• ssh is a program for connecting securely to a remote server and for executing commands on this server
  • More precisely ssh is an SSH client using the SSH protocol

• We assume below that you have a my_login account on the remote remote_server computer, and you know your password
  • This page will also show some examples using the LSCE, IPSL Mésocentre ESPRI and TGCC servers

• Instead of a password, you can also use a set of private and public keys and a passphrase
  • This is the only kind of authentication that will work if you need to use the IPSL Mésocentre ESPRI (aka ciclad and climserv)!

• Many programs are said to work over ssh when they implicitly use the ssh protocol to securely transfer their data from one server to another: scp (copy remote directories and files), rsync (synchronize remote directories and files), …

• Some history: before you were born, and the world and internet were a safer place, people used less secure programs like telnet, rlogin, rsh, ftp, …

• ssh [options] [my_login@]remote_server
  • If your login is the same on the local and remote computer, you can omit the optional my_login@ part:
    e.g. just use ssh ssh1.lsce.ipsl.fr
  • The first time you connect to a new server, ssh will ask if you are sure of what you are doing, and then store some unique information about the remote server in the known_hosts file (details).
    

    PS C:\Users\my_login> ssh ciclad.ipsl.jussieu.fr
    The authenticity of host 'ciclad.ipsl.jussieu.fr (134.157.176.129)' can't be established.
    RSA key fingerprint is SHA256:n6wFvMaJuyInd0LNhp78dfMd04Dr751lEekcU7X2UfU.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'ciclad.ipsl.jussieu.fr,134.157.176.129' (RSA) to the list of known hosts.
    my_login@ciclad.ipsl.jussieu.fr: Permission denied (publickey,hostbased).

    
    ssh will automatically check this security information each time you connect to the same server, and warn you if something seems wrong

• -X: enable X11 forwarding. This option will allow you to use graphical programs on the remote server
  • If -X does not work, use -Y instead (Enable trusted X11 forwarding)
  • More details in the Using an X server to display graphics section

• -A: enable agent forwarding. This is useful when you use ssh keys and an ssh agent

• -t command: this option allows you to execute a specific command on the remote server (without displaying the output of the initial ssh). We use this mostly to chain ssh connections, when we want to automatically go through a specific gateway server to access another server
  e.g. ssh -A -X my_login@ssh1.lsce.ipsl.fr -t ssh -A -X obelix

• -v: verbose mode. Use this option only when you can't connect, or things don't seem to work correctly. Analyzing the verbose output when you start ssh should allow you, or the system administrators, to find out what is wrong

There are several ways to use ssh to connect to the LSCE obelixNN servers (more details about the available LSCE servers)

• If your computer is on the LSCE ethernet/wired network:
  • Go to the server with the smallest load:
    ssh -A -X my_LSCE_login@obelix
    or ssh -A -X my_LSCE_login@obelix.lsce.ipsl.fr
  • Go to a specific obelix (possibly because you have some running processes on this server that you want to monitor with top, or terminate with kill)
    ssh -A -X my_LSCE_login@obelix4
• If your computer is outside LSCE, or on the LSCE WiFi network, you have to:
  • Ask your advisor to send a mail to help-lsce, and request an access to the ssh1 server
  • Go first through the ssh1 gateway server
    ssh -A -X my_LSCE_login@ssh1.lsce.ipsl.fr -t ssh -A -X obelix

If you want to connect to the IPSL servers:

• Connecting to ciclad:
  ssh -A -X my_ciclad_login@ciclad.ipsl.jussieu.fr
• More details

If you want to connect to the the TGCC servers:

• Connecting to irene:
  ssh -A -X my_LSCE_login@ssh1.lsce.ipsl.fr -t ssh -A -X my_TGCC_login@irene-ccrt.ccc.cea.fr
  • Note: the TGCC connection details may vary, depending on your login type

If you have to use ssh regularly (with the appropriate options), you should define the following aliases in the ~/.bashrc configuration file of your local Linux account, or properly configure and use PuTTY on Windows

# Connecting to LSCE from a computer on the LSCE network
alias obelix='ssh -A -X my_LSCE_login@obelix'

# Connecting to LSCE from outside the LSCE network
alias sobelix='ssh -A -X my_LSCE_login@ssh1.lsce.ipsl.fr -t ssh -A -X obelix'

# Connecting to ciclad @ IPSL
alias ciclad='ssh -A -X my_ciclad_login@ciclad.ipsl.jussieu.fr'

# Connnecting to irene @ TGCC
alias sirene='ssh -A -X my_LSCE_login@ssh1.lsce.ipsl.fr -t ssh -A -X my_TGCC_login@irene-ccrt.ccc.cea.fr' 

If your connection shell is tcsh instead of bash, use the appropriate alias syntax in your ~/.cshrc configuration file,
e.g. alias obelix 'ssh -A -X my_LSCE_login@obelix'

