IMPORTANT: users with Ubuntu operating systems (but may happen also for other Linux distributions) should not run the command "sudo apt install step" because this will install a different software that will give errors when following the below instructions.

Configuration of the step client

To configure smallstep on your Linux system, you should run the following command in your local shell:

$ step ca bootstrap --ca-url= --fingerprint 2ae1543202304d3f434bdc1a2c92eff2cd2b02110206ef06317e70c1c1735ecd 

The root certificate has been saved in <path-to>/.step/certs/root_ca.crt.

The authority configuration has been saved in <path-to>/.step/config/defaults.json.

ATTENTION: if you have a previous version of smallstep installed and configured on your system, the client will ask if you want to overwrite the existing configuration.  To save a copy of a previous version of smallstep installed and configured on your system, make a copy of the directory .step.  

Activation of the ssh-agent

To use the certificate, the user should activate the ssh-agent running:

$ eval $(ssh-agent)

At this point, to obtain the certificate run:

$ step ssh login '<user-email>' --provisioner cineca-hpc

the command will report on the shell an output like the following one:

Then the following page on keycloack will open automatically on the browser. The user has to put his/her cluster credentials (username and password) and push the button "Sign in". Then, keycloak will ask for the OTP code generated by the Authenticator (see  Configure the OTP).

Once authenticated, you will see a Success message on your browser meaning that the certificate has been generated and it is available on your PC.

IMPORTANT: the temporary certificate is valid for 12 hours. If you reboot your PC the certificate is lost and you need to download a new one launching again the "step ssh login ..." command.

It is possible to check for the presence of a valid certificate both via ssh-agent and the step command as follow:

$ ssh-add -L AAAAKGVjZHNhLXNoYTItbmlzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgYjJfSnpeTTNrMHB4Lm9yX3YjZWNxXyRxcHM9blRzU1gAAAAIbmlzdHAyNTYAAABBBAJRZ11/PIo0VJknlFMDa5BIaJp/w0OWd95ueZbWlQ4uG92aSZ+K8aKgkyDiOGla3x7l+saVT/pIR+x3zBgvwgkLrbmYufPPVAAAAA 
qqu2Mg== <user-email> 

$ step ssh list  

256 SHA256:x+QEW8xmDBtRjVRtAukc7v7zKEHef/9joyFP9n/gZtk <user_email> (ECDSA-CERT) 

To examine the validity of the certificate run:

$ step ssh list --raw  '<user_email>' | step ssh inspect  

       Type: user certificate  
       Public key: ECDSA-CERT SHA256:TdhIpD5KFZD37roGYcDstS7180TruOnNgNJeS8eJJPk  
       Signing CA: ECDSA SHA256:e0ZF6AnnUzi0g7Db9nOaXxkEjRq9D6Ka4tV04XqiIgM  
       Key ID: "<user_email>"  
       Serial: 841532770994081620  
       Valid: from 2022-02-15T11:55:24 to 2022-02-15T19:55:24  
       Critical Options: (none)  

An alternative mode of creation of the step certificate

If it is necessary to avoid using ssh-sgent you can download your certificate launching the following command in any path of your local PC (we suggest in ~/.ssh folder):

step ssh certificate 'user-email' --provisioner cineca-hpc my_key

You can change my_key with the name you prefer.

A password to encrypt the private key is requested on the shell command line

"Please enter the password to encrypt the private key:"

Please, choose a password and memorize it. It will be requested at login.

Three keys will be generated in the path where you executed the above command.

To use the keys to access the cluster you can place the three files in the ~/.ssh folder, or you have to specify -i <path-to-keys> and enter as passphrase the password selected in the previous step:

$ ssh -i /path/my_key <username>@login.<cluster>

"Enter passphrase for key 'my_key"

Remember that also these keys have an availability of 12 hours.

  • No labels