Public key authentication
SSH public key authentication can be used by users to access machines without typing their password. Password free logins benefit remote access and automation. Moreover public key authentication prevent brute force attacks if all password-based authentication methods are disabled.
The following tip describes the SSH keys setup to access Grid'5000 from outside and then to access the resources of the grid.
As a Grid'5000 user, you use ssh in 3 cases:
- To access the grid from your workstation, via the connection to a site access machine (e.g.
- To acces the frontends of the sites from your point of entrance in the grid (e.g.
- To acces your resources (nodes) if you either use OAR with the "allow_classic_ssh" mode or deploy systems with a ssh server. (You should actually be using
oarshin any other case, and then do not have to bother customizing your ssh configuration as it is handled internally by OAR)
SSH keys security
Basically, SSH keys can be of two kind: with OR without passephrase
Keys with passphrase
- protected from an eventual steal by a passphrase, hence more secure
- In order to achieve non-interactive connection (with no passephrase to enter each time), one must use a SSH-Agent and forward it from host to host
Keys without passphrase
- don't have to bother adding the keys to the SSH-Agent and to forward it.
- stolen keys are unprotected
Authentication to access the grid (1)
Giving advice about SSH keys used outside of Grid'5000 is mostly out of the scope of the information here. However, you will certainly be using the same SSH keys to access servers of your lab or other labs and Grid'5000 access machines. As a general matter and in particular to access Grid'5000, we strongly recommend to use SSH keys with a passphrase in those cases.
Authentication from node to node, within the grid (2&3)
- First of all, all users must be conscious that data within Grid'5000 are unsecure. Thru the OS deployement capability, and because of NFS lack of security, Grid'5000 cannot prevent a steal of uid and the access to the data from others even if protected in term of UNIX rights (perm 600 of 700). Hence, it is advised to only grant a relative trust in the grid, and for that reason, to use dedicated SSH keys within Grid'5000, and not store your personal SSH keys used to connect outside of Grid'5000 to you servers.
- Second of all, as using the grid often require to connect from host to host non interactively, we advise the use of passphrase less SSH keys, even if unsecure with regard to a steal. Being dedicated to Grid'5000 internal usage, the security hole is not relevant, as anyway, NFS is not secure.
- Third of all, one may want to use the SSH Agent within Grid'5000, but as a reminder, it may be a security hole (see man ssh), and one will in some annoyed because of broken agent forwarding (OARSH and screen for instance break the SSH Agent chain).
As a consequence, we advise the use of a dedicated SSH keys within Grid'5000.
A look to a good SSH keys configuration
~/.ssh/authorized_keys should look like the following:
ssh-rsa [...rsa public key data...] jdoe@workstation, key with passphrase ssh-dss [...dss public key data...] jdoe@workstation, another key with passphrase (optional) ssh-rsa [...rsa public key data...] email@example.com Grid5000 dedicated key with no passphrase (idem id_rsa.pub below)
~/.ssh directory should contain the following files:
authorized_keys: file decribed above
id_rsa: your Grid'5000 dedicated key, private part
id_rsa.pub: your Grid'5000 dedicated key, public part
config: your eventual SSH client configuration file
known_hosts: the database of hosts keys that is checked and eventually updated upon every SSH connection
That directory and the files contained must be owned by you, and have permissions be at most 755. The
id_rsa file must be 600.
- You private keys from your workstation must absolutely not be copied here (
~/.ssh/id_dsastored in your home directory of your workstation).
- That directory must be replicated on every sites.
Step by step generation of your keys
to be completed