Everything you always wanted to know about ssh, ssh keys, the passphrase and ssh agent, but were afraid to ask
At least everything you need to know in order to work efficiently, without getting bored to death
ssh is a program for connecting securely to a remote server and for executing commands on this server.

- ssh is an SSH client using the SSH protocol.
- Prerequisite: you have an account my_login on the remote computer remote_server, and you know your password.
- Related tools that work over ssh: scp (copy remote directories and files), rsync (synchronize remote directories and files), …
- ssh replaces the older, insecure programs that send your password in clear text: telnet, rlogin, rsh, ftp, …
- On Windows 10, ssh is directly available in a Windows Powershell, a Windows Terminal or the old cmd, but the most user-friendly way to use ssh is to use PuTTY.

Syntax:
ssh [options] [my_login@]remote_server
If your login on the remote server is the same as your local login, you can omit the my_login@ part:
ssh ssh1.lsce.ipsl.fr
instead of
ssh my_login@ssh1.lsce.ipsl.fr
The first time you connect to a server, ssh will ask if you are sure of what you are doing, and then store some unique information about the remote server (its host key) in the known_hosts file (details):

PS C:\Users\my_login> ssh ciclad.ipsl.jussieu.fr
The authenticity of host 'ciclad.ipsl.jussieu.fr (134.157.176.129)' can't be established.
RSA key fingerprint is SHA256:n6wFvMaJuyInd0LNhp78dfMd04Dr751lEekcU7X2UfU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ciclad.ipsl.jussieu.fr,134.157.176.129' (RSA) to the list of known hosts.
my_login@ciclad.ipsl.jussieu.fr: Permission denied (publickey,hostbased).

ssh will automatically check this security information each time you connect to the same server, and warn you if something seems wrong (i.e. if the key presented by the server no longer matches the key stored in known_hosts).
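To make that check concrete, here is an added shell example (not part of the original page): it replays what ssh does against known_hosts, looking a host up in a constructed sample file (the format is the one shown in the ~/.ssh section below) and reporting whether the key the server presents is unknown, matching, or different. The host names are the page's, the key strings are constructed placeholders, and the function names are my own; for real files use ssh-keygen -F, which also understands hashed entries.

```shell
#!/bin/sh
# Added example, not from the original wiki page: a re-enactment of the
# host-key check ssh performs against ~/.ssh/known_hosts on every connection.
# The key strings are constructed placeholders, not real host keys.

# Write a small constructed known_hosts file to the path given as $1.
# Format of each line: "host[,ip,...] key-type base64-key [comment]"
write_sample_known_hosts() {
    cat > "$1" <<'EOF'
# constructed sample; key data shortened
ciclad.ipsl.jussieu.fr,134.157.176.253 ssh-rsa AAAAB3NzaC1yEXAMPLE1
ssh1.lsce.ipsl.fr ssh-ed25519 AAAAC3NzaC1lEXAMPLE2
EOF
}

# verify_host_key <known_hosts file> <host> <key type> <key data>
#   exit 0 : host known, key matches            -> ssh connects silently
#   exit 1 : no entry for this host + key type  -> ssh shows the fingerprint prompt
#   exit 2 : host known, key DIFFERS            -> ssh refuses to connect
# A host may legitimately have several lines with different key types
# (ssh-rsa, ssh-ed25519, ...); only a line with the same type can mismatch.
verify_host_key() {
    awk -v host="$2" -v type="$3" -v key="$4" '
        BEGIN { status = 1 }
        /^#/ || NF < 3 { next }                  # skip comments and blank lines
        {
            n = split($1, names, ",")            # field 1 lists host names / IPs
            for (i = 1; i <= n; i++) {
                if (names[i] == host && $2 == type) {
                    if ($3 == key) { status = 0; exit }
                    status = 2                   # same host and type, other key
                }
            }
        }
        END { exit status }
    ' "$1"
}
```

Status 2 is the situation behind the "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!" message: either the server was reinstalled, or somebody is sitting between you and the server. Ask the administrators before removing the line. Entries hashed with HashKnownHosts (lines starting with |1|) cannot be matched by this awk; ssh-keygen -F hostname finds them and ssh-keygen -R hostname removes a stale one.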
Useful options:

- -X : enable X11 forwarding. This option will allow you to use graphical programs on the remote server. If -X does not work, use -Y instead (enable trusted X11 forwarding).
- -A : enable agent forwarding. This is useful when you use ssh keys and an ssh agent.
- -t command : this option allows you to execute a specific command on the remote server (without displaying the output of the initial ssh). We use this mostly to chain ssh connections, when we want to automatically go through a specific gateway server to access another server:
  ssh -A -X my_login@ssh1.lsce.ipsl.fr -t ssh -A -X obelix
- -v : verbose mode. Use this option only when you can't connect, or things don't seem to work correctly. Analyzing the verbose output when you start ssh should allow you, or the system administrators, to find out what is wrong.
There are several ways to use ssh to connect to the LSCE obelixNN servers (more details about the available LSCE servers):

- From a computer on the LSCE network, connect directly to the obelix server:
  ssh -A -X my_LSCE_login@obelix
- From outside the LSCE network, go through the ssh1 gateway server:
  ssh -A -X my_LSCE_login@ssh1.lsce.ipsl.fr -t ssh -A -X obelix

If you want to connect to the IPSL servers (e.g. ciclad):
ssh -A -X my_ciclad_login@ciclad.ipsl.jussieu.fr

If you want to connect to the TGCC servers (e.g. irene), go through the ssh1 gateway:
ssh -A -X my_LSCE_login@ssh1.lsce.ipsl.fr -t ssh -A -X my_TGCC_login@irene-ccrt.ccc.cea.fr
If you have to use ssh regularly (with the appropriate options), you should define the following aliases in the ~/.bashrc configuration file of your local Linux account, or properly configure and use PuTTY on Windows:

# Connecting to LSCE from a computer on the LSCE network
alias obelix='ssh -A -X my_LSCE_login@obelix'
# Connecting to LSCE from outside the LSCE network
alias sobelix='ssh -A -X my_LSCE_login@ssh1.lsce.ipsl.fr -t ssh -A -X obelix'
# Connecting to ciclad @ IPSL
alias ciclad='ssh -A -X my_ciclad_login@ciclad.ipsl.jussieu.fr'
# Connecting to irene @ TGCC
alias sirene='ssh -A -X my_LSCE_login@ssh1.lsce.ipsl.fr -t ssh -A -X my_TGCC_login@irene-ccrt.ccc.cea.fr'

If your connection shell is tcsh instead of bash, use the appropriate alias syntax in your ~/.cshrc configuration file, e.g.
alias obelix 'ssh -A -X my_LSCE_login@obelix'
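The same connections can be described once in ~/.ssh/config instead of as shell aliases, which also makes them available to scp and rsync. This is an added example, not from the original page: a config that uses ProxyJump (an OpenSSH option, available since 7.3) in place of the -t ssh chaining, plus a small awk helper of my own that shows which settings an alias resolves to. Logins and host names are the page's placeholders; on a real system ssh -G sobelix prints the effective settings.

```shell
#!/bin/sh
# Added example (not from the original wiki page): the connections of the
# bash aliases above as ~/.ssh/config entries, plus a helper that looks up
# the settings of one alias. Logins/hosts are the page's placeholders.

# Write the example config to the path given as $1 (a temp file when testing).
write_example_config() {
    cat > "$1" <<'EOF'
# Settings applied to every host
Host *
    ServerAliveInterval 120
    ServerAliveCountMax 90

# LSCE gateway, reachable from anywhere
Host ssh1
    HostName ssh1.lsce.ipsl.fr
    User my_LSCE_login

# obelix from inside the LSCE network
Host obelix
    HostName obelix
    User my_LSCE_login
    ForwardAgent yes
    ForwardX11 yes

# obelix from outside: ProxyJump replaces "ssh ... ssh1 -t ssh ... obelix"
Host sobelix
    HostName obelix
    User my_LSCE_login
    ProxyJump ssh1
    ForwardAgent yes
    ForwardX11 yes
EOF
}

# config_value <config file> <alias> <keyword>
# Prints the value of <keyword> inside the "Host <alias>" block, e.g.
#   config_value ~/.ssh/config sobelix ProxyJump   -> ssh1
# Only exact alias names are handled (no wildcards, no "Match" blocks);
# that is enough to show how the file is structured.
config_value() {
    awk -v alias="$2" -v key="$3" '
        tolower($1) == "host" { inblock = ($2 == alias); next }
        inblock && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}
```

With this file, ssh sobelix, scp some_file sobelix:some/path and rsync ... sobelix:... all go through the gateway without a second set of options. Unlike the alias, ProxyJump opens no shell session on ssh1: the gateway only relays the connection, so the agent and X11 are forwarded to obelix only, which is the least exposure a gateway hop needs.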
A terminal can be used to display text information (e.g. the output of ls and top, the vi editor, etc…), but also to start programs that will open new (graphical) windows outside of the initial terminal (e.g. evince to display pdf files, eog to display png/jpg images, the emacs editor, ferret, etc…).

If you want to use ssh to start graphical programs on a remote server, you need to:

- have an X server running on your local computer (see Using an X server to display graphics);
- use ssh -X (or ssh -Y if -X does not work) to connect to the remote server:
  -X : enable X11 forwarding
  -Y : enable trusted X11 forwarding (low security, but you trust the remote server)

The -X/-Y option will automatically define the DISPLAY environment variable that is required by graphical programs on the remote server to determine where to display the graphical windows. DISPLAY will not be defined if you forget to use -X/-Y:

my_login@my_local_computer:~$ echo $DISPLAY
localhost:0.0
my_login@my_local_computer:~$ ssh ssh1.lsce.ipsl.fr
Last login: Wed Jul 8 14:45:31 2020 from [...some address...]
[my_login@ssh1 ~]$ echo $DISPLAY
DISPLAY: Undefined variable.
[my_login@ssh1 ~]$ logout
Connection to ssh1.lsce.ipsl.fr closed.
my_login@my_local_computer:~$ ssh -X ssh1.lsce.ipsl.fr
[my_login@ssh1 ~]$ echo $DISPLAY
localhost:43.0
ssh will store all its configuration text files in a .ssh sub-directory of your home directory:

- ~/.ssh/ directory on Linux
- C:\Users\your_windows_login\.ssh on Windows

You will find (some of) the following text files:

- known_hosts : the text file where ssh stores one line of security information about each server you have connected to from this computer, e.g.
  ciclad.ipsl.jussieu.fr,134.157.176.253 ssh-rsa AAAAB3NzaC1y[a long identifier…]
- config : an optional configuration text file, e.g.
  # Empty lines and lines starting with '#' are "comments"
  # More details => man ssh_config
  ServerAliveInterval=120
  ServerAliveCountMax=90
- authorized_keys : the public key(s) of the account(s) authorized to connect to this account.

PuTTY is a convenient and user-friendly ssh client for Windows
- Can't open display: [NO VALUE DISPLAYED HERE] error
  $ xterm &
  $ xterm: Xt error: Can't open display:
  xterm: DISPLAY is not set
  $ echo $DISPLAY

  The DISPLAY variable is probably not defined because you have not specified the -X (or -Y) option when connecting to the remote server. See Using an X server to display graphics

- Can't open display: localhost:[SOME VALUE] error
  $ xterm &
  $ connect localhost port 6000: Connection refused
  xterm: Xt error: Can't open display: localhost:12.0

  The DISPLAY variable is defined correctly, but you probably don't have a local X server running. See Using an X server to display graphics

- Use ssh in verbose mode to help you determine what is wrong (-v option).
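The two X11 symptoms above follow a small decision procedure, written out here as an added shell example (not from the original page). It classifies the value of DISPLAY on the remote server, using the fact that sshd numbers forwarded displays starting at X11DisplayOffset (default 10), and maps the error text of the graphical program to the matching hint. Function names and the hint labels are my own.

```shell
#!/bin/sh
# Added example, not from the original wiki page: turn the two symptoms
# described above (empty DISPLAY, or "Connection refused" from a forwarded
# display) into the matching hint. Inputs: the value of $DISPLAY on the
# remote server, and the error line printed by the graphical program.

# classify_display <DISPLAY value>
# Prints: unset | local | ssh-forwarded | other
# sshd allocates forwarded displays from X11DisplayOffset (default 10), so
# localhost:10.0, localhost:43.0, ... come from ssh -X/-Y; :0 or
# localhost:0.0 is an X server running on the machine itself.
classify_display() {
    d="$1"
    case "$d" in
        "")                 echo unset ;;
        :[0-9]*)            echo local ;;
        localhost:[0-9]*)
            n="${d#localhost:}"; n="${n%%.*}"      # display number only
            if [ "$n" -ge 10 ]; then echo ssh-forwarded; else echo local; fi ;;
        *)                  echo other ;;
    esac
}

# x11_hint <DISPLAY value> <error line>
# Prints one of:
#   add-X-option         DISPLAY is empty: reconnect with ssh -X or ssh -Y
#   start-local-xserver  DISPLAY is fine but nothing accepts the forwarded
#                        connection ("connect localhost port 6000: Connection
#                        refused"): no X server is running on your computer
#   ok                   display set and no error reported
#   unknown              anything else: retry with ssh -v and read the output
x11_hint() {
    case "$(classify_display "$1")" in
        unset) echo add-X-option ;;
        ssh-forwarded|local)
            case "$2" in
                *"Connection refused"*) echo start-local-xserver ;;
                "")                     echo ok ;;
                *)                      echo unknown ;;
            esac ;;
        *) echo unknown ;;
    esac
}
```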
Sometimes you just need to copy files from one remote server (or your desktop) to the other. The files can be securely copied over ssh with the scp command.

Note: if you work with big data files, you should keep the files where they are instead of duplicating them, and move the data processing (your scripts, etc…) to the server where the files are located (e.g. the ciclad server at IPSL).

Note: the following will work in a Linux terminal, but can also work in a terminal on a Mac or on a Windows 10 computer (scp is directly available in Windows Powershell, Windows Terminal or the old cmd, but it is not the most user-friendly way to use scp on Windows). If you have a Windows computer, it is much easier to use WinSCP for copying files.

Syntax:
scp [options] local_path_or_file(s) [my_login@]remote_server:remote_path
scp [options] [my_login@]remote_server:remote_path_or_file(s) local_path

If your login on the remote server is the same as your local login, you can omit the my_login@ part.

You can use . (the current directory) instead of the full path of the local directory:
$ cd /some/path
$ scp -p ssh1.lsce.ipsl.fr:/some/remote/path/scatter_regress_example.py .
scatter_regress_example.py                    100% 4988   134.6KB/s   00:00

Quote the remote path when it contains wildcards, so that they are expanded on the remote server rather than by your local shell:
$ scp -p ssh1.lsce.ipsl.fr:'/some/remote/path/matplotlib/plot_lat_test.*' .
plot_lat_test.eps                             100%   43KB   1.0MB/s   00:00
plot_lat_test.pdf                             100%   20KB 853.8KB/s   00:00
plot_lat_test.png                             100%   77KB   1.5MB/s   00:00

Useful options:

- -p : preserves modification times, access times, and modes from the original file.
- -r : recursively copy entire directories. scp -r will copy the complete content of the directory (including sub-directories).

WinSCP is a convenient and user-friendly scp client for Windows
In some cases, you may want to synchronize the content of directories. In that case, you should use the rsync command, which will only copy files that are not already in the destination (and that have not changed since the previous copy).

rsync has lots of complex options and rules, and should be used carefully if you do not want to lose files. This page does not cover this topic. Use man rsync or ask somebody.
ssh keys are a combination of two specific (and unique) text files, the private key file and the public key file, linked by a special kind of password called the passphrase, that can be used instead of a standard password to connect securely from one server to another server.

ssh keys have to be configured properly (a few easy steps), and are very convenient because:

- you generate one pair of keys on account_A of server_A and install the matching public key on account_B of server_B, account_C of server_C, etc… you can then use ssh to access account_B@server_B, account_C@server_C, … with the same passphrase!
- ssh will ask you to type your passphrase each time you connect to a server, but you can use an ssh agent to securely store your passphrase for you (more precisely, the agent keeps the unlocked private key in memory, so the passphrase is only typed once per session)
- scp (and WinSCP) and the tools using ssh on your local computer will not ask your passphrase, if they find the passphrase in a running local ssh agent
- if you connect with the -A option (agent forwarding), the remote will also know (securely) your passphrase, and you will not have to type the passphrase when using ssh, scp and tools running over ssh on the remote server(s)

Remember that if you already have a pair of keys, you probably don't want to generate a new pair, unless you have been asked to, or have lost one of the keys, or forgotten your passphrase. If you generate a new pair of keys, you will probably have to replace the old keys that you were using on all the remote servers.
There are several ways to generate pairs of ssh keys with ssh-keygen. The following one is the one recommended for opening an account on IPSL Mésocentre ESPRI. If you open an account on ciclad, but already have a public key, just send the existing key!

ssh-keygen -t rsa -b 4096

This will create two files in your .ssh directory (~/.ssh on Linux, C:\Users\my_login\.ssh\ on Windows 10):

- id_rsa : the private key. It stays on your computer and must only be readable by you (-rw-------); its content is encrypted with your passphrase:
  > cd ~/.ssh
  > ls -l id_rsa
  -rw------- 1 my_login my_group some_date id_rsa
  > cat id_rsa
  -----BEGIN RSA PRIVATE KEY-----
  Proc-Type: 4,ENCRYPTED
  DEK-Info: AES-128-CBC,906569054A4C58A28AD23CBA28771EDE
  C/Aacy+qcSWIG56eWc3XQhm2oyfAVKFKVm54pwoCmIZ5nmLx/8kV8XcDcMHxoWIz
  xgc3cPwxNczIS/i4A0AOk3uI8JiT8RVLELVbn+B5T0ewbvMjln4Ec/7W9+aNe/NF
  [ lots of literally cryptic lines ]
  v/rj1Ze/PEQ+nVX3dh3FB1TaL/aNm48PBP9WQQXm011PY6isZJklyWANGJ6jtOf9
  -----END RSA PRIVATE KEY-----
- id_rsa.pub : the public key, a single line; this is the file you send when asked for your key. my_login@my_machine at the end of the line is just some information about who generated the keys, and where, and can be removed or replaced by something more informative:
  > cat id_rsa.pub
  ssh-rsa AAAAB3NzaC1yc2EAAAADAQ [ lots of cryptic characters ] 8WPbpreOOrIbNw== my_login@my_machine
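Three checks worth running on the files just created, written as an added shell example (not from the original page): that the private key has the permissions ssh insists on, whether it is protected by a passphrase, and how the trailing comment of the public key is replaced. The function names are my own; the key texts used in the test are constructed, not real keys.

```shell
#!/bin/sh
# Added example, not from the original wiki page: small checks on a key pair
# such as id_rsa / id_rsa.pub. File names are parameters; sample key texts
# in the accompanying test are constructed placeholders.

# 1. ssh refuses to use a private key whose permissions are too open
#    ("UNPROTECTED PRIVATE KEY FILE!"). Return 0 when the mode is exactly
#    owner read/write (-rw-------), 1 otherwise. ls -l is used instead of
#    stat because stat's options differ between GNU and BSD/macOS.
private_key_mode_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# 2. Is the private key protected by a passphrase? In the legacy PEM format
#    shown on this page that is visible as "Proc-Type: 4,ENCRYPTED". Keys in
#    the newer "OPENSSH PRIVATE KEY" format do not expose this in a header.
#    Prints: encrypted | plaintext | openssh-format
private_key_passphrase_status() {
    if grep -q '^-----BEGIN OPENSSH PRIVATE KEY-----' "$1"; then
        echo openssh-format
    elif grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted
    else
        echo plaintext
    fi
}

# 3. Replace the comment (the "my_login@my_machine" part) of a public key
#    line with something more informative. Only the third field changes;
#    the key type and key data are kept as they are.
#    set_pubkey_comment <public key line> <new comment>
set_pubkey_comment() {
    printf '%s\n' "$1" | awk -v c="$2" '{ print $1, $2, c }'
}
```

Recent OpenSSH versions write the "OPENSSH PRIVATE KEY" format by default, so the Proc-Type header of the listing above may be absent on your machine; ssh-keygen -p -f id_rsa sets or changes the passphrase in either format, and ssh-keygen -y -f id_rsa prints the public key and prompts for the passphrase only when one is set. ssh-keygen -c -C 'new comment' -f id_rsa changes the comment in both files at once, and chmod 600 id_rsa fixes the permissions when check 1 fails.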
Read the Importing or creating ssh keys with PuTTYgen section
man ssh