This is not fundamentally different at JLab than anywhere else, but the combination of the Lab's general policy of prohibiting initial external authentication by PubkeyAuth and our Common User Environment's (CUE's) sharing of home directories can create confusion about which piece goes where.
If you SSH to login.jlab.org. and then, once logged in there, SSH to another host, it is an SSH process on login.jlab.org. which is talking to the SSHD on the final destination. Since at JLab many of those destinations (e.g. ifarm) use the same shared home directories as login.jlab.org., both the private key file (e.g. id_rsa), which SSH on login.jlab.org. is using, and the authorized_keys file, which SSHD on the final destination is using, end up being read from the same home directory, so there is no distinction between the home directory the private key needs to be in and the home directory the public key entry needs to be in. Note that this also means the private key lives in a shared, network-mounted home directory rather than only on your own machine.
If instead you use -J or ProxyJump, the SSH process on your local machine, rather than you yourself starting another SSH process from a shell on login.jlab.org., automatically starts a secondary SSH process on your local machine which connects to login.jlab.org. and establishes a tunnel through which the primary SSH process communicates directly with the SSHD on the final destination. So the private key file, which SSH on your local machine is using, needs to be in your home directory on your local machine, whereas the corresponding public key entry in authorized_keys needs to be in your home directory on the final destination. If you're ProxyJumping from one host which uses CUE home directories (e.g. many workstations at JLab) to another host which uses CUE home directories (e.g. ifarm or jlabl[1-5]), those will once again be the same directory, but if not (e.g. you're logging in using your laptop from home), having both keys in your CUE home directory won't work. You need a public key entry in authorized_keys on the final destination that corresponds to a private key in your home directory on your local machine. The jump host only relays the encrypted connection; it never sees the private key.
You'll still have to authenticate interactively into login.jlab.org., but the second step can then use pubkey instead of prompting for your CUE password, e.g. with a Host ifarm entry in ~/.ssh/config on your local machine that sets ProxyJump login.jlab.org.:

    lsh@laura-mac ~> ssh ifarm
    (lsh@login.jlab.org.) Password:
    [lsh@ifarm2401 ~]$
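The layout described above, as an added example that is not part of the original page: a POSIX shell script that keeps the private key on the local machine, writes a local SSH config that ProxyJumps through login.jlab.org. to the CUE hosts, appends the public half to authorized_keys on the final destination, and asks ssh (with -G, which resolves the config without connecting) which jump host it will actually use. The hostnames and the user name lsh come from the page; the key file name id_ed25519_jlab, the config file name config.jlab, the script name and the choice to turn PubkeyAuthentication off for the jump host are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the JLab page. Sets up the "-J / ProxyJump" layout:
# private key ONLY in ~/.ssh on the local machine, public key entry ONLY in
# ~/.ssh/authorized_keys on the final destination. Key and config file names
# are assumptions; the hostnames and user name are the ones in the text.
set -e

# write_jlab_config CONFIG_FILE KEY_FILE
# Two stanzas: the jump host, where JLab requires interactive authentication so
# offering a key is pointless (PubkeyAuthentication no is this example's choice),
# and the CUE hosts reached through it with the local private key.
# IdentitiesOnly stops ssh from also offering every key held by an agent.
write_jlab_config() {
    cfg="$1"; key="$2"
    cat >"$cfg" <<EOF
Host login.jlab.org.
    User lsh
    PubkeyAuthentication no

Host ifarm jlabl?
    User lsh
    ProxyJump login.jlab.org.
    IdentityFile $key
    IdentitiesOnly yes
EOF
    chmod 600 "$cfg"   # ssh refuses a user config that is group/world writable
}

# ensure_local_key KEY_FILE: generate the key pair on the local machine if it
# does not exist yet (ssh-keygen prompts for a passphrase). The private half is
# never copied to a CUE home directory.
ensure_local_key() {
    [ -f "$1" ] || ssh-keygen -q -t ed25519 -f "$1" -C "laptop-to-jlab"
}

# install_pubkey CONFIG_FILE KEY_FILE HOST: append the public key to
# authorized_keys on the final destination. The connection goes through the
# jump host per the config; because the key is not installed yet you are asked
# for the CUE password twice, once for login.jlab.org. and once for HOST.
install_pubkey() {
    ssh -F "$1" "$3" 'umask 077; mkdir -p ~/.ssh; cat >>~/.ssh/authorized_keys' <"$2.pub"
}

# resolved_jump CONFIG_FILE HOST: print the jump host ssh will use for HOST.
# "ssh -G" dumps the configuration as ssh resolves it and makes no connection.
resolved_jump() {
    ssh -G -F "$1" "$2" | awk '$1 == "proxyjump" { print $2 }'
}

# Usage (hypothetical script name): sh jlab-proxyjump.sh setup
case "${1:-}" in
setup)
    ssh_dir="$HOME/.ssh"; cfg="$ssh_dir/config.jlab"; key="$ssh_dir/id_ed25519_jlab"
    mkdir -p "$ssh_dir"; chmod 700 "$ssh_dir"
    ensure_local_key "$key"
    write_jlab_config "$cfg" "$key"
    install_pubkey "$cfg" "$key" ifarm
    echo "ifarm will be reached via: $(resolved_jump "$cfg" ifarm)"
    echo "add 'Include config.jlab' at the top of $ssh_dir/config to use it without -F"
    ;;
esac
```

After setup, `ssh -F ~/.ssh/config.jlab ifarm` (or plain `ssh ifarm` once the Include line is in place) should prompt only once, for the login.jlab.org. password, and then land you on ifarm via the key. If you still get a second password prompt, the public key entry is missing on the destination side, or the private key you are offering is in a CUE home directory instead of on the machine you typed ssh on.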