Managing SSH keys with Kanidm
For lab members who joined before 2026-05-22: orca's logins are now managed centrally through Kanidm for new members. If you already had an orca account before that date, your existing access still works and you don't need to follow this.
This page covers SSH access to orca, whose logins are managed through the lab's identity server, Kanidm. You register your SSH public key with Kanidm once, then you can log in. (For web services and passwords, see Accounts.) Other lab machines are still being migrated — ask Adarsh for access to those.
1. Make sure you have an SSH key
On your laptop:
ls ~/.ssh/id_ed25519.pub
If that file exists, skip to step 2. Otherwise create one:
ssh-keygen -t ed25519 -C "your-name@arizona.edu"
Press Enter for the default location; a passphrase is recommended. This creates a private key (~/.ssh/id_ed25519 — never share it) and a public key (~/.ssh/id_ed25519.pub — safe to share).
2. Copy your public key
cat ~/.ssh/id_ed25519.pub
Copy the whole line — it starts with ssh-ed25519.
3. Register it with Kanidm
You have two options for doing this: via the web (easier) or via the command line.
3.1 Web (easier)
Sign in at idm.lab.pyarelal.xyz → Profile → Credentials → SSH Keys → Add SSH Key, paste the public key from step 2, and give it a Title (e.g. my-macbook-pro).
3.2 Command line
If you have the kanidm client tools:
kanidm login -D <your-username>
kanidm person ssh add-publickey <your-username> <label> "ssh-ed25519 AAAA... your-name@arizona.edu"
(The label, e.g. adarsh-my-macbook-pro, just lets you tell keys apart — use one per device.)
4. Log into orca
ssh <your-username>@orca.infosci.arizona.edu
The first time, your shell may take a moment while your home directory is created.
Troubleshooting
Permission denied (publickey) — the key registered in Kanidm doesn't match the one your laptop is offering. Recheck steps 2–3, or run ssh -v <your-username>@orca.infosci.arizona.edu to see which key is being tried.
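The check behind the troubleshooting step, as an added example that is not part of the original page: it verifies that a pasted public key line is complete (step 2) and computes its SHA256 fingerprint, which can be compared with the fingerprints on the "Offering public key" lines of ssh -v output. The function names and the sample-key helper are assumptions made for this illustration, and the debug line is matched loosely because its layout differs between OpenSSH versions.

```python
import base64
import hashlib
import re


def parse_pubkey_line(line):
    """Split '<type> <base64> [comment]' and verify the key blob is complete."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, comment = parts[0], (parts[2] if len(parts) == 3 else "")
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError as exc:  # binascii.Error subclasses ValueError
        raise ValueError("key data is not valid base64 (partial copy?)") from exc
    fields, off = [], 0
    while off < len(blob):  # blob is a run of: 4-byte big-endian length + bytes
        n = int.from_bytes(blob[off:off + 4], "big")
        off += 4
        if off + n > len(blob):  # also catches a cut-off length prefix
            raise ValueError("key data is truncated (partial copy?)")
        fields.append(blob[off:off + n])
        off += n
    if not fields or fields[0] != key_type.encode():
        raise ValueError("key type prefix does not match the encoded key")
    if key_type == "ssh-ed25519" and (len(fields) != 2 or len(fields[1]) != 32):
        raise ValueError("ssh-ed25519 key must hold exactly 32 key bytes")
    return key_type, blob, comment


def fingerprint(line):
    """SHA256 fingerprint in the form OpenSSH prints (unpadded base64)."""
    _, blob, _ = parse_pubkey_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def offered_fingerprints(ssh_verbose_output):
    """Fingerprints found on 'Offering public key' lines of ssh -v output."""
    return [m.group(0) for text in ssh_verbose_output.splitlines()
            if "Offering public key" in text
            for m in re.finditer(r"SHA256:[A-Za-z0-9+/]{43}", text)]


def make_sample_line(raw32, comment):
    """Constructed sample input: wrap 32 bytes as an ssh-ed25519 key line."""
    parts = (b"ssh-ed25519", raw32)
    blob = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment
```

If fingerprint() of the line you registered does not appear in offered_fingerprints() of your ssh -v output, the laptop is offering a different key than the one in Kanidm.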