
Passwordless ssh and scp

Normally both the ssh and scp client commands will prompt for your Hoffman2 Cluster password. If desired, follow the instructions here to ssh and scp without being asked for your password when you are coming from a specific desktop or laptop system that you normally use. For example, you can make it so that you can always login without a password from your personal workstation.

SSH Configuration Files

The ssh/scp commands use files in the .ssh subdirectory of your home directory for configuration purposes. There are two ways the .ssh subdirectory and the files in it can be created:

  • The ssh/scp commands will create them for you as required.
  • You can create them yourself.

For example, the first time you ssh from a login node to an interactive node on the same cluster, the ssh command will create ~/.ssh/known_hosts for you. Note that you should never ssh from Hoffman2 to another system (outside of the cluster) because the Hoffman2 Cluster is not behind a firewall and could be compromised.

The ~/.ssh/authorized_keys file may contain a list of public keys. By placing the public key for your login id on your personal machine in your authorized_keys file on Hoffman2, you allow your login id on your personal machine to ssh or scp to your cluster login id on the Hoffman2 Cluster without being asked for your Hoffman2 password.

Dangers Inherent in Passwordless Access

UCLA Policy 401 specifies the minimum security standards for all electronic devices connected to the UCLA Campus Network. If you allow passwordless access from your desktop workstation or from your laptop to the Hoffman2 Cluster and your machine does not meet those minimum standards, you risk compromising your login id on the Hoffman2 Cluster. The private key created in Step 2 below has no passphrase, so anyone who can read that file from your machine can log in to the cluster as you. Moreover, you could compromise the entire cluster, not just for your account, but for everyone else as well.

Steps to take to Enable Passwordless Access from Specific Machines

  1. On Hoffman2 check to see if you have a .ssh subdirectory in your home directory:
    cd
    ls -a
    

    If you don’t see .ssh in the list, make a subdirectory named .ssh:

    mkdir .ssh

  2. On your local machine (the machine from which you want a passwordless ssh connection to Hoffman2) perform the following steps. We will assume that you are in a terminal window of a Linux, macOS or Cygwin system.
    • If you do not have a .ssh subdirectory of your home directory, create one and go there:
      mkdir .ssh
      cd .ssh
      
    • Enter the following command:

      ssh-keygen -t rsa

      Do not enter a passphrase; just press the enter key. This will create the files id_rsa (your private key) and id_rsa.pub (your public key) on your local machine in the .ssh directory. Only id_rsa.pub is ever copied to Hoffman2; keep id_rsa readable only by you. Because the private key is stored unencrypted, anyone who obtains the file can log in as you. If you would rather protect the key at rest, enter a passphrase here and load the key once per session with ssh-add (the ssh-agent program then supplies it), and logins will still not prompt for your Hoffman2 password.

    • Copy the public key file to your .ssh subdirectory on Hoffman2. From your local machine, enter the command:
      scp id_rsa.pub login_id@hoffman2.idre.ucla.edu:.ssh/id_rsa.name.pub
      

      Replace login_id with your Hoffman2 login id, and name with a name you will use for this local machine.

  3. On Hoffman2 in the .ssh subdirectory, enter the command:
    cd ~/.ssh
    cat id_rsa.name.pub >> authorized_keys
    
  4. On Hoffman2 make sure that only you, as owner, have write access to the authorized_keys file, the .ssh subdirectory and your home directory.

    Set the proper permissions using symbolic modes:

    cd $HOME
    chmod a=,u=rwx .ssh/
    chmod a=,u=rw .ssh/authorized_keys
    

    This may also be specified in octal if you are more familiar with the traditional way of specifying unix permissions:

    cd $HOME
    chmod 700 .ssh/
    chmod 600 .ssh/authorized_keys
    

    If your home directory, .ssh subdirectory or authorized_keys file are writable by anyone other than you as owner, or are not owned by you, sshd (with its default StrictModes setting) ignores the authorized_keys file and ssh and scp will continue to ask for a password each time you access the cluster. There will not be any error message on your side telling you what the problem is: running ssh -v from your local machine only shows your key being offered and then a fallback to password authentication, because the reason is logged on the server only.
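The following script is an added example and not part of the original Hoffman2 page or its tooling. It performs Steps 3 and 4 for one account as a single checked operation: it refuses to install anything that is not an OpenSSH public key line (the classic mistake is copying id_rsa instead of id_rsa.pub), it appends the key only if it is not already present (a plain `cat >>` adds a duplicate every time it is rerun), it sets the home, .ssh and authorized_keys modes that sshd's StrictModes requires, and it then checks ownership and write bits so the silent "still asks for a password" failure described above can be diagnosed from the shell. The function names, the HOME_DIR parameter and the `install_key.sh` file name are this example's own assumptions; on the cluster you would pass "$HOME".

```shell
#!/bin/sh
# Added example (not from the Hoffman2 page): install a public key into an
# account's authorized_keys idempotently and verify the permissions sshd
# (StrictModes) insists on. HOME_DIR is a parameter so the script can be
# exercised on a scratch directory; on the cluster pass "$HOME".

# install_pubkey HOME_DIR PUBKEY_FILE
# Append the single public-key line in PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys,
# refusing files that are not OpenSSH public keys (e.g. a private key copied by mistake),
# and leave home, .ssh and authorized_keys writable only by their owner.
install_pubkey() {
    home=$1
    key=$(head -n 1 "$2")                    # .pub files are a single line
    case "$key" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *)  echo "refusing $2: not an OpenSSH public key line (did you copy the private key?)" >&2
            return 2 ;;
    esac
    mkdir -p "$home/.ssh"
    chmod go-w "$home"                       # home may stay readable, but never group/world writable
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    # Plain 'cat >>' adds a duplicate on every run; append only if the line is absent.
    grep -qxF -- "$key" "$home/.ssh/authorized_keys" ||
        printf '%s\n' "$key" >>"$home/.ssh/authorized_keys"
}

# check_sshd_perms HOME_DIR
# Return 0 if home, .ssh and authorized_keys are owned by the current user and
# writable only by the owner; otherwise name the offending path on stderr.
# sshd reports this only in its own log, which cluster users cannot read.
check_sshd_perms() {
    home=$1
    me=$(id -un 2>/dev/null || id -u)
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$path" ] || { echo "missing: $path" >&2; return 1; }
        set -- $(ls -ld "$path")             # $1 = mode string (e.g. drwx------), $3 = owner
        [ "$3" = "$me" ] || { echo "not owned by $me: $path" >&2; return 1; }
        case "$1" in
            ?????w*|????????w*)              # a 'w' in the group or the other triplet
                echo "group or world writable: $path ($1)" >&2; return 1 ;;
        esac
    done
    return 0
}

# Usage on the cluster: sh install_key.sh "$HOME" ~/.ssh/id_rsa.laptop.pub
if [ $# -ge 2 ]; then
    install_pubkey "$1" "$2" && check_sshd_perms "$1"
fi
```

The mode check reads the `ls -ld` string rather than using `stat`, because the `stat` flags differ between Linux and macOS; the key-type check deliberately accepts only the key formats ssh-keygen produces, so a pasted private key, an empty file or a PuTTY-format key is rejected before anything is written.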

UCLA OIT

© 2016 UC REGENTS TERMS OF USE & PRIVACY POLICY