Generating Key Pair and Registering Public Key

Public key authentication is an alternative to password authentication for identifying yourself to a login server. It uses a pre-generated key pair: a public key, which you register on the server, and a private key, which stays on your own computer. Password authentication can be abused by a third party through cracking such as dictionary attacks. With key authentication, the one thing you have to keep in mind is that the private key must be strictly protected; there is then no concern about such attacks.
A private key is protected by setting a passphrase (a long password that adds a second layer of security). The passphrase prevents your private key from being misused if your computer or laptop is stolen or the private key file leaks.

Important!: All users are prohibited from using a private key that has no passphrase.

Note that our Systems automatically delete any private key stored on the login node that has no passphrase.

This section explains how to generate a public/private key pair and register the public key, using PuTTY on Windows as an example.

Before generating a key pair, you need to complete installing PuTTY. For how to install PuTTY, see Installing PuTTY.

  1. Open the Windows Start button > All Programs, and start PuTTYgen.

  2. In the PuTTY Key Generator window, enter 2048 in the box labelled Number of bits in a generated key, shown as (1) below.

  3. Click Generate next to Generate a public/private key pair, shown as (2) below.

  4. Move the mouse over the blank area of the window and keep moving it for about ten seconds, until the progress bar reaches the end (the mouse movement supplies the randomness used to generate the key).

  5. When key generation finishes, the window shown below appears. Enter a passphrase in (1) and enter it again in (2).

    What is a Strong Passphrase?
    A strong passphrase is a long string of characters (more than 12) that includes all four of the following categories: uppercase letters, lowercase letters, numbers, and symbols. Avoid any personal information, especially anything associated with your name. For tips on creating strong passwords and passphrases, see Notice: The Importance of Creating Strong Passwords and Passphrases.

  6. Click Save private key, shown as (3) below. In the dialog box, select a folder and save the file under a new name. Keep your private key confidential.

  7. Copy the public key shown in (4) below so that you can register it via the User Portal. The public key is a very long string and is displayed wrapped over several lines: select and copy the whole string, including the part hidden behind the scroll bar, and paste it into the User Portal.

  8. If you use FastX for X (GUI) environments, also select Export OpenSSH key from the Conversions menu. In the dialog box, select a folder and save the file as 'id_rsa'.

  9. Close the window by clicking the X in the top right corner.

This section explains how to create a public/private key pair using the ssh-keygen command.

Before generating a key pair, you need to have OpenSSH installed. OpenSSH is pre-installed in recent distributions.

$ ssh-keygen -t rsa -b 2048 -m pem  #(1)
Generating public/private rsa key pair.
Enter file in which to save the key (/home/taro/.ssh/id_rsa): #(2)
Enter passphrase (empty for no passphrase):  #(3)
Enter same passphrase again:  #(4)
Your identification has been saved in /home/taro/.ssh/id_rsa.
Your public key has been saved in /home/taro/.ssh/id_rsa.pub.
The key fingerprint is:
8c:13:10:d2:c0:12:c5:0b:53:d4:3f:b6:9c:16:f6:ca taro@test.kyoto-u.ac.jp

(1) Generate a 2048-bit RSA key pair for SSH protocol version 2. The -m pem option writes the private key in PEM format instead of the newer OpenSSH-specific format; note that the PEM format protects the key with a much weaker key derivation from the passphrase, so choosing a strong passphrase matters all the more.
(2) Enter the file name in which to save the private key. The default is ~/.ssh/id_rsa; press Enter to accept it.
(3) Enter a passphrase. Do not leave it empty.
(4) Enter the same passphrase again.

For what counts as a strong passphrase, see What is a Strong Passphrase? above, and Notice: The Importance of Creating Strong Passwords and Passphrases.

When you accept the default file name, the key pair is stored in the ~/.ssh directory as shown below: 'id_rsa' is the private key and 'id_rsa.pub' is the public key. Only the public key is ever copied anywhere. Before logging in to the System(s), register the public key by following the instructions in Registering a Public Key via the User Portal.

$ ls ~/.ssh/
id_rsa id_rsa.pub
$ cat ~/.ssh/id_rsa.pub 
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAsotK4PbdadfhbXbTPIsxvwKFIg+8Lmp0pXKckAOuSnoaaT516ddj9rnIJlE/JaJf0cltp+087R6Ov8LPY+QeQvzzUfGiAQQVdwBiMrVQVqXylIoidU86uz/w8GITXltu1m+fXO+O26dEESQWsAgiNfVOzB57OCadGX1iCy6/2CxvNEB3mnHkvmC+H3azP27tTARHXqTBThuxjwR9iZBkx2iYSW3tVg0cDdzuLP3ULVrJXHrrLCr1HGaAzQEs0M+vtrV+G8gLlkeqbKy4YKWKUY/xkM8c/20jnSKP36SeU4fezbRQREkYqRjx4a3kx97K1sfch/WKwzuHWqhYYMtvEw== taro@test.kyoto-u.ac.jp
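As an added example (not code from the original page), the following script inspects the two files ssh-keygen leaves in ~/.ssh: it parses the public key line (the taro key shown above is used as sample input), reports the key type, the RSA modulus size and the public exponent, and prints the fingerprint in the colon-separated MD5 form ssh-keygen shows above and in the SHA256 form newer versions print; and it checks whether a private key file is protected by a passphrase, which is what the Systems enforce. The private key samples are constructed placeholders, and the function names are ours.

```python
# Added example (not from the original page): inspect the key pair that
# ssh-keygen (or PuTTYgen's "Export OpenSSH key") leaves in ~/.ssh.
# Standard library only; runs offline.
import base64
import hashlib
import struct

# Sample input: the id_rsa.pub line shown on this page (taro's key).
SAMPLE_PUBKEY = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAsotK4PbdadfhbXbTPIsxvwKFIg+8Lmp0pXKckAOuSnoaaT516ddj9rnIJlE/JaJf0cltp+087R6Ov8LPY+QeQvzzUfGiAQQVdwBiMrVQVqXylIoidU86uz/w8GITXltu1m+fXO+O26dEESQWsAgiNfVOzB57OCadGX1iCy6/2CxvNEB3mnHkvmC+H3azP27tTARHXqTBThuxjwR9iZBkx2iYSW3tVg0cDdzuLP3ULVrJXHrrLCr1HGaAzQEs0M+vtrV+G8gLlkeqbKy4YKWKUY/xkM8c/20jnSKP36SeU4fezbRQREkYqRjx4a3kx97K1sfch/WKwzuHWqhYYMtvEw== taro@test.kyoto-u.ac.jp"


def _read_string(blob, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def parse_public_key(line):
    """Parse an OpenSSH public key line: '<type> <base64 blob> [comment]'.

    Returns the type, comment, fingerprints in both formats ssh-keygen -l
    prints (colon-separated MD5; SHA256 base64 without padding) and, for
    RSA keys, the public exponent and the modulus size in bits.
    """
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    blob_type, off = _read_string(blob, 0)
    if blob_type != key_type.encode():
        raise ValueError("type %r in text but %r inside blob" % (key_type, blob_type))
    info = {"type": key_type, "comment": comment, "exponent": None, "bits": None}
    if key_type == "ssh-rsa":
        # RSA blob layout: string "ssh-rsa", mpint e, mpint n (big-endian).
        e, off = _read_string(blob, off)
        n, off = _read_string(blob, off)
        if off != len(blob):
            raise ValueError("trailing bytes after RSA modulus")
        info["exponent"] = int.from_bytes(e, "big")
        info["bits"] = int.from_bytes(n, "big").bit_length()
    md5 = hashlib.md5(blob).hexdigest()
    info["md5"] = ":".join(md5[i:i + 2] for i in range(0, len(md5), 2))
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    info["sha256"] = "SHA256:" + sha
    return info


def private_key_has_passphrase(text):
    """Return True if a private key file is encrypted with a passphrase.

    Handles PEM (written by 'ssh-keygen -m pem' and by PuTTYgen's Export
    OpenSSH key), where encryption is signalled by 'Proc-Type: 4,ENCRYPTED'
    and 'DEK-Info:' header lines, and the native OpenSSH format, whose binary
    header names the cipher and KDF ('none' for both means stored in clear).
    """
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN ") or not lines[-1].startswith("-----END "):
        raise ValueError("not a PEM-style private key file")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(blob, len(magic))
        kdf, _ = _read_string(blob, off)
        return cipher != b"none" and kdf != b"none"
    headers = [ln for ln in lines[1:-1] if ":" in ln]
    return (any(h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers)
            and any(h.startswith("DEK-Info:") for h in headers))


def openssh_key_header(cipher, kdf):
    """Constructed test data: only the leading fields of an openssh-key-v1
    file (a real file continues with KDF options, key count and the keys)."""
    body = b"openssh-key-v1\x00"
    for field in (cipher, kdf):
        body += struct.pack(">I", len(field)) + field
    b64 = base64.b64encode(body).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % b64


# Constructed PEM samples: the bodies are placeholders, not real key material.
PEM_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

AAAA
-----END RSA PRIVATE KEY-----
"""
PEM_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
AAAA
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    info = parse_public_key(SAMPLE_PUBKEY)
    print("%(type)s %(bits)s-bit key (e=%(exponent)s) for %(comment)s" % info)
    print("MD5    ", info["md5"])
    print("SHA256 ", info["sha256"])
    for name, sample in (("PEM encrypted", PEM_ENCRYPTED), ("PEM plain", PEM_PLAIN),
                         ("OpenSSH aes256-ctr", openssh_key_header(b"aes256-ctr", b"bcrypt")),
                         ("OpenSSH none", openssh_key_header(b"none", b"none"))):
        print("%-20s passphrase: %s" % (name, private_key_has_passphrase(sample)))
```

Run it against your own files with `parse_public_key(open("~/.ssh/id_rsa.pub").read())` and `private_key_has_passphrase(open("~/.ssh/id_rsa").read())` (expanding the tilde); a result of False from the second call means the key would be deleted from the login node and must be regenerated or given a passphrase with `ssh-keygen -p`.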

  1. Go to the User Portal and log in with your User ID and password.

  2. Select the SSH Public Key menu.

  3. On the Add SSH Public Key page, enter a title of your choice and paste the public key you created into the Public Key field. After confirming that a passphrase has been set for the key, click 追加 (Add) to complete the registration.

  4. After registration is complete, you can log in to the System(s) using the private key and its passphrase. For how to log in, see Logging In on Windows or Logging In on Mac and Linux.

A leaked private key poses a serious security threat to the System(s). Keep your private key confidential. If there is any indication that your private key may have leaked, contact us by email at portal * kudpc.kyoto-u.ac.jp (replace the asterisk with an at sign "@").

If you log in to the System(s) from multiple PCs, such as a desktop PC and a laptop, generate a separate key pair on each PC instead of copying one private key between them.

A public key registered via the User Portal is stored in the '~/.ssh/authorized_keys' file on the System(s), as shown below. To add or remove public keys afterwards, edit this file directly.

When registration via the User Portal is complete, the key appears in the file as follows.

$ cat ~/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA2u3ckgu2sakTgLgpjK2Ihd9O4oN6FNPovlDsTtSzErd665L4SkyzGY5wc35CqAehxi3kRLxugseUTykHUeTBHVSJju1arYPnnL1CdURqraSBsIRyErPUE8YFcDtPpmr8wCcdzB8iTsLOs4vo/L1nxGOZn0iifhZ7mLMu+3G55JFJsafn0s/e7sP6KMiQJ6Muv026Y6zUcLalp11ILrta4+ep0mvH6jjhCpzEnupRxVWDvZASMhfUF/pG61o9shqMBvKNCUVxhjZlyRARtpVvRBhjjxcaXV87EpiUBnzPSQ+JlLsFtuRKUtUwjaSxZIBaVPxSrGBhwkq3URPAhyD8QQ== rsa-key-20120315

To add another public key, append it as a new line using a text editor (one key per line).

$ cat ~/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA2u3ckgu2sakTgLgpjK2Ihd9O4oN6FNPovlDsTtSzErd665L4SkyzGY5wc35CqAehxi3kRLxugseUTykHUeTBHVSJju1arYPnnL1CdURqraSBsIRyErPUE8YFcDtPpmr8wCcdzB8iTsLOs4vo/L1nxGOZn0iifhZ7mLMu+3G55JFJsafn0s/e7sP6KMiQJ6Muv026Y6zUcLalp11ILrta4+ep0mvH6jjhCpzEnupRxVWDvZASMhfUF/pG61o9shqMBvKNCUVxhjZlyRARtpVvRBhjjxcaXV87EpiUBnzPSQ+JlLsFtuRKUtUwjaSxZIBaVPxSrGBhwkq3URPAhyD8QQ== rsa-key-20120315
ssh-rsa AAAAffffC1yc2EAAAABJQAAAQEA2u3ckgu2sakTgLgpjK2Ihd9O4oN6FNPovlDsTtSzErd665L4SkyzGY5wc35CqAehxi3kRLxugseUTykHUeTBHVSJju1arYPnnL1CdURqraSBsIRyErPUE8YFcDtPpmr8wCcdzB8iTsLOs4vo/L1nxGOZn0iifhZ7mLMu+3G55JFJsafn0s/e7sP6KMiQJ6Muv026Y6zUcLalp11ILrta4+ep0mvH6jjhCpzEnupRxVWDvZASMhfUF/pG61o9shqMBvKNCUVxhjZlyRARtpVvRBhjjxcaXV87EpiUBnzPSQ+JlLsFtuRKUtUwjaSxZIBaVPxSrGBhwkq3URPAhyD8QQ== rsa-key-20121022

To increase security, you can put options in front of a key in the authorized_keys file. For details, see the AUTHORIZED_KEYS FILE FORMAT section of the sshd manual page ('man sshd').

A secure form of access control is to restrict where a key may be used from: prefix the key (the string beginning with 'ssh-rsa') with the IP address or hostname of the computer you log in from, in the form from="192.168.0.1" or from="myhost.jp", for example. Any login attempt with that public key from a client that does not match the pattern is denied. The asterisk (*) acts as a wildcard in both addresses and hostnames; several patterns may be listed separated by commas, and a pattern prefixed with '!' denies any client it matches. Hostname patterns only work if sshd resolves the client's address to a name (its UseDNS option, which is off by default in OpenSSH 6.8 and later), so IP address patterns are the more reliable choice.
With a setting like the one below, your account accepts logins only from your laboratory or institution network.

$ cat ~/.ssh/authorized_keys
from="10.113.*.*" ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA2u3ckgu2sakTgLgpjK2Ihd9O4oN6FNPovlDsTtSzErd665L4SkyzGY5wc35CqAehxi3kRLxugseUTykHUeTBHVSJju1arYPnnL1CdURqraSBsIRyErPUE8YFcDtPpmr8wCcdzB8iTsLOs4vo/L1nxGOZn0iifhZ7mLMu+3G55JFJsafn0s/e7sP6KMiQJ6Muv026Y6zUcLalpkkjj11ILrta4+ep0mvH6jjhCpzEnupRxVWDvZASMhfUF/pG61o9shqMBvKNCUVxhjZlyRARtpVvRBhjjxcaXV87EpiUBnzPSQ+JlLsFtuRKUtUwjaSxZIBaVPxSrGBhwkq3URPAhyD8QQ== rsa-key-20120315
from="*.kyoto-u.ac.jp" ssh-rsa AAAAffffC1yc2EAAAABJQAAAQEA2u3ckgu2sakTgLgpjK2Ihd9O4oN6FNPovlDsTtSzErd665L4SkyzGY5wc35CqAehxi3kRLxugseUTykHUeTBHVSJju1arYPnnL1CdURqraSBsIRyErPUE8YFcDtPpmr8wCcdzB8iTsLOs4vo/L1nxGOZn0iifhZ7mLMu+3G55JFJsafn0s/e7sP6KMiQJ6Muv026Y6zUcLalp11ILrta4+ep0mvH6jjhCpzEnupRxVWDvZASMhfUF/pG61o9shqMBvKNCUVxhjZlyRARtpVvRBhjjxcaXV87EpiUBnzPSQ+JlLsFtuRKUtUwjaSxZIBaVPxSrGBhwkq3URPAhyD8QQ== rsa-key-20121022

Note:

  • To avoid locking yourself out through a mistake while editing the authorized_keys file, keep your current login session open, and open a separate terminal to confirm that you can still connect before closing the first one.
  • This notation cannot be entered through the public key registration form on the User Portal; you have to edit the authorized_keys file directly.
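The following is an added example, not part of the original page, that reads authorized_keys entries including their option prefix and checks which entries would admit a client, following the matching rules sshd applies to from=: an address matches a CIDR pattern or, failing that, a wildcard pattern on the address text; the resolved hostname matches wildcard patterns case-insensitively; any matching negated ('!') pattern denies. Passing no hostname models a server with UseDNS off. The sample authorized_keys content and the client addresses are constructed, the key blobs are placeholders rather than real keys, and the function names are ours.

```python
# Added example (not from the original page): parse authorized_keys entries
# and check which ones would admit a client, following the matching rules of
# sshd's from= option.  Standard library only; runs offline.
import ipaddress
import re

# Constructed sample file: the key blobs are short placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
# desktop in the lab: wildcard on the address text
from="10.113.*.*" ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA2u3c rsa-key-20120315
# hostname wildcard with one host excluded, plus a second option
from="*.kyoto-u.ac.jp,!badhost.kyoto-u.ac.jp",no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA2u3c rsa-key-20121022
# CIDR form with a negated sub-range
from="10.113.0.0/16,!10.113.99.0/24" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA laptop
"""

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def _split_outside_quotes(text, separators):
    """Split text on any of `separators` that sit outside double quotes.
    Quotes and backslash escapes are kept in the tokens for later parsing."""
    tokens, cur, in_quote, i = [], "", False, 0
    while i < len(text):
        c = text[i]
        if c == "\\" and in_quote and i + 1 < len(text):
            cur += text[i:i + 2]
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        if c in separators and not in_quote:
            if cur:
                tokens.append(cur)
            cur = ""
        else:
            cur += c
        i += 1
    if cur:
        tokens.append(cur)
    return tokens


def parse_authorized_key_line(line):
    """Return {options, type, key, comment} for one line, or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = _split_outside_quotes(line, " \t")
    options = {}
    if not tokens[0].startswith(KEY_TYPE_PREFIXES):
        # Options precede the key type; values may be quoted and contain commas.
        for opt in _split_outside_quotes(tokens.pop(0), ","):
            name, _, value = opt.partition("=")
            if value.startswith('"') and value.endswith('"'):
                value = value[1:-1].replace('\\"', '"')
            options[name.lower()] = value
    if len(tokens) < 2 or not tokens[0].startswith(KEY_TYPE_PREFIXES):
        raise ValueError("malformed authorized_keys line: " + line)
    return {"options": options, "type": tokens[0], "key": tokens[1],
            "comment": " ".join(tokens[2:])}


def _match_pattern(text, pattern):
    """sshd-style glob: '*' matches any run, '?' one character, case-insensitive."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, text, re.IGNORECASE) is not None


def from_option_allows(patterns, client_ip, client_host=None):
    """Evaluate a from= pattern list for a client.

    client_host is the canonical name sshd would have resolved; pass None
    for a server with UseDNS off, where only the address is known and
    hostname patterns can never match.
    """
    ip = ip_obj = ipaddress.ip_address(client_ip)
    positive = False
    for pat in patterns.split(","):
        negated = pat.startswith("!")
        body = pat[1:] if negated else pat
        if not body:
            raise ValueError("empty pattern in from= list")
        try:  # address: prefer CIDR, fall back to wildcard on the text
            matched = ip_obj in ipaddress.ip_network(body, strict=False)
        except ValueError:
            matched = _match_pattern(client_ip, body)
        if client_host is not None and _match_pattern(client_host, body):
            matched = True
        if matched and negated:
            return False          # a negated match denies outright
        positive = positive or matched
    return positive


def entries_admitting(authorized_keys_text, client_ip, client_host=None):
    """Comments of the entries whose from= option (if any) admits the client."""
    admitted = []
    for line in authorized_keys_text.splitlines():
        entry = parse_authorized_key_line(line)
        if entry is None:
            continue
        patterns = entry["options"].get("from")
        if patterns is None or from_option_allows(patterns, client_ip, client_host):
            admitted.append(entry["comment"])
    return admitted


if __name__ == "__main__":
    print("10.113.5.7, no DNS:  ", entries_admitting(SAMPLE_AUTHORIZED_KEYS, "10.113.5.7"))
    print("130.54.1.2 as pc1.kyoto-u.ac.jp:",
          entries_admitting(SAMPLE_AUTHORIZED_KEYS, "130.54.1.2", "pc1.kyoto-u.ac.jp"))
```

Before saving an edited authorized_keys, run `entries_admitting` over the new contents with the address you are currently connected from (shown by `echo $SSH_CONNECTION` on the login node); if your own key is not in the list, the edit would lock you out.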

Public key registration via the User Portal is closed after you have logged in to the Systems successfully and a predetermined time has elapsed. If you then lose your private key or forget your passphrase, send us an email containing the following information from your registered email address:

  • To: consult * kudpc.kyoto-u.ac.jp (replace the asterisk with an at sign "@")
  • From: your registered email address
  • Subject: 公開鍵登録の再開希望 (Asking for approval to re-register the public key)
  • Description:
    • Your user ID
    • Organization where you belong
    • Your name
    • Details and reasons for losing your private key or forgetting your passphrase


Copyright © Academic Center for Computing and Media Studies, Kyoto University, All Rights Reserved.