SSH

From Grid5000
Jump to: navigation, search

Contents

Overview

SSH (Secure SHell) is a network protocol and application generally used to access a shell account on a remote machine. It is the main tool used to access the Grid'5000 testbed.

When connecting to a remote machine, the standard way to authenticate is via the remote account's login and password. However, this authentication schema is disabled on Grid'5000 for security reasons (as it is often subject to bruteforce attacks). Instead, Grid'5000 users must use public-key authentication, as follows:

  • You (the user) generate a key pair using ssh-keygen. The public key can then be used to encrypt messages that only the private key will be able to decrypt.
Terminal.png your machine:
ssh-keygen

Generating public/private rsa key pair.
Enter file in which to save the key (
/home/login/.ssh/id_rsa):(press Enter)
Enter passphrase (empty for no passphrase):(enter passphrase and press Enter)
Enter same passphrase again:(enter same passphrase and press Enter)
Your identification has been saved in /home/login/.ssh/id_rsa.

Your public key has been saved in /home/login/.ssh/id_rsa.pub.
  • Upload the public key (/home/login/.ssh/id_rsa.pub) using the Account Management Interface. The key is copied to the list of keys used to authenticate you (~/.ssh/authorized_keys).
  • When you try to connect to Grid'5000, the Grid'5000 SSH server encrypts a message (the challenge) using your public key, and sends that crypted message. If the your SSH client can decrypt the message, and send it back to the server, the server will have verified your identity. That step is performed automatically when you try to connect. Additionally, if you use an SSH agent, you can avoid typing the key's passphrase at each connection.

SSH-based tools such as scp and rsync can also be used to transfer files to/from Grid'5000.

Basic usage

Connection to a machine

Terminal.png laptop:
ssh jdoe@access.grid5000.fr

or

Terminal.png laptop:
ssh access.grid5000.fr -l jdoe

see man ssh for options

Copying files

To copy myfile from my laptop to my nancy home:

Terminal.png laptop:
scp myfile jdoe@access.grid5000.fr:nancy

To copy myremotefile from my bordeaux home to my laptop:

Terminal.png laptop:
scp jdoe@access.grid5000.fr:bordeaux/myremotefile /tmp

To copy mydir from my laptop to my nancy home:

Terminal.png laptop:
scp -r mydir jdoe@access.grid5000.fr:nancy

Mounting remote filesystem

To mount a remote filesystem :

  mkdir ~/remote_dir
  sshfs -o idmap=user jdoe@lyon.g5k:/home/jdoe/ ~/remote_dir

To unmount the remote filesystem :

  fusermount -u ~/remote_dir

Complex usage

Copying mydir to my rennes home with rsync or tar:

rsync

To synchronize thru SSH:

  rsync -avz -e ssh mydir jdoe@access.grid5000.fr:rennes/mydir

tar/ssh

To preserve things

  tar c mydir | ssh jdoe@access.grid5000.fr tar x -C rennes/mydir

SSH keys handling

SSH key types

SSH support 3 types of keys:

  • rsa1: RSA algorithm, SSH protocol version 1 (default key name: identity), DEPRECATED
  • rsa: RSA algorithm, SSH protocol version 2 (default key name: id_rsa)
  • dsa: DSA algorithm, SSH protocol version 2 (default key name: id_dsa)

You are advised to use a dsa key.

SSH key passphrase

An SSH key-pair is a set of 2 files. A dsa key-pair for instance is:

  • id_dsa: the private key, to be kept on a safe storage, no permissions on the file for anybody except you (i.e. mode 600).
  • id_dsa.pub: the public key, to be dispatched on the systems that you want to connect using SSH (within the authorized_keys files)

The general case

In order to protect your private key from being maliciously used to access your systems (if one steals your private key file for instance), you must provide a passphrase. Empty passphrase should only be used for SSH host key generation (normal users should not have to care about this), or for system accounts keys that need automatic (none-interactive) login on remote systems (no passphrase eases scripting ;) ).

For user's usage, you actually wont have to enter your passphrase each time you access to a system using SSH, since you can use a ssh-agent. This agent store it for you indeed, so that you only need to enter your passphrase one - and only one - time.

The Grid'5000 case

It is common usage on HPC cluster to use SSH keys without passphrase, so that connection to nodes can be scripted, and never interrupted by any authentication interactive process. Furthermore, using a ssh-agent is often not a good solution, because it doesn't work well with shell scripts, non-interactive sessions, screen sessions ... because you are always asked to enter your passphrase once.

