Registration/SSH: Difference between revisions
(10 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
{|style="background:#deffee; width:100%;" |
|||
|style="padding:5px; background:#cef2e0; text-align:left"| |
|||
[[Image:Attention.svg|center|25px]] |
|||
|style="padding:5px; background:#cef2e0; text-align:left"| |
|||
This process is only necessary for the bwUniCluster and the bwForCluster Helix. |
|||
On the other clusters, SSH keys can still be copied to the <code>authorized_keys</code> file. |
|||
|} |
|||
= Registering SSH Keys with your Cluster = |
= Registering SSH Keys with your Cluster = |
||
Line 50: | Line 59: | ||
[[Image:Attention.svg|center|25px]] |
[[Image:Attention.svg|center|25px]] |
||
|style="padding:5px; background:#cef2e0; text-align:left"| |
|style="padding:5px; background:#cef2e0; text-align:left"| |
||
* Newly added keys are valid for three months. After that, they are revoked and placed on a "revocation list" so that they cannot be reused. |
|||
Copy only the contents of your public ssh key file to bwIDM/bwServices. |
|||
The file ends with <code>.pub</code> ( e.g. <code>~/.ssh/<filename>.pub</code>). |
* Copy only the contents of your public ssh key file to bwIDM/bwServices. The file ends with <code>.pub</code> ( e.g. <code>~/.ssh/<filename>.pub</code>). |
||
You can only add SSH keys that have not been used yet. |
|||
|} |
|} |
||
Line 58: | Line 66: | ||
Here you can add and revoke SSH keys. To add a ssh key, please follow these steps: |
Here you can add and revoke SSH keys. To add a ssh key, please follow these steps: |
||
1. '''Select the cluster''' for which you want to create a second factor:</br> → [https://login.bwidm.de/user/ssh-keys.xhtml '''bwUniCluster 2.0''']</br> → [https:// |
1. '''Select the cluster''' for which you want to create a second factor:</br> → [https://login.bwidm.de/user/ssh-keys.xhtml '''bwUniCluster 2.0''']</br> → [https://bwservices.uni-heidelberg.de/user/ssh-keys.xhtml '''bwForCluster Helix'''] |
||
[[File:BwIDM-twofa.png|center| |
[[File:BwIDM-twofa.png|center|600px|thumb|My SSH Pubkeys.]] |
||
3. Click the '''Add SSH Key''' or '''SSH Key Hochladen''' button. |
3. Click the '''Add SSH Key''' or '''SSH Key Hochladen''' button. |
||
[[File:Bwunicluster 2.0 access ssh keys empty.png|center| |
[[File:Bwunicluster 2.0 access ssh keys empty.png|center|400px|thumb|Add new SSH key.]] |
||
4. A new window will appear. |
4. A new window will appear. |
||
Enter a name for the key and paste your SSH public key (file <code>~/.ssh/<filename>.pub</code>) into the box labelled "SSH Key:". |
Enter a name for the key and paste your SSH public key (file <code>~/.ssh/<filename>.pub</code>) into the box labelled "SSH Key:". |
||
Click on the button labelled '''Add''' or '''Hinzufügen'''. |
Click on the button labelled '''Add''' or '''Hinzufügen'''. |
||
[[File:Ssh-key.png|center| |
[[File:Ssh-key.png|center|600px|thumb|Add new SSH key.]] |
||
5. If everything worked fine your new key will show up in the user interface: |
5. If everything worked fine your new key will show up in the user interface: |
||
[[File:Ssh-success.png|center| |
[[File:Ssh-success.png|center|800px|thumb|New SSH key added.]] |
||
Once you have added SSH keys to the system, you can bind them to one or more services to use either for interactive logins ('''Interactive key''') or for automatic logins ('''Command key'''). |
|||
Newly added keys have a validity of three months. |
|||
After that, they are revoked and placed on a blacklist so that they can no longer be used. |
|||
Once you have added SSH keys to the system, you can bind them to one or more services to use either for interactive logins ('''Interactive key'') or for automatic logins ('''Command key''). |
|||
= Registering an Interactive Key = |
== Registering an Interactive Key == |
||
{|style="background:#deffee; width:100%;" |
|||
'''Interactive Keys''' can be used to log into a system for normal interactive use. They are not valid all the time, but only for one hour after the last 2-factor login. This means that on the first attempt to log into the bwUniCluster 2.0 system your SSH key will not be accepted, but you have to log in with an One-Time Password (OTP) and your service password. After that you won't have to enter the OTP and service password anymore for one hour because your SSH Key has been unlocked. After the hour has passed, you have to enter the OTP and service password again on your next login attempt, and then your SSH Key will be unlocked for another hour. |
|||
|style="padding:5px; background:#cef2e0; text-align:left"| |
|||
[[Image:Attention.svg|center|25px]] |
|||
|style="padding:5px; background:#cef2e0; text-align:left"| |
|||
Interactive SSH Keys are not valid all the time, but only for one hour after the last 2-factor login. |
|||
They have to be "unlocked" by entering the OTP and service password. |
|||
|} |
|||
'''Interactive Keys''' can be used to log into a system for interactive use. |
|||
Perform the following steps to register an interactive key: |
Perform the following steps to register an interactive key: |
||
1. [[Registration/SSH#Adding_a_new_SSH_Key|'''Add a new interactive SSH key''']] if you have not already done so. |
|||
1. Log into [https://bwidm.scc.kit.edu https://bwidm.scc.kit.edu]. |
|||
2. |
2. Select '''Registered services/Registrierte Dienste''' from the top menu and click '''Set SSH Key/SSH Key setzen''' for the cluster for which you want to use the SSH key. |
||
[[File:BwIDM-registered.png|center|600px|thumb|Select Cluster for which you want to use the SSH key.]] |
|||
3. The upper block |
3. The upper block displays the SSH keys currently registered for the service. |
||
The bottom block displays all the public SSH keys associated with your account. |
|||
Find the SSH key you want to use and click '''Add/Hinzufügen'''. |
|||
[[File:Ssh-service-int.png|center|800px|thumb|Add SSH key to service.]] |
|||
4. A new window appears. |
|||
[[File:Bwunicluster 2.0 access ssh keys service list.png|center]] |
|||
Select '''Interactive''' as the usage type, enter an optional comment and click '''Add/Hinzufügen'''. |
|||
[[File:Ssh-int.png|center|600px|thumb|Add interactive SSH key to service.]] |
|||
5. Your SSH key is now registered for interactive use with this service. |
|||
4. A new window appears. Choose '''Interactive''' under '''Type of usage''', enter an optional comment and click on '''Add''' or '''Hinzufügen'''. |
|||
[[File:Ssh-service.png|center|800px|thumb|SSH key is now registered for interactive use.]] |
|||
[[File:Bwunicluster 2.0 access ssh keys service add.png|center]] |
|||
== Registering a Command Key == |
|||
5. Your SSH key has now been registered to the service and can be used. |
|||
{|style="background:#deffee; width:100%;" |
|||
[[File:Bwunicluster 2.0 access ssh keys service added.png|center]] |
|||
|style="padding:5px; background:#cef2e0; text-align:left"| |
|||
[[Image:Attention.svg|center|25px]] |
|||
|style="padding:5px; background:#cef2e0; text-align:left"| |
|||
SSH command keys are always valid and do not need to be unlocked with a 2-factor login. |
|||
This makes these keys extremely valuable to a potential attacker and poses a security risk. |
|||
Therefore, additional restrictions apply to these keys: |
|||
* They must be limited to a single command to be executed. |
|||
* They must be limited to a single IP address (e.g., the workflow server) or a small number of IP addresses (e.g., the institution's subnet). |
|||
* They must be reviewed and approved by a cluster administrator before they can be used. |
|||
* Validity is reduced to one month. |
|||
|} |
|||
'''Command Keys''' can be used for automatic workflows. |
|||
<br/> |
|||
If you want to use rsync, please read the [[Registration/SSH/rrsync|rrsync wiki]]. |
|||
<br/> |
|||
Perform the following steps to register a "Command key" (in this example we use rrsync): |
|||
= Registering a Command Key = |
|||
1. [[Registration/SSH#Adding_a_new_SSH_Key|'''Add a new "command SSH key"''']] if you have not already done so. |
|||
Passphrases, 2-factor authentication and service passwords make it impossible to integrate many scientific workflows with bwUniCluster 2.0. We therefore offer a second type of registration: '''Command Keys''', special keys which can be used for automation. |
|||
Command Keys are always valid and don't have to be unlocked. This makes these keys extremely valuable to a possible attacker and poses a security risk, so we enforce additional restrictions on these keys: |
|||
2. Select '''Registered services/Registrierte Dienste''' from the top menu and click '''Set SSH Key/SSH Key setzen''' for the cluster for which you want to use the SSH key. |
|||
* They have to be restricted to a single command which can be executed. |
|||
[[File:BwIDM-registered.png|center|600px|thumb|Select Cluster for which you want to use the SSH key.]] |
|||
* They have to be restricted to a single IP address (e.g. the workflow server) or a small number of IP addresses (e.g. the subnet of the institute). |
|||
* They have to be checked and approved by an HPC administrator before they can be used. |
|||
* The validity is reduced to one month. |
|||
3. The upper block displays the SSH keys currently registered for the service. |
|||
The process for registering a Command Key is the same as the one for an Interactive Key, but after selecting '''Command''' under '''Type of usage''' two additional field labelled '''Command''' and '''From (network address)''' appear which have to be filled in. Please also provide a comment to speed up the approval process. |
|||
The bottom block displays all the public SSH keys associated with your account. |
|||
Find the SSH key you want to use and click '''Add/Hinzufügen'''. |
|||
If you want to register a command key to be able to transfer data automatically, please use the following string as the '''Command''': |
|||
[[File:Ssh-service-com.png|center|800px|thumb|Add SSH key to service.]] |
|||
4. A new window appears. |
|||
Select '''Command''' as the usage type. |
|||
Type the full command with the full path, including all parameters, in the '''Command''' text box. |
|||
Specify a network address, list, or range in the '''From''' text field (see [https://man.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/sshd.8#from=_pattern-list_ man 8 sshd] for more info). |
|||
Please also provide a comment to speed up the approval process. |
|||
Click '''Add/Hinzufügen'''. |
|||
{| class="wikitable" |
|||
! | Example |
|||
|- |
|||
| If you want to register a command key to be able to transfer data automatically, please use the following string as in the '''Command''' text field (please verify the path on the cluster first): |
|||
<pre> |
<pre> |
||
/usr/bin/rrsync -ro / |
/usr[/local]/bin/rrsync -ro /home/aa/aa_bb/aa_abc1/ |
||
</pre> |
</pre> |
||
|} |
|||
[[File:Ssh-com.png|center|600px|thumb|Add command SSH key to service.]] |
|||
After the key has been added, it will be marked as '''Pending''': |
5. After the key has been added, it will be marked as '''Pending''': |
||
[[File:Bwunicluster 2.0 access ssh keys service add command.png|center]] |
|||
You will receive an e-mail as soon as the key has been approved and can be used. |
You will receive an e-mail as soon as the key has been approved and can be used. |
||
[[File:Ssh-service.png|center|800px|thumb|SSH key is now registered for interactive use.]] |
|||
== Revoke/Delete SSH Key == |
|||
<br/> |
|||
<br/> |
|||
{|style="background:#deffee; width:100%;" |
|||
= Revoke/Delete an SSH Key= |
|||
|style="padding:5px; background:#cef2e0; text-align:left"| |
|||
[[Image:Attention.svg|center|25px]] |
|||
|style="padding:5px; background:#cef2e0; text-align:left"| |
|||
Revoked keys are locked and can no longer be used. |
|||
|} |
|||
'''SSH keys''' are generally managed via the '''My SSH Pubkeys''' menu entry on the registration pages for the clusters. |
|||
Here you can add and revoke SSH keys. To revoke/delete a ssh key, please follow these steps: |
|||
1. '''Select the cluster''' for which you want to create a second factor:</br> → [https://login.bwidm.de/user/ssh-keys.xhtml '''bwUniCluster 2.0''']</br> → [https://bwservices.uni-heidelberg.de/user/ssh-keys.xhtml '''bwForCluster Helix'''] |
|||
# Log into [https://bwidm.scc.kit.edu https://bwidm.scc.kit.edu]. |
|||
[[File:BwIDM-twofa.png|center|600px|thumb|My SSH Pubkeys.]] |
|||
# Navigate to '''index''' or '''Übersicht''' |
|||
# Click on '''My SSH Pubkeys''' or '''Meine SSH Pubkeys''' in the main menu. |
|||
# Click on the '''Revoke''' or '''Zurückziehen''' button next to the SSH Key you want to revoke. |
|||
2. Click '''REVOKE/ZURÜCKZIEHEN''' next to the SSH key you want to revoke. |
|||
'''Please note that revoked keys are blocked and cannot be used again.''' |
|||
[[File:Ssh-success.png|center|800px|thumb|Revoke SSH key.]] |
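Review bot: step 1 of both the add and revoke procedures (the lines `1. '''Select the cluster''' for which you want to create a second factor:`) tells the reader to pick a cluster to create a second factor, but the surrounding steps register or revoke an SSH key; the step should name the actual purpose, e.g. "Select the cluster for which you want to manage SSH keys". Two further points in the same hunk: the line `('''Interactive key'') or for automatic logins ('''Command key'')` closes each bold span with two quotes instead of three, which would render stray quote marks, so only the balanced variant `('''Interactive key''') ... ('''Command key''')` should be kept; and the image line `[[File:Ssh-service.png|center|800px|thumb|SSH key is now registered for interactive use.]]` also appears after the pending/approval text of the Command Key section, where a caption about interactive use does not fit.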
Latest revision as of 16:35, 8 November 2023
This process is only necessary for the bwUniCluster and the bwForCluster Helix.
On the other clusters, SSH keys can still be copied to the authorized_keys file.
Registering SSH Keys with your Cluster
SSH Keys are a mechanism for logging into a computer system without having to enter a password. Instead of authenticating yourself with something you know (a password), you prove your identity by showing the server something you have (a cryptographic key).
The usual process is the following:
- The user generates a pair of SSH Keys, a private key and a public key, on their local system. The private key never leaves the local system.
- The user then logs into the remote system using the remote system password and adds the public key to a file called ~/.ssh/authorized_keys.
- All following logins will no longer require the entry of the remote system password because the local system can prove to the remote system that it has a private key matching the public key on file.
While SSH Keys have many advantages, the concept also has a number of issues which make it hard to handle them securely:
- The private key on the local system is supposed to be protected by a strong passphrase. There is no possibility for the server to check if this is the case. Many users do not use a strong passphrase or do not use any passphrase at all. If such a private key is stolen, an attacker can immediately use it to access the remote system.
- There is no concept of validity. Users are not forced to regularly generate new SSH Key pairs and replace the old ones. Often the same key pair is used for many years and the users have no overview of how many systems they have stored their SSH Keys on.
- SSH Keys can be restricted so they can only be used to execute specific commands on the server, or to log in from specified IP addresses. Most users do not do this.
To fix these issues it is no longer possible to self-manage your SSH Keys by adding them to the ~/.ssh/authorized_keys file on bwUniCluster/bwForCluster. SSH Keys have to be managed through bwIDM/bwServices instead. Existing authorized_keys files are ignored.
Minimum requirements for SSH Keys
Algorithms and Key sizes:
- 2048 bits or more for RSA
- 521 bits for ECDSA
- 256 bits (default) for ED25519
ECDSA-SK and ED25519-SK keys (for use with U2F Hardware Tokens) cannot be used yet.
Please set a strong passphrase for your private keys.
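To check a public key against these minimum requirements before uploading it, the following Python parses an OpenSSH public key line (the content of a .pub file) and reports the key type and size. This is an added example, not code from the wiki or from bwIDM: the thresholds are taken from the list above, the sample keys are constructed from dummy key material, and ECDSA curves below 521 bits are treated as failing because the page states 521 bits for ECDSA.

```python
import base64
import struct


def _minimum_bits(key_type):
    """Minimum key size stated on the wiki for each accepted algorithm (None = not accepted)."""
    if key_type == "ssh-rsa":
        return 2048
    if key_type.startswith("ecdsa-sha2-"):
        return 521
    if key_type == "ssh-ed25519":
        return 256
    return None


CURVE_BITS = {"nistp256": 256, "nistp384": 384, "nistp521": 521}


def _read_string(blob, offset):
    """Read one RFC 4251 'string' (4-byte big-endian length, then bytes) from the key blob."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def parse_public_key(line):
    """Return (key_type, bits, comment) for one OpenSSH public key line (a .pub file's content)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, encoded = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(encoded)
    wire_type, offset = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("key type prefix does not match the encoded blob")
    if key_type == "ssh-rsa":
        _exponent, offset = _read_string(blob, offset)
        modulus, _ = _read_string(blob, offset)          # mpint; its bit length is the RSA key size
        bits = int.from_bytes(modulus, "big").bit_length()
    elif key_type.startswith("ecdsa-sha2-"):
        curve, _ = _read_string(blob, offset)            # curve name determines the key size
        bits = CURVE_BITS.get(curve.decode(), 0)
    elif key_type == "ssh-ed25519":
        bits = 256                                       # fixed 32-byte public key
    else:
        bits = 0
    return key_type, bits, comment


def check_key(line):
    """Judge a public key line against the minimum requirements; returns (ok, reason)."""
    key_type, bits, _ = parse_public_key(line)
    if key_type.startswith("sk-"):
        return False, "ECDSA-SK and ED25519-SK hardware-token keys cannot be used yet"
    minimum = _minimum_bits(key_type)
    if minimum is None:
        return False, f"{key_type} is not an accepted key type"
    if bits < minimum:
        return False, f"{key_type} key has {bits} bits, minimum is {minimum}"
    return True, f"{key_type} key with {bits} bits meets the minimum requirements"


# Helpers that build constructed sample keys from dummy, non-secret material (demonstration only).
def _string(data):
    return struct.pack(">I", len(data)) + data


def _mpint(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:                                    # keep the signed mpint positive
        raw = b"\x00" + raw
    return _string(raw)


def make_sample_key(key_type, bits, comment="constructed@example.invalid"):
    """Build a syntactically valid public key line whose key material is a placeholder."""
    if key_type == "ssh-rsa":
        blob = _string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << (bits - 1)) | 1)
    elif key_type == "ssh-ed25519":
        blob = _string(b"ssh-ed25519") + _string(b"\x01" * 32)
    elif key_type == "sk-ssh-ed25519@openssh.com":
        blob = _string(key_type.encode()) + _string(b"\x01" * 32) + _string(b"ssh:")
    elif key_type.startswith("ecdsa-sha2-"):
        curve = key_type[len("ecdsa-sha2-"):]
        point = b"\x04" + b"\x02" * (2 * ((bits + 7) // 8))   # uncompressed-point placeholder
        blob = _string(key_type.encode()) + _string(curve.encode()) + _string(point)
    else:
        raise ValueError("unsupported sample key type")
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    for sample in (make_sample_key("ssh-ed25519", 256), make_sample_key("ssh-rsa", 1024),
                   make_sample_key("ecdsa-sha2-nistp256", 256),
                   make_sample_key("sk-ssh-ed25519@openssh.com", 256)):
        print(check_key(sample))
```

Run it against your own key with `check_key(open("~/.ssh/<filename>.pub").read())` (expand the path first); the parser reads only the public half, so nothing secret is touched. The RSA size is taken from the modulus bit length, which is the same figure `ssh-keygen -l` reports.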
Adding a new SSH Key
SSH keys are generally managed via the My SSH Pubkeys menu entry on the registration pages for the clusters. Here you can add and revoke SSH keys. To add a ssh key, please follow these steps:
1. Select the cluster for which you want to create a second factor:
→ bwUniCluster 2.0
→ bwForCluster Helix
3. Click the Add SSH Key or SSH Key Hochladen button.
4. A new window will appear.
Enter a name for the key and paste your SSH public key (file ~/.ssh/<filename>.pub) into the box labelled "SSH Key:".
Click on the button labelled Add or Hinzufügen.
5. If everything worked fine your new key will show up in the user interface:
Once you have added SSH keys to the system, you can bind them to one or more services to use either for interactive logins (Interactive key) or for automatic logins (Command key).
Registering an Interactive Key
Interactive SSH Keys are not valid all the time, but only for one hour after the last 2-factor login. They have to be "unlocked" by entering the OTP and service password.
Interactive Keys can be used to log into a system for interactive use. Perform the following steps to register an interactive key:
1. Add a new interactive SSH key if you have not already done so.
2. Select Registered services/Registrierte Dienste from the top menu and click Set SSH Key/SSH Key setzen for the cluster for which you want to use the SSH key.
3. The upper block displays the SSH keys currently registered for the service. The bottom block displays all the public SSH keys associated with your account. Find the SSH key you want to use and click Add/Hinzufügen.
4. A new window appears. Select Interactive as the usage type, enter an optional comment and click Add/Hinzufügen.
5. Your SSH key is now registered for interactive use with this service.
Registering a Command Key
SSH command keys are always valid and do not need to be unlocked with a 2-factor login. This makes these keys extremely valuable to a potential attacker and poses a security risk. Therefore, additional restrictions apply to these keys:
- They must be limited to a single command to be executed.
- They must be limited to a single IP address (e.g., the workflow server) or a small number of IP addresses (e.g., the institution's subnet).
- They must be reviewed and approved by a cluster administrator before they can be used.
- Validity is reduced to one month.
Command Keys can be used for automatic workflows. If you want to use rsync, please read the rrsync wiki.
Perform the following steps to register a "Command key" (in this example we use rrsync):
1. Add a new "command SSH key" if you have not already done so.
2. Select Registered services/Registrierte Dienste from the top menu and click Set SSH Key/SSH Key setzen for the cluster for which you want to use the SSH key.
3. The upper block displays the SSH keys currently registered for the service. The bottom block displays all the public SSH keys associated with your account. Find the SSH key you want to use and click Add/Hinzufügen.
4. A new window appears. Select Command as the usage type. Type the full command with the full path, including all parameters, in the Command text box. Specify a network address, list, or range in the From text field (see man 8 sshd for more info). Please also provide a comment to speed up the approval process. Click Add/Hinzufügen.
Example: If you want to register a command key to be able to transfer data automatically, please use the following string in the Command text field (please verify the path on the cluster first):
/usr[/local]/bin/rrsync -ro /home/aa/aa_bb/aa_abc1/
5. After the key has been added, it will be marked as Pending. You will receive an e-mail as soon as the key has been approved and can be used.
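The From field follows the pattern-list rules of sshd(8): comma-separated entries that are globs or CIDR blocks, with a leading "!" negating an entry. The following Python is an added example (not code from the wiki or from bwIDM) that evaluates a client address against such a list, so you can confirm the restriction admits only the workflow host or subnet you intend before submitting it for approval; it also renders the restrictions in standard OpenSSH authorized_keys syntax. That bwIDM enforces the Command and From fields equivalently to those options is an assumption; the addresses and the key line are constructed placeholders, and the command string is the rrsync example from above.

```python
import fnmatch
import ipaddress


def matches_from_pattern(client_ip, pattern_list):
    """Evaluate an sshd-style from= pattern list against a client IP address.

    Follows the PATTERNS section of sshd(8): entries are comma-separated and may be
    shell-style globs ('*', '?') or CIDR blocks; a leading '!' negates an entry.
    A matching negated entry rejects the address outright; otherwise the address is
    accepted only if at least one positive entry matched.
    """
    addr = ipaddress.ip_address(client_ip)
    got_positive = False
    for raw in pattern_list.split(","):
        pattern = raw.strip()
        if not pattern:
            continue
        negated = pattern.startswith("!")
        if negated:
            pattern = pattern[1:]
        if "/" in pattern:                       # CIDR block
            try:
                hit = addr in ipaddress.ip_network(pattern, strict=False)
            except ValueError:
                hit = False
        else:                                    # glob against the textual address
            hit = fnmatch.fnmatchcase(str(addr), pattern)
        if hit and negated:
            return False
        got_positive = got_positive or hit
    return got_positive


def authorized_keys_line(pubkey_line, command, from_list):
    """Render the Command and From restrictions as standard OpenSSH authorized_keys options.

    Assumption: bwIDM enforces the two fields server-side in a way equivalent to these
    options; this is OpenSSH syntax, not a statement about bwIDM's internal format.
    """
    return f'from="{from_list}",command="{command}" {pubkey_line.strip()}'


def review_from_list(pattern_list, candidates):
    """Return the candidate addresses the From field would admit, to confirm it is as
    narrow as intended (e.g. only the workflow server or the institute's subnet)."""
    return [ip for ip in candidates if matches_from_pattern(ip, pattern_list)]


# Constructed sample values: RFC 5737 documentation addresses and a placeholder key line.
SAMPLE_FROM = "192.0.2.0/24,!192.0.2.13,203.0.113.5"
SAMPLE_COMMAND = "/usr/bin/rrsync -ro /home/aa/aa_bb/aa_abc1/"   # wiki example; verify the path on the cluster
SAMPLE_PUBKEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI_PLACEHOLDER_ workflow@example.invalid"


if __name__ == "__main__":
    print(authorized_keys_line(SAMPLE_PUBKEY, SAMPLE_COMMAND, SAMPLE_FROM))
    print(review_from_list(SAMPLE_FROM, ["192.0.2.10", "192.0.2.13", "203.0.113.5", "198.51.100.7"]))
```

The matcher returns False as soon as a negated entry hits, regardless of its position in the list, which is how sshd treats "!" entries; a list that consists only of negated entries therefore admits nothing.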
Revoke/Delete SSH Key
Revoked keys are locked and can no longer be used.
SSH keys are generally managed via the My SSH Pubkeys menu entry on the registration pages for the clusters. Here you can add and revoke SSH keys. To revoke/delete a ssh key, please follow these steps:
1. Select the cluster for which you want to create a second factor:
→ bwUniCluster 2.0
→ bwForCluster Helix
2. Click REVOKE/ZURÜCKZIEHEN next to the SSH key you want to revoke.