SSH: Difference between revisions
| Line 180: | Line 180: | ||
| ==Using SSH with ssh ProxyCommand setup to access hosts inside Grid'5000== | ==Using SSH with ssh ProxyCommand setup to access hosts inside Grid'5000== | ||
| You can setup your local (on your laptop or workstation) <code class="file">.ssh/config</code> so that you transparently access any host inside Grid'5000 (behind Grid'5000 firewalls). The idea is that your local ssh client will directly talk with the ssh daemon on the host behind the firewall through a connection to the gateway opened with another ssh connection. | You can setup your local (on your laptop or workstation) <code class="file">~/.ssh/config</code> so that you transparently access any host inside Grid'5000 (behind Grid'5000 firewalls). The idea is that your local ssh client will directly talk with the ssh daemon on the host behind the firewall through a connection to the gateway opened with another ssh connection. | ||
| === First: setup an alias for the global access machine === | === First: setup an alias for the global access machine === | ||
Revision as of 10:13, 29 April 2020
TODO when no more draft
{{See also|[[FAQ]]}}
{{Portal|Admin}}
{{Portal|User}}
{{Portal|Service}}
{{Portal|Tutorial}}
Overview
SSH is a widely used network protocol to establish a secure communication channel to a remote machine. Its most common use is to get shell access (be able to type command-line commands) on a remote server.
When connecting to a remote machine, the standard way to authenticate is via the remote account's login and password. However, this authentication schema is disabled on Grid'5000 for security reasons (as it is often subject to brute-force attacks). Instead, SSH is used with a key-based authentication mechanism to gain access to the platform, and ssh keys are the recommended authentication method even inside Grid'5000.
It can also be used to transfer files (using SCP, SFTP or RSYNC), connect securely to network services on the remote network (using SSH tunnels or a SSH-based VPN), and even execute graphical applications remotely (using X forwarding).
This documentation is designed to teach you the basics as recommended for use in the Grid'5000 context.
Generating keys for use with Grid'5000
Linux and Mac users
Most Linux distribution and Mac OS variants come with the ssh and  ssh-keygen command line utilities. Generating a key-pair is simply a matter of running the ssh-keygen and supplying a passphrase. To access Grid'5000 using ssh, you must use a key-pair that whose private key is passphrase protected.
If you follow the defaults, you now have a public key stored in the ~/.ssh/id_rsa.pub file. You can use it when requesting an account or to update your profile.
Windows users
- All Windows versions with PuTTYgen
The basic steps for Windows users are well documented in the page Inria maintains for gforge users. You'll only need to remember that the key you generate don't need to be uploaded to InriaGforge, but to the Account management form or the Account request form.
- Since Windows 10, there is new SSH client usage possibilities
- A native OpenSSH (client and server) could be installed. See OpenSSH installation and first use Microsoft documentation
- Windows Subsystem for Linux (WSL) is available to use a complete Linux distribution and thus a complete OpenSSH client too. See about WSL Microsoft documentation
 
So ssh-keygen command is available, and could be used as in Linux and Mac OS.
Basic configuration for Grid'5000
After having looked at the explanations above, you might be wondering how servers can get a copy of your public key if you can not connect to them to put it there. In Grid'5000, the answer depends on the type of server.
Access machine configuration
You have to upload your previously generated public key (/home/login/.ssh/id_rsa.pub) using the Account Management Interface or the Account request form.
Access machines update the repository of trusted keys they use regularly from the user database.
The following command should therefore connect you to Grid'5000 if you have access to a ssh command and that it has access to the private part of the public key you uploaded on the Account management form. If not, please refer to the ssh access from windows paragraph.
You might be using more than one key, or have given a specific name to the key used for Grid'5000. In this case, you must be particularly careful about access rights given to the key and the directory it is stored in (see .ssh access rights). Please use:
You should be able to check the list of keys configured from your account with the following command.
Site frontend machines
Looking at the general configuration for your account on the access machine, you'll find some additional files:
The id_rsa and id_rsa.pub files are a passphrase-less pair of keys that where automatically configured for you when your account was created. The public part of that key was added to the repository of trusted keys for all access machines, as you can see when running
The configuration allows you to connect to site frontends using either the key generated for you (internal key), or the key used to access the access machine (external key). The recommended configuration is to passphrase-protect the external key, but not the internal key.
