Differences

This shows you the differences between two versions of the page.

--- other:ssh [2023/03/10 15:21]
jypeter [Generating ssh keys] Updated the information (esp moved from DSA to ED25519
+++ other:ssh [2023/05/03 08:32] (current)
jypeter [Windows ssh agent] Improved
@@ Line 71: / Line 71: @@
 === IPSL servers ===
-If you want to connect to the **IPSL servers** (only possible with [[other:ssh#using_ssh_keys|ssh keys]]!):
+If you want to connect to the [[https://documentations.ipsl.fr/spirit/spirit_clusters/head_nodes.html|IPSL servers]] (only possible with [[other:ssh#using_ssh_keys|ssh keys]]!):
-  * Connecting to ''ciclad'':\\ ''ssh -A -X my_ciclad_login@ciclad.ipsl.jussieu.fr''
+  * Connecting to ''spirit1'':
-  * [[https://documentations.ipsl.fr/MESO_User/Quick_start.html|More details]]
+    * ''ssh -A -X my_meso_login@spirit1.ipsl.fr''
+    * Depending on what you need to do, you can also use ''spirit2'', ''spiritx1'' or ''spiritx2''
+  * [[https://documentations.ipsl.fr/spirit/spirit_clusters/head_nodes.html|More details]]
+  * Note: the ''ciclad'' server may still be accessible when you read this page, but its usage has been deprecated in favor of the ''spirit'' servers
-=== TGCC servers ===
+=== TGCC (super)computers ===
-If you want to connect to the the **TGCC servers**:
+If you want to use the [[https://www-hpc.cea.fr/tgcc-public/en/html/tgcc-public.html|TGCC computers]] (e.g. ''irene''):
-  * Connecting to ''irene'':
-    * Note: you have to go trough ''ssh1'', even if you are on the LSCE network!
-    * ''ssh -A -X my_LSCE_login@ssh1.lsce.ipsl.fr -t ssh -A -X my_TGCC_login@irene-ccrt.ccc.cea.fr''
-    * The [[https://intranet.lsce.ipsl.fr/informatique/en/tgcc.php|TGCC connection details]] may vary, depending on your login type
-=== IDRIS servers ===
+  * Note: you have to go //trough// the ''ssh1'' LSCE gateway to access the TGCC, even if you are on the LSCE wired network!
+  * ''ssh -A -X my_LSCE_login@ssh1.lsce.ipsl.fr -t ssh -A -X my_TGCC_login@some_tgcc_login_node''
+    * Once you are on a TGCC login node (e.g. ''irene''), you can get lots of information by typing ''<node>.info'' (e.g. ''irene.info'')
+  * [[https://intranet.lsce.ipsl.fr/informatique/en/tgcc.php|more TGCC connection details]]
+=== IDRIS (super)computers ===
 FIXME
@@ Line 141: / Line 145: @@
 ==== Configuration files ====
-''ssh'' will store all its **configuration text files** in a ''.ssh'' sub-directory of your //home// directory
+''ssh'' will store all its **configuration files** in a ''.ssh'' sub-directory of your //home// directory. The configuration files are in a //text// format.
-  * Linux: ''~/.ssh/'' directory
+  * **Linux**: ''~/.ssh/'' directory
-  * Windows: ''C:\Users\your_windows_login\.ssh'' directory
+  * **Windows**: ''C:\Users\your_windows_login\.ssh'' directory
-  * Mac: ''/Users/your_mac_login/.ssh'' directory (should be the same path as ''~/.ssh/'')
+  * **Mac**: ''/Users/your_mac_login/.ssh'' directory (should be the same path as ''~/.ssh/'')
 You will find (some of) the following text files:
@@ Line 156: / Line 160: @@
 ServerAliveCountMax=90</code>
-  * [[#using_ssh_keys|ssh keys]] related information
+  * [[#using_ssh_keys|ssh keys]] related information:
     * ''authorized_keys'': the //public key(s)// of the account(s) authorized to connect to //this// account.
