Key Generation
In this part of the documentation, the term manager (i.e., the SSH client) refers to the computer where Agilab is installed, and the term worker (i.e., the SSH server) refers to the remote worker. The remote account refers to the account provided during the AGI installation process. This account is used by AGI to establish SSH connections to the remote server. Ensure that the account exists on the server.
Generate the keys
In the worker's terminal
ssh-keygen -a 100 -t ed25519
You will be prompted for a passphrase. Don't enter one (press Return twice).
If you have not changed the default path, the public key will be stored in ~/.ssh/id_ed25519.pub and the private key in ~/.ssh/id_ed25519.
Loading the private key in SSH Agent
Load the public key
Follow these steps to load the public key of the worker into the SSH agent of the manager (where you run Agilab):
In the manager terminal
# Unix manager to Unix worker
ssh-copy-id -i ~/.ssh/id_ed25519 <remote account>@<worker ip>
# Unix manager to Windows worker: append the key with a base64-encoded PowerShell command
PS_COMMAND='$input = [Console]::In.ReadToEnd(); Add-Content -Path ''C:\Users\<remote account>\.ssh\authorized_keys'' -Value $input'
ENCODED_COMMAND=$(echo -n "$PS_COMMAND" | iconv -f utf-8 -t utf-16le | base64 -w 0)
cat ~/.ssh/id_ed25519.pub | ssh <remote account>@<worker ip> powershell.exe -EncodedCommand $ENCODED_COMMAND
# Windows manager (PowerShell) to Unix worker
Get-Content -Raw "${env:USERPROFILE}\\.ssh\\id_ed25519.pub" | ssh <remote account>@<worker ip> "cat >> ~/.ssh/authorized_keys"
# Windows manager (PowerShell) to Windows worker
Get-Content -Raw $env:USERPROFILE\\.ssh\\id_ed25519.pub | ssh <remote account>@<worker ip> "powershell -Command \"\$input | Out-File -Append -Encoding ascii C:\\Users\\<remote account>\\.ssh\\authorized_keys\\\""
If you have set a passphrase, you will be asked to enter it. If you encounter any permission-related errors, refer to the Permissions section.
On Linux, if a window titled “Enter password to unlock the private key” appears when trying to establish an SSH connection, enter the passphrase and check the box “Automatically unlock this key whenever I’m logged in”.
Verify the key addition
In the worker's terminal
ssh-add -l
It should display the public key (not private). To manually check the public key:
In the worker's terminal
# Windows (PowerShell)
cat $env:USERPROFILE/.ssh/id_ed25519.pub
# Unix
cat ~/.ssh/id_ed25519.pub
SSHD Service
Check the configuration
Check the SSH server configuration in the sshd_config file:
Windows Server:
C:\ProgramData\ssh\sshd_config
Unix Server:
/etc/ssh/sshd_config
In the worker's terminal
Ensure the following configuration is set:
PubkeyAuthentication yes
PasswordAuthentication no
To modify, open the file in an elevated text editor, update the lines as shown above, and restart the SSH server (see the "Restart the SSHD service" section).
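The two settings above only take effect if they are the first occurrence of each keyword in the global part of the file. The following script is an added example, not part of Agilab or its documentation; it reports the value sshd would use and flags a file where an earlier line shadows the intended one. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Agilab code). sshd_config rules relied on: keywords are
# case-insensitive, the FIRST occurrence of a keyword wins, and lines after a
# "Match" line are conditional. Limits: Include files are not followed; only
# whitespace-separated "Keyword value" lines are handled.

# effective_value KEYWORD DEFAULT FILE -> prints the global value sshd would use
effective_value() {
    awk -v key="$1" -v def="$2" '
        { sub(/#.*/, "") }                  # drop comments
        NF == 0 { next }                    # skip blank lines
        { kw = tolower($1) }
        kw == "match" { exit }              # end of the global section
        kw == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }       # keyword absent: built-in default
    ' "$3"
}

# audit_sshd_config FILE -> returns 0 only if both settings from the page hold
audit_sshd_config() {
    rc=0
    pub=$(effective_value PubkeyAuthentication yes "$1")
    pass=$(effective_value PasswordAuthentication yes "$1")
    [ "$pub" = "yes" ] || { echo "PubkeyAuthentication is '$pub', expected yes"; rc=1; }
    [ "$pass" = "no" ] || { echo "PasswordAuthentication is '$pass', expected no"; rc=1; }
    return "$rc"
}

# Constructed sample: the appended "no" is shadowed by the earlier "yes", and
# the line under Match applies to one user only, so password logins stay on.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real server file
PubkeyAuthentication yes
PasswordAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
EOF
audit_sshd_config "$sample" || echo "fix the first occurrence, then restart sshd"
```

On a live Unix worker, `sudo sshd -T` prints the effective configuration with Include files resolved and can be used to confirm the result.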
Restart the SSHD service
In the worker's terminal
# Windows (PowerShell)
Restart-Service sshd # Restart SSH Server
Restart-Service ssh-agent # Restart SSH Agent
# Linux
sudo systemctl restart ssh # Restart SSH Server
eval "$(ssh-agent -s)" # Restart SSH Agent
Check the service status:
In the worker's terminal
# Windows (PowerShell)
Get-Service sshd
Get-Service ssh-agent
# Linux
sudo systemctl status ssh # Check SSH Server status
ssh-add -L # Check if the SSH agent is running
Permissions
In the worker's terminal
Ensure that the .ssh folder and the files id_ed25519 and authorized_keys have the correct permissions:
.ssh\id_rsa AUTORITE NT\Système:(F)
BUILTIN\Administrateurs:(F)
%USERNAME%:(M)
To view permissions:
icacls "$env:userprofile\.ssh"
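To set correct permissions (the Windows account names below are those of a French-language system; on an English-language system they are NT AUTHORITY\SYSTEM and BUILTIN\Administrators):
# Windows (PowerShell)
icacls "$env:userprofile\.ssh\id_ed25519" /inheritance:r /grant "AUTORITE NT\Système:(F)" "BUILTIN\Administrateurs:(F)" "$env:username:(M)"
# Unix
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_ed25519
chmod 600 ~/.ssh/authorized_keys
To verify:
# The tilde must stay unquoted so the shell expands it; -a also shows the mode of .ssh itself
ls -la ~/.ssh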
Useful links
If you need more information about SSH configuration, the following guides may be helpful:
- For Unix: Debian documentation
- For Windows: Microsoft documentation