Reserved machines
When you have reserved machines, you'll be in one of the following 3 cases
- you did not request a classical_sshordeployjob type : oar will have generated a keypair for your job, that will be used transparently for you if you are usingoarsh, a wrapper forssh.
- you requested a classical_sshjob type: the ssh config on nodes is to use the .ssh directory your homedir as trusted sources of authorized keys, and ssh configuration is dynamically updated to allow you to connect.
- you requested a deployjob type. Nothing has been done to allow you to connect on nodes. When you deploy an environment, the-koption ofkadeploy3will copy the authorized_keys of your home directory on the site to the ssh configuration of the root account of the deployed nodes.
Use SSH to connect to another site
The figure below shows how you just connected from your local machine to access, and then to the site frontend in nancy. Site frontends (named fsite.site.grid5000.fr or simply site.grid5000.fr) are the machines you will use to interact with Grid'5000 tools such as OAR and Kadeploy.
Those machines are virtual machines, and must not be used for CPU or I/O intensive tasks (nodes must be reserved and used instead).
More advanced SSH
files copy
Grid'5000 users have home directories in every Grid'5000 sites. But each site home directory is accessible in the access machines in a directory named after the site name.
To copy myfile from my workstation to my nancy home:
To copy myremotefile from my lyon home to my workstation:
To copy mydir from my workstation to my nancy home:
rsync files copy/synchronisation
Copying mydir to my rennes home with rsync through SSH:
tar/ssh files copy
Copying mydir to my rennes home with tar through SSH:
Mounting remote filesystem
To mount a remote filesystem using sshfs:
To unmount the remote filesystem :
SSH keys handling
SSH key types
SSH support 3 types of keys:
- rsa1: RSA algorithm, SSH protocol version 1 (default key name: identity), DEPRECATED
- rsa: RSA algorithm, SSH protocol version 2 (default key name: id_rsa)
- dsa: DSA algorithm, SSH protocol version 2 (default key name: id_dsa), DEPRECATED since OpenSSH 7
You are advised to use a rsa key.
SSH key passphrase
An SSH key-pair is a set of 2 files. A rsa key-pair for instance is in your ~/.ssh directory:
- id_rsa: the private key, to be kept on a safe storage, no permissions on the file for anybody except you (i.e. mode 600).
- id_rsa.pub: the public key, to be dispatched on the systems that you want to connect using SSH (within the authorized_keys files)
The general case
In order to protect your private key from being maliciously used to access your systems (if one steals your private key file for instance), you must provide a passphrase. Empty passphrase should only be used for SSH host key generation (normal users should not have to care about this), or for system accounts keys that need automatic (none-interactive) login on remote systems (no passphrase eases scripting ;) ).
For user's usage, you actually wont have to enter your passphrase each time you access to a system using SSH, since you can use a ssh-agent. This agent store it for you indeed, so that you only need to enter your passphrase one - and only one - time.
The Grid'5000 case
It is common usage on HPC cluster to use SSH keys without passphrase, so that connection to nodes can be scripted, and never interrupted by any authentication interactive process. Furthermore, using a ssh-agent is often not a good solution, because it doesn't work well with shell scripts, non-interactive sessions, screen sessions ... because you are always asked to enter your passphrase once.
The advice then is to use a SSH key with passphrase to access the frontal of the cluster, and then store on your Grid'5000 home directories a dedicated key without passphrase.
SSH Key generation
Please use the command ssh-keygen -t rsa to generate your SSH RSA key, and give a non-empty passphrase. The public key can then be used to encrypt messages that only the private key will be able to decrypt.
$ ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/home/bob/.ssh/id_rsa): Enter passphrase (empty for no passphrase): ******************** Enter same passphrase again: ******************** Your identification has been saved in /home/bob/.ssh/id_rsa. Your public key has been saved in /home/bob/.ssh/id_rsa.pub. The key fingerprint is: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff bob@leponge
SSH Key usage
Once you generated your key, you need to dispatch its public part on every server you may want to access. This means adding the content of the id_rsa.pub file into the remote .ssh/authorized_keys file of every server. For Grid'5000, you need to understand that you have a different home directory for each site, and therefore that for each site you plan to access, you need to dispatch your public key on your home directory on that site. To dispatch your id_rsa.pub public key on the server named myserver (login mylogin), you may use the following command:
$ MYSERVER=myuser@myserver $ cat ~/.ssh/id_rsa.pub | ssh $MYSERVER 'umask 022 ; mkdir -p .ssh ; touch .ssh/authorized_keys ; cat >> .ssh/authorized_keys'
A command named ssh-copy-id may be provided within the SSH package installed on your system. In such a case, you may simply run:
$ ssh-copy-id myuser@myserver
NB: this requires your key(s) to be stored in a SSH agent, see below.
Using the SSH agent
- Storing keys and passphrases
To tell the ssh-agent to store your key AND remember the passphrase so that you do not have to enter it everytime you connect via SSH to a remote machine, just do a:
$ ssh-add Enter passphrase for /home/bob/.ssh/id_rsa: ******************** Identity added: /home/bob/.ssh/id_rsa (/home/bob/.ssh/id_rsa)
You may look at the keys the agent actually stores with the following command:
$ ssh-add -l 2048 SHA256:Bx7zKapa1Gz04+LtvxTsQCkvojKjB2iPmx2OLxfkXjl /home/bob/.ssh/id_rsa (RSA)
- forwarding the agent (useful if chaining SSH connections)
If not activated by default, you may need to run the SSH command with the `-A` parameter in order your key storage agent to be forwarded on connected hosts, so that you can chain other SSH command from this host without password or passphrase afterward. (try a `ssh-add -l` on the remote host to check if your key is forwarded). You may also add a "ForwardAgent yes" statement in your .ssh/config file.
Be warned that forwarding the agent (and then the data it stores) on a unsecure remote server may be unsafe.
Setting up a user config file
Setting up aliases or defaults
You may provide a configuration file that define default parameters for your SSH connections inside Grid'5000. This file is ~/.ssh/config in your Grid'5000 account home directories (one per site). In this configuration file, you may for instance specify:
- alias for long hostnames
- username to be used to connect some machines if this is not the one used locally (no more need for either "-l username" or "username@" statement).
- X11 forwarding enabling
- TCP port forwarding
Using SSH with ssh ProxyCommand setup to access hosts inside Grid'5000
You can setup your local (on your laptop or workstation) ~/.ssh/config so that you transparently access any host inside Grid'5000 (behind Grid'5000 firewalls). The idea is that your local ssh client will directly talk with the ssh daemon on the host behind the firewall through a connection to the gateway opened with another ssh connection.
First: setup an alias for the global access machine
# Alias for the gateway (not really needed, but convenient)
Host g5k
  User g5k_login
  Hostname access.grid5000.fr
  ForwardAgent no
Your are now able to connect to your Grid'5000 site without being bothered with options such as to specify your Grid'5000 login each time:
ssh g5k scpmy_directory/my_fileg5k:site/
Second: setup the glob alias for the access to any hosts inside Grid'5000
(host inside Grid'5000, except the access machine are not reachable from the Internet)
# Automatic connection to hosts within Grid'5000, and not reachable direction on SSH tcp port 22
Host *.g5k
  User g5k_login
  ProxyCommand ssh g5k -W "$(basename %h .g5k):%p"
  ForwardAgent no
The .g5k suffix is an arbitrary suffix you will now specify in your command lines in order to access hosts inside Grid'5000: And now, to log on that gateway, you can use:
- Accessing the frontend of my site (grenoble)
ssh grenoble.g5k
- Accessing the frontend of another site
ssh rennes.g5k
- Accessing a node belonging to one of my job
ssh graphite-3.nancy.g5k
- Copying files
Any command (scp, rsync, ...) can use the .g5k magic suffix.
scp myfile rennes.g5k: rsync -avz mydir rennes.g5k:
Global picture
Using SSH with ProxyJump to access hosts inside Grid'5000
Basics
ProxyJump was introduced in ssh version 7.3 to made it easier to do the jump and internal login in one step.
