other:ssh

other:ssh [2022/08/12 15:00] – [A recommended terminal for Mac] Added link to Terminal user guide jypeter
other:ssh [2024/11/29 13:58] (current) – [Installing ssh keys] Improved jypeter
Line 32: Line 32:
   * On **Windows 10**, ''ssh'' is directly available in a ''Windows Powershell'', a [[other:win10apps#windows_terminal|Windows Terminal]] or the old ''cmd'', but the most user-friendly way to use ''ssh'' is to use [[other:putty_conf|PuTTY]]   * On **Windows 10**, ''ssh'' is directly available in a ''Windows Powershell'', a [[other:win10apps#windows_terminal|Windows Terminal]] or the old ''cmd'', but the most user-friendly way to use ''ssh'' is to use [[other:putty_conf|PuTTY]]
  
-  * On a **Mac**, ''ssh'' is directly available in the built-in Apple ''Terminal'' application (available in ''/Applications/Utilities''), or the more powerful [[https://iterm2.com|iTerm2]] application +  * On a **Mac**, ''ssh'' is directly available in the built-in Apple [[other:ssh#a_recommended_terminal_for_mac|Terminal application]]
-    * A ''Terminal'' window will open a **local Linux-like shell session** on the Mac, where you can use ''ssh'' to connect to another server+
  
 </WRAP> </WRAP>
Line 72: Line 71:
 === IPSL servers === === IPSL servers ===
  
-If you want to connect to the **IPSL servers** (only possible with [[other:ssh#using_ssh_keys|ssh keys]]!): +If you want to connect to the [[https://documentations.ipsl.fr/spirit/spirit_clusters/head_nodes.html|IPSL servers]] (only possible with [[other:ssh#using_ssh_keys|ssh keys]]!): 
-  * Connecting to ''ciclad'':\\ ''ssh -A -X my_ciclad_login@ciclad.ipsl.jussieu.fr'' +  * [[https://mesocentre.ipsl.fr/account-opening/|Requesting an account at IPSL]] 
-  * [[https://documentations.ipsl.fr/MESO_User/Quick_start.html|More details]]+  * Connecting to ''spirit1'': 
 +    * ''ssh -A -X my_meso_login@spirit1.ipsl.fr'' 
 +    * Depending on what you need to do, you can also use ''spirit2'', ''spiritx1'' or ''spiritx2'' 
 +  * [[https://documentations.ipsl.fr/spirit/spirit_clusters/head_nodes.html|More details]] 
 +  * Note: the ''ciclad'' server may still be accessible when you read this page, but its usage has been deprecated in favor of the ''spirit'' servers
  
-=== TGCC servers ===+=== TGCC (super)computers ===
  
-If you want to connect to the the **TGCC servers**: +If you want to use the [[https://www-hpc.cea.fr/tgcc-public/en/html/tgcc-public.html|TGCC computers]] (e.g. ''irene''):
-  * Connecting to ''irene'': +
-    * Note: you have to go trough ''ssh1'', even if you are on the LSCE network! +
-    * ''ssh -A -X my_LSCE_login@ssh1.lsce.ipsl.fr -t ssh -A -X my_TGCC_login@irene-ccrt.ccc.cea.fr'' +
-    * The [[https://intranet.lsce.ipsl.fr/informatique/en/tgcc.php|TGCC connection details]] may vary, depending on your login type+
  
-=== IDRIS servers ===+  * Note: you have to go //trough// the ''ssh1'' LSCE gateway to access the TGCC, even if you are on the LSCE wired network! 
 +  * ''ssh -A -X my_LSCE_login@ssh1.lsce.ipsl.fr -t ssh -A -X my_TGCC_login@some_tgcc_login_node'' 
 +    * Once you are on a TGCC login node (e.g. ''irene''), you can get lots of information by typing ''<node>.info'' (e.g. ''irene.info''
 +  * [[https://intranet.lsce.ipsl.fr/informatique/en/tgcc.php|more TGCC connection details]] 
 + 
 +=== IDRIS (super)computers ===
  
 FIXME FIXME
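Review bot: the two-hop command ''ssh -A -X my_LSCE_login@ssh1.lsce.ipsl.fr -t ssh -A -X my_TGCC_login@some_tgcc_login_node'' forwards your agent to the ''ssh1'' gateway (the second ''ssh'' runs there and needs it to authenticate), so anyone with root on the gateway can use your key for as long as you stay connected. Since OpenSSH 7.3 the same route can be written ''ssh -X -J my_LSCE_login@ssh1.lsce.ipsl.fr my_TGCC_login@some_tgcc_login_node'' (ProxyJump), which tunnels the connection through ''ssh1'' without handing it the agent; it requires TCP forwarding to be allowed on the gateway, so worth checking before replacing the documented command. Two small fixes in the same hunk: "you have to go //trough//" should read "through", and the parenthesis in "(e.g. ''irene.info''" is never closed.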
Line 142: Line 146:
 ==== Configuration files ==== ==== Configuration files ====
  
-''ssh'' will store all its **configuration text files** in a ''.ssh'' sub-directory of your //home// directory+''ssh'' will store all its **configuration files** in a ''.ssh'' sub-directory of your //home// directory. The configuration files are in a //text// format.
  
-  * Linux: ''~/.ssh/'' directory +  * **Linux**: ''~/.ssh/'' directory 
-  * Windows: ''C:\Users\your_windows_login\.ssh'' directory +  * **Windows**: ''C:\Users\your_windows_login\.ssh'' directory 
-  * Mac: ''/Users/your_mac_login/.ssh'' directory (should be the same path as ''~/.ssh/'')+  * **Mac**: ''/Users/your_mac_login/.ssh'' directory (should be the same path as ''~/.ssh/'')
  
 You will find (some of) the following text files: You will find (some of) the following text files:
Line 157: Line 161:
 ServerAliveCountMax=90</code> ServerAliveCountMax=90</code>
  
-  * [[#using_ssh_keys|ssh keys]] related information+  * [[#using_ssh_keys|ssh keys]] related information:
     * ''authorized_keys'': the //public key(s)// of the account(s) authorized to connect to //this// account.     * ''authorized_keys'': the //public key(s)// of the account(s) authorized to connect to //this// account.
-    * the private (and possibly the public) //ssh key(s)// used on this account+    * the **//private// (and probably the //public//) //ssh key(s)//** used on this account 
 +      * e.g. ''id_ed25519'' and ''id_ed25519.pub'' files
  
 ==== A recommended ssh client for Windows ==== ==== A recommended ssh client for Windows ====
Line 167: Line 172:
  
 ==== A recommended terminal for Mac==== ==== A recommended terminal for Mac====
 +
 +A ''Terminal'' window will open a local Linux-like shell session on the Mac, where you can use ''ssh'' to connect to another server, or other standard Linux commands
  
   * Built-in: ''Terminal'' application (available in ''/Applications/Utilities'')   * Built-in: ''Terminal'' application (available in ''/Applications/Utilities'')
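Review bot: the new sentence "where you can use ''ssh'' to connect to another server, or other standard Linux commands" reads as if the other commands are also used to connect; suggest "where you can use ''ssh'' to connect to another server, or run any other standard Unix command" (the macOS shell is Unix/BSD rather than Linux, so "Unix-like" is the more accurate adjective).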
Line 285: Line 292:
 ==== What are ssh keys and why use them? ==== ==== What are ssh keys and why use them? ====
  
-//ssh keys// are a combination of two specific (and unique) **text files**, **the private key** file and **the public key** file, linked by a special kind of password called **the passphrase**, that can be used instead of a standard password to connect securely from one server to another server+//ssh keys// are a combination of two specific (and unique) **text files**, **the //private// key** file and **the //public// key** file, linked by a special kind of password called **the passphrase**, that can be used instead of a standard password to connect securely from one server to another server
  
 ssh keys have to be configured properly (a few easy steps), and are **very convenient** because: ssh keys have to be configured properly (a few easy steps), and are **very convenient** because:
  
-  * **They** usually **don't expire!**\\ You don't have to change them (except in some extra secure computing centers like TGCC) and you can keep them for years+  * Contrary to passwords, **they usually don't expire!**\\ You don't have to change ssh keys (except in some extra secure computing centers like TGCC) and you can keep them for years 
   * **They don't depend on the accounts and the passwords of the servers where you use them**   * **They don't depend on the accounts and the passwords of the servers where you use them**
-    * You can (and should!) use the same set of ssh keys on several servers: you can then use the same passphrase to access these servers, rather than having to memorize different passwords\\ e.g. if you have your private key on ''account_A'' of ''server_A'' and install the matching public key on ''account_B'' of ''server_B'', etc... you can then use ''ssh'' on ''account_A@server_A'' to access ''account_B@server_B'', ''account_C@server_C'', ... with the same passphrase ! +    * You can (and should!) use the same set of ssh keys on several servers: you can then use the **same** passphrase to access all these servers, rather than having to memorize different passwords\\ e.g. if you have your //private// key on ''account_A'' of ''server_A'' and install the matching //public// key on ''account_B'' of ''server_B'', etc... you can then use ''ssh'' on ''account_A@server_A'' to access ''account_B@server_B'', ''account_C@server_C'', ... with the **same** passphrase ! 
-    * You can give your public key to somebody and then access their account using your own passphrase (no need to know the password of the other person)+    * **You can give your public key** to somebody and then access their account using your own passphrase (no need to know the password of the other person) 
   * The [[https://mesocentre.ipsl.fr/|IPSL Mésocentre ESPRI]] servers can **only** be accessed with a public key and passphrase (the password is not used)   * The [[https://mesocentre.ipsl.fr/|IPSL Mésocentre ESPRI]] servers can **only** be accessed with a public key and passphrase (the password is not used)
-  * By default, ''ssh'' will ask you to type your passphrase each time you connect to a server, but **you can use an //ssh agent// to securely store your passphrase for you**\\ Once you have typed your passphrase in the //ssh agent//, you can connect to all the servers that have your public key without having to type your passphrase! + 
-    * ''scp'' (and [[other:win10apps#winscp|WinSCP]]) and the tools using ''ssh'' on your local computer will not ask your passphrase, if they find the passphrase in a running //ssh agent// on the local computer+  * By default, ''ssh'' will ask you to type your passphrase each time you connect to a server, but **you can [[other:ssh#using_an_ssh_agent|use an ssh agent]] to securely store your passphrase for you**\\ Once you have typed your passphrase in the //ssh agent//, you can connect to all the servers that have your public key without having to type your passphrase! 
 +    * ''scp'' (and [[other:win10apps#winscp|WinSCP]] on Windows) and the tools using ''ssh'' on your local computer will not ask your passphrase, if they find the passphrase in a running //ssh agent// on the local computer
       * if you use the ''-A'' option ([[other:ssh#most_common_options|agent forwarding]]), the remote server will also //know// (securely) your passphrase, and you will not have to type the passphrase when using ''ssh'', ''scp'' and tools running //over ssh// on the remote server(s)       * if you use the ''-A'' option ([[other:ssh#most_common_options|agent forwarding]]), the remote server will also //know// (securely) your passphrase, and you will not have to type the passphrase when using ''ssh'', ''scp'' and tools running //over ssh// on the remote server(s)
-    * the local //ssh agent// is terminated when you log out of your local computer (or reboot it)+    * the local //ssh agent// is terminated when you log out of your local computer (or reboot the computer)
 ==== Generating ssh keys ==== ==== Generating ssh keys ====
  
 === Some common sense advice === === Some common sense advice ===
- 
  
   * **Generate only one pair of private/public keys and use the same pair of keys everywhere!**\\ Put differently, do not generate a different pair of key on each computer/server you use (even if you always use the same passphrase)!   * **Generate only one pair of private/public keys and use the same pair of keys everywhere!**\\ Put differently, do not generate a different pair of key on each computer/server you use (even if you always use the same passphrase)!
  
-  * <wrap em>Do not use an empty passphrase!</wrap>\\ If you do that, somebody gaining access to your private key will be able to access all the accounts where you have installed your public key+  * <wrap em>Do not use an empty passphrase!</wrap>\\ If you do that, somebody gaining access to your private key will be able to access all the accounts where you have installed your public key... You obviously do not want that, right?
  
   * **Keep a backup of your your keys outside of the computer where they were generated**   * **Keep a backup of your your keys outside of the computer where they were generated**
     * Useful if you erase or overwrite the keys by mistake, or if you move to another lab and use a new computer/account, but still need to access the accounts where you have installed your public key...     * Useful if you erase or overwrite the keys by mistake, or if you move to another lab and use a new computer/account, but still need to access the accounts where you have installed your public key...
-    * If you have not used an empty passphrase, and have not saved the passphrase in a file with the keys, the keys can't be used easily by somebody else to gain access to your accounts +    * If you have not used an empty passphrase, and have not saved the passphrase in the same directory as the keys, the keys can't be used (easilyby somebody else to gain access to your accounts 
  
-  * **Do not forget your passphrase!**\\ Do not write your passphrase on a postit taped to your computerWhen you create your keys and type your passphrase, choose something that you will be able to remember during several years+  * **Do not forget your passphrase!** 
 +    * Do not write your passphrase on a post-it taped to your computer 
 +    * When you create your keys and type your passphrase, choose something that you will be able to easily remember during several years. It can even be a long (but easy to remember!) sentence! 
 +      * Easy to remember passphrase example: "//I love working at LSCE!//"
  
-=== Generating keys in a terminal ===+=== Generating keys in a terminal (Linux and Mac) ===
  
-Remember that if you already have a pair of keys, you probably don't want to generate a new pair, unless you have been asked to, or have lost one of the keys, or forgotten your passphrase. If you generate a new pair of keys, you will probably have to replace the old keys that you were using on all the remote servers+If you already have a pair of ssh keys, you probably don't want to generate a new pair, unless you have been asked to (e.g. because an old encryption type like //DSA// has been deprecated), or you have lost one of the keys, or forgotten your passphrase. If you generate a new pair of keys, you will have to replace the old keys that you were using on all your desktops/laptops, and all the remote servers
  
-There are several ways to generate pairs of ssh keys with ''ssh-keygen''. The following one is the one recommended for opening an account on [[https://mesocentre.ipsl.fr/account-opening/|IPSL Mésocentre ESPRI]]. If you open an account on ''ciclad'', but already have a public key, just send your existing public key!+There are several ways to generate pairs of ssh keys with ''ssh-keygen''. The following one is the one recommended for opening an account on [[https://mesocentre.ipsl.fr/account-opening/|IPSL Mésocentre ESPRI]]. If you open an account on ''spirit'', but already have a public key, just **send your existing public key**!
  
-  * Type ''ssh-keygen -t rsa -b 4096''+  * Type ''ssh-keygen  -t ed25519''
     * Accept the default path and key name     * Accept the default path and key name
     * <wrap em>Do not specify an empty passphrase!</wrap>     * <wrap em>Do not specify an empty passphrase!</wrap>
-  * This will generate two text //key// files in a sub-directory of your account (''~/.ssh/'' on Linux, ''C:\Users\my_login\.ssh\'' on Windows 10): +    * Note: ''ssh-keygen -t ed25519'' will also work on Windows! But then you will still have to [[other:putty_conf#converting_existing_ssh_keys_with_puttygen|convert the generated private key with PuTTYgen]] 
-    The private key, that has to be readable only by you''id_rsa''\\ <code> > cd ~/.ssh +  * This will generate two text //key// files in the [[other:ssh#configuration_files|ssh configuration directory]]: 
- > ls -l id_dsa +    * The **//private// key**: ''id_ed25519'' 
--rw------- 1 my_login my_group some_date id_rsa +      Note: on a Linux computer, the private key has to be readable only by you, otherwise ''ssh'' will not work 
- > cat id_rsa +      * <code> > cd ~/.ssh 
------BEGIN RSA PRIVATE KEY----- + > ls -l id_ed25519 
-Proc-Type: 4,ENCRYPTED +-rw------- 1 my_login my_group some_date id_ed25519 
-DEK-Info: AES-128-CBC,906569054A4C58A28AD23CBA28771EDE + > cat id_ed25519 
- +-----BEGIN OPENSSH PRIVATE KEY----- 
-C/Aacy+qcSWIG56eWc3XQhm2oyfAVKFKVm54pwoCmIZ5nmLx/8kV8XcDcMHxoWIz +b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABC7W9+Eu7
-xgc3cPwxNczIS/i4A0AOk3uI8JiT8RVLELVbn+B5T0ewbvMjln4Ec/7W9+aNe/NF+
 [ lots of literally cryptic lines ] [ lots of literally cryptic lines ]
-v/rj1Ze/PEQ+nVX3dh3FB1TaL/aNm48PBP9WQQXm011PY6isZJklyWANGJ6jtOf9 +cG7sHta/m1cOGM8ej7yD8ejCRMKGX1pEqGx/8= 
------END RSA PRIVATE KEY-----</code> +-----END OPENSSH PRIVATE KEY-----</code> 
-    * The public key: ''id_rsa**.pub**''\\ This is the information that you can share. Note that the ''my_login@my_machine'' at the end of the line is just some information about who generated the keys, and where, and can be removed or replaced by something more informative\\ <code> > cat id_rsa.pub +    * The **//public// key**: ''id_ed25519**.pub**'' 
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQ [ lots of cryptic characters ] 8WPbpreOOrIbNw== my_login@my_machine</code>+      * This is the //key// that **you can share**, or that you have to send when opening an account on [[https://mesocentre.ipsl.fr/account-opening/|IPSL Mésocentre ESPRI]]. 
 +        * Note that the ''my_login@my_machine'' string at the end of the line is just some information about who generated the keys, and where, and can be removed or replaced by something more informative 
 +      * <code> > cat id_ed25519.pub 
 +ssh-ed25519 AAAAC3NzaC1lZDI1NT [ lots of cryptic characters ] Frx8rRFKthpmqRdkXl my_login@my_machine</code>
  
-=== Generating or importing keys with PuTTY on a Windows computer ===+=== Generating or importing keys with PuTTY (Windows===
  
-Read the //Converting/Creating ssh keys with PuTTYgen// sub-sections of [[other:putty_conf#using_ssh_keys|Using ssh keys]], on the ''PuTTY'' page+Read [[other:putty_conf#converting_existing_ssh_keys_with_puttygen|Converting existing ssh keys with PuTTYgen]], or [[other:putty_conf#creating_ssh_keys_with_puttygen|Creating ssh keys with PuTTYgen]]
  
 ==== Installing ssh keys ==== ==== Installing ssh keys ====
  
 +<note tip>**Special case**:
  
 +  *  ''spirit[x]'' servers: if you need to use the [[other:ssh#ipsl_servers|IPSL spirit[x] servers]], you have to send your //public// key when you request your account, and the IT people will take care of putting your //public// key in the correct place when they create your account
 +
 +</note>
 +
 +The **required //ssh key// files have to be present in the ''.ssh'' [[other:ssh#configuration_files|directory where ssh stores its configuration files]]**, on the //source// **and** //target// computers. You do not need the same key files on the //source// **and** //target// computers, but it is easier to have all the key files in all the ''.ssh'' directories. This will also act as a backup of the key files in different locations.
 +
 +
 +We assume below that you have copied the required key files in the ''.ssh'' directory of both //source// and //target// computers. We also assume that we are dealing with ''ed25519'' keys, so the //key// files will are named: ''id_ed25519'' (and ''id_ed25519**.ppk**'' on a Windows computer, if you use [[other:putty_conf#using_ssh_keys_with_putty_pageant|PuTTY/Pageant]]), and ''id_ed25519**.pub**''.
 +
 +
 +  * on the **//source// computer**\\ (your local desktop/laptop, or a remote Linux server if you will use ''ssh''/''scp'' from this remote server to another remote server)\\ \\
 +    * you need **the //private// key**: e.g. ''id_ed25519''
 +      * remember that **the private key has to be readable only by the file owner (you!)** on a linux (or Mac) computer\\ <code>$ chmod 600 ~/.ssh/id_ed25519
 +
 +$ ls -l ~/.ssh/id_ed25519
 +-rw------- [...] /some_path/your_login/.ssh/id_ed25519</code>
 +
 +
 +  * and the **//target// computer**\\ (a remote Linux server)\\ \\
 +    * you need **the //public// key**: e.g. ''id_ed25519.pub''
 +    * you need a copy of the //public// key in the ''authorized_keys'' file
 +      * **if the ''authorized_keys'' file does not exist yet**, just copy the //public// key file\\ <code>$ cd ~/.ssh
 +
 +$ ls -l authorized_keys
 +ls: cannot access authorized_keys: No such file or directory
 +
 +$ cp -p id_ed25519.pub authorized_keys</code>
 +      * **if there is already an ''authorized_keys'' file** (possibly with older public keys), just create a backup of the existing file, and **add the new public key at the end of the file**\\ <code>$ cd ~/.ssh
 +
 +$ cat authorized_keys
 +ssh-dss AAAAB3NzaC1kc3MAAACBAM9w0bY604COfD5yLwlBLaSDSbi2eKfhPJBl/
 +[...]
 +OUZ8jrQrhDbq2P7GNTTaEEdy+JvtDvZSZLG4+DwhWSkxqPZ35yD8wfOi5WInpG3Cms some_login
 +
 +$ mv authorized_keys authorized_keys.save
 +
 +$ cat authorized_keys.save id_ed25519.pub > authorized_keys
 +
 +$ cat authorized_keys
 +ssh-dss AAAAB3NzaC1kc3MAAACBAM9w0bY604COfD5yLwlBLaSDSbi2eKfhPJBl/
 +[...]
 +OUZ8jrQrhDbq2P7GNTTaEEdy+JvtDvZSZLG4+DwhWSkxqPZ35yD8wfOi5WInpG3Cms some_login
 +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICD35IUxzgjlslHsrOZQ2ARZsXN1RuDcJ+ncyBKLwHr another_login
 +</code>
 ==== Using the keys ==== ==== Using the keys ====
  
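Review bot: the new "Installing ssh keys" text ("it is easier to have all the key files in all the ''.ssh'' directories. This will also act as a backup") tells the reader to copy the //private// key onto every remote server; a //target// only ever needs the public key in ''authorized_keys'', and with ''-A'' (agent forwarding, described earlier on the page) a remote server can hop to the next one without holding the private key at all, so the sentence should say to keep ''id_ed25519'' only on the computers where you type the passphrase, with the backup stored offline. Smaller points in the same hunk: the passphrase example "//I love working at LSCE!//" on a public wiki will end up protecting somebody's real key; describe the shape (a long sentence you can remember) without giving a concrete phrase. The "already an ''authorized_keys'' file" example keeps an ''ssh-dss'' line while the hunk above says DSA has been deprecated; showing the old line being removed (e.g. ''grep -v ssh-dss authorized_keys.save'') would be consistent, and the target step could mention that ''sshd'' (StrictModes, on by default) also refuses a ''~/.ssh'' or ''authorized_keys'' that is writable by others, so ''chmod 700 ~/.ssh'' and ''chmod 600 ~/.ssh/authorized_keys'' belong next to the ''chmod 600'' on the private key. "the //key// files will are named" should read "are named". Finally, the retained line "the remote server will also //know// (securely) your passphrase" is misleading: agent forwarding sends neither the passphrase nor the private key; it forwards a socket through which the remote host asks your local agent to sign, only while you are connected.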
Line 363: Line 422:
 ==== Windows ssh agent ==== ==== Windows ssh agent ====
  
-On Windows, you should use [[other:putty_conf|Pageant]] as an ssh agent+  * On Windows, we recommend using [[other:putty_conf#using_the_private_key_in_pageant|Pageant/PuTTY]] as an //ssh agent//, because: 
 +    * [[other:putty_conf#launching_putty_pageant|Pageant/PuTTY]] also offers a very easy and convenient way to define profiles to connect to your favorite servers 
 +    * Some programs that use ''ssh'' to transfer files will automatically use the keys stored in ''Pageant'': [[other:win10apps#winscp|WinSCP]], [[other:emacs_doc|emacs]], ... 
 + 
 +  * It is also possible (but less convenient) to use the Windows built-in ''ssh-agent'' and ''ssh'' commands! 
 +    * Note that the //agent service// is not activated by default and you will get the following error when you try to use ''ssh-add'' 
 +      * <code>C: > ssh-add 
 +Error connecting to agent: No such file or directory</code> 
 +    * It is necessary to first **activate the agent Windows //service//** (in an **//elevated// PowerShell**, i.e with //Administrator// privileges) as explained in the [[https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_keymanagement#user-key-generation|User key generation]] section 
 +      * <code>C: > Get-Service ssh-agent 
 +Status   Name               DisplayName 
 +------   ----               ----------- 
 +Stopped  ssh-agent          OpenSSH Authentication Agent 
 + 
 +C: > Get-Service ssh-agent | Set-Service -StartupType Automatic 
 + 
 +C: > Start-Service ssh-agent 
 + 
 +C: > Get-Service ssh-agent 
 +Status   Name               DisplayName 
 +------   ----               ----------- 
 +Running  ssh-agent          OpenSSH Authentication Agent 
 + 
 +C: > ssh-add 
 +Enter passphrase for C:\Users\your_login/.ssh/id_dsa: XXXX_Type_Your_Passphrase_Here_XXXX 
 +Identity added: C:\Users\your_login/.ssh/id_dsa 
 +Identity added: C:\Users\your_login/.ssh/id_ed25519 
 + 
 +C: > ssh-add -l 
 +1024 SHA256:/vC3Ma6s9Wj[Some_Summary_Info_About_The_Key]c1Q4 (DSA) 
 +256 SHA256:8BGKU+zBnJXH[Some_Summary_Info_About_The_Key]2Al8 jypeter@obelix5 (ED25519)</code>
  
 ==== Mac ssh agent ==== ==== Mac ssh agent ====
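Review bot: the ''ssh-add'' transcript at the end loads ''id_dsa'' and lists a 1024-bit DSA key; OpenSSH has disabled ''ssh-dss'' authentication by default since 7.0 and recent releases drop DSA entirely, and this page's own "Generating keys" section calls DSA deprecated, so the transcript should show only the ''id_ed25519'' identity. Style points: "i.e with" should be "i.e. with", and the prompt ''C: >'' in front of ''Get-Service'' / ''Set-Service'' / ''Start-Service'' is not what PowerShell shows (''PS C:\>''), which matters because the text insists these run in an elevated PowerShell; the linked Microsoft page is the Windows Server one, so a sentence saying the same steps apply to the Windows 10 OpenSSH client would help the reader.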
Line 381: Line 470:
  
   * If you want to **know more** (options, etc...), check the //man(ual) page// on Linux: ''man ssh''   * If you want to **know more** (options, etc...), check the //man(ual) page// on Linux: ''man ssh''
-  * Editing **remote text files** with emacs (implicit scp): ''/user@server:/path/file'' +  * Editing **remote text files** with emacs (and automatic ''scp'')check the ''emacs'' section of the [[other:newppl:starting#text_editors|Text editors]]
-    * Use the ''tramp'' lines from the {{:other:emacs_linux_150806.tar|recommended .emacs file}}+
   * Digging **ssh tunnels** when using //ipython notebooks//   * Digging **ssh tunnels** when using //ipython notebooks//
  
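Review bot: "with emacs (and automatic ''scp'')check the ''emacs'' section" is missing a separator after the parenthesis; suggest "(and automatic ''scp''): check the ''emacs'' section". The removed line named ''tramp'', the emacs mode that does this; keeping that word in the new sentence makes the feature searchable.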
other/ssh.1660309229.txt.gz · Last modified: 2022/08/12 15:00 by jypeter