-    * the private (and possibly the public) //ssh key(s)// used on this account
+    * the **//private// (and probably the //public//) //ssh key(s)//** used on this account
+      * e.g. ''id_ed25519'' and ''id_ed25519.pub'' files
 ==== A recommended ssh client for Windows ====
@@ Line 286: / Line 291: @@
 ==== What are ssh keys and why use them? ====
-//ssh keys// are a combination of two specific (and unique) **text files**, **the private key** file and **the public key** file, linked by a special kind of password called **the passphrase**, that can be used instead of a standard password to connect securely from one server to another server
+//ssh keys// are a combination of two specific (and unique) **text files**, **the //private// key** file and **the //public// key** file, linked by a special kind of password called **the passphrase**, that can be used instead of a standard password to connect securely from one server to another server
 ssh keys have to be configured properly (a few easy steps), and are **very convenient** because:
-  * **They** usually **don't expire!**\\ You don't have to change them (except in some extra secure computing centers like TGCC) and you can keep them for years
+  * Contrary to passwords, **they usually don't expire!**\\ You don't have to change ssh keys (except in some extra secure computing centers like TGCC) and you can keep them for years
   * **They don't depend on the accounts and the passwords of the servers where you use them**
-    * You can (and should!) use the same set of ssh keys on several servers: you can then use the same passphrase to access these servers, rather than having to memorize different passwords\\ e.g. if you have your private key on ''account_A'' of ''server_A'' and install the matching public key on ''account_B'' of ''server_B'', etc... you can then use ''ssh'' on ''account_A@server_A'' to access ''account_B@server_B'', ''account_C@server_C'', ... with the same passphrase !
+    * You can (and should!) use the same set of ssh keys on several servers: you can then use the **same** passphrase to access all these servers, rather than having to memorize different passwords\\ e.g. if you have your //private// key on ''account_A'' of ''server_A'' and install the matching //public// key on ''account_B'' of ''server_B'', etc... you can then use ''ssh'' on ''account_A@server_A'' to access ''account_B@server_B'', ''account_C@server_C'', ... with the **same** passphrase !
-    * You can give your public key to somebody and then access their account using your own passphrase (no need to know the password of the other person)
+    * **You can give your public key** to somebody and then access their account using your own passphrase (no need to know the password of the other person)
   * The [[https://mesocentre.ipsl.fr/|IPSL Mésocentre ESPRI]] servers can **only** be accessed with a public key and passphrase (the password is not used)
-  * By default, ''ssh'' will ask you to type your passphrase each time you connect to a server, but **you can use an //ssh agent// to securely store your passphrase for you**\\ Once you have typed your passphrase in the //ssh agent//, you can connect to all the servers that have your public key without having to type your passphrase!
-    * ''scp'' (and [[other:win10apps#winscp|WinSCP]]) and the tools using ''ssh'' on your local computer will not ask your passphrase, if they find the passphrase in a running //ssh agent// on the local computer
+  * By default, ''ssh'' will ask you to type your passphrase each time you connect to a server, but **you can [[other:ssh#using_an_ssh_agent|use an ssh agent]] to securely store your passphrase for you**\\ Once you have typed your passphrase in the //ssh agent//, you can connect to all the servers that have your public key without having to type your passphrase!
+    * ''scp'' (and [[other:win10apps#winscp|WinSCP]] on Windows) and the tools using ''ssh'' on your local computer will not ask your passphrase, if they find the passphrase in a running //ssh agent// on the local computer
       * if you use the ''-A'' option ([[other:ssh#most_common_options|agent forwarding]]), the remote server will also //know// (securely) your passphrase, and you will not have to type the passphrase when using ''ssh'', ''scp'' and tools running //over ssh// on the remote server(s)
-    * the local //ssh agent// is terminated when you log out of your local computer (or reboot it)
+    * the local //ssh agent// is terminated when you log out of your local computer (or reboot the computer)
 ==== Generating ssh keys ====
 === Some common sense advice ===
   * **Generate only one pair of private/public keys and use the same pair of keys everywhere!**\\ Put differently, do not generate a different pair of key on each computer/server you use (even if you always use the same passphrase)!
@@ Line 317: / Line 324: @@
       * Easy to remember passphrase example: "//I love working at LSCE!//"
-=== Generating keys in a terminal ===
+=== Generating keys in a terminal (Linux and Mac) ===
-Remember that if you already have a pair of keys, you probably don't want to generate a new pair, unless you have been asked to (e.g. because an old encryption type like //DSA// has been deprecated), or have lost one of the keys, or forgotten your passphrase. If you generate a new pair of keys, you will have to replace the old keys that you were using on all your desktops/laptops, and all the remote servers
+If you already have a pair of ssh keys, you probably don't want to generate a new pair, unless you have been asked to (e.g. because an old encryption type like //DSA// has been deprecated), or you have lost one of the keys, or forgotten your passphrase. If you generate a new pair of keys, you will have to replace the old keys that you were using on all your desktops/laptops, and all the remote servers
 There are several ways to generate pairs of ssh keys with ''ssh-keygen''. The following one is the one recommended for opening an account on [[https://mesocentre.ipsl.fr/account-opening/|IPSL Mésocentre ESPRI]]. If you open an account on ''spirit'', but already have a public key, just **send your existing public key**!
