SSH

The Secure Shell (SSH) protocol is used to access interactive nodes on Mistral.

Clients

SSH client programs are available for all major operating systems. We focus here on OpenSSH, which ships with Linux, macOS, and Windows 10. Other client programs will probably work as well, but DKRZ cannot test or support them.

Access Mistral

Use the following command to access one of our login nodes

ssh <user-account>@mistral.dkrz.de

in which <user-account> must be replaced by your individual account.

Public Key Authentication

Password authentication, the default, is neither convenient nor very secure. To use public key authentication instead, you have to generate a key pair and upload the public key to DKRZ. Keys are generated with ssh-keygen, which supports several key types; we recommend ed25519 keys.

ssh-keygen -t ed25519

Please choose a strong passphrase: it encrypts the private key on disk, so a copied key file is useless on its own. By default this creates two files in ~/.ssh/, id_ed25519 (the private key, which must never be shared or uploaded) and id_ed25519.pub (the public key).

ls ~/.ssh/
id_ed25519     id_ed25519.pub

The file ending in .pub is the one to upload at https://luv.dkrz.de/pubkeys. First press "Add key":

(Screenshot: upload a new public key)

The public key can be selected from a file with the "Browse" button or pasted directly into the Key input field. Do not select UFTP unless you want to use this key exclusively for UFTP. After pressing "Register key", the key is uploaded to the server. To make it usable on Mistral, you then have to provide your LDAP password:

(Screenshot: push new keys to LDAP)

After that your key should be active and ready to use.

(Screenshot: ready-to-use keys are indicated with a green icon)
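The key generation and a pre-upload check of the .pub file as a shell script, added here as an example; it is not part of the DKRZ documentation or tooling. The file name ~/.ssh/id_ed25519_dkrz, the dated comment and the 42/365-day figures (taken from the six weeks and 365 days stated on this page) are assumptions, and the script also recognises the hardware-backed ed25519-sk keys described further down. Pasting the private key instead of the .pub, or a blob mangled by copy-and-paste, is the typical upload mistake the check catches:

```shell
#!/bin/sh
# Added example; not part of the DKRZ documentation. Generates an ed25519 key
# for DKRZ and sanity-checks a .pub file before it is pasted into
# https://luv.dkrz.de/pubkeys. The file name and the comment format are our
# own conventions, and the 42/365-day figures are taken from the page's
# "six weeks" and "365 days"; DKRZ tracks the real expiry on its side.

# Generate the key pair. An explicit -f keeps this key apart from keys for
# other sites; -a 100 raises the KDF rounds protecting the passphrase-encrypted
# private key; -C records when and where the key was made.
generate_dkrz_key() {
    ssh-keygen -t ed25519 -a 100 -f "${1:-$HOME/.ssh/id_ed25519_dkrz}" \
        -C "$(date +%F) $(id -un)@$(hostname) dkrz"
}

# Map a public-key type string to its DKRZ lifetime class:
# "sk 365" for hardware-backed keys, "classic 42" for ordinary keys.
key_class() {
    case "$1" in
        sk-*@openssh.com)                       echo "sk 365" ;;
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp*)  echo "classic 42" ;;
        *)                                      echo "unknown 0" ;;
    esac
}

# check_pubkey FILE: prints "ok <class> <days> <type>" and returns 0, or
# prints the problem and returns 1. Catches the usual upload mistakes:
# the private key instead of the .pub, several keys in one file, a blob
# mangled by copy-and-paste, or a key type DKRZ does not expect.
check_pubkey() {
    f=$1
    [ -r "$f" ] || { echo "error: cannot read $f"; return 1; }
    if grep -q 'PRIVATE KEY' "$f"; then
        echo "error: $f is a private key; upload the .pub file instead"
        return 1
    fi
    n=$(grep -c '[^[:space:]]' "$f" || :)
    if [ "$n" -ne 1 ]; then
        echo "error: $f must contain exactly one public key line (has $n)"
        return 1
    fi
    # Split the line into type, base64 blob and comment (word splitting is intended).
    # shellcheck disable=SC2046
    set -- $(grep '[^[:space:]]' "$f")
    ktype=$1; blob=$2
    if ! printf '%s' "$blob" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$'; then
        echo "error: key blob in $f is not valid base64"
        return 1
    fi
    set -- $(key_class "$ktype")
    if [ "$1" = unknown ]; then
        echo "error: unsupported key type $ktype (use ed25519 or ed25519-sk)"
        return 1
    fi
    # Authoritative parse plus fingerprint when OpenSSH is installed; shown
    # on stderr so the one-line verdict on stdout stays machine-readable.
    if command -v ssh-keygen >/dev/null 2>&1; then
        ssh-keygen -lf "$f" >&2 || echo "warning: ssh-keygen could not parse $f" >&2
    fi
    echo "ok $1 $2 $ktype"
}

# Usage: generate_dkrz_key; check_pubkey ~/.ssh/id_ed25519_dkrz.pub
```

Compare the fingerprint printed by ssh-keygen -lf with the one shown on the upload page after registering; a mismatch means the wrong file or a truncated paste. Keep the private key at mode 0600, since ssh refuses to use a key file readable by others.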

Key validity

For most key types, the validity (lifetime) of a key is six weeks. A longer lifetime is allowed for keys backed by hardware tokens (see below). You should receive an e-mail one day before the key expires; to continue using public key authentication, you then have to generate and upload a new key. The expired key is blocked from further use at DKRZ and cannot be uploaded again, so do not try to reuse it.
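A local reminder of the expiry date, added here as an example (it is not DKRZ tooling). It assumes the key comment starts with the creation date, as ssh-keygen -C "$(date +%F) dkrz" produces, and uses the lifetimes stated above, six weeks taken as 42 days and 365 days for token-backed keys. DKRZ computes the real expiry from the upload time, so treat the result as an estimate for having the next key ready in time:

```shell
#!/bin/sh
# Added example; not part of the DKRZ documentation. Estimates when a key
# expires from the date written into its comment, assuming the convention of
# starting the comment with the creation date, e.g.
#     ssh-keygen -t ed25519 -C "$(date +%F) dkrz"
# and the page's lifetimes (six weeks = 42 days; hardware-backed = 365 days).
# DKRZ tracks the real expiry from the upload time; this is a local reminder
# so the new key can be ready before the expiry e-mail arrives.

# Days since 1970-01-01 for a proleptic Gregorian date, in pure shell
# arithmetic, so it works in dash, bash and BSD sh without GNU "date -d".
days_from_civil() {   # YEAR MONTH DAY
    y=$1 m=$2 d=$3
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$(( (y >= 0 ? y : y - 399) / 400 ))
    yoe=$(( y - era * 400 ))
    mp=$(( m > 2 ? m - 3 : m + 9 ))
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( era * 146097 + doe - 719468 ))
}

# date_to_days YYYY-MM-DD: same, for an ISO date string. Leading zeros are
# stripped so that "08" is not read as an (invalid) octal number.
date_to_days() {
    IFS=- read -r y m d <<EOF
$1
EOF
    days_from_civil "$y" "${m#0}" "${d#0}"
}

# key_days_left PUBFILE [TODAY]: days until the key expires (negative once it
# has). TODAY defaults to the current date and is a parameter for testing.
key_days_left() {
    f=$1
    today=${2:-$(date +%F)}
    # shellcheck disable=SC2046  (splitting the key line into fields is intended)
    set -- $(grep '[^[:space:]]' "$f")
    ktype=$1 created=$3
    case "$created" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "error: comment in $f does not start with YYYY-MM-DD" >&2; return 1 ;;
    esac
    case "$ktype" in
        sk-*@openssh.com) lifetime=365 ;;   # FIDO2/U2F-backed key
        *)                lifetime=42  ;;   # classic key, six weeks
    esac
    echo $(( $(date_to_days "$created") + lifetime - $(date_to_days "$today") ))
}

# Usage: for k in ~/.ssh/*.pub; do printf '%s: %s days\n' "$k" "$(key_days_left "$k")"; done
```

Run it from a login script or a cron job and generate the replacement key when the count drops to a few days; the old key can still be used until DKRZ blocks it, so there is no gap if the new public key is uploaded first.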

Managing Multiple SSH Keys

You may need several SSH keys for different computer centres. Reasons are compartmentalisation (a key compromised at one site is useless at the others) and the fact that policies for key properties and lifetime differ from site to site.

By default the client offers every key it knows in turn, which wastes authentication attempts and can get the connection refused for too many failures before the right key is tried. To prevent this, tell ssh exactly which key to use for which site by creating or editing the configuration file ~/.ssh/config:

Host *.dkrz.de
     IdentityFile ~/.ssh/id_ed25519
     IdentitiesOnly yes

This tells ssh to use only the key ~/.ssh/id_ed25519 to log into any host under dkrz.de; IdentitiesOnly yes also stops it from offering keys held by ssh-agent to these hosts.
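A per-site configuration together with a check of which key ssh will actually offer, added here as an example (it is not from the DKRZ page); the key file names and the second site othersite.example are placeholders:

```shell
#!/bin/sh
# Added example; not part of the DKRZ documentation. Writes a per-site
# ~/.ssh/config that pins one key to each computer centre and shows how to
# verify which key ssh will actually offer. The key file names and the second
# site (othersite.example) are placeholders.

# write_site_config FILE ACCOUNT: one Host block per site. IdentitiesOnly yes
# makes ssh offer only the listed IdentityFile, ignoring the other keys in
# ~/.ssh and in ssh-agent. Without it every key is tried in turn, and sshd
# drops the connection after MaxAuthTries (default 6) with "Too many
# authentication failures" before the right key is reached.
write_site_config() {
    cfg=$1 acct=$2
    mkdir -p "$(dirname "$cfg")"
    cat > "$cfg" <<EOF
Host *.dkrz.de
    User $acct
    IdentityFile ~/.ssh/id_ed25519_dkrz
    IdentitiesOnly yes

Host *.othersite.example
    IdentityFile ~/.ssh/id_ed25519_othersite
    IdentitiesOnly yes
EOF
    chmod 600 "$cfg"   # ssh refuses a config file that is writable by others
}

# config_identity FILE HOSTPATTERN: the IdentityFile in that Host block, read
# straight from the file (no ssh needed).
config_identity() {
    awk -v want="$2" '
        $1 == "Host"                         { cur = $2 }
        $1 == "IdentityFile" && cur == want  { print $2 }
    ' "$1"
}

# identity_for HOST [FILE]: what ssh itself resolves for HOST, via ssh -G
# (OpenSSH 6.8+), which prints the effective configuration without connecting.
identity_for() {
    ssh -G -F "${2:-$HOME/.ssh/config}" "$1" | awk '$1 == "identityfile" { print $2 }'
}

# Usage:
#   write_site_config ~/.ssh/config <user-account>
#   identity_for mistral.dkrz.de        # expect only the DKRZ key
#   ssh -v mistral.dkrz.de 2>&1 | grep 'Offering public key'
```

The ssh -v line is the end-to-end check: with IdentitiesOnly in place only one "Offering public key" message should appear for the DKRZ host, naming the DKRZ key.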

Increased security and key lifetime with hardware authenticators

FIDO2 hardware key

OpenSSH 8.2 and later support FIDO/U2F hardware authenticators (tokens). A token raises the security of your SSH key: the private key can only be used together with the token, and you have to touch the token for every login, so a stolen key file and its passphrase alone are not enough for authentication. Because of this increased security, we allow a lifetime of 365 days for SSH keys that work in conjunction with such a token. There are two major requirements for the use of this technology:

  • A recent OpenSSH version on the client, i.e. OpenSSH 8.2 or newer.

  • A token.

We recommend asking your IT department for one. Choose FIDO-certified tokens following the U2F or FIDO2 specification, FIDO2 being the more future-proof of the two. At DKRZ, Yubico's YubiKey tokens have proven convenient; the cheaper Yubico "Security Key" model does the job.

Once you have a recent SSH client and a token, create a new SSH key of type ed25519-sk by running

ssh-keygen -t ed25519-sk

Upload the public key at https://luv.dkrz.de/pubkeys following the instructions for classic keys above. Do not select UFTP. You should see the extended lifetime when you upload the public key. For authentication with Mistral, the token has to be connected to your local device (via USB, NFC, etc.) and you have to touch it to confirm your presence.

Tips

Having two tokens, one at your desk and one on your keychain/…, has proven convenient. Each token needs a separate SSH key: run ssh-keygen -t ed25519-sk once per token and upload each public key.

macOS: the OpenSSH shipped by MacPorts (version 8.4 as of 30 Aug 2021) does not support FIDO2 keys. An ssh (8.7p1) installed via Homebrew does work.