Key Generation

This guide provides detailed instructions for generating SSH key pairs and securely deploying public keys to remote worker machines in various operating system configurations within the Agilab environment.

In the rest of the guide, I would refer to:

  • Manager: The local machine from which SSH connections are initiated.

  • Worker: The remote machine that accepts SSH connections.

  • Remote account: The user account on the worker machine used for SSH login.

1. Generate the keys

manager$ ssh-keygen -a 100 -t ed25519

You will be prompted for a passphrase. don’t enter one (double return).

If you have not changed the default path, the public key will be stored in ~/.ssh/id_ed25519.pub and the private key in ~/.ssh/id_ed25519.

2. Loading the private key in SSH Agent

2.1 Load the private key

manager$ ssh-add ~/.ssh/id_ed25519

2.2 Verify the key Addition

manager$ ssh-add -l

It should display the public key (not private). To manually check the public key:

manager$ cat ~/.ssh/id_ed25519.pub

If you have set a passphrase, you will be asked to enter it. If you encounter any permission-related errors, refer to the Permissions section.

On Linux, if a window titled “Enter password to unlock the private key” appears when trying to establish an SSH connection, enter the passphrase and check the box “Automatically unlock this key whenever I’m logged in”.

3. Copy the public key to the server

3.1 Allow your key

Follow these steps to add your key to the authorized_keys file of each workers:

Worker Linux:

manager$ ssh-copy-id -i ~/.ssh/id_ed25519 <remote account>@<worker ip>

Worker Windows:

manager$ cat ~/.ssh/id_ed25519.pub | ssh <remote account>@<worker ip> powershell -NoProfile -Command "Add-Content -Encoding ascii -Path 'C:\\Users\\<remote account>\\.ssh\\authorized_keys' -Value '([Console]::In.ReadToEnd())'"

3.2 Verification

manager$ ssh <remote account>@<worker ip>

Success

It should connect without asking the account password !

Bidirectional trust between worker Macs

When two macOS workers must talk to each other (for example 192.168.3.84 and 192.168.3.86), install the same SSH key pair on both hosts so either side can ssh without a password prompt. Assuming the login user is agi (adjust if yours differs):

  1. Enable Remote Login on each Mac if it is not already on:

    sudo systemsetup -setremotelogin on

  2. From 192.168.3.84 push the public key to 192.168.3.86:

    ssh-copy-id -i ~/.ssh/id_ed25519 agi@192.168.3.86

  3. From 192.168.3.86 push the same key back to 192.168.3.84:

    ssh-copy-id -i ~/.ssh/id_ed25519 agi@192.168.3.84

  4. Verify both directions once so the host keys land in ~/.ssh/known_hosts:

    ssh agi@192.168.3.86 hostname
ssh agi@192.168.3.84 hostname

Each command should print the remote hostname without asking for a password. If either side still prompts, re-run ssh-copy-id and make sure ~/.ssh/authorized_keys on the target contains the public key content.

Troubleshooting

SSHD Service

Check the service status:

sudo systemctl status ssh  # Check SSH Server status
ssh-add -L  # Check if the SSH agent is running

Check the configuration

Check the SSH server configuration in the sshd_config file:

  • Windows Server: C:\ProgramData\ssh\sshd_config

  • Unix Server: /etc/ssh/sshd_config

Ensure the following configuration is set:

PubkeyAuthentication yes
PasswordAuthentication no

To modify, open the file in an elevated text editor, update the lines as shown above, and restart the SSH server (see Restart the SSHD service section).

Restart the SSHD service

workers$ sudo systemctl restart ssh  # Restart SSH Server
workers$ eval "$(ssh-agent -s)"  # Restart SSH Agent

Permissions

chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_ed25519

To verify:

ls -l "~/.ssh"