Connecting to access with SSH keys Edit Title

Duo multi-factor authentication (MFA) is, by default, required for everyone who uses a password to connect to access.cims.nyu.edu from outside the Courant network.  Duo MFA is the same as what you need to use when logging in to NYU Home.

If you would like to simplify your means of connecting, you can generate a key pair to use instead of a password.  The pair will consist of a public key and a private key and, although this connection method is not as secure as using MFA, it is more secure than a password alone in that you will only be allowed to connect if you have possession of the private key. Note that the private key should only exist on the machine that you use to connect from, and should NOT be placed anywhere else.  The public key can be copied elsewhere, which in this case is to access.cims.nyu.edu, to grant access from your laptop or home machine.

In essence, this will make it easier for you to connect from a particular machine. It will not, however, prevent you from using a password + MFA (as is the default) to connect from other machines.

For added security and to ensure that users to use separate key pairs to connect to access.cims.nyu.edu then those used to connect to machines once within the Courant network, we have configured access.cims.nyu.edu to use an authorized keys file called authorized_keys_access for remote connections to access.cims.nyu.edu from outside the Courant network. A standard authorized_keys file can be used for connections between machines within the Courant network. It's important that these are two separate files, and that your public keys are exclusive to one or the other (e.g. do not copy or link one to the other).

Furthermore, to make use public-key authentication for connecting to access.cims.nyu.edu you will first have to configure your machine to use NYU's VPN.  Information on how to use NYU's VPN is available at https://www.nyu.edu/life/information-technology/getting-started/network-and-connectivity/vpn.html

The ability to connect to access.cims.nyu.edu using public-key authentication without first being connected to the VPN is possible but is restricted to phd students, researchers, and faculty and must be requested by contacting helpdesk@cims.nyu.edu.

Generating and configuring an SSH public/private key pair on your local machine

macOS or other Unix-like OS

1. Open a Terminal on your local machine (e.g. personal laptop) and type ssh-keygen.
2. Press enter to choose the default location to save your private key, which is ~/.ssh/id_rsa. If you've already created an SSH key pair in the past, you will be prompted to overwrite it, in which case you should type n and skip to step 5 if you want to use the old one for access.cims.nyu.edu, or type y and proceed to create a new one. If your old private key does not require a passphrase, we ask that you create a new one that does. Beware that overwriting your old key will remove access to anything that it was previously being used to access.
3. Type in a passphrase to use in conjunction with your key. This is technically optional, but highly recommended for extra security, and we really want people to use a passphrase for connecting from outside of Courant.
4. Now, if the previous command was successful, two keys have been created and saved to ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub. The former is your private key and the latter is your public key.
5. Log in to access.cims.nyu.edu, and type the following commands in sequence: mkdir -p ~/.ssh, chmod 700 ~/.ssh, touch ~/.ssh/authorized_keys_access, chmod 600 ~/.ssh/authorized_keys_access
6. Back on your local machine, copy your public key to access:

   cat ~/.ssh/id_rsa.pub | ssh username@access.cims.nyu.edu "cat >> ~/.ssh/authorized_keys_access"

   replacing "username" with your Courant username. Specifically, this will place your public key in a file called ~/.ssh/authorized_keys_access on access.cims.nyu.edu. Do not place any other public keys in this file.
7. Now, you should be able to SSH into access.cims.nyu.edu without needing a password + MFA. You'll still have to enter your private key's passphrase if you've set one. You may be prompted to save your passphrase to your login keychain or otherwise remember it, in which case you may only need to type your passphrase occasionally, such as after logging out and back in.

If you would like to add your private key to your SSH agent and your machine is not configured to do this automatically, you may do so with the command ssh-add or by adding the line AddKeysToAgent yes to ~/.ssh/config on your local machine.

Windows (with PuTTY)

This section assumes that you have already downloaded and installed the PuTTY package, and that's what you use to connect. In particular, you need PuTTY and PuTTYgen.

1. Open PuTTYgen, which can be found under the PuTTY folder in the Start menu.
2. Click "Generate", and move your mouse around the blank area until the keys are generated.
3. Type a passphrase into the "Key passphrase" and "Confirm key passphrase" fields. You'll be asked for this passphrase when trying to connect, after all of these steps are complete. Setting a passphrase is technically optional, but highly recommended for extra security, and we really want people to use a passphrase for connecting from outside of Courant
4. Click "Save private key" and save it to your Desktop folder as "private_key", or use another memorable filename and location of your choice. PuTTYgen will give file this a .ppk extension automatically.
5. Leave the PuTTYgen window open, open PuTTY, and connect to access.cims.nyu.edu as you usually would.
6. Once you're logged in, type the following commands in this sequence: mkdir -p ~/.ssh, chmod 700 ~/.ssh, touch ~/.ssh/authorized_keys_access, chmod 600 ~/.ssh/authorized_keys_access.
7. Then, copy the OpenSSH public key (this is at the top, labeled "Public key for pasting into OpenSSH authorized_keys file") from the PuTTYgen window into ~/.ssh/authorized_keys_accessin the PuTTY window. You could do this on the command line by running

   echo "<OpenSSH_public_key>" >> ~/.ssh/authorized_keys_access

   replacing <OpenSSH_public_key> with what you've copied from PuTTYgen. Do not place any other public keys in this file.
8. Finally, log out of PuTTY, and re-open it.
9. Before connecting, configure PuTTY to now use your private key by selecting the private key file saved above under Connection > SSH > Auth. In order to save this as a default connection parameter, go back to Session, click "Default Settings", and then "Save".
10. Now, you can connect using your newly-generated SSH key pair.