SSH quick instructions for users without a password

Instructions for getting in using SSH keys

OK, so we have many instruction pages, but somehow I still need to tell a few users what to do when they have lost their password and have not yet uploaded their keys (the sequence is not obvious to everyone).

Here are a few quick instructions for such a case.

First step

The first step is really to re-enable your RCF account because without that, you will not be able to go very far.
Instructions are available at Account re-activation, likely the one under "Forgot your password but did not upload SSH".

Do this first since the RCF will take time to react (hopefully not too long).

Also:

  • Before being able to log in to our STAR Gateway, an account will have to be created for you on our STAR authentication server. Please send an e-mail to starsupport 'at' bnl.gov to request an account to access the online nodes; at a minimum, provide your name, BNL life number and/or your RCF account name (your RCF account name will be used to match your online nodes account).
  • NB: if you already have an account on the onlXX Linux pool, then you should already have access to the gateways.

Second step

Second, you will need to generate a key pair for SSH authentication. This is explained at SSH Keys and login to the SDCC; the main principle is to use

  % ssh-keygen -t rsa

Type a passphrase you can remember; this will generate two files, namely /home/<user>/.ssh/id_rsa (the private key) and /home/<user>/.ssh/id_rsa.pub (the public key). Notes:

  • You need to save BOTH files if you use multiple nodes
  • You need to secure those keys (they are as important as a password, if not more so)
  • The only thing the key interface will request is your public key (never distribute your private key)
  • You need to generate keys ONLY ONCE (as long as you do not lose them)

Third step

The third step is to go to the RCF and STAR interfaces and upload your PUBLIC key to the respective RCF and STAR key management interfaces.

Note again that BOTH will ask you for a real RCF account and password to log in to the interface, hence the first step is necessary. The password here is the Kerberos password the RCF will provide you upon re-activating your account. When you go to our STAR Key management system interface, you should also request from the same interface an association between your keys and your online account. Do this by:

  • going to the menu Request for account association
  • selecting 'Host'=onlldap.starp.bnl.gov from the first drop-down
  • in the second drop-down 'Account', selecting your account name (it should appear if Matthew has created one for you)
  • clicking on [REQUEST ACCOUNT @ HOST]

Done.

Finally ...

When this is done, you may log in to the RCF using ssh, typing your passphrase from now on. The general syntax for ssh is

  % ssh [options...] username@node.domain

If you need to make more than one HOP to your destination (for example, if you need to go first to sssh.sdcc.bnl.gov and then to stargw.starp.bnl.gov), you will need to use an SSH agent (see Using the SSH Agent) and the key forwarding mechanism. This is especially true as you will NOT be able to store keys on the RHIC ssh gateways and hence will have no other choice (for more than one HOP) than using agent forwarding.

Instructions on how to use the agent are available at Using the SSH Agent. For agent key forwarding to work, you need to specify the "-A" option to ssh all the way through to your final destination (so 'ssh -A username@sssh.sdcc.bnl.gov', etc.).

The final recommended set of commands is then (including starting the agent):

% ssh-agent >agent.sh
% source agent.sh
% ssh-add
Enter passphrase for /home/jlauret/.ssh/id_rsa:
Identity added: /home/jlauret/.ssh/id_rsa (/home/jlauret/.ssh/id_rsa)

The agent needs to be started once per computer, per key, per user. When this is done, you can

% ssh -X -A username@sssh.sdcc.bnl.gov
% ssh -X -A username@stargw.starp.bnl.gov

If you open a new xterm, that terminal will need the environment variables ssh uses to find the agent. This can be done by re-sourcing the previous agent.sh file:

% source agent.sh
% ssh -X -A username@sssh.sdcc.bnl.gov
etc ...


Other

You can always check you have an agent running by doing

% ps -ef | grep ssh-agent

BEFORE starting another one. In particular, some Linux desktop environments start an agent automatically with every session (and propagate the needed environment variables to the entire process tree, making integration easier).

You can also always check whether your keys are properly loaded by running the commands below (the results and echo commands are given as guidance on what each result means):

% ssh-add -l
1024 34:a0:3f:56:6d:a2:02:d1:c5:23:2e:a0:27:16:3d:e5 /home/jlauret/.ssh/id_rsa (RSA)
% echo "All is fine, proceed with connecting using ssh"

% ssh-add -l
The agent has no identities.
% echo "You need to reload your keys, use ssh-add without option and type passphrase"
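The start/source/ssh-add sequence and the two checks above, combined into one script you can run from every new xterm. This is an added example, not a script from the STAR pages; the agent.sh file name is an assumption, and the file format is what "ssh-agent >agent.sh" writes for sh/bash.

```shell
#!/bin/sh
# Added example, not from the STAR page: reuse the ssh-agent recorded in a saved
# agent.sh file when it is still alive, start a new one only when needed, and load
# the key only if "ssh-add -l" shows the agent is empty.  The file name is an
# assumption; the file format is what "ssh-agent >agent.sh" writes for sh/bash.

# Print the SSH_AGENT_PID recorded in an agent.sh file, e.g. from the line
#   SSH_AGENT_PID=1235; export SSH_AGENT_PID;
agent_pid_from_file() {
    [ -r "$1" ] || return 1
    sed -n 's/^SSH_AGENT_PID=\([0-9][0-9]*\);.*/\1/p' "$1"
}

# Succeed only if the agent named in the file is still running (kill -0 sends no
# signal; it just tests that the process exists and belongs to us).
agent_alive() {
    pid=$(agent_pid_from_file "$1") || return 1
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# Count the identity lines in "ssh-add -l" output read from stdin.  Both the old
# "1024 34:a0:...:e5 path (RSA)" and the newer "2048 SHA256:... path (RSA)" forms
# start with the key size; "The agent has no identities." and errors do not.
count_identities() {
    grep -c '^[0-9][0-9]* [^ ][^ ]* ' || true
}

# The page's start/source/ssh-add sequence, made safe to run from every new xterm.
# "ssh-add -l" exits 0 with keys loaded, 1 with an empty agent, 2 with no agent.
ensure_agent() {
    file=${1:-$HOME/agent.sh}
    if ssh-add -l >/dev/null 2>&1 || [ $? -eq 1 ]; then
        :                       # an agent is already reachable (desktop session or earlier source)
    elif agent_alive "$file"; then
        . "$file" >/dev/null    # re-export SSH_AUTH_SOCK/SSH_AGENT_PID of the old agent
    else
        ssh-agent > "$file"     # no usable agent: start one and record its variables
        chmod 600 "$file"
        . "$file" >/dev/null
    fi
    if [ "$(ssh-add -l 2>/dev/null | count_identities)" -eq 0 ]; then
        ssh-add                 # prompts for the passphrase once per agent
    fi
}
```

Source this file and call ensure_agent before the "ssh -A ..." commands; since -A lets each hop use your agent on your behalf, only forward it through gateways you trust, as this page does.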