other:ssh

Differences
Previous revision: other:ssh [2023/03/16 16:03] – [Generating ssh keys] jypeter
Current revision: other:ssh [2024/11/29 13:58] (current) – [Installing ssh keys] Improved jypeter
Line 71: Line 71:
 === IPSL servers === === IPSL servers ===
  
-If you want to connect to the **IPSL servers** (only possible with [[other:ssh#using_ssh_keys|ssh keys]]!): +If you want to connect to the [[https://documentations.ipsl.fr/spirit/spirit_clusters/head_nodes.html|IPSL servers]] (only possible with [[other:ssh#using_ssh_keys|ssh keys]]!): 
-  * Connecting to ''ciclad'':\\ ''ssh -A -X my_ciclad_login@ciclad.ipsl.jussieu.fr'' +  * [[https://mesocentre.ipsl.fr/account-opening/|Requesting an account at IPSL]] 
-  * [[https://documentations.ipsl.fr/MESO_User/Quick_start.html|More details]]+  * Connecting to ''spirit1'': 
 +    * ''ssh -A -X my_meso_login@spirit1.ipsl.fr'' 
 +    * Depending on what you need to do, you can also use ''spirit2'', ''spiritx1'' or ''spiritx2'' 
 +  * [[https://documentations.ipsl.fr/spirit/spirit_clusters/head_nodes.html|More details]] 
 +  * Note: the ''ciclad'' server may still be accessible when you read this page, but its usage has been deprecated in favor of the ''spirit'' servers
  
 === TGCC (super)computers === === TGCC (super)computers ===
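Review bot: the new ''spirit1'' login line, ''ssh -A -X my_meso_login@spirit1.ipsl.fr'', turns on agent forwarding and X11 forwarding unconditionally, and the removed ''ciclad'' line had the same problem, so this rewrite was the place to fix it. On a shared head node, anyone with root on that host can drive the forwarded agent socket and authenticate as you for as long as the session is open; ''-A'' should therefore be presented as an option to add only when the next hop actually needs your key (ideally with identities loaded via ''ssh-add -c'' so each use is confirmed locally), and ''-X'' only when a graphical program is needed. Suggest showing the plain ''ssh my_meso_login@spirit1.ipsl.fr'' first, then the ''-A -X'' variant with a one-line note on what each flag exposes.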
Line 288: Line 292:
 ==== What are ssh keys and why use them? ==== ==== What are ssh keys and why use them? ====
  
-//ssh keys// are a combination of two specific (and unique) **text files**, **the private key** file and **the public key** file, linked by a special kind of password called **the passphrase**, that can be used instead of a standard password to connect securely from one server to another server+//ssh keys// are a combination of two specific (and unique) **text files**, **the //private// key** file and **the //public// key** file, linked by a special kind of password called **the passphrase**, that can be used instead of a standard password to connect securely from one server to another server
  
 ssh keys have to be configured properly (a few easy steps), and are **very convenient** because: ssh keys have to be configured properly (a few easy steps), and are **very convenient** because:
  
-  * **They** usually **don't expire!**\\ You don't have to change them (except in some extra secure computing centers like TGCC) and you can keep them for years+  * Contrary to passwords, **they usually don't expire!**\\ You don't have to change ssh keys (except in some extra secure computing centers like TGCC) and you can keep them for years 
   * **They don't depend on the accounts and the passwords of the servers where you use them**   * **They don't depend on the accounts and the passwords of the servers where you use them**
-    * You can (and should!) use the same set of ssh keys on several servers: you can then use the same passphrase to access these servers, rather than having to memorize different passwords\\ e.g. if you have your private key on ''account_A'' of ''server_A'' and install the matching public key on ''account_B'' of ''server_B'', etc... you can then use ''ssh'' on ''account_A@server_A'' to access ''account_B@server_B'', ''account_C@server_C'', ... with the same passphrase ! +    * You can (and should!) use the same set of ssh keys on several servers: you can then use the **same** passphrase to access all these servers, rather than having to memorize different passwords\\ e.g. if you have your //private// key on ''account_A'' of ''server_A'' and install the matching //public// key on ''account_B'' of ''server_B'', etc... you can then use ''ssh'' on ''account_A@server_A'' to access ''account_B@server_B'', ''account_C@server_C'', ... with the **same** passphrase ! 
-    * You can give your public key to somebody and then access their account using your own passphrase (no need to know the password of the other person)+    * **You can give your public key** to somebody and then access their account using your own passphrase (no need to know the password of the other person) 
   * The [[https://mesocentre.ipsl.fr/|IPSL Mésocentre ESPRI]] servers can **only** be accessed with a public key and passphrase (the password is not used)   * The [[https://mesocentre.ipsl.fr/|IPSL Mésocentre ESPRI]] servers can **only** be accessed with a public key and passphrase (the password is not used)
-  * By default, ''ssh'' will ask you to type your passphrase each time you connect to a server, but **you can use an //ssh agent// to securely store your passphrase for you**\\ Once you have typed your passphrase in the //ssh agent//, you can connect to all the servers that have your public key without having to type your passphrase! + 
-    * ''scp'' (and [[other:win10apps#winscp|WinSCP]]) and the tools using ''ssh'' on your local computer will not ask your passphrase, if they find the passphrase in a running //ssh agent// on the local computer+  * By default, ''ssh'' will ask you to type your passphrase each time you connect to a server, but **you can [[other:ssh#using_an_ssh_agent|use an ssh agent]] to securely store your passphrase for you**\\ Once you have typed your passphrase in the //ssh agent//, you can connect to all the servers that have your public key without having to type your passphrase! 
 +    * ''scp'' (and [[other:win10apps#winscp|WinSCP]] on Windows) and the tools using ''ssh'' on your local computer will not ask your passphrase, if they find the passphrase in a running //ssh agent// on the local computer
       * if you use the ''-A'' option ([[other:ssh#most_common_options|agent forwarding]]), the remote server will also //know// (securely) your passphrase, and you will not have to type the passphrase when using ''ssh'', ''scp'' and tools running //over ssh// on the remote server(s)       * if you use the ''-A'' option ([[other:ssh#most_common_options|agent forwarding]]), the remote server will also //know// (securely) your passphrase, and you will not have to type the passphrase when using ''ssh'', ''scp'' and tools running //over ssh// on the remote server(s)
-    * the local //ssh agent// is terminated when you log out of your local computer (or reboot it)+    * the local //ssh agent// is terminated when you log out of your local computer (or reboot the computer)
 ==== Generating ssh keys ==== ==== Generating ssh keys ====
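Review bot: the rewritten agent bullet (''you can use an ssh agent to securely store your passphrase for you'') and the unchanged ''-A'' sub-bullet (''the remote server will also know (securely) your passphrase'') describe the mechanism incorrectly. The agent holds the decrypted private key in memory, not the passphrase, and agent forwarding only gives the remote host a socket through which it can ask your local agent to sign authentication challenges; neither the passphrase nor the private key ever leaves your computer. Suggest ''stores your unlocked private key'' and ''the remote server can use your local agent to authenticate onward hops''. In the same hunk, the ''they usually don't expire'' and ''You can (and should!) use the same set of ssh keys on several servers'' bullets deserve one sentence noting the flip side: a key reused everywhere is a single point of compromise, so it must be replaced on all servers if any one machine holding it is suspected.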
  
Line 352: Line 359:
 ==== Installing ssh keys ==== ==== Installing ssh keys ====
  
 +<note tip>**Special case**:
  
 +  *  ''spirit[x]'' servers: if you need to use the [[other:ssh#ipsl_servers|IPSL spirit[x] servers]], you have to send your //public// key when you request your account, and the IT people will take care of putting your //public// key in the correct place when they create your account
 +
 +</note>
 +
 +The **required //ssh key// files have to be present in the ''.ssh'' [[other:ssh#configuration_files|directory where ssh stores its configuration files]]**, on the //source// **and** //target// computers. You do not need the same key files on the //source// **and** //target// computers, but it is easier to have all the key files in all the ''.ssh'' directories. This will also act as a backup of the key files in different locations.
 +
 +
 +We assume below that you have copied the required key files in the ''.ssh'' directory of both //source// and //target// computers. We also assume that we are dealing with ''ed25519'' keys, so the //key// files will are named: ''id_ed25519'' (and ''id_ed25519**.ppk**'' on a Windows computer, if you use [[other:putty_conf#using_ssh_keys_with_putty_pageant|PuTTY/Pageant]]), and ''id_ed25519**.pub**''.
 +
 +
 +  * on the **//source// computer**\\ (your local desktop/laptop, or a remote Linux server if you will use ''ssh''/''scp'' from this remote server to another remote server)\\ \\
 +    * you need **the //private// key**: e.g. ''id_ed25519''
 +      * remember that **the private key has to be readable only by the file owner (you!)** on a linux (or Mac) computer\\ <code>$ chmod 600 ~/.ssh/id_ed25519
 +
 +$ ls -l ~/.ssh/id_ed25519
 +-rw------- [...] /some_path/your_login/.ssh/id_ed25519</code>
 +
 +
 +  * and the **//target// computer**\\ (a remote Linux server)\\ \\
 +    * you need **the //public// key**: e.g. ''id_ed25519.pub''
 +    * you need a copy of the //public// key in the ''authorized_keys'' file
 +      * **if the ''authorized_keys'' file does not exist yet**, just copy the //public// key file\\ <code>$ cd ~/.ssh
 +
 +$ ls -l authorized_keys
 +ls: cannot access authorized_keys: No such file or directory
 +
 +$ cp -p id_ed25519.pub authorized_keys</code>
 +      * **if there is already an ''authorized_keys'' file** (possibly with older public keys), just create a backup of the existing file, and **add the new public key at the end of the file**\\ <code>$ cd ~/.ssh
 +
 +$ cat authorized_keys
 +ssh-dss AAAAB3NzaC1kc3MAAACBAM9w0bY604COfD5yLwlBLaSDSbi2eKfhPJBl/
 +[...]
 +OUZ8jrQrhDbq2P7GNTTaEEdy+JvtDvZSZLG4+DwhWSkxqPZ35yD8wfOi5WInpG3Cms some_login
 +
 +$ mv authorized_keys authorized_keys.save
 +
 +$ cat authorized_keys.save id_ed25519.pub > authorized_keys
 +
 +$ cat authorized_keys
 +ssh-dss AAAAB3NzaC1kc3MAAACBAM9w0bY604COfD5yLwlBLaSDSbi2eKfhPJBl/
 +[...]
 +OUZ8jrQrhDbq2P7GNTTaEEdy+JvtDvZSZLG4+DwhWSkxqPZ35yD8wfOi5WInpG3Cms some_login
 +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICD35IUxzgjlslHsrOZQ2ARZsXN1RuDcJ+ncyBKLwHr another_login
 +</code>
 ==== Using the keys ==== ==== Using the keys ====
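Review bot: the new paragraph ''it is easier to have all the key files in all the .ssh directories. This will also act as a backup of the key files'' tells readers to copy the private key onto every remote server, shared head nodes included. That hands a copy of the private key to every administrator of those hosts and multiplies the places it can leak from, while the page's own agent-forwarding section already covers the multi-hop case without any private key on the intermediate host. Suggest stating that the private key stays on the source computer only (back it up offline), and that remote servers receive nothing but the ''.pub'' content in ''authorized_keys''. Two smaller points in the same hunk: the ''chmod 600 ~/.ssh/id_ed25519'' step should be accompanied by ''chmod 700 ~/.ssh'' and ''chmod 600 ~/.ssh/authorized_keys'', because sshd's default ''StrictModes'' silently refuses keys in a group- or world-writable directory or file, which is the most common cause of "key installed but still asks for password"; and the sample ''authorized_keys'' keeps an ''ssh-dss'' entry when appending the new key, whereas DSA has been disabled by default in OpenSSH since 7.0 and removed from recent releases, so the example should show that line being deleted rather than preserved. ''ssh-copy-id user@host'' does the create-or-append step in one command and is worth a mention.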
  
Line 370: Line 422:
 ==== Windows ssh agent ==== ==== Windows ssh agent ====
  
-On Windows, you should use [[other:putty_conf|Pageant]] as an ssh agent+  * On Windows, we recommend using [[other:putty_conf#using_the_private_key_in_pageant|Pageant/PuTTY]] as an //ssh agent//, because: 
 +    * [[other:putty_conf#launching_putty_pageant|Pageant/PuTTY]] also offers a very easy and convenient way to define profiles to connect to your favorite servers 
 +    * Some programs that use ''ssh'' to transfer files will automatically use the keys stored in ''Pageant'': [[other:win10apps#winscp|WinSCP]], [[other:emacs_doc|emacs]], ... 
 + 
 +  * It is also possible (but less convenient) to use the Windows built-in ''ssh-agent'' and ''ssh'' commands! 
 +    * Note that the //agent service// is not activated by default and you will get the following error when you try to use ''ssh-add'' 
 +      * <code>C: > ssh-add 
 +Error connecting to agent: No such file or directory</code> 
 +    * It is necessary to first **activate the agent Windows //service//** (in an **//elevated// PowerShell**, i.e with //Administrator// privileges) as explained in the [[https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_keymanagement#user-key-generation|User key generation]] section 
 +      * <code>C: > Get-Service ssh-agent 
 +Status   Name               DisplayName 
 +------   ----               ----------- 
 +Stopped  ssh-agent          OpenSSH Authentication Agent 
 + 
 +C: > Get-Service ssh-agent | Set-Service -StartupType Automatic 
 + 
 +C: > Start-Service ssh-agent 
 + 
 +C: > Get-Service ssh-agent 
 +Status   Name               DisplayName 
 +------   ----               ----------- 
 +Running  ssh-agent          OpenSSH Authentication Agent 
 + 
 +C: > ssh-add 
 +Enter passphrase for C:\Users\your_login/.ssh/id_dsa: XXXX_Type_Your_Passphrase_Here_XXXX 
 +Identity added: C:\Users\your_login/.ssh/id_dsa 
 +Identity added: C:\Users\your_login/.ssh/id_ed25519 
 + 
 +C: > ssh-add -l 
 +1024 SHA256:/vC3Ma6s9Wj[Some_Summary_Info_About_The_Key]c1Q4 (DSA) 
 +256 SHA256:8BGKU+zBnJXH[Some_Summary_Info_About_The_Key]2Al8 jypeter@obelix5 (ED25519)</code>
  
 ==== Mac ssh agent ==== ==== Mac ssh agent ====
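Review bot: the Windows transcript adds a 1024-bit DSA key alongside the ed25519 one (''Identity added: C:\Users\your_login/.ssh/id_dsa'' and ''1024 SHA256:... (DSA)'' in the ''ssh-add -l'' output). Current OpenSSH clients and servers refuse DSA by default, so the example should show that key being removed (''ssh-add -d'' and deleting the file) rather than loaded. A caveat belongs here too: unlike the Linux and Mac agents described earlier in the page, the Windows OpenSSH ''ssh-agent'' service persists added identities across logout and reboot (stored encrypted in the user's registry hive), so the earlier statement that ''the local ssh agent is terminated when you log out'' does not hold on Windows and ''ssh-add -D'' is needed to clear them. Minor: the prompt is shown as ''C: >'' while the commands are PowerShell cmdlets (''Get-Service'', ''Set-Service'', ''Start-Service''); ''PS C:\>'' would avoid confusion with cmd.exe, where these do not work.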
other/ssh.1678979001.txt.gz · Last modified: 2023/03/16 16:03 by jypeter