SSH Configuration

During the VM setup process, we used ssh to securely connect to the CS network and create our VMs. Unfortunately, though, getting all the way from your local development machine to your VM takes several steps and a whole lot of typing. We can do better by configuring ssh appropriately and setting up ssh keys to make authentication easier.

NOTE: this guide assumes that you already have the USF VPN set up and are connected, or in a location where you can access CS servers directly (CS labs or CS classrooms).

First, we need to be able to reach the CS network. If you can run:

ssh username@stargate.cs.usfca.edu

And it prompts you for your password, then you can reach stargate. If that doesn’t work, you’ll need to check your VPN configuration or make sure you’re in a location where you can reach the CS network directly.

Creating an SSH Key (No password)

We’ll create a key specifically for this class. Before you run the command below, decide whether you want to protect your key with a password (ssh-keygen calls it a passphrase). You don’t have to set one, which can be very convenient, but the private key is then stored unencrypted, so if someone steals your development machine (or you leave it logged in somewhere) they can impersonate you and reach your VM.

The instructions that follow assume you aren’t using a password for your key. See the next section if you’d like to set up a key with a password.

Start by using ssh-keygen to generate a key.

$ ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_cs521
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again: 
Your identification has been saved in /Users/matthew/.ssh/id_ed25519_cs521
Your public key has been saved in /Users/matthew/.ssh/id_ed25519_cs521.pub
The key fingerprint is:
...
(fingerprint and randomart image display)
...

Next, we need to copy this new key to the CS network:

$ ssh-copy-id -i ~/.ssh/id_ed25519_cs521 mmalensek@stargate.cs.usfca.edu
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_ed25519_cs521.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
mmalensek@stargate.cs.usfca.edu's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'mmalensek@stargate.cs.usfca.edu'"
and check to make sure that only the key(s) you wanted were added.

$ ssh -i ~/.ssh/id_ed25519_cs521 mmalensek@stargate.cs.usfca.edu
Last login: Wed Jan 23 22:00:31 2019 from 75.25.144.132
[stargate:~]$ # hooray! It didn't ask for a password.

Now that we can reach the CS network with our key, let’s configure ssh to jump through it to get to our VM. Edit ~/.ssh/config on your local machine, not on the VM (create the file if it doesn’t exist already), and add the following, substituting your own values for VMNAME, VMUSERNAME, and VMID:

Host stargate.cs.usfca.edu gojira.cs.usfca.edu gojira VMNAME
    User VMUSERNAME
    ServerAliveInterval 120
    IdentityFile ~/.ssh/id_ed25519_cs521

Host gojira
    ProxyJump stargate.cs.usfca.edu

Host VMNAME
    HostName 192.168.122.VMID
    ProxyJump stargate.cs.usfca.edu,gojira.cs.usfca.edu

Note that you can leave entries from your other classes (if any) in the file. No need to remove anything; we’re just adding the lines above.

Test out the connection by running ssh VMNAME on your local machine. Type in your VM user account’s password, and you should be logged in. To make our life even easier, we should copy over our ssh key to the VM as well:

$ ssh-copy-id -i ~/.ssh/id_ed25519_cs521 VMNAME
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/Users/matthew/.ssh/id_ed25519_cs521.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
mmalensek@192.168.122.100's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'VMNAME'"
and check to make sure that only the key(s) you wanted were added.

Now I can log in instantly without my password!
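
To confirm that ssh resolves VMNAME the way the configuration above intends, without opening a connection, you can inspect the output of ssh -G. The script below is an added example, not part of the original guide; the function names and the trimmed sample output are constructed for illustration, and the sample assumes VMID 100 and the mmalensek account seen in the transcripts above.

```sh
#!/bin/sh
# Added example (not from the original guide): audit what ssh resolved for a host.
# Reads `ssh -G HOST` output on stdin, prints one line per problem, and
# returns non-zero if any check fails.
#   $1 expected ProxyJump chain   $2 key file name   $3 expected HostName prefix
audit_ssh_route() {
    awk -v jump="$1" -v key="$2" -v prefix="$3" '
        $1 == "proxyjump"    { pj = $2 }
        $1 == "hostname"     { host = $2 }
        $1 == "identityfile" { n = split($2, part, "/"); if (part[n] == key) found = 1 }
        END {
            bad = 0
            if (pj != jump) { print "proxyjump is [" pj "], expected [" jump "]"; bad = 1 }
            if (index(host, prefix) != 1) { print "hostname [" host "] does not start with " prefix; bad = 1 }
            if (!found) { print "identityfile " key " is not offered"; bad = 1 }
            exit bad
        }'
}

# Constructed, trimmed sample of `ssh -G VMNAME` output; real output has many
# more lines and its exact layout can vary between OpenSSH versions.
sample_ssh_G() {
    cat <<'EOF'
user mmalensek
hostname 192.168.122.100
port 22
addkeystoagent false
identityfile ~/.ssh/id_ed25519_cs521
proxyjump stargate.cs.usfca.edu,gojira.cs.usfca.edu
serveraliveinterval 120
EOF
}

# Real use:
#   ssh -G VMNAME | audit_ssh_route 'stargate.cs.usfca.edu,gojira.cs.usfca.edu' id_ed25519_cs521 192.168.122.
if sample_ssh_G | audit_ssh_route 'stargate.cs.usfca.edu,gojira.cs.usfca.edu' \
        id_ed25519_cs521 192.168.122.; then
    echo "VMNAME route OK"
else
    echo "VMNAME route needs fixing" >&2
fi
```

A missing proxyjump line or an unexpected identityfile usually means an earlier Host block in ~/.ssh/config matched first, since ssh uses the first value it finds for each option.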

Creating an SSH Key (WITH a password)

To set up an ssh key with a password, follow the steps outlined in the previous section but enter a password when prompted during the ssh-keygen step. If you proceed from there, you’ll notice that everything works well except you will get prompted for the key’s password multiple times every time you ssh to your VM.

To avoid typing the password so many times, you can use ssh-agent to store it. To make this happen, simply edit your ~/.ssh/config again and add the AddKeysToAgent option:

Host stargate.cs.usfca.edu gojira.cs.usfca.edu gojira VMNAME
    ...
    AddKeysToAgent yes
    ...

The other options ("…") are not shown for brevity. Please see the previous section for the full set of options if you need a reference.

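With this setting enabled, ssh hands the unlocked key to ssh-agent the first time you enter its password, so later connections won’t prompt you again while the agent is running.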

NOTE: while macOS will automatically run ssh-agent when you log in, you may need to configure Windows/Linux to do so as well, or run it yourself with eval $(ssh-agent -s).

Creating a Key for the VM

At this point you should be able to type ssh VMNAME and be presented with a command prompt on your VM without intermediate steps. Thanks to the ProxyJump configuration, ssh will automatically bounce through the intermediate servers. Finally, it’s a good idea to create an ssh key for your VM as well. To do this, log in and then run ssh-keygen:

$ ssh VMNAME
[mmalensek@VMNAME]$ ssh-keygen

(I’d recommend going passwordless for the VM key). Okay, enough messing with ssh for now!