To use SSH, you will need to obtain a client. If you use MacOS X, you can open up the Terminal application, which is in the Utilities folder. You can then use the ssh command to access one of the systems above. Linux users can also go this route. There are also GUI ssh clients. For example, many PC users like the PuTTY program, and many Mac users like JellyfiSSH. Both are available from Bevoware (see our software page). To transfer files onto the file server you will need a Secure File Transfer Program (SFTP), or you can use Windows file sharing from within the building; see the file server docs for more information. MacOS X and Linux terminal users can use the sftp command to do this. WinSCP is a good PC client, and FUGU is a good Windows client.

Using Keys for Logins

Besides host keys, ssh allows users to use keys to negotiate a login. This has the benefit of not requiring you to send a password to the server, which in turn prevents it from being exposed if the server has been compromised. To use a key, start by creating it:

    # -t dsa requires -b 1024; OpenSSH 7.0 and later reject DSA keys by default,
    # so use -t ed25519 (and drop -b) on systems running those releases
    ssh-keygen -b 1024 -f ~/.ssh/ccbb -t dsa

For now, when you are asked to type the passphrase to protect the key, please do so. This is actually another benefit of a key-based login, because passwords usually have size limits, whereas a passphrase can be something like "i can haz cheezeburger": something memorable, yet long enough to not be easily guessed.

This creates two files, ~/.ssh/ccbb and ~/.ssh/ccbb.pub. These should be protected by running

    chmod 400 ~/.ssh/ccbb*

This ensures that only the owner can read the files, although for the pub version of the file the point is just to keep yourself from overwriting it. The pub file contains the public key, which can be posted on your web page, put into an email, or whatever else you want to do with it. At the least, copy it over to the remote server, where it should be stored in ~/.ssh on the TACC systems you want to access.

Then log in, and run

    cat ccbb.pub >> authorized_keys

BE SURE THAT YOU USE >> OR ELSE YOU WILL OVERWRITE authorized_keys. Once the key is stored you can remove ccbb.pub.
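A guarded form of the append step, as an added example that is not part of the original page: the shell function below appends a public key to authorized_keys only when the file really is a public key and is not already listed, so neither a mistyped > nor the wrong file can clobber or expose anything. The function name install_pubkey and its return codes are assumptions made for this example.

```shell
#!/bin/sh
# install_pubkey PUBFILE [SSH_DIR]   (hypothetical helper, not from the page)
# Appends PUBFILE to SSH_DIR/authorized_keys; never truncates the file.
install_pubkey() {
    pub=$1
    dir=${2:-$HOME/.ssh}
    auth=$dir/authorized_keys

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # Refuse the private half: installing ccbb instead of ccbb.pub would
    # leave the secret key readable on the server.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub looks like a private key" >&2
        return 2
    fi

    # A public key is one line: "<type> <base64> [comment]".
    key=$(grep -E '^(sk-)?(ssh|ecdsa)-[a-z0-9@.-]+ [A-Za-z0-9+/=]+' "$pub" | head -n 1)
    [ -n "$key" ] || { echo "$pub is not an OpenSSH public key" >&2; return 3; }

    # With StrictModes (the sshd default) keys are ignored when the
    # directory or file is writable by group or others.
    mkdir -p "$dir" && chmod 700 "$dir" || return 4
    touch "$auth" && chmod 600 "$auth" || return 4

    # Compare on type and key material only, so a changed comment
    # does not produce a duplicate entry.
    blob=$(printf '%s\n' "$key" | cut -d' ' -f1,2)
    if grep -qF -- "$blob" "$auth"; then
        return 0
    fi

    # If the last existing entry lacks a trailing newline, add one so the
    # new key does not fuse with it.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi
    printf '%s\n' "$key" >> "$auth"
}
# Usage on the server, after copying the file over: install_pubkey ~/.ssh/ccbb.pub
```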

Now you are ready to log in. The command line way to do this is

    ssh -i ~/.ssh/foo host.ccbb.utexas.edu

You should be asked for your passphrase, and if you type it in correctly you should be allowed access. If you use the ~/.ssh/config file like I showed you the other day, you can add an IdentityFile entry which lists out the identity file:

    Host beehive
        Hostname beehive.ccbb.utexas.edu
        User cdupree
        Port 4224
        IdentityFile ~/.ssh/tacc1
        IdentityFile ~/.ssh/tacc2

Use the key-agent:

    $ eval `ssh-agent`
    Agent pid 312

    Administrator@horked ~/.ssh
    $ ssh-add ~/.ssh/tacc1
    Enter passphrase for /home/Administrator/.ssh/tacc1:
    Identity added: /home/Administrator/.ssh/tacc1 (/home/Administrator/.ssh/tacc1)

Hands-Free Logins

The other benefit of using keys for logins is that you can have logins which don't require you to authenticate. This is useful when repeatedly uploading files, or logging in repeatedly. The obvious way to do this is to just hit return when you are asked to provide the passphrase protecting your key. You do this the first time you log in to the cluster, because the batch queuing software, SGE, uses ssh to log into compute nodes. This is done on your behalf by SGE, and you won't have an opportunity to provide a passphrase. If you protected that key with a passphrase, job submissions will fail. The same problem will happen with job scripts that use scp to transfer files. Those scripts will need to use ssh with a key that is not protected by a passphrase.

In all other cases, you want to have a protected key. Otherwise, anyone who has access to your account can use your key to compromise other systems. Luckily ssh provides a useful utility called the SSH agent. When using a terminal-based version of ssh (e.g., Linux terminal, cygwin on PCs, or Mac's Terminal.app), type

    eval `ssh-agent`

Note that these are the backquote (`) and not the regular quote ('). The eval is a bit of shell magic to make sure that the agent is available to any scripts or programs that run. For example, if you have started the agent, and then you run a script which scp's some data, then scp running in the script will be able to use the agent. Once the agent is running, type

    ssh-add ~/.ssh/ccbb

and provide your passphrase. Now when you log in to the remote server the agent will be consulted for keys which have been unlocked, and if one of these keys accepted by the server.

Of course, this means you should lock your screen when you leave your computer. You might also use the -x option with ssh-add to lock the agent when you are not using it; the -X option unlocks the agent. Read the ssh-add man page for more info. If you are done with the agent, simply close the terminal you started it in. You can also run

    ssh-agent -k

to kill the agent. Finally, if you are using a windowing system such as KDE or GNOME in Linux, it is possible to have one agent that is started when you first log in, but this setup is advanced, and should be researched online.