A terminal can be used to display text information
e.g. the output of ls and top, the vi editor, etc…
but also to start programs that will open new (graphical) windows outside of the initial terminal
e.g. evince to display pdf files, eog to display png/jpg images, the emacs editor, ferret, etc…

If you want to use ssh to start graphical programs on a remote server, you need to:

• use ssh -X (or ssh -Y if -X does not work) to connect to the remote server
  • -X: enable X11 forwarding
  • -Y: enable trusted X11 forwarding (low security, but you trust the remote server)
  • Using the -X/-Y option will automatically define the DISPLAY environment variable that is required by graphical programs on the remote server to determine where to display the graphical windows.
    DISPLAY will not be defined if you forget to use -X/-Y
    
  • Example:
    

    my_login@my_local_computer:~$ echo $DISPLAY
    localhost:0.0
    
    my_login@my_local_computer:~$ ssh ssh1.lsce.ipsl.fr
    Last login: Wed Jul  8 14:45:31 2020 from [...some address...]
    [my_login@ssh1 ~]$ echo $DISPLAY
    DISPLAY: Undefined variable.
    [my_login@ssh1 ~]$ logout
    Connection to ssh1.lsce.ipsl.fr closed.
    
    my_login@my_local_computer:~$ ssh -X ssh1.lsce.ipsl.fr
    [my_login@ssh1 ~]$ echo $DISPLAY
    localhost:43.0

• and have a local X server running!
  An X server is basically a program running on your computer that understands the X Windows System protocol used by the remote server to display graphics
  • Linux computer: nothing to do, an X server is already running !
  • Windows: install, configure and launch VcXsrv
  • Mac:

ssh will store all its configuration text files in the ~/.ssh/ directory (C:\Users\your_windows_login\.ssh on Windows 10)

• known_hosts: the text file were ssh stores one line of security information about each server you have connected to from this computer
  e.g. ciclad.ipsl.jussieu.fr,134.157.176.253 ssh-rsa AAAAB3NzaC1y[a long identifier…]

• config: an optional configuration text file, e.g.
  

  # Empty lines and lines starting with '#' are "comments"
  # More details => man ssh_config
  
  ServerAliveInterval=120
  ServerAliveCountMax=90

• authorized_keys: the public keys of the accounts authorized to connect to this account

• the private and public ssh keys used on this account

PuTTY is a convenient and user-friendly ssh client for Windows

• You want to start a graphical program on a remote server, but get a Can't open display: [NO VALUE DISPLAYED HERE] error
  

  $ xterm &
  $ xterm: Xt error: Can't open display:
  xterm: DISPLAY is not set
  $ echo $DISPLAY
  
  

  
  The DISPLAY variable is probably not defined because you have not specified the -X (or -Y) option when connecting to the remote server. See Using an X server to display graphics

• You want to start a graphical program on a remote server, but get a Can't open display: localhost:[SOME VALUE] error
  

  $ xterm &
  $ connect localhost port 6000: Connection refused
  xterm: Xt error: Can't open display: localhost:12.0

  
  The DISPLAY variable is defined correctly, but you probably don't have a local X server running. See Using an X server to display graphics

• Other types of errors: remember that you can run ssh in verbose mode to help you determine what is wrong (-v option)

Sometimes you just need to copy files from one remote server (or your desktop) to the other. The files can be securely copied over ssh with the scp command

Note: if you work with big data files, you should keep the files were they are instead of duplicating them, and move the data processing (your scripts, etc…) to the server where the files are located (e.g. the ciclad server at IPSL)

• scp [options] local_path_or_file [my_login@]remote_server:remote_path
  or scp [options] [my_login@]remote_server:remote_path_or_file local_path
  • If your login is the same on the local and remote computer, you can omit the optional my_login@ part

• Most common options:
  • -p: preserves modification times, access times, and modes from the original file.
    This option is very useful if you want the copied file(s) to have the same date/time as the original file(s). Otherwise, the time will be the time when you copy the file(s)
  • -r: recursively copy entire directories.
    You have to use this option if the source location is a directory. scp -r will copy the complete content of the directory (including sub-directories)

WinSCP is a convenient and user-friendly scp client for Windows

In some cases, you may want to synchronize the content of directories:

• because you are creating a backup
• because you have lots of files, possibly (very) big, and you don't want to start copying everything again if the copy fails due to temporary network problems
• …

In that case, you should use the rsync command, that will only copy files that are not already in the destination (and that have not changed since the previous copy).

rsync has lots of complex options and rules, and should be used carefully if you do not want to lose files. This page does not cover this topic. Use man rsync or ask somebody

• If you want to know more (options, etc…), check the man(ual) page on Linux: man ssh
• emacs

[ PMIP3 Wiki Home ] - [ Help! ] - [ Wiki syntax ]