As LC transitions its systems to the TOSS 4 operating system, support for older SSH key types is being phased out. In particular, DSA keys are not supported by TOSS 4 or by LC's GitLab instances. Users with DSA keys or weak RSA keys must transition to RSA SSH keys with a minimum size of 2048 bits, and ideally 4096 bits or greater. All LC systems will transition to TOSS 4 by August, 2023. Users will need to use a 2048-bit (or stronger) RSA key to connect to these systems.
To check the length of an existing SSH key, run the ssh-keygen command with the -l option and look at the first number returned. The following shows an RSA key (rightmost text output) with a key length of 3072 bits (first number in output):
$ ssh-keygen -l -f ~/.ssh/id_rsa
3072 SHA256:<.....> lee1001@nebula (RSA)
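To apply the same check to several key files at once, the following added example (not an LC-provided tool) classifies each line of ssh-keygen -l output against the rules stated above. The function names and result labels are hypothetical, and key types this page does not mention are reported as not-covered rather than judged.

```sh
#!/bin/sh
# Added example: classify SSH keys against the policy on this page
# (DSA unsupported; RSA needs at least 2048 bits, ideally 4096 or more).

# classify_key_line LINE
# LINE is one line of `ssh-keygen -l` output:
#   <bits> <fingerprint> <comment, may contain spaces> (<TYPE>)
# Prints: replace-dsa, replace-weak-rsa, ok-minimum, ok, not-covered or unparsable.
classify_key_line() {
    line=$1
    bits=${line%% *}        # first field: key length in bits
    type=${line##*"("}      # text after the last "(" (comments may contain parentheses)
    type=${type%")"}        # drop the trailing ")"
    case $bits in
        ''|*[!0-9]*) echo unparsable; return 0 ;;   # e.g. an ssh-keygen error message
    esac
    case $type in
        DSA) echo replace-dsa ;;
        RSA)
            if [ "$bits" -lt 2048 ]; then echo replace-weak-rsa
            elif [ "$bits" -lt 4096 ]; then echo ok-minimum
            else echo ok
            fi ;;
        *) echo not-covered ;;   # assumption: other key types are outside this page's rules
    esac
}

# audit_key_files FILE...
# Runs ssh-keygen -l on each readable file and prefixes every result line
# with its classification. Unreadable files are skipped.
audit_key_files() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        ssh-keygen -l -f "$f" 2>/dev/null | while IFS= read -r line; do
            printf '%-17s %s: %s\n' "$(classify_key_line "$line")" "$f" "$line"
        done
    done
}

# Example: sh check_keys.sh ~/.ssh/*.pub ~/.ssh/authorized_keys
if [ "$#" -gt 0 ]; then
    audit_key_files "$@"
fi
```

Any line reported as replace-dsa or replace-weak-rsa identifies a key to replace using the instructions below.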
The instructions below can be used to generate a new RSA key either on your local machine or directly on an LC system.
Generate and Install a New SSH Key
- Generate a new SSH Key with the command:
ssh-keygen -b 4096 -t rsa
- You will be asked to optionally provide a passphrase. It is good security practice to use a passphrase for any SSH keys on your local system. SSH keys used within LC clusters should NOT have a passphrase.
- This should create the identity files: ~/.ssh/id_rsa (private key) and ~/.ssh/id_rsa.pub (public key)
- If using an ~/.ssh/config file, update any identity file setting for any LC related hosts to use the new key:
IdentityFile ~/.ssh/id_rsa
- Tell LC systems about your new public SSH key. RZ users should copy the identity to both RZ and CZ systems.
- If you have the ssh-copy-id program installed, use these commands to copy the key to any LC system (in each zone), e.g., oslic and rzslic:
ssh-copy-id <user>@oslic.llnl.gov # CZ users
ssh-copy-id <user>@rzslic.llnl.gov # RZ users
- Otherwise, manually append the public key onto the authorized_keys file on an LC cluster (use oslic, rzslic, or other system as appropriate) with the commands:
# For new keys generated on an LC system
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
# For new keys generated on a laptop / desktop
cat ~/.ssh/id_rsa.pub | ssh <user>@oslic.llnl.gov 'cat >> .ssh/authorized_keys && echo "Key copied"'
- Test your connection to LC systems by logging in as you normally would.
- Update your GitLab profile with this new SSH key. Copy the contents of the ~/.ssh/id_rsa.pub file to your CZ GitLab profile and/or RZ GitLab profile. More detailed, step-by-step instructions can be found on the GitLab Setup page.
Additional SSH Resources
The internal dev.llnl.gov page has advice specific to LC users, including:
- Documentation for FIS users on using an SSH key to push files into the FIS on the unclassified side from inside of LC.
- Template configuration files for CZ-only, RZ, and Windows users.