Logging in, made simple: Setting SSH keys

Now that you have access to your account, you may find that the double-login is holding you down. Besides being slower than a usual login, it can make transferring files between your computer and HCS more difficult because you have to work through FAS as an intermediate. However, by setting SSH keys, you will be able to securely access your HCS account from a designated computer without authenticating with FAS first! Read on to find out how to make accessing your group account as easy as one double-click.

As usual, the process is different depending on whether you use a Mac or a PC. Incidentally, if you're on a Linux computer, the Mac directions will work fine for you as well. Just substitute Gnome Terminal or Konsole (or other equivalent) for Terminal.app and the relevant keyboard shortcuts for copying & pasting.

Using a Mac

Open Terminal.app (in Applications>Utilities) and type:

ssh-keygen -t dsa

It will begin generating a pair of DSA keys for you. This process might take a minute or two. At the next prompt,

Generating public/private dsa key pair.
Enter file in which to save the key (/Users/jharvard/.ssh/id_dsa):

simply hit return to save the key in the default location.

Enter passphrase (empty for no passphrase):

You will then be prompted for a passphrase. You don't have to specify one, but it's recommended that you do. You will need to enter this passphrase every time you connect to HCS, however, so choose something memorable but difficult for others to guess. Basically, you are setting a password for your own keys so that other people are unable to use them even if they steal your SSH key files. Whatever you choose, you will have to enter it twice, and then you will be informed that your keys have been saved.

After you have generated the key, you now need to grant access to this key on your HCS account. First, you need to copy the key's contents to your clipboard. To display the key you just created, type

cat .ssh/id_dsa.pub

and then copy all the output that results. To do that, highlight it in the Terminal and press Command-C. You should be highlighting all the text that looks like this:

ssh-dss AAAAB3NzaC1kc3MAAACBAPn9BVNNZry4SEdR9Kwf2yAV/jxtMlPjTXLFRgw/LCnT
2OOWsdreSJQ/+s2q1TxL3Dj5ZwCxyS9Al7+s5QxY1JDJW1tKBlDglo+6tPML7RsVyCLwCOzb
EWmgzcq/95PzpEaZyJCUW2IGcQkDRtTNx7D+V24aM+28NtjCOCR2GroKTHAAAAFQDDJMwUmB
YNuwdwBzvyN+MAiRlVlwAAAIB3eiqyWOODw6gXmOkKfL/e7PgihyPJFHZKnOQcQktHK41L4U
QYCwfEPemuVvhDl7ECHPzlx5LxnBdLgvsNzODBUXzi+UXAIjg0t06pLfvlKi7RZ+9pVBD4z7
BGEVUDjlnYaI2eivbLt30M3Fc8USFnMjDvNkMRrhoSlwcCtglYUwAAAIEA6qykkPCK4qo+DG
XarB+nALSb0Xqx/ND3ZlUJmFu4SDJbryN+ss5qXM6cepxCAn/QIXGOW+giTR1GOQf6oIhiux
iUjy60X7RfyBrpPkq1++LQVEmjTi7qutFqJayIc25O/CyJRoObuT+Zu/a4kik3CaapaVh6TC
UruSQwVzKI6iM= jharvard@jharvardmac.local

Now log in to your HCS account through FAS: type ssh jharvard@fas.harvard.edu, enter your FAS password, and at the fas% prompt enter ssh group-name@hcs.harvard.edu. We will use the access utility, made by HCS, to add your key to the access list. Simply type access once you're in your home directory on HCS. You will see something like:

Usage: /usr/local/bin/access
Welcome!
The following currently have access to group-name@hera.hcs.harvard.edu:
[ 1] group-name@hera.hcs.harvard.edu
[ 2] jharvard on all HASCS hosts

Choose what you would like to do:
[A] Print the access list as it currently stands.
[B] Add a FAS username to the access list.
[C] Add a user at another host to the access list.
[D] Delete an entry from the access list.
[E] Add an OpenSSH keyfile to the access list.
[F] Print the raw shosts files.
[Q] Quit.
Your action?

You want to add an OpenSSH keyfile, so press E and then hit return.

Your action? e
You may paste in a one-line SSH host key below. Be sure that
when you're pasting you don't introduce any extra carriage returns.
Note that virtually no validation will be performed on the key.

Paste in your SSH key by hitting Command-V. Then hit enter. You will be asked Do you really want to add this key (y/n)? , to which you should hit Y to answer yes.

When the screen refreshes you should see your key as the last entry in the list, as in something like

[ 3] KEY: ssh-dss AAAAB3NzaC1kc3MAAACBAP...iM= jharvard@jharvardmac.local

If this is true, then congrats, you're all set. Hit Q to get out of access, then exit out of HCS and then FAS, and then see if you can ssh group-name@hcs.harvard.edu straight from your Mac. If you made a passphrase, you'll be prompted for it to decode your keys, and with any luck, you just let yourself into HCS directly! If something went wrong, check the last bit of this page for troubleshooting tips.

On a Windoze PC

The process here is a bit longer than with a Mac, but hang in there. We've tried to make this guide as simple and straightforward as possible.

Open SecureCRT and close the Connect window if it comes up at startup. The first place you want to go is Tools>Create Public Key...

This will bring up a wizard on public keys. Select Next to continue.

The next screen is on key types; DSA is fine.

Now you are prompted to create a passphrase. You will have to enter this every time you use the key. It is optional, but recommended. Also, in the bottom field, enter a note of your username and your machine name (or alternatively, a hint for your passphrase).

Leave the key length at the recommended value of 1024 bits.

Now for the fun part: move your mouse around to create random data for the key generator. Seriously. Whip it around however you like.

Here you should change the format to OpenSSH Key Format. Don't worry about where it saves it; leave the default.

The wizard will finish and it will ask you if this should be your global key. Go ahead and say Yes.

Now you will need to go and find your generated key. By default it should have been saved as C:\Documents and Settings\jharvard\Application Data\VanDyke\Identity.pub. No, it's not a Microsoft Publisher document, just a text file. Right-click it and open it with Notepad. You want to select all the text and then go to Edit>Copy.

Now you need to connect to your HCS account in the old way, to upload the key that you just made. If you're not familiar with this, you should check out the first tutorial. Log in to your HCS account through FAS: bring back the Connect pane in SecureCRT by going to File>Connect..., and double-click on fas.harvard.edu.

Then, after authenticating with your FAS password, enter ssh group-name@hcs.harvard.edu at the fas% prompt. As you know, you will log straight into HCS without a password since you are coming from FAS. Now we will use the access utility, made by HCS, to add your key to the access list. Simply type access once you're in your home directory on HCS. You will see something like:

Usage: /usr/local/bin/access
Welcome!
The following currently have access to group-name@hera.hcs.harvard.edu:
[ 1] group-name@hera.hcs.harvard.edu
[ 2] jharvard on all HASCS hosts

Choose what you would like to do:
[A] Print the access list as it currently stands.
[B] Add a FAS username to the access list.
[C] Add a user at another host to the access list.
[D] Delete an entry from the access list.
[E] Add an OpenSSH keyfile to the access list.
[F] Print the raw shosts files.
[Q] Quit.
Your action?

You want to add an OpenSSH keyfile, so press E and then hit return.

Your action? e
You may paste in a one-line SSH host key below. Be sure that
when you're pasting you don't introduce any extra carriage returns.
Note that virtually no validation will be performed on the key.

Paste in your SSH key from the Clipboard (you copied it from Notepad, remember) by hitting Shift-Insert on your keyboard (SecureCRT uses different shortcuts from most other Windows apps, because terminal programs usually need the Control key). Then hit enter. You will be asked Do you really want to add this key (y/n)? , to which you should hit Y to answer yes.

When the screen refreshes you should see your key as the last entry in the list, as in something like

[ 3] KEY: ssh-dss AAAAB3NzaC1kc3MAAACBAJ...Cg== jharvard@jharvardpc

If you see it, then congrats, you're all set. Hit Q to get out of access, and then close your session by going to File>Disconnect.

Now take a breather; we're almost done. We can now create a session for you that you can click in the Connect dialog to go straight into HCS. Go to File>Connect... but this time go for the New Session button.

Another wizard pops up. SecureCRT loves wizards. Hit next.

Type in the following information; of course, substitute group-name with your HCS account name.

Now you need to name this connection something. Pick whatever you want. Name it "Fluffy" if you please.

Once you click Finish, you'll be back at your connection screen with your newly made connection selected. But hold on a minute. We need to set some more options! With your HCS connection selected, go to the Properties button.

You'll see a lot of junk that doesn't really matter. What does matter is that you should click on SSH2 in the tree on the left side and turn off all Authentication methods except PublicKey. If you don't do this, SecureCRT will be stupid and try to ask for a password, which won't work.

Say OK and you're back at the Connections window. Now you can double-click on your brand new HCS connection.

It's your first time connecting, so it will probably give you this freaky dialog. Just hit Accept & Save and you'll never see it again.

Finally, if you had a passphrase for your key, enter it now; if you didn't you won't see this dialog.

That's it! You should be in; if not, something went wrong. See the final section for some tips.

So what now?

Troubleshooting

OK, what if it didn't work? The most likely reason is that our access program mangled its job and didn't add your key correctly, or you pasted it wrong, say without the last ten characters or something. In that case, you will have to roll up your sleeves and fix the mess. Get back into your HCS account the old-fashioned way, through FAS, and edit your authorized_keys file by typing:

pico .ssh/authorized_keys

This file is supposed to contain one SSH key per line (even though the lines get very long), with no other line breaks. Each SSH key needs the ssh-dss identifier at the beginning and ends with a space followed by a user identifier like jharvard@example.com. If it's messed up, try mucking with it in pico until you get it right, then hit Control-X to exit and choose Y or N to save/discard changes.
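
The format rules above (one key per line, ssh-dss at the start, a user identifier at the end) can be checked mechanically, which helps because access performs virtually no validation on what you paste. The Python below is an added example, not part of the original tutorial or of HCS's access utility; its function names are made up for illustration, the sample key is constructed, and it assumes lines carry no leading options field.

```python
import base64

# Fields per key blob, type name included: ssh-dss carries p, q, g, y (RFC 4253).
# Only this tutorial's key type is listed; OpenSSH 7.0+ disables ssh-dss by default.
FIELD_COUNT = {"ssh-dss": 5}

def check_line(line):
    """Return the problems found in one authorized_keys line ([] means OK)."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        return ["expected '<type> <base64> <identifier>' on one line"]
    ktype, b64 = parts[0], parts[1]
    problems = []
    if ktype not in FIELD_COUNT:
        problems.append("unexpected key type")
    if len(parts) < 3:
        problems.append("missing trailing user identifier")
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return problems + ["base64 is damaged or cut short"]
    fields, pos = [], 0
    while pos < len(blob):  # each field: 4-byte big-endian length, then data
        end = pos + 4 + int.from_bytes(blob[pos:pos + 4], "big")
        if pos + 4 > len(blob) or end > len(blob):
            return problems + ["key data is cut short"]
        fields.append(blob[pos + 4:end])
        pos = end
    if not fields or fields[0] != ktype.encode():
        problems.append("type inside key data does not match line prefix")
    elif len(fields) != FIELD_COUNT.get(ktype, len(fields)):
        problems.append("wrong number of fields")
    return problems

def check_file(text):
    """Map line number -> problems for each non-blank, non-comment line."""
    lines = enumerate(text.splitlines(), 1)
    report = {n: check_line(l) for n, l in lines if l.strip() and not l.lstrip().startswith("#")}
    return {n: found for n, found in report.items() if found}

def sample_line():
    """Constructed ssh-dss line with dummy numbers; well-formed, not a real key."""
    numbers = (b"\0" + b"\xc1" * 128, b"\0" + b"\xa7" * 20, b"\x11" * 128, b"\x22" * 128)
    blob = b"".join(len(f).to_bytes(4, "big") + f for f in (b"ssh-dss",) + numbers)
    return "ssh-dss " + base64.b64encode(blob).decode() + " jharvard@example.com"

if __name__ == "__main__":
    good = sample_line()  # printed report flags lines 2 and 3: a key split by a stray line break
    print(check_file(good + "\n" + good[:108] + "\n" + good[108:]))
```

To check a real file, pass the text of .ssh/authorized_keys to check_file; any line number it reports is one to repair in pico.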

If you think you did everything right, your authorized_keys looks fine, and you've followed all the settings above to a T, you could try asking us at acctserv@hcs what to do. We'll give you our best shot.

Why did I go through all this again?

Now you can connect straight to your HCS account without going through FAS. This is not only more convenient and secure, but it is the way to go if your FAS account is about to expire or if you have problems with FAS dropping your SSH connections too often. Plus, it will make uploading files so much easier through a graphical client, which will be the focus of the next tutorial.