The advice then is to use a SSH key with passphrase to access the frontal of the cluster, and then store on your Grid'5000 home directories a dedicated key without passphrase.

SSH Key generation

Please use the command "ssh-keygen -t dsa" to generate your SSH DSA key, and give a non-empty passphrase.

  $ ssh-keygen -t dsa
  Generating public/private dsa key pair.
  Enter file in which to save the key (/home/bob/.ssh/id_dsa): 
  Enter passphrase (empty for no passphrase): ********************
  Enter same passphrase again: ********************
  Your identification has been saved in /home/bob/.ssh/id_dsa.
  Your public key has been saved in /home/bob/.ssh/id_dsa.pub.
  The key fingerprint is:
  00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff bob@leponge

SSH Key usage

Once you generated your key, you need to dispatch its public part on every server you may want to access. This means adding the content of the id_dsa.pub file into the remote .ssh/authorized_keys file of every server. For Grid'5000, you need to understand that you have a different home directory for each site, and therefore that for each site you plan to access, you need to dispatch your public key on your home directory on that site. To dispatch your id_dsa.pub public key on the server named myserver (login mylogin), you may use the following command:

  $ MYSERVER=myuser@myserver
  $ cat ~/.ssh/id_dsa.pub | ssh $MYSERVER 'umask 022 ; mkdir -p .ssh ; touch .ssh/authorized_keys ; cat >> .ssh/authorized_keys'

A command named ssh-copy-id may be provided within the SSH package installed on your system. In such a case, you may simply run:

  $ ssh-copy-id myuser@myserver

NB: this requires your key(s) to be stored in a SSH agent, see below.

Using the SSH agent

  • Storing keys and passphrases

To tell the ssh-agent to store your key AND remember the passphrase so that you do not have to enter it everytime you connect via SSH to a remote machine, just do a:

  $ ssh-add 
  Enter passphrase for /home/bob/.ssh/id_dsa: ********************
  Identity added: /home/bob/.ssh/id_dsa (/home/bob/.ssh/id_dsa)

You may look at the keys the agent actually stores with the following command:

  $ ssh-add -l
  1024 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff (/home/bob/.ssh/id_dsa)
  • forwarding the agent (useful if chaining SSH connections)

If not activated by default, you may need to run the SSH command with the `-A' parameter in order your key storage agent to be forwarded on connected hosts, so that you can chain other SSH command from this host without password or passphrase afterward. (try a `ssh-add -l' on the remote host to check if your key is forwarded). You may also add a "ForwardAgent yes" statement in your .ssh/config file.

Be warned that forwarding the agent (and then the data it stores) on a unsecure remote server may be unsafe.

Setting up a user config file

Setting up aliases or defaults

You may provide a configuration file that define default parameters for your SSH connections inside Grid'5000. This file is ~/.ssh/config in your Grid'5000 account home directories (one per site). In this configuration file, you may for instance specify:

  • alias for long hostnames
  • username to be used to connect some machines if this is not the one used localy (no more need for either "-l username" or "username@" statement).
  • X11 forwarding enabling
  • TCP port forwarding

Using SSH with ssh proxycommand setup to access hosts inside Grid'5000

You can setup your local (on your laptop or workstation) .ssh/config so that you transparently access any host inside Grid'5000 (behind Grid'5000 firewalls). The idea is that your local ssh client will directly talk with the ssh deamon on the host behind the firewall thru a connection to the gateway opened with another ssh connection.

First
setup an alias for the global access machine
# Alias for the gateway (not really needed, but convenient)
Host g5k
  User g5k_login
  Hostname access.grid5000.fr
  ForwardAgent no

Your are now able to connect to your Grid'5000 site without being bothered with options such as to specify your Grid'5000 login each time:

ssh g5k
scp my_directory/my_file g5k:site/
Second
setup the glob alias for the access to any hosts inside Grid'5000

(host inside Grid'5000, except the access machine are not reachable from the Internet)

# Automatic connection to hosts within Grid'5000, and not reachable direction on SSH tcp port 22
Host *.g5k
  User g5k_login
  ProxyCommand ssh g5k -W "`basename %h .g5k`:%p"
  # Before OpenSSH 5.4, -W option does not exist and tcpconnect or nc must be used such as :
  # ProxyCommand ssh g5k "nc -q 0 `basename %h .g5k` %p"
  ForwardAgent no

