Shared Account Access
From Socs Info Wiki
This document describes how to gain access to shared accounts via an ssh key.
The basic idea is that you must generate an authentication key pair for use with ssh(1). One key is your private key, while the other is your public key. The authentication keys are created within ~/.ssh/ by the ssh-keygen(1) command. The private key is by default named ~/.ssh/identity while the public key is named ~/.ssh/identity.pub. The public key (the content of identity.pub) is then placed into the file ~/.ssh/authorized_keys of the shared account.
Two examples of shared accounts at SOCS are course accounts and the consultant account. Only the system staff can add public keys to the authorized_keys file of these shared accounts. Once you have generated your authentication key pair, send your public key (~/.ssh/identity.pub) to email@example.com as an attachment.
For more information about these commands, read ssh(1) and ssh-keygen(1) by running `man ssh` and `man ssh-keygen` respectively.
The procedure for getting access to course accounts is simple and involves only two commands, namely ssh-keygen(1) and ssh(1).
- The first step is to log onto one of our compute servers. To do this, we MUST use ssh(1). ssh(1) is available on every machine at SOCS.
    [nfland1][lab2-35][~] ssh linux
    nfland1@linux's password:
- The second step is to generate an ssh authentication key pair with the command ssh-keygen(1). WARNING: When generating authentication key pairs you MUST be logged in using ssh(1).
You will be asked to "Enter passphrase:" (shown in the session below). A good passphrase is 10-30 characters long, for example "oatmeal is damn good". From the man page: "USING GOOD, UNGUESSABLE PASSPHRASES IS STRONGLY RECOMMENDED." The passphrase can be changed later by using the -p option; however, there is no way to recover a lost passphrase. If the passphrase is lost or forgotten, you will have to generate a new key and copy the corresponding public key to the shared accounts (just as you did the first time around).
If ssh-keygen returns with "You must specify a key type (-t).", then add the flag "-t dsa".
    [linux] [~] ssh-keygen
    Initializing random number generator...
    Generating p: ...........................................++ (distance 548)
    Generating q: ........++ (distance 102)
    Computing the keys...
    Testing the keys...
    Key generation complete.
    Enter file in which to save the key (/home/user/nfland1/.ssh/identity):
    Enter passphrase:
    Enter the same passphrase again:
    Your identification has been saved in /home/user/nfland1/.ssh/identity.
    Your public key is:
    1024 33 134995975787556288425322019081800838397738714275289748767374552427442558
    03433819693075292979236283999305350080624796860556175299373823455532360833911288
    21842152494060961037539830392133015341634211365183441446396557862316559549461272
    11749587070553314436099285135022798195015680941225201003453832454281988975497 nfland1@linux
    Your public key has been saved in /home/user/nfland1/.ssh/identity.pub
- The third step is to email your public key (~/.ssh/identity.pub) to firstname.lastname@example.org by attaching the ~/.ssh/identity.pub file itself, using your favorite email agent (pine4 or netscape, etc.). Please don't copy/paste the key into the body of the email.
    [linux] [~] cat ~/.ssh/identity.pub
    1024 33 134995975787556288425322019081800838397738714275289748767374552427442558
    03433819693075292979236283999305350080624796860556175299373823455532360833911288
    21842152494060961037539830392133015341634211365183441446396557862316559549461272
    11749587070553314436099285135022798195015680941225201003453832454281988975497 nfland1@linux
- Once your public key (~/.ssh/identity.pub) has been appended to the authorized_keys file of the shared account, you will be able to log into that account using ssh(1).
For example, if I were the TA (Teaching Assistant) for cs520, and I had followed all the steps above, then I could log into the cs520 account as follows:
    [linux] [~] ssh linux -l cs520
    Enter passphrase for RSA key 'nfland1@linux':
    >1 :[cs520@mimi] [~] pwd
    /course/cs520
    >2 :[cs520@mimi] [~] whoami
    cs520
    >3 :[cs520@mimi] [~] exit
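The procedure depends on identity.pub arriving intact as a single line, which is why it is sent as an attachment. The following is an added example, not part of the original wiki page or of OpenSSH: a check that a submitted file has the "bits exponent modulus comment" layout shown above before it is appended to authorized_keys. The function names, the 1024-bit floor, the allowed comment characters and the sample line are assumptions made for this illustration.

```python
import re

# Added example: sanity-check a submitted identity.pub before it is appended
# to a shared account's authorized_keys. Field layout assumed from the key
# shown on this page: "bits exponent modulus comment" on a single line.
KEY_LINE = re.compile(r"([0-9]{1,5}) ([0-9]{1,10}) ([0-9]{1,2500}) ([A-Za-z0-9._@-]+)")
PRIVATE_MARKERS = ("SSH PRIVATE KEY FILE FORMAT", "-----BEGIN")
MIN_BITS = 1024  # assumption: policy floor equal to the key size shown on this page


def check_identity_pub(text):
    """Return a list of problems; an empty list means the file looks sane."""
    if any(marker in text for marker in PRIVATE_MARKERS):
        return ["this is a private key file; only identity.pub is ever sent"]
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) != 1:
        # A key pasted into a mail body is typically wrapped onto several lines.
        return ["expected exactly one key line, got %d" % len(lines)]
    match = KEY_LINE.fullmatch(lines[0])
    if match is None:
        return ["line is not 'bits exponent modulus comment'"]
    bits, exponent, modulus = (int(g) for g in match.group(1, 2, 3))
    problems = []
    if modulus.bit_length() != bits:
        problems.append("modulus bit length is %d, header says %d (truncated?)"
                        % (modulus.bit_length(), bits))
    if bits < MIN_BITS:
        problems.append("key is shorter than %d bits" % MIN_BITS)
    if exponent < 3 or exponent % 2 == 0 or modulus % 2 == 0:
        problems.append("exponent and modulus must both be odd, exponent >= 3")
    return problems


def constructed_sample():
    """A made-up line in the right shape; the number is not a real RSA modulus."""
    return "1024 33 %d ta@examplehost\n" % ((1 << 1023) | 1)


if __name__ == "__main__":
    good = constructed_sample()
    wrapped = good[:80] + "\n" + good[80:]  # what an 80-column mail wrap does
    for label, text in (("attached file", good), ("pasted and wrapped", wrapped)):
        print(label, "->", check_identity_pub(text) or "ok")
```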