Greenberg - SSH key setup

Owned by Maurice Spiewack (Unlicensed)
Last updated: Dec 27, 2022 by Meghan Netterville
2 min read


Running HPC jobs on SCU resources requires passwordless key-based authentication.  In this article we explain how to configure key-based authentication as well as setup your SSH client for proxying and avoiding Fail2Ban.

Setting up your ssh keys only needs to be done once.


Connect to Gateway Server

Once you have a new SCU account, connect to one of our gateway nodes using the username and password provided to you by the SCU.   In this example, we are using pascal:

ssh <your-scu-username>@pascal.med.cornell.edu


Create Key Pair

First, check to see if you have ssh keys set up:

ls -ltr ~/.ssh

If the output shows the files id_rsa and id_rsa.pub,you already have keys in place.   Skip the following command and continue to authorizing your key.


If the output does not show those files, then generate them with the following command:

ssh-keygen -t rsa -b 4096

Follow the instructions on screen. Accept the default location. This will create two new files: id_rsa and id_rsa.pub, which are your private and public keys, respectively.


While your public key in id_rsa.pub can be shared freely, your private key in id_rsa must be kept secret. If another person gains access to this file, they will be able to impersonate you thereby accessing all of your files.

Do not ever copy or move your private key from your ~/.ssh folder or set permissions so that other users can access this file.  Permissions on this file should always be "chmod 600," set my ssh-keygen, which means only accessible by the owner.  Do not change permissions on the private key.

Authorizing your key

SCU has a shared home directory which will allow key-based authentication across all HPC nodes.  For this to work add the public key you generated to your authorized_keys file.

cd ~/.ssh
cat id_rsa.pub >> authorized_keys

This will create the file if it does not already exist.

After this step you will be able to access SCU infrastructure without a password.

Avoiding Fail2ban and SSH Proxy


Fail2ban will block invalid connection attempts when users attempt multiple logins with wrong username.

When logging into a server if you don't explicitly specify username then the default for ssh is to try username of current user.  So if your laptop has the username of "joe" then typing "ssh aphrodite.med.cornell.edu" will include "joe" as the user for authentication.  This will trigger a ban.

To avoid use ~/.ssh/config on your laptop, desktop, etc, and specify username for a given set of hosts.

For example:
Host *.pbtech # this will allow connecting to internal HPC network
User scu_ldap_username # change to your user name
ProxyCommand ssh -W %h:%p scu_ldap_username@gateway.med.cornell.edu #allows automatic proxying to HPC network - change to aphrodite, pascal, or aristotle
ControlMaster auto
ControlPersist 60
ServerAliveInterval 120
IdentityFile ~/.ssh/your_private_key # by default ~/.ssh/id_rsa will be tried though use this if you named it something else


Host *.med.cornell.edu # this will allow connecting to gateway servers
User scu_ldap_username # change to your user name
ControlMaster auto
ServerAliveInterval 120
ControlPersist 60
IdentityFile ~/.ssh/your_private_key # by default ~/.ssh/id_rsa will be tried though use this if you named it something else
Place these lines at bottom of your ~/.ssh/config file.  Follow and remove the instructions shown after "#."
These settings are applied to any server with "med.cornell.edu" in the hostname.   This will also allow proxying through a login node to reach our internal HPC network.

Then you can just do "ssh aphrodite" and the user name will never be incorrect.