The .g5k suffix is an arbitrary suffix you will now specify in your command lines in order to access hosts inside Grid'5000: And now, to log on that gateway, you can use:

  • Accessing the frontend of my site (grenoble):
ssh grenoble.g5k
  • Accessing the frontend of another site:
ssh rennes.g5k
  • Accessing a node belonging to one of my job
ssh gdx-102.orsay.g5k
Note.png Note

That latter example take as assumption that gdx-102 SSH server is open for you account, e.g.:

  • you submitted a job with the allow_classic_ssh magic type (oarsub -t allow_classic_ssh ... )
  • you submitted a deploy job, and deployed your own operating system which allows you to connect using SSH
Otherwise, shell access is only granted via oarsh (or ssh as oar and using you job key)

Grid5000 SSH access w proxycommand-new.png

Tips

bash-completion

The bash-completion package eases the ssh command usage by providing completion for hostnames and more.

  yum install bash-completion

On Debian it is provided within bash package.

Using port forwarding

A SSH connection allow you to tunelize other connections. This is achieved using the "-L", "-R" parameters.

Forwarding a local port

You can forward a localport to a host behind a firewall.

SSH Local port forwarding

Forwarding a remote port

You can forward a remote port back to a host protected by your firewall.

SSH Remote port forwarding

Tunelizing for others

Using the "-g" parameter, you allow connections from other hosts than localhost to use your SSH tunnels. Be warned that anybody within your network my access the tunnelized host this way, which may be a security issue.

Using OpenSSH SOCKS proxy feature (with mozilla for instance)

OpenSSH ssh client also embeds a SOCKS proxy. You may activate it using the "-D " parameter and then configuring your application (mozilla firefox for instance) to be proxified through the so created SOCKS proxy.

SSH embedded socks proxy

It is also possible to configure your web browser to use a different proxy depending on the destination to reach. This can be achieved using a proxy autoconfiguration script (an example is provided in the SSH resources section below), or using Foxyproxy (a firefox/chrome extension).

Escape characters

  • ~.

Disconnect you, even if your remote command hangs.

  • ~C

Open command line. Allows the addition of port forwardings using the -L and -R options.

See `man ssh' for more details

SSH resources

Un*x clients

  • OpenSSH

OpenSSH is available in every good linux distro, and every *BSD, and Mac OS X.

Mac OS X tools

  • SSHKeychain is a Cocoa application that acts as a frontend to ssh-agent. It uses the Mac OS X Keychain to store the key (so you don't have to remember another password), and it can manage a set of tunnels.
  • Cyberduck is a Cocoa FTP and SFTP client.

Windows clients

  • OpenSSH/Cygwin

OpenSSH is available with Cygwin. You may then find the same features in your SSH client even if you run Windows. Furthermore, Cygwin also embeds many other GNU Un*x like tools, and even a FREE X server for windows. USE CYGWIN ;). URL: http://www.cygwin.com/

  • Putty

Free windowish SSH client: http://www.chiark.greenend.org.uk/~sgtatham/putty/

  • www.ssh.com client

Free for non commercial use windows client: http://www.ssh.com/support/downloads/secureshellwks/non-commercial.html

Automatic proxy configuration file

  //+----------------------------------------------------
  //| Hosts to proxify are set in the urls array.
  //| This script assumes that the proxy to reach those
  //| hosts is listening on localhost:7777, e.g. created
  //| with `ssh -D 7777 access.grenoble.grid5000.fr'
  //+----------------------------------------------------
  var urls = new Array(
   "http://edel-42.grenoble.grid5000.fr*",
   "https://adonis-3.grenoble.grid5000.fr*"
  );

  function isProxified( url )
  {
      for (var i = 0; i < urls.length; i++)
      {
          if( shExpMatch(url, urls[i] ) )
              return 1;
      }
      return 0;
  }

  function FindProxyForURL(url, host)
  {
      if (isProxified(url))
          return "SOCKS localhost:7777";
      else
          return "DIRECT";
  }

You may place this file in your home directory on your workstation (in /home/bob/ssh-socks.pac for instance) and provide the URL in mozilla proxy configurtion window: file:///home/bob/ssh-socks.pac

Personal tools
Namespaces

Variants
Actions
Public Portal
Users Portal
Admin portal
Wiki special pages
Toolbox