Quickstart guide to the SSH CA
Secure Shell (SSH) certificates offer a simple and secure alternative to traditional SSH keys. SSH certificates are requested from a Certificate Authority (CA) and then used to access a resource.
Configuration
Before starting to use the SSH CA, you need to set up an SSH key pair and configure your system to trust the SSH CA.
- Generate a new personal SSH key pair.
  ssh-keygen -t ed25519 -f ~/.ssh/id_EFP
  This creates two files, ~/.ssh/id_EFP and ~/.ssh/id_EFP.pub, the private and public keys respectively.
- Trust the SSH CA's public key.
  echo 'sshca.my-eurohpc.eu ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlPFxv2xhvg2Jlyt7TE8cTuVbk27LpFJmILWpXm/7xz' >> ~/.ssh/known_hosts
You only need to perform these steps once on each of your systems.
Connect to a resource
To connect to a resource, you use your SSH key pair to request a certificate.
- Using your browser, log in to https://sshca.my-eurohpc.eu.
- After logging in, the portal lists the resources that you can access, together with the ssh command line needed to request a certificate for each resource. Copy the command line for the intended resource and paste it into your terminal window to execute it. (The following is an example; copy and paste the command line shown in your browser.)
  ssh -i ~/.ssh/id_EFP -o IdentitiesOnly=yes -p 2226 sshca.my-eurohpc.eu token OICCDNIG5BBCM5MOAHM4HXXE36-A > ~/.ssh/id_login.deucalion.macc.fccn.pt-cert.pub
- Return to your browser.
- Copy the ssh command line displayed there to your system clipboard and paste it into your terminal window. (The following is an example; copy and paste the command line shown in your browser.)
  ssh -i ~/.ssh/id_EFP -o IdentitiesOnly=yes -o CertificateFile=~/.ssh/id_login.deucalion.macc.fccn.pt-cert.pub user@login.deucalion.macc.fccn.pt
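If the final connection is refused, the certificate file written by the first command is the first thing to check. The following is an added example, not part of the original guide or the SSH CA's own tooling: it parses an Ed25519 certificate using the field layout from OpenSSH's PROTOCOL.certkeys and reports whether the certificate matches your public key and is inside its validity window. It does not verify the CA's signature (the server does that), and the key, key ID, principal and timestamps in the sample are constructed.

```python
import base64
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"

def pack(b):
    return struct.pack(">I", len(b)) + b  # SSH 'string': uint32 length + bytes

def take(buf, off):
    """Decode one SSH 'string' at offset off; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated data")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_cert(line):
    """Parse the one line of a *-cert.pub file (Ed25519 certificates only)."""
    blob = base64.b64decode(line.split()[1])
    kind, off = take(blob, 0)
    if kind != CERT_TYPE:
        raise ValueError("not an Ed25519 SSH certificate")
    _nonce, off = take(blob, off)
    pubkey, off = take(blob, off)
    _serial, ctype = struct.unpack_from(">QI", blob, off)
    key_id, off = take(blob, off + 12)
    packed, off = take(blob, off)
    after, before = struct.unpack_from(">QQ", blob, off)
    principals, p = [], 0
    while p < len(packed):
        name, p = take(packed, p)
        principals.append(name.decode())
    return {"pubkey": pubkey, "type": ctype, "key_id": key_id.decode(),
            "principals": principals, "valid_after": after, "valid_before": before}

def problems(cert, pub_line, now):
    """Reasons the certificate cannot be used with this public key at time now."""
    blob = base64.b64decode(pub_line.split()[1])
    key, _ = take(blob, take(blob, 0)[1])  # skip the "ssh-ed25519" type string
    checks = [(cert["type"] == 1, "not a user certificate"),
              (cert["pubkey"] == key, "issued for a different key"),
              (cert["valid_after"] <= now < cert["valid_before"], "outside validity window")]
    return [msg for ok, msg in checks if not ok]

# Constructed sample: dummy key, CA and signature bytes, not from a real CA.
KEY = bytes(range(32))
PUB_LINE = "ssh-ed25519 " + base64.b64encode(pack(b"ssh-ed25519") + pack(KEY)).decode()
CERT_LINE = CERT_TYPE.decode() + " " + base64.b64encode(
    pack(CERT_TYPE) + pack(b"\0" * 32) + pack(KEY) + struct.pack(">QI", 7, 1)
    + pack(b"constructed-id") + pack(pack(b"user")) + struct.pack(">QQ", 1000, 2000)
    + pack(b"") * 3 + pack(b"dummy-ca") + pack(b"dummy-sig")).decode()
```

On a real system, pass the contents of the -cert.pub file and of ~/.ssh/id_EFP.pub with int(time.time()) as now; ssh-keygen -L -f on the certificate file prints the same fields.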