Version 1 (modified by Prasad Calyam, 12 years ago)

--

Handling SSH Keys and Certificates in Emulab

Yingxiao Xu, Prasad Calyam
February 9, 2012

The purpose of this tutorial is to give general instructions for handling SSH keys and certificates in Emulab.

1. Log in to nodes created by Emulab Java UI

You can log in to the nodes created by the Emulab Java UI either with your Emulab account/password or with the Emulab private key.

You need to upload your own public key through the Emulab web portal. All uploaded public keys are included in the .ssh/authorized_keys file automatically, so you can log in to each node using your own private key or the Emulab-generated private key.

2. Log in to nodes created by Flack

You can log in to nodes created by Flack only by using an SSH key. Nodes created by Flack do not share the home folder. Only the public key you uploaded through the Emulab web UI is put in the .ssh/authorized_keys file of each node. The Emulab-generated public key is not put in the authorized_keys file.

So you should upload your own public key through the Emulab web portal.

3. Log in to nodes created by OMNI/Gush

The public key you specify in the omni_config file (i.e., keys=~/.ssh/id_rsa.pub) is automatically put in the .ssh/authorized_keys file of each node.

You can use the corresponding private key to log in to each of the nodes.

4. For Linux Client

You can create a public/private key pair using the ssh-keygen tool on your own machine.

Then upload .ssh/id_rsa.pub to the Emulab website.

Then you can log in to nodes created by Emulab Java UI and Flack.

If you install OMNI or Gush on the client and specify keys=~/.ssh/id_rsa.pub in the omni_config file, then you can log in to nodes created by OMNI/Gush from this client.

5. For Windows Client

You can download and reuse the key from the Linux client.

You can also generate one using PuTTY Key Generator and save the private key and public key. Next, transfer the public key to the Emulab web portal.

Then start Pageant, which comes with PuTTY, and add the private key to it.

Then you can log in to nodes created by Emulab Java UI and Flack.

6. Certificates

A certificate is generated through the Emulab portal by specifying a passphrase during creation. This certificate is used by Flack and OMNI/Gush.

Flack asks you to log in to the Emulab web portal and then downloads the certificate through the web portal when you specify the passphrase.

For OMNI/Gush, you need to copy the certificate to the OMNI/Gush client and specify it in the omni_config file. You will be prompted for the passphrase each time OMNI/Gush uses the certificate. To avoid the prompt, you can create a clear-text certificate (i.e., keyout.pem) from the encrypted certificate (i.e., encrypted.pem) by using the following commands:

openssl rsa -in encrypted.pem -out keyout.pem
openssl x509 -in encrypted.pem >> keyout.pem
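
Because keyout.pem holds the private key unencrypted, the following added example (not part of the original tutorial) wraps the same two commands in a shell function that writes the key with owner-only permissions and checks that it matches the certificate before keyout.pem appears. The function name and the EMULAB_PASS variable are assumptions made for this example.

```sh
#!/bin/sh
# Added example: the tutorial's two openssl commands, wrapped so the decrypted
# key is never readable by other users and is verified before keyout.pem appears.
#
# Usage: make_cleartext_cert encrypted.pem keyout.pem [PASSIN]
# PASSIN is an optional openssl pass-phrase source such as env:EMULAB_PASS
# (variable name is an assumption); without it openssl prompts as usual.
make_cleartext_cert() (
    src=$1 out=$2 passin=${3:-}
    umask 077                              # anything created below is owner-only
    tmp=$(mktemp "$out.XXXXXX") || exit 1  # work on a private temp file

    # Steps chained below:
    #   1. decrypt the private key (first command from the tutorial)
    #   2. derive the public key from the decrypted key and from the certificate
    #   3. require both to be identical, so key and certificate belong together
    #   4. append the certificate (second command from the tutorial)
    if openssl rsa -in "$src" ${passin:+-passin "$passin"} -out "$tmp" &&
       key_pub=$(openssl pkey -in "$tmp" -pubout) &&
       crt_pub=$(openssl x509 -in "$src" ${passin:+-passin "$passin"} -noout -pubkey) &&
       [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ] &&
       openssl x509 -in "$src" ${passin:+-passin "$passin"} >> "$tmp"
    then
        mv "$tmp" "$out"                   # publish only a complete, checked file
    else
        rm -f "$tmp"                       # never leave a stray clear-text key
        echo "make_cleartext_cert: failed, $out not written" >&2
        exit 1
    fi
)
```

Run it as make_cleartext_cert encrypted.pem keyout.pem and point omni_config at the resulting keyout.pem.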

For more information, see -