other:ssh

other:ssh [2022/11/18 17:15]
jypeter [More...] emacs info moved to the instructions for new people
other:ssh [2023/05/03 08:32] (current)
jypeter [Windows ssh agent] Improved
Line 71: Line 71:
 === IPSL servers === === IPSL servers ===
  
-If you want to connect to the **IPSL servers** (only possible with [[other:​ssh#​using_ssh_keys|ssh keys]]!): +If you want to connect to the [[https://​documentations.ipsl.fr/​spirit/​spirit_clusters/​head_nodes.html|IPSL servers]] (only possible with [[other:​ssh#​using_ssh_keys|ssh keys]]!): 
-  * Connecting to ''​ciclad'':​\\ ''​ssh -A -X my_ciclad_login@ciclad.ipsl.jussieu.fr''​ +  * Connecting to ''​spirit1'':​ 
-  * [[https://​documentations.ipsl.fr/​MESO_User/Quick_start.html|More details]]+    * ''​ssh -A -X my_meso_login@spirit1.ipsl.fr''​ 
 +    * Depending on what you need to do, you can also use ''​spirit2'',​ ''​spiritx1''​ or ''​spiritx2''​ 
 +  * [[https://​documentations.ipsl.fr/​spirit/spirit_clusters/​head_nodes.html|More details]] 
 +  * Note: the ''​ciclad''​ server may still be accessible when you read this page, but its usage has been deprecated in favor of the ''​spirit''​ servers
  
-=== TGCC servers ​===+=== TGCC (super)computers ​===
  
-If you want to connect to the the **TGCC servers**:​ +If you want to use the [[https://www-hpc.cea.fr/tgcc-public/en/html/tgcc-public.html|TGCC computers]] (e.g. ''​irene''​):​
-  * Connecting to ''​irene'':​ +
-    * Note: you have to go trough ''​ssh1'',​ even if you are on the LSCE network! +
-    * ''​ssh -A -X my_LSCE_login@ssh1.lsce.ipsl.fr -t ssh -A -X my_TGCC_login@irene-ccrt.ccc.cea.fr''​ +
-    * The [[https://intranet.lsce.ipsl.fr/informatique/en/tgcc.php|TGCC connection details]] may vary, depending on your login type+
  
-=== IDRIS servers ​===+  * Note: you have to go //trough// the ''​ssh1''​ LSCE gateway to access the TGCC, even if you are on the LSCE wired network! 
 +  * ''​ssh -A -X my_LSCE_login@ssh1.lsce.ipsl.fr -t ssh -A -X my_TGCC_login@some_tgcc_login_node''​ 
 +    * Once you are on a TGCC login node (e.g. ''​irene''​),​ you can get lots of information by typing ''<​node>​.info''​ (e.g. ''​irene.info''​) 
 +  * [[https://​intranet.lsce.ipsl.fr/​informatique/​en/​tgcc.php|more TGCC connection details]] 
 + 
 +=== IDRIS (super)computers ​===
  
 FIXME FIXME
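Review bot: the TGCC gateway command on the `+` side (`ssh -A -X my_LSCE_login@ssh1.lsce.ipsl.fr -t ssh -A -X my_TGCC_login@some_tgcc_login_node`) forwards the agent to the `ssh1` gateway as well as to the TGCC node, so anyone with root on `ssh1` can use your keys for as long as the session is open. Since the gateway is only a hop, `ssh -X -J my_LSCE_login@ssh1.lsce.ipsl.fr my_TGCC_login@some_tgcc_login_node` (ProxyJump) reaches the same node without giving the gateway access to the agent; keep `-A` only on the final hop, and only if you actually need to ssh onwards from the TGCC. Two smaller points in the same hunk: "go //trough//" in the TGCC note should read "go //through//" (the typo survived the rewrite and is now italicised), and the IDRIS section still reads `FIXME` although its heading was renamed, so that subsection remains undocumented.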
Line 141: Line 145:
 ==== Configuration files ==== ==== Configuration files ====
  
-''​ssh''​ will store all its **configuration ​text files** in a ''​.ssh''​ sub-directory of your //home// directory+''​ssh''​ will store all its **configuration files** in a ''​.ssh''​ sub-directory of your //home// directory. The configuration files are in a //text// format.
  
-  * Linux: ''​~/​.ssh/''​ directory +  ​* **Linux**: ''​~/​.ssh/''​ directory 
-  * Windows: ''​C:​\Users\your_windows_login\.ssh''​ directory +  ​* **Windows**: ''​C:​\Users\your_windows_login\.ssh''​ directory 
-  * Mac: ''/​Users/​your_mac_login/​.ssh''​ directory (should be the same path as ''​~/​.ssh/''​)+  ​* **Mac**: ''/​Users/​your_mac_login/​.ssh''​ directory (should be the same path as ''​~/​.ssh/''​)
  
 You will find (some of) the following text files: You will find (some of) the following text files:
Line 156: Line 160:
 ServerAliveCountMax=90</​code>​ ServerAliveCountMax=90</​code>​
  
-  * [[#​using_ssh_keys|ssh keys]] related information+  * [[#​using_ssh_keys|ssh keys]] related information:
     * ''​authorized_keys'':​ the //public key(s)// of the account(s) authorized to connect to //this// account.     * ''​authorized_keys'':​ the //public key(s)// of the account(s) authorized to connect to //this// account.
-    * the private (and possibly ​the public) //ssh key(s)// used on this account+    * the **//private// (and probably ​the //public//) //ssh key(s)//** used on this account 
 +      * e.g. ''​id_ed25519''​ and ''​id_ed25519.pub''​ files
  
 ==== A recommended ssh client for Windows ==== ==== A recommended ssh client for Windows ====
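Review bot: where the `+` side introduces the private key file (`id_ed25519`) in the "ssh keys related information" list, it should say right there that this file is the secret half, is never copied to another account or sent to anyone (only the `.pub` file is shared), and on Linux/Mac must stay readable by the owner only, as the key-generation section later explains; a reader who only skims the configuration-files list currently sees the private key listed beside `authorized_keys` with no hint that one is secret and the other is not. Minor: `ServerAliveCountMax=90` in the context line is far above the `ssh_config` default of 3; if it is intentional, a comment in the quoted file saying why would help.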
Line 286: Line 291:
 ==== What are ssh keys and why use them? ==== ==== What are ssh keys and why use them? ====
  
-//ssh keys// are a combination of two specific (and unique) **text files**, **the private key** file and **the public key** file, linked by a special kind of password called **the passphrase**,​ that can be used instead of a standard password to connect securely from one server to another server+//ssh keys// are a combination of two specific (and unique) **text files**, **the //private// key** file and **the //public// key** file, linked by a special kind of password called **the passphrase**,​ that can be used instead of a standard password to connect securely from one server to another server
  
 ssh keys have to be configured properly (a few easy steps), and are **very convenient** because: ssh keys have to be configured properly (a few easy steps), and are **very convenient** because:
  
-  * **They** ​usually ​**don't expire!**\\ You don't have to change ​them (except in some extra secure computing centers like TGCC) and you can keep them for years+  * Contrary to passwords, ​**they usually don't expire!**\\ You don't have to change ​ssh keys (except in some extra secure computing centers like TGCC) and you can keep them for years 
   * **They don't depend on the accounts and the passwords of the servers where you use them**   * **They don't depend on the accounts and the passwords of the servers where you use them**
-    * You can (and should!) use the same set of ssh keys on several servers: you can then use the same passphrase to access these servers, rather than having to memorize different passwords\\ e.g. if you have your private key on ''​account_A''​ of ''​server_A''​ and install the matching public key on ''​account_B''​ of ''​server_B'',​ etc... you can then use ''​ssh''​ on ''​account_A@server_A''​ to access ''​account_B@server_B'',​ ''​account_C@server_C'',​ ... with the same passphrase ! +    * You can (and should!) use the same set of ssh keys on several servers: you can then use the **same** passphrase to access ​all these servers, rather than having to memorize different passwords\\ e.g. if you have your //private// key on ''​account_A''​ of ''​server_A''​ and install the matching ​//public// key on ''​account_B''​ of ''​server_B'',​ etc... you can then use ''​ssh''​ on ''​account_A@server_A''​ to access ''​account_B@server_B'',​ ''​account_C@server_C'',​ ... with the **same** passphrase ! 
-    * You can give your public key to somebody and then access their account using your own passphrase (no need to know the password of the other person)+    ​* **You can give your public key** to somebody and then access their account using your own passphrase (no need to know the password of the other person) 
   * The [[https://​mesocentre.ipsl.fr/​|IPSL Mésocentre ESPRI]] servers can **only** be accessed with a public key and passphrase (the password is not used)   * The [[https://​mesocentre.ipsl.fr/​|IPSL Mésocentre ESPRI]] servers can **only** be accessed with a public key and passphrase (the password is not used)
-  ​* By default, ''​ssh''​ will ask you to type your passphrase each time you connect to a server, but **you can use an //ssh agent// to securely store your passphrase for you**\\ Once you have typed your passphrase in the //ssh agent//, you can connect to all the servers that have your public key without having to type your passphrase! + 
-    * ''​scp''​ (and [[other:​win10apps#​winscp|WinSCP]]) and the tools using ''​ssh''​ on your local computer will not ask your passphrase, if they find the passphrase in a running //ssh agent// on the local computer+  ​* By default, ''​ssh''​ will ask you to type your passphrase each time you connect to a server, but **you can [[other:​ssh#​using_an_ssh_agent|use an ssh agent]] to securely store your passphrase for you**\\ Once you have typed your passphrase in the //ssh agent//, you can connect to all the servers that have your public key without having to type your passphrase! 
 +    * ''​scp''​ (and [[other:​win10apps#​winscp|WinSCP]] ​on Windows) and the tools using ''​ssh''​ on your local computer will not ask your passphrase, if they find the passphrase in a running //ssh agent// on the local computer
       * if you use the ''​-A''​ option ([[other:​ssh#​most_common_options|agent forwarding]]),​ the remote server will also //know// (securely) your passphrase, and you will not have to type the passphrase when using ''​ssh'',​ ''​scp''​ and tools running //over ssh// on the remote server(s)       * if you use the ''​-A''​ option ([[other:​ssh#​most_common_options|agent forwarding]]),​ the remote server will also //know// (securely) your passphrase, and you will not have to type the passphrase when using ''​ssh'',​ ''​scp''​ and tools running //over ssh// on the remote server(s)
-    * the local //ssh agent// is terminated when you log out of your local computer (or reboot ​it)+    * the local //ssh agent// is terminated when you log out of your local computer (or reboot ​the computer)
 ==== Generating ssh keys ==== ==== Generating ssh keys ====
  
 === Some common sense advice === === Some common sense advice ===
- 
  
   * **Generate only one pair of private/​public keys and use the same pair of keys everywhere!**\\ Put differently,​ do not generate a different pair of key on each computer/​server you use (even if you always use the same passphrase)!   * **Generate only one pair of private/​public keys and use the same pair of keys everywhere!**\\ Put differently,​ do not generate a different pair of key on each computer/​server you use (even if you always use the same passphrase)!
  
-  * <wrap em>Do not use an empty passphrase!</​wrap>​\\ If you do that, somebody gaining access to your private key will be able to access all the accounts where you have installed your public key+  * <wrap em>Do not use an empty passphrase!</​wrap>​\\ If you do that, somebody gaining access to your private key will be able to access all the accounts where you have installed your public key... You obviously do not want that, right?
  
   * **Keep a backup of your your keys outside of the computer where they were generated**   * **Keep a backup of your your keys outside of the computer where they were generated**
     * Useful if you erase or overwrite the keys by mistake, or if you move to another lab and use a new computer/​account,​ but still need to access the accounts where you have installed your public key...     * Useful if you erase or overwrite the keys by mistake, or if you move to another lab and use a new computer/​account,​ but still need to access the accounts where you have installed your public key...
-    * If you have not used an empty passphrase, and have not saved the passphrase in a file with the keys, the keys can't be used easily by somebody else to gain access to your accounts ​+    * If you have not used an empty passphrase, and have not saved the passphrase in the same directory as the keys, the keys can't be used (easilyby somebody else to gain access to your accounts ​
  
-  * **Do not forget your passphrase!**\\ Do not write your passphrase on a postit ​taped to your computerWhen you create your keys and type your passphrase, choose something that you will be able to remember during several years+  * **Do not forget your passphrase!** 
 +    * Do not write your passphrase on a post-it ​taped to your computer 
 +    * When you create your keys and type your passphrase, choose something that you will be able to easily ​remember during several years. It can even be a long (but easy to remember!) sentence! 
 +      * Easy to remember passphrase example: "//I love working at LSCE!//"​
  
-=== Generating keys in a terminal ===+=== Generating keys in a terminal ​(Linux and Mac) ===
  
-Remember that if you already have a pair of keys, you probably don't want to generate a new pair, unless you have been asked to, or have lost one of the keys, or forgotten your passphrase. If you generate a new pair of keys, you will probably ​have to replace the old keys that you were using on all the remote servers+If you already have a pair of ssh keys, you probably don't want to generate a new pair, unless you have been asked to (e.g. because an old encryption type like //DSA// has been deprecated), or you have lost one of the keys, or forgotten your passphrase. If you generate a new pair of keys, you will have to replace the old keys that you were using on all your desktops/​laptops,​ and all the remote servers
  
-There are several ways to generate pairs of ssh keys with ''​ssh-keygen''​. The following one is the one recommended for opening an account on [[https://​mesocentre.ipsl.fr/​account-opening/​|IPSL Mésocentre ESPRI]]. If you open an account on ''​ciclad'',​ but already have a public key, just send your existing public key!+There are several ways to generate pairs of ssh keys with ''​ssh-keygen''​. The following one is the one recommended for opening an account on [[https://​mesocentre.ipsl.fr/​account-opening/​|IPSL Mésocentre ESPRI]]. If you open an account on ''​spirit'',​ but already have a public key, just **send your existing public key**!
  
-  * Type ''​ssh-keygen -t rsa -b 4096''​+  * Type ''​ssh-keygen ​ -t ed25519''​
     * Accept the default path and key name     * Accept the default path and key name
     * <wrap em>Do not specify an empty passphrase!</​wrap>​     * <wrap em>Do not specify an empty passphrase!</​wrap>​
-  ​* This will generate two text //key// files in a sub-directory ​of your account (''​~/.ssh/'' ​on Linux, ​''​C:​\Users\my_login\.ssh\''​ on Windows 10): +    * Note: ''​ssh-keygen -t ed25519''​ will also work on Windows! But then you will still have to [[other:​putty_conf#​converting_existing_ssh_keys_with_puttygen|convert the generated private key with PuTTYgen]] 
-    The private key, that has to be readable only by you''​id_rsa''​\\ <​code>​ > cd ~/.ssh +  ​* This will generate two text //key// files in the [[other:​ssh#​configuration_files|ssh configuration ​directory]]: 
- > ls -l id_dsa +    * The **//private// key**: ​''​id_ed25519''​ 
--rw------- 1 my_login my_group some_date ​id_rsa +      Note: on a Linux computer, the private key has to be readable only by you, otherwise ​''​ssh'' ​will not work 
- > cat id_rsa +      * <​code>​ > cd ~/.ssh 
------BEGIN ​RSA PRIVATE KEY----- + > ls -l id_ed25519 
-Proc-Type: 4,​ENCRYPTED +-rw------- 1 my_login my_group some_date ​id_ed25519 
-DEK-Info: AES-128-CBC,​906569054A4C58A28AD23CBA28771EDE + > cat id_ed25519 
- +-----BEGIN ​OPENSSH ​PRIVATE KEY----- 
-C/Aacy+qcSWIG56eWc3XQhm2oyfAVKFKVm54pwoCmIZ5nmLx/​8kV8XcDcMHxoWIz +b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABC7W9+Eu7
-xgc3cPwxNczIS/​i4A0AOk3uI8JiT8RVLELVbn+B5T0ewbvMjln4Ec/​7W9+aNe/​NF+
 [ lots of literally cryptic lines ] [ lots of literally cryptic lines ]
-v/rj1Ze/PEQ+nVX3dh3FB1TaL/​aNm48PBP9WQQXm011PY6isZJklyWANGJ6jtOf9 +cG7sHta/m1cOGM8ej7yD8ejCRMKGX1pEqGx/8= 
------END ​RSA PRIVATE KEY-----</​code>​ +-----END ​OPENSSH ​PRIVATE KEY-----</​code>​ 
-    * The public key: ''​id_rsa**.pub**''​\\ This is the information ​that you can share. Note that the ''​my_login@my_machine''​ at the end of the line is just some information about who generated the keys, and where, and can be removed or replaced by something more informative\\ <​code>​ > cat id_rsa.pub +    * The **//public// key**: ''​id_ed25519**.pub**''​ 
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQ ​[ lots of cryptic characters ] 8WPbpreOOrIbNw== ​my_login@my_machine</​code>​+      * This is the //​key// ​that **you can share**, or that you have to send when opening an account on [[https://​mesocentre.ipsl.fr/​account-opening/​|IPSL Mésocentre ESPRI]]. 
 +        * Note that the ''​my_login@my_machine'' ​string ​at the end of the line is just some information about who generated the keys, and where, and can be removed or replaced by something more informative 
 +      * <​code>​ > cat id_ed25519.pub 
 +ssh-ed25519 AAAAC3NzaC1lZDI1NT ​[ lots of cryptic characters ] Frx8rRFKthpmqRdkXl ​my_login@my_machine</​code>​
  
-=== Generating or importing keys with PuTTY on a Windows ​computer ​===+=== Generating or importing keys with PuTTY (Windows===
  
-Read the //Converting/​Creating ​ssh keys with PuTTYgen// sub-sections of [[other:​putty_conf#​using_ssh_keys|Using ssh keys]], on the ''​PuTTY''​ page+Read [[other:​putty_conf#​converting_existing_ssh_keys_with_puttygen|Converting ​existing ​ssh keys with PuTTYgen]], or [[other:​putty_conf#​creating_ssh_keys_with_puttygen|Creating ​ssh keys with PuTTYgen]]
  
 ==== Installing ssh keys ==== ==== Installing ssh keys ====
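Review bot: the agent-forwarding bullet (`-A` option) in this hunk says the remote server will "know (securely) your passphrase"; that is not how agent forwarding works and gives readers the wrong picture of the risk. Neither the passphrase nor the private key leaves your computer: the remote `ssh` sends signature requests back to your local agent over the forwarded socket. The actual caveat is that, while the session is open, anyone with root on the remote host can use that socket to authenticate as you to every server holding your public key, so `-A` belongs only on hosts you trust and only when you need to hop further from them. Suggested wording: "the remote server can use your local agent (it never sees your passphrase or private key), so you will not be asked for the passphrase when using `ssh`, `scp` and tools running over ssh there". Next to the "use the same set of ssh keys on several servers" and "You can give your public key to somebody" bullets, it is worth stating what the empty-passphrase bullet later implies: one key pair on many accounts means one leaked private key opens all of them, and an account shared via several public keys loses per-person accountability; a passphrase plus an agent reduces that exposure but does not remove it. Minor: `ssh-keygen  -t ed25519` has a double space.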
Line 364: Line 376:
 ==== Windows ssh agent ==== ==== Windows ssh agent ====
  
-On Windows, ​you should use [[other:​putty_conf|Pageant]] as an ssh agent+  * On Windows, ​we recommend using [[other:​putty_conf#​using_the_private_key_in_pageant|Pageant/PuTTY]] as an //ssh agent//, because: 
 +    * [[other:​putty_conf#​launching_putty_pageant|Pageant/​PuTTY]] also offers a very easy and convenient way to define profiles to connect to your favorite servers 
 +    * Some programs that use ''​ssh''​ to transfer files will automatically use the keys stored in ''​Pageant'':​ [[other:​win10apps#​winscp|WinSCP]],​ [[other:​emacs_doc|emacs]],​ ... 
 + 
 +  * It is also possible (but less convenient) to use the Windows built-in ''​ssh-agent''​ and ''​ssh''​ commands! 
 +    * Note that the //agent service// is not activated by default and you will get the following error when you try to use ''​ssh-add''​ 
 +      * <​code>​C:​ > ssh-add 
 +Error connecting to agent: No such file or directory</​code>​ 
 +    * It is necessary to first **activate the agent Windows //​service//​** (in an **//​elevated//​ PowerShell**,​ i.e with //​Administrator//​ privileges) as explained in the [[https://​learn.microsoft.com/​en-us/​windows-server/​administration/​openssh/​openssh_keymanagement#​user-key-generation|User key generation]] section 
 +      * <​code>​C:​ > Get-Service ssh-agent 
 +Status ​  ​Name ​              ​DisplayName 
 +------ ​  ​---- ​              ​----------- 
 +Stopped ​ ssh-agent ​         OpenSSH Authentication Agent 
 + 
 +C: > Get-Service ssh-agent | Set-Service -StartupType Automatic 
 + 
 +C: > Start-Service ssh-agent 
 + 
 +C: > Get-Service ssh-agent 
 +Status ​  ​Name ​              ​DisplayName 
 +------ ​  ​---- ​              ​----------- 
 +Running ​ ssh-agent ​         OpenSSH Authentication Agent 
 + 
 +C: > ssh-add 
 +Enter passphrase for C:​\Users\your_login/​.ssh/​id_dsa:​ XXXX_Type_Your_Passphrase_Here_XXXX 
 +Identity added: C:​\Users\your_login/​.ssh/​id_dsa 
 +Identity added: C:​\Users\your_login/​.ssh/​id_ed25519 
 + 
 +C: > ssh-add -l 
 +1024 SHA256:/​vC3Ma6s9Wj[Some_Summary_Info_About_The_Key]c1Q4 (DSA) 
 +256 SHA256:​8BGKU+zBnJXH[Some_Summary_Info_About_The_Key]2Al8 jypeter@obelix5 (ED25519)</​code>​
  
 ==== Mac ssh agent ==== ==== Mac ssh agent ====
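Review bot: the `ssh-add` transcript on the `+` side loads an `id_dsa` key (`Enter passphrase for C:\Users\your_login/.ssh/id_dsa`, then `1024 SHA256:... (DSA)` in the `ssh-add -l` output), which contradicts the key-generation section's own statement that DSA has been deprecated (OpenSSH has refused DSA keys by default since 7.0). Record the example with only the `id_ed25519` identity, or say explicitly that the DSA key is a leftover to be deleted, otherwise readers will take a 1024-bit DSA key in `.ssh` as fine. One more point for the same hunk: the Windows `ssh-agent` enabled here is a system service that keeps the added identities across logouts and reboots, so the earlier statement that "the local ssh agent is terminated when you log out" does not hold on Windows; the section should say so and mention `ssh-add -D` for removing the identities on a shared machine.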
other/ssh.1668791716.txt.gz · Last modified: 2022/11/18 17:15 by jypeter