For External Users: SSH Public Keys
Overview
This guide provides step-by-step instructions for external users to securely register, generate, and manage SSH public keys using the Locksmith SSH Key Management System. Authentication is handled through CILogon, which supports multiple Identity Providers (IDPs). After registering your SSH public key, you will need to open a support ticket to complete the process.
Prerequisites
Before you begin, ensure you have the following:
An account with a supported Identity Provider (IDP). See the list of supported IDPs in the next section.
An SSH client installed on your local machine.
Linux and macOS: OpenSSH is typically pre-installed. Verify by running ssh -V in a terminal.
Windows: Install either OpenSSH for Windows or PuTTY.
An existing SSH key pair, or the ability to generate one. See Generating SSH Key Pairs if you need to create a new key pair.
Supported Identity Providers
The SSH Key Management System authenticates users through CILogon. The following Identity Providers are supported:
University of Kentucky (UKY)
ACCESS-CI
Google
GitHub
Other institutional IDPs federated through CILogon
Important Notes on IDP Selection
Warning: Choosing the correct Identity Provider is critical. Read the following guidance carefully before logging in.
University of Kentucky (UKY) users: You must select "University of Kentucky" as your IDP. Do not use any other provider.
Non-UKY institutional users: We recommend using your own institution's IDP if it is available through CILogon.
Users without an institutional IDP: If your institution is not listed, use ACCESS-CI as your IDP.
ACCESS users accessing KyRIC resources: You must select "ACCESS" as your IDP.
Note: The system does not support Identity Providers that use the AMR (Authentication Methods References) claim. See Unsupported Identity Providers for details.
Logging In to the SSH Key Management System
Follow these steps to log in:
Open a web browser and navigate to the SSH Key Management System (Locksmith).
On the login page, select your Identity Provider from the list. Refer to Important Notes on IDP Selection to choose the correct provider.
Enter your credentials on the Identity Provider's authentication page.
After successful authentication, you will be redirected to the Locksmith home page.
Registering and Uploading an SSH Public Key
Security Reminder: Only upload your public key (the file ending in .pub, for example id_rsa.pub). Never share or upload your private key. Keep your private key stored securely on your local machine.
Follow these steps to register your SSH public key:
Log in to the SSH Key Management System by following the steps in Logging In to the SSH Key Management System.
On the home page, select the "Submit SSH Public Key" button.
In the text field labeled for the SSH public key, paste the contents of your public key file. The key must begin with a supported key type prefix such as ssh-rsa or ssh-ed25519.
Select the "Upload" button to submit your key.
A confirmation message will be displayed indicating your key was uploaded successfully.
After uploading your key, you must open a support ticket to complete the registration process. Navigate to the HPC User Support Request portal and create a new ticket indicating that you have uploaded your SSH public key.
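A pre-upload check for the value you are about to paste, added here as an example (it is not part of Locksmith or of the original guide): it rejects private-key material, requires one of the two prefixes this guide names, and confirms the base64 body parses as that key type. The function names and the sample key are constructed for illustration; Locksmith's own validation rules are not documented on this page.

```python
import base64
import hashlib

SUPPORTED_PREFIXES = ("ssh-rsa", "ssh-ed25519")  # the two prefixes this guide names


def _read_string(blob, offset):
    """Read one length-prefixed field (uint32 big-endian length, then data)."""
    end = offset + 4 + int.from_bytes(blob[offset:offset + 4], "big")
    if offset + 4 > len(blob) or end > len(blob):
        raise ValueError("key data is truncated; the paste may be cut off")
    return blob[offset + 4:end], end


def check_public_key(text):
    """Return (key_type, bits, sha256_fingerprint) or raise ValueError."""
    text = text.strip()
    if "PRIVATE KEY" in text or text.startswith("PuTTY-User-Key-File"):
        raise ValueError("this is a private key; upload only the public key")
    fields = text.split()
    if len(fields) < 2 or fields[0] not in SUPPORTED_PREFIXES:
        raise ValueError("key must begin with one of: " + ", ".join(SUPPORTED_PREFIXES))
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except ValueError:
        raise ValueError("key body is not valid base64; the paste may be cut off") from None
    inner_type, pos = _read_string(blob, 0)
    if inner_type.decode("ascii", "replace") != fields[0]:
        raise ValueError("prefix does not match the key type stored in the key body")
    if fields[0] == "ssh-rsa":
        _exponent, pos = _read_string(blob, pos)
        modulus, pos = _read_string(blob, pos)
        bits = int.from_bytes(modulus, "big").bit_length()
    else:
        point, pos = _read_string(blob, pos)
        if len(point) != 32:
            raise ValueError("ssh-ed25519 key must hold a 32-byte public key")
        bits = 256
    if pos != len(blob):
        raise ValueError("unexpected trailing data in key body")
    fp = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return fields[0], bits, "SHA256:" + fp


# Constructed sample (not a real key): ssh-ed25519 body wrapping 32 placeholder bytes.
_body = (11).to_bytes(4, "big") + b"ssh-ed25519" + (32).to_bytes(4, "big") + bytes(range(32))
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(_body).decode() + " your_email@example.com"

if __name__ == "__main__":
    print(check_public_key(SAMPLE_LINE))
```

The returned fingerprint uses the same SHA256 format that ssh-keygen -lf prints for a public key file, so the two can be compared before and after upload.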
Managing Your SSH Keys
Viewing Your Current Key
After logging in, the home page displays your currently registered SSH public key. If no key has been uploaded, a message indicating "no key uploaded" is shown instead.
Deleting Your SSH Public Key
Warning: Deleting your SSH public key will prevent access to any systems that rely on it for authentication. Ensure you have an alternative means of access before proceeding.
Follow these steps to delete your SSH public key:
Log in to the SSH Key Management System.
On the home page, select the "Delete SSH Public Key" button.
A confirmation prompt will appear. Confirm the deletion.
A confirmation message will be displayed indicating the key was deleted successfully.
Updating Your Secondary Email Address
You can update your secondary email address from the home page.
Log in to the SSH Key Management System.
On the home page, locate the secondary email field.
Enter your new email address in the text input field.
Select the "Update Email" button.
A confirmation message will be displayed indicating the email was updated successfully.
Generating SSH Key Pairs
If you do not already have an SSH key pair, follow one of the procedures listed for your operating system. Each method generates a private key and a corresponding public key. You will upload only the public key to the SSH Key Management System.
Linux and macOS
Open a terminal application.
Run the following command to generate a 4096-bit RSA key pair:
Command to generate RSA key pair
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
Replace your_email@example.com with your actual email address.
When prompted for a file location, press Enter to accept the default location (~/.ssh/id_rsa).
When prompted, enter an optional passphrase for additional security, or press Enter to skip.
The key pair is generated. Your public key is saved at ~/.ssh/id_rsa.pub. Your private key is saved at ~/.ssh/id_rsa.
To view your public key for copying, run:
Command to display public key
cat ~/.ssh/id_rsa.pub
Copy the entire output. This is the value you will paste when uploading your key to the SSH Key Management System.
Windows Using Git Bash
Download and install Git for Windows, which includes Git Bash.
Launch the Git Bash application.
Run the following command to generate a 4096-bit RSA key pair:
Command to generate RSA key pair in Git Bash
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
Replace your_email@example.com with your actual email address.
When prompted for a file location, press Enter to accept the default location (/c/Users/your_username/.ssh/id_rsa).
When prompted, enter an optional passphrase for additional security, or press Enter to skip.
The key pair is generated. Your public key is saved at /c/Users/your_username/.ssh/id_rsa.pub. Your private key is saved at /c/Users/your_username/.ssh/id_rsa.
To view your public key for copying, run:
Command to display public key in Git Bash
cat ~/.ssh/id_rsa.pub
Copy the entire output. This is the value you will paste when uploading your key to the SSH Key Management System.
Windows Using PuTTYgen
Download PuTTYgen from the official PuTTY website if it is not already installed.
Launch the PuTTYgen application.
In the "Parameters" section at the bottom of the PuTTYgen window, select RSA as the key type.
Set the "Number of bits in a generated key" field to 4096.
Select the "Generate" button.
Move your mouse pointer over the blank area in the PuTTYgen window to generate randomness. Continue until the progress bar completes.
Once generation is complete, the public key is displayed in the text area labeled "Public key for pasting into OpenSSH authorized_keys file". Copy this entire value. This is what you will paste when uploading your key to the SSH Key Management System.
Select "Save private key" to save your private key to a secure location on your machine. You may optionally set a passphrase before saving.
Select "Save public key" to save your public key to a file for your records.
Unsupported Identity Providers
The SSH Key Management System does not support Identity Providers that include the AMR (Authentication Methods References) claim in their authentication response. One known example is ORCID.
If you attempt to log in using an unsupported IDP, authentication will fail. Use one of the Supported Identity Providers listed in this guide instead.
Getting Support
If you need assistance with the SSH Key Management System, create a support ticket through the HPC User Support Request portal.
Include the following information in your ticket:
Your name and email address
The Identity Provider you used to log in
A description of the issue you encountered