Everything you always wanted to know about ssh, ssh keys, the passphrase and ssh agent, but were afraid to ask
At least everything you need to know in order to work efficiently, without getting bored to death
ssh is a program for connecting securely to a remote server and for executing commands on this server. ssh is an SSH client using the SSH protocol.
The examples below assume that you have a my_login account on the remote_server computer, and that you know your password.
Other programs rely on ssh to transfer data securely, e.g. scp (copy remote directories and files), rsync (synchronize remote directories and files), …
On a Mac, ssh is directly available in the built-in Apple Terminal application.
ssh [options] [my_login@]remote_server
If your login on the remote server is the same as your local login, you can omit it and type ssh ssh1.lsce.ipsl.fr instead of ssh my_login@ssh1.lsce.ipsl.fr
The first time you connect to a server, ssh will ask if you are sure of what you are doing, and then store some unique information about the remote server (its host key) in the known_hosts file:
PS C:\Users\my_login> ssh ciclad.ipsl.jussieu.fr
The authenticity of host 'ciclad.ipsl.jussieu.fr (220.127.116.11)' can't be established.
RSA key fingerprint is SHA256:n6wFvMaJuyInd0LNhp78dfMd04Dr751lEekcU7X2UfU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ciclad.ipsl.jussieu.fr,18.104.22.168' (RSA) to the list of known hosts.
email@example.com: Permission denied (publickey,hostbased).
ssh will automatically check this security information each time you connect to the same server, and warn you if something seems wrong. A changed host key can mean that the server was reinstalled, or that you are not talking to the real server: ask the system administrators before accepting a new key.
Useful ssh options:
-X or -Y: use one of these options if you will need to use graphical programs on the remote server (see the section about graphical programs below)
-A: enable agent forwarding. This is useful when you use ssh keys and an ssh agent (use it only with servers you trust, since the remote server can use your agent's keys while you are connected)
-t command: this option allows you to execute a specific command on the remote server (without displaying the output of the initial ssh). We use this mostly to chain ssh connections, when we want to automatically go through a specific gateway server to access another server:
ssh -A -X firstname.lastname@example.org -t ssh -A -X obelix
-v: verbose mode. Use this option only when you can't connect, or things don't seem to work correctly. Analyzing the verbose output when you start ssh should allow you, or the system administrators, to find out what is wrong.
There are several ways to use ssh to connect to the LSCE obelixNN servers (see the page about the available LSCE servers for more details).
From a computer on the LSCE network:
ssh -A -X my_LSCE_login@obelix
ssh -A -X my_LSCE_login@obelix.lsce.ipsl.fr
If you need to connect to a specific obelixNN server (possibly because you have some running processes on this server that you want to monitor with top, or terminate):
ssh -A -X my_LSCE_login@obelix4
From a computer outside the LSCE network, you have to go through the ssh1 gateway server, i.e. you first use ssh to connect to the ssh1 gateway, and then use ssh to go to an obelixNN server. ssh commands can be conveniently chained with the -t option!
ssh -A -X my_LSCE_login@ssh1.lsce.ipsl.fr -t ssh -A -X obelix
To connect to the ciclad server at IPSL:
ssh -A -X email@example.com
The ciclad server may still be accessible when you read this page, but its usage has been deprecated in favor of the newer IPSL Mésocentre ESPRI servers.
If you want to use the TGCC computers (e.g. irene), you have to go through the ssh1 LSCE gateway to access the TGCC, even if you are on the LSCE wired network!
ssh -A -X my_LSCE_login@ssh1.lsce.ipsl.fr -t ssh -A -X my_TGCC_login@some_tgcc_login_node
Once connected to a TGCC computer (e.g. irene), you can get lots of information by typing …
If you have to use ssh regularly (with the appropriate options), you should define convenient shell aliases, or add PuTTY connection profiles on Windows.
Define the following aliases in the ~/.bashrc configuration file of your local Linux account:
# Connecting to LSCE from a computer on the LSCE network
alias obelix='ssh -A -X my_LSCE_login@obelix'
# Connecting to LSCE from outside the LSCE network
alias sobelix='ssh -A -X my_LSCE_login@ssh1.lsce.ipsl.fr -t ssh -A -X obelix'
# Connecting to ciclad @ IPSL
alias ciclad='ssh -A -X firstname.lastname@example.org'
# Connecting to irene @ TGCC
alias sirene='ssh -A -X my_LSCE_login@ssh1.lsce.ipsl.fr -t ssh -A -X my_TGCC_login@irene-ccrt.ccc.cea.fr'
If your connection shell is tcsh instead of bash, use the appropriate alias syntax in your ~/.cshrc configuration file, e.g.
alias obelix 'ssh -A -X my_LSCE_login@obelix'
A terminal can be used to display text information (e.g. the output of the commands you type, the vi editor, etc.), but also to start programs that will open new (graphical) windows outside of the initial terminal (evince to display pdf files, eog to display png/jpg images, …).
If you want to use ssh to start graphical programs on a remote server, you need to use the -X option (or -Y, if -X does not work) to connect to the remote server:
-X: enable X11 forwarding
-Y: enable trusted X11 forwarding (low security, but you trust the remote server)
Using the -X or -Y option will automatically define the DISPLAY environment variable that is required by graphical programs on the remote server to determine where to display the graphical windows. DISPLAY will not be defined if you forget to use -X (or -Y):
my_login@my_local_computer:~$ echo $DISPLAY
localhost:0.0
my_login@my_local_computer:~$ ssh ssh1.lsce.ipsl.fr
Last login: Wed Jul 8 14:45:31 2020 from [...some address...]
[my_login@ssh1 ~]$ echo $DISPLAY
DISPLAY: Undefined variable.
[my_login@ssh1 ~]$ logout
Connection to ssh1.lsce.ipsl.fr closed.
my_login@my_local_computer:~$ ssh -X ssh1.lsce.ipsl.fr
[my_login@ssh1 ~]$ echo $DISPLAY
localhost:43.0
ssh will store all its configuration files in a .ssh sub-directory of your home directory. The configuration files are in a text format. On a Mac, this is the /Users/your_mac_login/.ssh directory (should be the same path as ~/.ssh).
You will find (some of) the following text files:
known_hosts: the text file where ssh stores one line of security information about each server you have connected to from this computer, e.g.
ciclad.ipsl.jussieu.fr,22.214.171.124 ssh-rsa AAAAB3NzaC1y[a long identifier…]
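The fingerprint that ssh prints in its "authenticity of host ... can't be established" prompt is simply the SHA256 digest of the key blob stored on a known_hosts line, so you can recompute it from the file and compare it with the value published by the server administrators. The following script is an added example written for this page, not code from the page, from LSCE or from OpenSSH; it parses known_hosts lines (plain and hashed, as written with HashKnownHosts yes) and .pub lines, computes the fingerprint the same way ssh-keygen -l does, and looks up a hostname. The host names (remote_server.example.org, ssh1.example.org), the IP 192.0.2.10, the salt and the 32-byte "keys" are constructed sample values, not real servers or keys.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(raw_key: bytes) -> bytes:
    """Wire blob of an ssh-ed25519 public key: string "ssh-ed25519" followed by the 32-byte key."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_key)


def key_type_from_blob(blob: bytes) -> str:
    """The algorithm name is the first SSH string inside the blob."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode()


def fingerprint_sha256(blob: bytes) -> str:
    """SHA256 fingerprint as printed by ssh and ssh-keygen -l: base64 of the digest, '=' padding removed."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def ed25519_pub_line(raw_key: bytes, comment: str = "") -> str:
    """Build a .pub-style line: key type, base64 blob, optional comment (like my_login@my_machine)."""
    line = "ssh-ed25519 " + base64.b64encode(make_ed25519_blob(raw_key)).decode()
    return line + " " + comment if comment else line


def parse_key_line(line: str, has_host_field: bool) -> dict:
    """Parse a known_hosts line (host keytype base64 [comment]) or a .pub line (keytype base64 [comment])."""
    parts = line.split()
    host = parts.pop(0) if has_host_field else None
    ktype, b64 = parts[0], parts[1]
    comment = " ".join(parts[2:])
    blob = base64.b64decode(b64)
    if key_type_from_blob(blob) != ktype:
        raise ValueError("key type field does not match the encoded key blob")
    return {"host": host, "type": ktype, "comment": comment, "fingerprint": fingerprint_sha256(blob)}


def hash_host_field(hostname: str, salt: bytes) -> str:
    """Hashed known_hosts host field (HashKnownHosts yes): |1|base64(salt)|base64(HMAC-SHA1(salt, hostname))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(host_field: str, hostname: str) -> bool:
    """Match a hostname against a plain (comma-separated names/IPs) or hashed known_hosts host field."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = host_field.split("|")
        salt = base64.b64decode(salt_b64)
        expected = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return hostname in host_field.split(",")


def stored_fingerprints(known_hosts_text: str, hostname: str) -> list:
    """Return (keytype, fingerprint) for every known_hosts entry that matches hostname."""
    found = []
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        entry = parse_key_line(line, has_host_field=True)
        if host_matches(entry["host"], hostname):
            found.append((entry["type"], entry["fingerprint"]))
    return found


# Constructed sample data (NOT real host keys): deterministic fake 32-byte Ed25519-shaped keys,
# one plain entry and one hashed entry, as a client with HashKnownHosts would write it.
FAKE_KEY_A = bytes(range(32))
FAKE_KEY_B = bytes(range(32, 64))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts file",
    "remote_server.example.org,192.0.2.10 " + ed25519_pub_line(FAKE_KEY_A),
    hash_host_field("ssh1.example.org", b"\x01" * 20) + " " + ed25519_pub_line(FAKE_KEY_B),
])

if __name__ == "__main__":
    # Compare the stored fingerprint with the one ssh showed you in its prompt.
    for host in ("remote_server.example.org", "ssh1.example.org", "unknown.example.org"):
        print(host, stored_fingerprints(SAMPLE_KNOWN_HOSTS, host))
```

On a real machine the same checks are available from the command line: ssh-keygen -l -f ~/.ssh/known_hosts prints the fingerprint of every stored key, and ssh-keygen -F hostname finds the entry for one host even when the file is hashed.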
config: an optional configuration text file, e.g.
# Empty lines and lines starting with '#' are "comments"
# More details => man ssh_config
ServerAliveInterval=120
ServerAliveCountMax=90
authorized_keys: the public key(s) of the account(s) authorized to connect to this account.
PuTTY is a convenient and user-friendly ssh client for Windows.
On a Mac, opening a Terminal window will open a local Linux-like shell session on the Mac, where you can use ssh to connect to another server, or other standard Linux commands. The Terminal application is available in …
If you can't connect, use ssh in verbose mode (the -v option) to help you determine what is wrong.
Sometimes you need to copy files from one remote server (or your desktop) to the other. The files can be securely copied over ssh with the scp command.
Note: you should keep the big data files where their original version is instead of duplicating them, and move the data processing (your scripts, etc.) to the server where the original files are located (e.g. the ciclad server at IPSL).
Note: the following will work in a Linux terminal, but can also work in a terminal on a Mac or on a Windows 10 computer (scp is directly available in Windows Powershell, Windows Terminal or the old cmd, but it is not the most user-friendly way to use scp on Windows). If you have a Windows computer, it is much easier to use WinSCP for copying files.
scp [options] local_path_or_file(s) [my_login@]remote_server:remote_path
scp [options] [my_login@]remote_server:remote_path_or_file(s) local_path
You can use . instead of the full path of the local directory:
$ cd /some/path
$ scp -p ssh1.lsce.ipsl.fr:/some/remote/path/scatter_regress_example.py .
scatter_regress_example.py 100% 4988 134.6KB/s 00:00
$ scp -p ssh1.lsce.ipsl.fr:'/some/remote/path/matplotlib/plot_lat_test.*' .
plot_lat_test.eps 100% 43KB 1.0MB/s 00:00
plot_lat_test.pdf 100% 20KB 853.8KB/s 00:00
plot_lat_test.png 100% 77KB 1.5MB/s 00:00
Useful scp options:
-p: preserves modification times, access times, and modes from the original file.
-r: recursively copy entire directories. scp -r will copy the complete content of the directory (including sub-directories).
WinSCP is a convenient and user-friendly scp client for Windows.
In some cases, you may want to mirror the content of directories: the SRC (Source) and DST (Destination) directories will have the exact same content (files in DST and not in SRC will be deleted).
rsync is a convenient Linux command that can be used for mirroring a directory hierarchy to another location on the same computer (e.g. a removable disk), or a remote Linux machine, over ssh.
Mirroring means, in the rsync case, that we will only copy new or changed files. The first copy may take some time, but will be much faster afterwards, when only a few files have been created/changed and have to be copied. Or, if a copy is interrupted, the files already copied will not be copied a second time.
Warning! It is easy to lose files with rsync if you use the wrong syntax or options!
Mirroring an empty source by mistake (e.g. a typo in the source path) to a destination that contains files, with the --delete option, means that the existing files or whole directory hierarchies in the destination will be deleted!
Always use --dry-run (simulate what would be done) and -v (verbose) before performing the actual mirroring.
Using a / or not behind a directory name makes a difference!
Use man rsync to get all the details and options.
rsync [OPTIONS] SRC DEST
Remote usage (i.e. the SRC and DEST directories are on different Linux machines):
Pull: rsync [OPTIONS] [USER@]HOST:SRC... DEST
Push: rsync [OPTIONS] SRC... [USER@]HOST:DEST
Some useful options (from man rsync):
-a, --archive       archive mode; equals -rlptgoD (no -H,-A,-X)
-r, --recursive     recurse into directories
-l, --links         copy symlinks as symlinks
-p, --perms         preserve permissions
-t, --times         preserve modification times
-g, --group         preserve group
-o, --owner         preserve owner (super-user only)
    --devices       preserve device files (super-user only)
    --specials      preserve special files
-D                  same as --devices --specials
-v, --verbose       increase verbosity
-z, --compress      compress file data during the transfer
-W, --whole-file    copy files whole (w/o delta-xfer algorithm)
-C, --cvs-exclude   auto-ignore files in the same way CVS does, i.e. files matching:
                    RCS SCCS CVS CVS.adm RCSLOG cvslog.* tags TAGS .make.state .nse_depinfo *~ #* .#* ,* _$* *$ *.old *.bak *.BAK *.orig *.rej .del-* *.a *.olb *.o *.obj *.so *.exe *.Z *.elc *.ln core .svn/ .git/ .hg/ .bzr/
    --delete        delete extraneous files from dest dirs
-n, --dry-run       perform a trial run with no changes made
-c, --checksum      skip based on checksum, not mod-time & size
Example: we have a /mnt/h/test/ directory that we would like to mirror to another disk or destination, as a test/ directory somewhere else.
Add [USER@]HOST: in front of the Source or Destination directory if it is on a remote machine.
Note the / after the source directory, and NO / after the destination directory (with the trailing / on the source, rsync copies the content of /mnt/h/test/ into /mnt/i/test; without it, rsync would create /mnt/i/test/test).
First, simulate the mirroring and check the verbose output:
rsync --dry-run -avW -C /mnt/h/test/ /mnt/i/test
-C makes sure that files and directories considered as temporary will not be copied. Remove the -C option if you really want to copy all the files!
Simulate again (without the verbose output), then perform the actual mirroring:
rsync --dry-run -aW -C /mnt/h/test/ /mnt/i/test
rsync -aW -C /mnt/h/test/ /mnt/i/test
The --delete option will make sure that files present in the destination directory, but not in the source directory, will be deleted! Be careful, make some tests and use the --dry-run option before using this option:
rsync -aW -C --delete /mnt/h/test/ /mnt/i/test
ssh keys are a combination of two specific (and unique) text files, the private key file (protected by a special kind of password called the passphrase) and the matching public key file, that can be used instead of a standard password to connect securely from one server to another server.
ssh keys have to be configured properly (a few easy steps), and are very convenient because:
you generate the pair of keys once on server_A and install the matching public key on server_B, server_C, etc… you can then use ssh to connect to account_B@server_B, account_C@server_C, … with the same passphrase!
ssh will ask you to type your passphrase each time you connect to a server, but you can use an ssh agent to securely keep your unlocked key for you.
scp (and WinSCP on Windows) and the tools using ssh on your local computer will not ask for your passphrase if they find the key in a running ssh agent on the local computer.
If you use the -A option (agent forwarding), the remote server will also be able to use (securely) the keys held by your local ssh agent, and you will not have to type the passphrase when using ssh, scp and tools running over ssh on the remote server(s). The private key and the passphrase themselves never leave your local computer.
If you already have a pair of ssh keys, you probably don't want to generate a new pair, unless you have been asked to (e.g. because an old encryption type like DSA has been deprecated), or you have lost one of the keys, or forgotten your passphrase. If you generate a new pair of keys, you will have to replace the old keys that you were using on all your desktops/laptops, and all the remote servers.
There are several ways to generate pairs of ssh keys with ssh-keygen. The following one is the one recommended for opening an account on IPSL Mésocentre ESPRI. If you open an account on spirit, but already have a public key, just send your existing public key!
ssh-keygen -t ed25519
ssh-keygen -t ed25519 will also work on Windows! But then you will still have to convert the generated private key with PuTTYgen.
The private key file must be readable only by you (permissions -rw-------), otherwise ssh will not work. It is the secret part of the pair: only the public key is ever copied to other servers.
> cd ~/.ssh
> ls -l id_ed25519
-rw------- 1 my_login my_group some_date id_ed25519
> cat id_ed25519
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABC7W9+Eu7
[ lots of literally cryptic lines ]
cG7sHta/m1cOGM8ej7yD8ejCRMKGX1pEqGx/8=
-----END OPENSSH PRIVATE KEY-----
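A key that is readable by other users is silently ignored by ssh (it prints an "UNPROTECTED PRIVATE KEY FILE" warning and falls back to asking for a password), which is a classic cause of "it worked on my old laptop but not on the new one". The script below is an added example written for this page, not code from the page or from OpenSSH: it scans a .ssh directory, reports the private keys whose permissions or owner are wrong, and restores the 0600 mode that ssh-keygen gives a new key. The directory and key files it builds are constructed placeholders in a temporary directory, not real keys.

```python
import os
import stat
import tempfile


def private_key_problems(path: str) -> list:
    """Return the reasons ssh would reject this private key file (empty list = acceptable)."""
    problems = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        # Any group/other permission bit set: ssh warns "UNPROTECTED PRIVATE KEY FILE" and ignores the key.
        problems.append("mode %04o is readable or writable by others (expected 0600)" % mode)
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        problems.append("file is not owned by the current user")
    with open(path, "rb") as f:
        first_line = f.readline()
    if b"PRIVATE KEY" not in first_line:
        problems.append("first line is not a PRIVATE KEY header; is this really the private key?")
    return problems


def fix_private_key_permissions(path: str) -> int:
    """Set the permissions ssh-keygen gives a new private key (0600) and return the resulting mode."""
    os.chmod(path, 0o600)
    return stat.S_IMODE(os.stat(path).st_mode)


def check_ssh_dir(ssh_dir: str) -> dict:
    """Check every id_* private key; the .pub files are public and may stay world-readable."""
    report = {}
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        if name.startswith("id_") and not name.endswith(".pub") and os.path.isfile(path):
            report[name] = private_key_problems(path)
    return report


def demo() -> tuple:
    """Build a constructed .ssh directory with one correct and one too-open key; check, fix, re-check."""
    ssh_dir = tempfile.mkdtemp(prefix="dot_ssh_")
    placeholder = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
                   b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY\n"
                   b"-----END OPENSSH PRIVATE KEY-----\n")
    good = os.path.join(ssh_dir, "id_ed25519")
    bad = os.path.join(ssh_dir, "id_rsa")
    for path in (good, bad):
        with open(path, "wb") as f:
            f.write(placeholder)
    with open(os.path.join(ssh_dir, "id_ed25519.pub"), "w") as f:
        f.write("ssh-ed25519 AAAA...constructed-placeholder... my_login@my_machine\n")
    os.chmod(good, 0o600)   # what ssh-keygen does
    os.chmod(bad, 0o644)    # e.g. a key copied from a USB stick or a Windows share
    before = check_ssh_dir(ssh_dir)
    fix_private_key_permissions(bad)
    after = check_ssh_dir(ssh_dir)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Point check_ssh_dir at your real ~/.ssh to audit it; the fix is the same chmod 600 ~/.ssh/id_* you would type by hand.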
The public key is a single line of text. The my_login@my_machine string at the end of the line is just some information about who generated the keys, and where, and can be removed or replaced by something more informative:
> cat id_ed25519.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NT [ lots of cryptic characters ] Frx8rRFKthpmqRdkXl my_login@my_machine
An ssh agent running on your computer will securely keep your unlocked keys and use them on behalf of the applications that use ssh on your computer to connect to remote Linux servers.
On Windows, ssh-add fails as long as the OpenSSH Authentication Agent service is not running:
C: > ssh-add
Error connecting to agent: No such file or directory
Start the service (Set-Service needs an administrator PowerShell; done once, it will then start automatically), then add your keys:
C: > Get-Service ssh-agent
Status   Name               DisplayName
------   ----               -----------
Stopped  ssh-agent          OpenSSH Authentication Agent
C: > Get-Service ssh-agent | Set-Service -StartupType Automatic
C: > Start-Service ssh-agent
C: > Get-Service ssh-agent
Status   Name               DisplayName
------   ----               -----------
Running  ssh-agent          OpenSSH Authentication Agent
C: > ssh-add
Enter passphrase for C:\Users\your_login/.ssh/id_dsa: XXXX_Type_Your_Passphrase_Here_XXXX
Identity added: C:\Users\your_login/.ssh/id_dsa
Identity added: C:\Users\your_login/.ssh/id_ed25519
C: > ssh-add -l
1024 SHA256:/vC3Ma6s9Wj[Some_Summary_Info_About_The_Key]c1Q4 (DSA)
256 SHA256:8BGKU+zBnJXH[Some_Summary_Info_About_The_Key]2Al8 jypeter@obelix5 (ED25519)
On a Mac, there is nothing to configure! An ssh-agent process will be automatically started by launchd if a user runs ssh. Check the launchd documentation if you need more details.
$ launchctl list | grep ssh
7240 0 com.openssh.ssh-agent
It seems that, once used, the passphrase will be automatically stored in the Keychain for future sessions.