke SSH key]