Skip to content

Quickstart guide to the SSH CA

Secure Shell (SSH) certificates offer a simple and secure alternative to traditional SSH keys. SSH certificates are requested from a Certificate Authority (CA) and then used to access a resource.

Configuration

Before starting to use the SSH CA, you need to set up an SSH key pair and configure your system to trust the SSH CA.

  1. Generate a new personal SSH key pair.

    ssh-keygen -t ed25519 -f ~/.ssh/id_EFP
    This creates the two files, the private and public keys respectively. 
    ~/.ssh/id_EFP  
~/.ssh/id_EFP.pub

  2. Trust the CA SSH's public key.

    echo '[sshca.my-eurohpc.eu]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlPFxv2xhvg2Jlyt7TE8cTuVbk27LpFJmILWpXm/7xz' >> ~/.ssh/known_hosts

You only need to perform these steps once on each of your systems.

Connect to a resource

To connect to a resource, you use your SSH key pair to request a certificate.

  1. Using your browser, login to https://sshca.my-eurohpc.eu.

  2. After logging in, the portal will list the resources that you can access. This includes the ssh command-line needed to request a certificate for the resource. Copy the command-line for the intended resource and paste it into your terminal window to execute the command; for example 

    ssh -i ~/.ssh/id_EFP -p 2222 sshca.my-eurohpc.eu token 7WCD4IZCVTQ623CC7URBNJ2HQI-A > ~/.ssh/id_login.deucalion.macc.fccn.pt-cert.pub

  3. Return to your browser.

  4. Copy the ssh command-line displayed into your system clipboard and paste it into your terminal window; for example 

    ssh -o CertificateFile=~/.ssh/id_login.deucalion.macc.fccn.pt-cert.pub user@login.deucalion.macc.fccn.pt demo