Here is the basic syntax with the -J flag:
ssh -J <access-host> <remote-host>
And a Grid'5000 example to connect to Nancy's frontend:
ssh -J access.grid5000.fr fnancy.nancy.grid5000.fr
Single remote host aliases
Like ProxyCommand, ProxyJump can be used in your local .ssh/config.
However, ProxyJump can't use `%h` or `%p` ssh variables nor `basename` command. So a general/wildcard suffix can't be used like previous ProxyCommand configuration to access to any hosts inside Grid'5000.
But you can easily use some single host alias configuration like this Nancy's frontend example:
Host myfrontend
  User g5k_login
  HostName fnancy.nancy
  ProxyJump access.grid5000.fr
  ForwardAgent no
and so directly connect with:
ssh myfrontend
Tips
bash-completion
The bash-completion package eases the ssh command usage by providing completion for hostnames and more.
yum install bash-completion
On Debian:
apt-get install bash-completion
Using port forwarding
A SSH connection allow you to tunnelize other connections. This is achieved using the "-L", "-R" parameters.
Forwarding a local port
You can forward a localport to a host behind a firewall.
In this case, the target remote server must be explicitly given in the ssh command.
Forwarding a remote port
You can forward a remote port back to a host protected by your firewall.
In this case, the target local server must be explicitly given in the ssh command.
Tunnelizing for others
Using the "-g" parameter, you allow connections from other hosts than localhost to use your SSH tunnels. Be warned that anybody within your network may access the tunneled host this way, which may be a security issue.
Using OpenSSH SOCKS proxy
OpenSSH ssh client also embeds a SOCKS proxy. You may activate it using the "-D " parameter and then configuring your application (Mozilla Firefox for instance) to be proxified through the so created SOCKS proxy.
It is also possible to configure your web browser to use a different proxy depending on the destination to reach. This can be achieved using Foxyproxy (a browser extension) (or using a proxy autoconfiguration script).
In this case, no target remote server needs to be given in the ssh command line. The socks client (e.g. Firefox) can talk to target address.
|   | Note | 
|---|---|
| If using SSH tunneling does not suit your needs, for instance because your client application does not support the socks protocol, or because you do not manage to get things working as you like, mind looking at Grid'5000 VPN, which provides another way to reach services in Grid'5000 from the outside. | |
Escape characters
- ~.
Disconnect you, even if your remote command hangs.
- ~C
Open command line. Allows the addition of port forwardings using the -L and -R options.
See `man ssh' for more details
SSH resources
Un*x clients
- OpenSSH
OpenSSH is available in every good linux distro, and every *BSD, and Mac OS X.
Mac OS X tools
- SSHKeychain is a Cocoa application that acts as a frontend to ssh-agent. It uses the Mac OS X Keychain to store the key (so you don't have to remember another password), and it can manage a set of tunnels.
- Cyberduck is a Cocoa FTP and SFTP client.
Windows clients
- OpenSSH is natively available since Windows 10 April 2018 Update.
- OpenSSH/Cygwin
OpenSSH is available with Cygwin. You may then find the same features in your SSH client even if you run Windows. Furthermore, Cygwin also embeds many other GNU Un*x like tools, and even a FREE X server for windows. USE CYGWIN ;). URL: http://www.cygwin.com/
- Putty
Free windowish SSH client: http://www.chiark.greenend.org.uk/~sgtatham/putty/
More
Depending on your client, you will be able to configure ssh to use more fancy options. If you are using Linux, Mac OS X, or another Unix-based system, the FAQ will give you some recipes to tune your configuration. Not all ssh clients (not putty in particular) allow for such flexible options, but most will have equivalents.
- you will be able to store the login name to use, and the key to use to access Grid'5000
- you will be able to connect to any machine inside Grid'5000 in one shot, using sshmachine.g5k. See this page for details. This is also the way to go to transfer large volumes of data to a site.
- you will be able to open TCP tunnels to connect from your machine to services running inside Grid'5000
- you will be able to avoid man-in-the middle warnings, host key checking (in the FAQ#SSH_related_questions)
For more SSH client options, see man ssh.
The official openSSH website is openssh.com
For more informations about OpenSSH/SSH Protocols, see OpenSSH/SSH Protocols page on wikibooks.org






