Registration/SSH: Difference between revisions

From bwHPC Wiki
Latest revision as of 17:47, 3 December 2025

SSH Key Authentication for HPC Clusters

SSH Keys allow you to log into a system without entering a password. Instead of proving your identity with something you know (a password), you prove it with something you have (a cryptographic key).

SSH Key Management Methods by Cluster

Cluster                 Management Method         Details
bwUniCluster 3.0        bwIDM Portal              Centralized key management, 180-day validity
bwForCluster BinAC 2    ~/.ssh/authorized_keys    Self-managed, use ssh-copy-id
bwForCluster Helix      bwServices Portal         Centralized key management, 180-day validity
bwForCluster JUSTUS 2   ~/.ssh/authorized_keys    Self-managed, use ssh-copy-id
bwForCluster NEMO 2     bwIDM Portal              Centralized key management, 180-day validity

Choose your cluster below:

  • BinAC 2 and JUSTUS 2 - Self-managed keys
  • bwUniCluster 3.0, Helix, and NEMO 2 - Centralized management

SSH Keys on BinAC 2 and JUSTUS 2

On bwForCluster BinAC 2 and bwForCluster JUSTUS 2, you manage SSH keys yourself using the standard ~/.ssh/authorized_keys file.

Quick Setup with ssh-copy-id

The easiest method to add your SSH key:

Step 1: Generate an SSH key (if you don't have one):

ssh-keygen -t ed25519 -C "your_email@example.com"

Press Enter to accept the default location, then set a strong passphrase.

Step 2: Copy your key to the cluster:

# For BinAC2:
ssh-copy-id username@login.binac2.uni-tuebingen.de

# For JUSTUS2:
ssh-copy-id username@justus2.uni-ulm.de

Enter your service password and OTP when prompted. Your public key will be automatically added to ~/.ssh/authorized_keys.

Step 3: Test your connection:

# For BinAC2:
ssh username@login.binac2.uni-tuebingen.de

# For JUSTUS2:
ssh username@justus2.uni-ulm.de

You should now be able to log in using your SSH key and OTP.

Manual Setup (Alternative)

If ssh-copy-id is not available on your system:

Step 1: Display your public key:

cat ~/.ssh/id_ed25519.pub

Copy the entire output.

Step 2: Log into the cluster using your service password and OTP

Step 3: Add the key to authorized_keys:

mkdir -p ~/.ssh
chmod 700 ~/.ssh
echo "paste-your-public-key-here" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

Replace paste-your-public-key-here with your actual public key.

SSH Keys via bwIDM/bwServices

On bwUniCluster 3.0, bwForCluster Helix, and bwForCluster NEMO 2, SSH keys are managed centrally through the registration service.

Why Centralized Management?

Centralized SSH key management provides:

  • Security enforcement: Keys must use strong algorithms and have 180-day validity
  • Centralized control: Review and revoke all keys from one location
  • Two key types: Interactive keys (manual logins) and Command keys (automated workflows)

Note: Self-managed ~/.ssh/authorized_keys files are ignored on these clusters.

Supported Key Types

Standard SSH Keys

  • ED25519: 256 bits (recommended)
  • RSA: 2048 bits or more
  • ECDSA: 521 bits

Important: Always protect your private keys with a strong passphrase.

FIDO2 Hardware Keys

ED25519-SK keys use hardware security keys (like Yubikey) for authentication:

  • Always valid - no 2-factor unlock required
  • Hardware-protected - private key never leaves the device
  • Physical presence required - must touch key to authenticate

Note: ECDSA-SK keys are not supported. Use ED25519-SK only.

FIDO2 Key Support by Cluster

Cluster                 ED25519-SK Support
bwUniCluster 3.0        ✓ Supported
bwForCluster Helix      ✗ Not supported
bwForCluster NEMO 2     ✓ Supported

Get started: See SSH with FIDO2 - Quick Start Guide

Step 1: Add Your SSH Key to the Portal

First, upload your public key to the management portal:

Important:

  • Keys are valid for 180 days and automatically revoked after expiration
  • Upload only your public key file (ending in .pub, e.g., ~/.ssh/id_ed25519.pub)

1. Navigate to SSH key management:

[Figure: My SSH Pubkeys page]

2. Click "Add SSH Key" / "SSH Key Hochladen"

[Figure: Add SSH Key button]

3. Enter key details:

  • Name: Descriptive identifier (e.g., "laptop-work", "desktop-home")
  • SSH Key: Paste complete contents of your .pub file
  • Click Add / Hinzufügen

[Figure: Add SSH key dialog]

4. Success! Your key appears in the list

[Figure: SSH key successfully added]

Next: Bind your key to a cluster as either an Interactive Key or Command Key.

Step 2A: Register Interactive Key

Interactive Keys are for manual SSH logins.

Understanding Key Validity

Regular SSH Keys (RSA, ECDSA, ED25519):

  • Require 2-factor authentication unlock
  • Valid for limited hours after entering OTP + service password
  • Must re-authenticate when validity expires

Validity Periods for Regular SSH Keys

Cluster                 Valid Duration
bwUniCluster 3.0        8 hours
bwForCluster Helix      12 hours
bwForCluster NEMO 2     12 hours

FIDO2 Hardware Keys (ED25519-SK):

  • Always valid - no 2-factor unlock needed
  • Authentication via physical key touch only
  • Only on bwUniCluster 3.0 and NEMO 2 (not Helix)
  • See SSH with FIDO2 - Quick Start Guide

Registration Steps

1. Add your public key following Step 1 above

2. Navigate to "Registered Services" / "Registrierte Dienste"

Click Set SSH Key / SSH Key setzen for your cluster

[Figure: Select cluster]

3. Find your key and click "Add" / "Hinzufügen"

[Figure: Add SSH key to service]

4. Select "Interactive" and confirm

  • Usage type: Interactive
  • Comment: Optional description
  • Click Add / Hinzufügen

[Figure: Set as Interactive key]

5. Done! Your key is active for interactive logins

[Figure: SSH key registered]

Step 2B: Register Command Key

Command Keys enable automated workflows (e.g., backups, data transfers) without manual login.

Security Requirements

Command keys are always valid (no 2FA required), making them security-sensitive.

Mandatory restrictions:

  • Single command: Specify exact command with full path
  • IP restriction: Limit to specific IP address(es) or subnet
  • Admin approval: Keys require review before activation
  • Short validity: Maximum 30 days

Common use case: rrsync for data transfers

Registration Steps

1. Add your public key following Step 1 above

2. Navigate to "Registered Services"

Click Set SSH Key for your cluster

[Figure: Select cluster]

3. Find your key and click "Add" / "Hinzufügen"

[Figure: Add SSH key to service]

4. Configure command restrictions:

  • Usage type: Select Command
  • Command: Full path with parameters (see example below)
  • From: IP address or CIDR notation (e.g., 192.168.1.0/24)
  • Comment: Explain purpose (speeds up approval)
  • Click Add / Hinzufügen

Example: rrsync for data transfer

/usr/local/bin/rrsync -ro /home/aa/aa_bb/aa_abc1/

Note: Verify exact path on your cluster (may be /usr/bin/rrsync)

[Figure: Configure command key]
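To make the effect of the "Command" and "From" fields concrete, the following added example (not bwHPC's own tooling) builds the OpenSSH authorized_keys line that expresses the same restrictions: a forced command, a source-address pattern, the `restrict` option and sshd's `expiry-time` option for the one-month limit. On the bwIDM/bwServices clusters the portal enforces this for you and authorized_keys is ignored; the line is what a self-managed host would need for the same policy. The rrsync command is the one from the example above, the key and the expiry date are placeholders.

```shell
#!/bin/sh
# Added example, not bwHPC's own tooling: the OpenSSH authorized_keys line
# that corresponds to the portal's "Command" and "From" fields. On
# bwIDM/bwServices clusters the portal applies such restrictions itself.

# restricted_key_entry <command> <from-pattern> "<pubkey line>" [YYYYMMDD]
# Prints one authorized_keys line, or fails on an input that would weaken it.
restricted_key_entry() {
    cmd=$1; from=$2; key=$3; expiry=${4:-}
    # The forced command must be an absolute path; a bare name would be
    # resolved through PATH on the server.
    case "$cmd" in
        /*) ;;
        *) echo "command must be an absolute path: '$cmd'" >&2; return 1 ;;
    esac
    # An empty or wildcard-only From field removes the network restriction.
    case "$from" in
        ""|"*") echo "from pattern must name an address, range or host" >&2; return 1 ;;
    esac
    # Option values are wrapped in double quotes; refuse quotes in the values
    # instead of trying to escape them.
    case "$cmd$from" in
        *\"*) echo "double quotes are not allowed in option values" >&2; return 1 ;;
    esac
    opts="restrict,command=\"$cmd\",from=\"$from\""
    # Optional expiry in YYYYMMDD form (sshd's expiry-time option), matching
    # the reduced validity the wiki applies to command keys.
    if [ -n "$expiry" ]; then
        case "$expiry" in
            [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
            *) echo "expiry must be YYYYMMDD: '$expiry'" >&2; return 1 ;;
        esac
        opts="$opts,expiry-time=\"$expiry\""
    fi
    # 'restrict' disables pty allocation, agent/port/X11 forwarding and rc
    # files; the forced command runs regardless of what the client requests.
    printf '%s %s\n' "$opts" "$key"
}

# rrsync_example: the wiki's read-only rrsync command, limited to one /24 and
# expiring on a constructed date. The key blob is a placeholder, not a key.
rrsync_example() {
    restricted_key_entry '/usr/local/bin/rrsync -ro /home/aa/aa_bb/aa_abc1/' \
        '192.168.1.0/24' \
        'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI_PLACEHOLDER workflow@example' \
        '20260131'
}
```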

5. Wait for approval

[Figure: Key pending approval]

Revoking SSH Keys

Revoke keys that are no longer needed or potentially compromised.

Note: Revoked keys are immediately disabled and cannot be reused.

1. Navigate to SSH key management:

[Figure: My SSH Pubkeys page]

2. Click "REVOKE" / "ZURÜCKZIEHEN" next to the key you want to disable


[Figure: Revoke SSH key]