Generate Certificates

From NMSL
Revision as of 02:59, 1 January 2010 by Aah10

Generate SSH Certificate

The instructions below are for Linux and Mac OSX. If you are not on Linux or OSX, you should either check for appropriate instructions to perform this on your operating system, use a Linux emulation environment (e.g. Cygwin or MinGW), or SSH into either nsl.cs.sfu.ca or one of the cluster machines in the lab.

The first step is to generate both a private and public key. This is done using the ssh-keygen key generation command. Simply type the command followed by the type of key to generate as shown below and follow the instructions on the screen. For Planet-Lab, the RSA algorithm is used for the type of the key. Make note of the location of the keys.

ssh-keygen -t rsa

During the key generation process, you will be prompted for a passphrase. The generated private key is encrypted with this passphrase, which is then needed to decrypt the key whenever it is used. Although it is not recommended, you can leave the passphrase blank when prompted. If you do enter a passphrase, you may need to use ssh-agent, as shown in the following section.

Once the keys are generated you will need to submit the public key (.pub) to your Planet-Lab account (under My Account->Keys). The private key should be copied to the ~/.ssh/ folder if it's not already there.


Using ssh-agent

Each time you log in using ssh or pssh, you will be asked for your passphrase in order to decrypt the private key. If you want a login session in which you do not have to enter the passphrase each time, you should activate ssh-agent. Public keys are not sensitive information and may be known to anybody, whereas the private key needs to be protected very carefully by a strong passphrase. Working with multiple servers is easier with ssh-agent: it remembers the passphrase so that the user does not need to type it every time he or she wants to connect or send data to the server. Identities (i.e. private keys) are added to the authentication agent, ssh-agent, using the ssh-add command, which takes as an argument the private key file to be added.

eval `ssh-agent`
ssh-add ~/.ssh/id_rsa

For the rest of this session you will not be prompted for the passphrase.


Configuring SSH

The next step is to relax SSH's host key checking. The first time you ssh into a given machine, you are asked whether or not you accept the machine's identification key. Since experiments on PlanetLab usually use a large number of nodes, the user would be prompted once for each node to be accessed. To get rid of these prompts, open or create the file ~/.ssh/config and make sure it contains these two lines.

StrictHostKeyChecking no
BatchMode yes
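
Placed at the top of ~/.ssh/config, the two lines above apply to every host you connect to, not only PlanetLab nodes. The following check is an added example, not part of the original page: it reports a `StrictHostKeyChecking no` that is in effect for all hosts so that it can be moved under a `Host` block limited to the experiment nodes. The function name `audit_ssh_config`, the sample helpers and the pattern `*.planetlab.example` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original page.
# audit_ssh_config reads an ssh client config (file argument or stdin) and
# reports every "StrictHostKeyChecking no" that applies to all hosts: set
# before the first Host/Match block, or inside "Host *" / "Match all".
# Returns 1 if any such line is found, 0 otherwise.
audit_ssh_config() {
    awk '
        BEGIN { global = 1; scope = "top of file"; bad = 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
        {
            gsub(/[=]/, " ")                   # accept Key=Value as well
            key = tolower($1); val = tolower($2)
            if (key == "host") {
                global = 0; scope = "Host *"
                for (i = 2; i <= NF; i++) if ($i == "*") global = 1
            } else if (key == "match") {
                global = (val == "all"); scope = "Match all"
            } else if (key == "stricthostkeychecking" && val == "no" && global) {
                printf "line %d: StrictHostKeyChecking no applies to all hosts [%s]\n", NR, scope
                bad = 1
            }
        }
        END { exit bad }
    ' "$@"
}

# Constructed sample: the two lines from this page at the top of the file.
sample_global() {
    printf '%s\n' 'StrictHostKeyChecking no' 'BatchMode yes'
}

# Constructed sample: the same options limited to a placeholder node pattern.
sample_scoped() {
    printf '%s\n' 'Host *.planetlab.example' \
        '    StrictHostKeyChecking no' \
        '    BatchMode yes'
}

# Demonstration on the constructed samples.
sample_scoped | audit_ssh_config && echo "scoped config: no global finding"
sample_global | audit_ssh_config || echo "global config: move the option under a Host block"
```

To check a real file, pass it as an argument: `audit_ssh_config ~/.ssh/config`.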