@@ Line 326: / Line 333: @@
     * Accept the default path and key name
     * <wrap em>Do not specify an empty passphrase!</wrap>
-  * This will generate two text //key// files in a sub-directory of your account (''~/.ssh/'' on Linux, ''C:\Users\my_login\.ssh\'' on Windows 10):
+    * Note: ''ssh-keygen -t ed25519'' will also work on Windows! But then you will still have to [[other:putty_conf#converting_existing_ssh_keys_with_puttygen|convert the generated private key with PuTTYgen]]
+  * This will generate two text //key// files in the [[other:ssh#configuration_files|ssh configuration directory]]:
     * The **//private// key**: ''id_ed25519''
       * Note: on a Linux computer, the private key has to be readable only by you, otherwise ''ssh'' will not work
@@ Line 339: / Line 347: @@
 -----END OPENSSH PRIVATE KEY-----</code>
     * The **//public// key**: ''id_ed25519**.pub**''
-      * This is the information that you can share. Note that the ''my_login@my_machine'' at the end of the line is just some information about who generated the keys, and where, and can be removed or replaced by something more informative
+      * This is the //key// that **you can share**, or that you have to send when opening an account on [[https://mesocentre.ipsl.fr/account-opening/|IPSL Mésocentre ESPRI]].
+        * Note that the ''my_login@my_machine'' string at the end of the line is just some information about who generated the keys, and where, and can be removed or replaced by something more informative
       * <code> > cat id_ed25519.pub
 ssh-ed25519 AAAAC3NzaC1lZDI1NT [ lots of cryptic characters ] Frx8rRFKthpmqRdkXl my_login@my_machine</code>
-=== Generating or importing keys with PuTTY on a Windows computer ===
+=== Generating or importing keys with PuTTY (Windows) ===
-Read the //Converting/Creating ssh keys with PuTTYgen// sub-sections of [[other:putty_conf#using_ssh_keys|Using ssh keys]], on the ''PuTTY'' page
+Read [[other:putty_conf#converting_existing_ssh_keys_with_puttygen|Converting existing ssh keys with PuTTYgen]], or [[other:putty_conf#creating_ssh_keys_with_puttygen|Creating ssh keys with PuTTYgen]]
 ==== Installing ssh keys ====
@@ Line 367: / Line 376: @@
 ==== Windows ssh agent ====
-On Windows, you should use [[other:putty_conf|Pageant]] as an ssh agent
+  * On Windows, we recommend using [[other:putty_conf#using_the_private_key_in_pageant|Pageant/PuTTY]] as an //ssh agent//, because:
+    * [[other:putty_conf#launching_putty_pageant|Pageant/PuTTY]] also offers a very easy and convenient way to define profiles to connect to your favorite servers
+    * Some programs that use ''ssh'' to transfer files will automatically use the keys stored in ''Pageant'': [[other:win10apps#winscp|WinSCP]], [[other:emacs_doc|emacs]], ...
+  * It is also possible (but less convenient) to use the Windows built-in ''ssh-agent'' and ''ssh'' commands!
+    * Note that the //agent service// is not activated by default and you will get the following error when you try to use ''ssh-add''
+      * <code>C: > ssh-add
+Error connecting to agent: No such file or directory</code>
+    * It is necessary to first **activate the agent Windows //service//** (in an **//elevated// PowerShell**, i.e with //Administrator// privileges) as explained in the [[https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_keymanagement#user-key-generation|User key generation]] section
+      * <code>C: > Get-Service ssh-agent
+Status   Name               DisplayName
+------   ----               -----------
+Stopped  ssh-agent          OpenSSH Authentication Agent
+C: > Get-Service ssh-agent | Set-Service -StartupType Automatic
+C: > Start-Service ssh-agent
+C: > Get-Service ssh-agent
+Status   Name               DisplayName
+------   ----               -----------
+Running  ssh-agent          OpenSSH Authentication Agent
+C: > ssh-add
+Enter passphrase for C:\Users\your_login/.ssh/id_dsa: XXXX_Type_Your_Passphrase_Here_XXXX
+Identity added: C:\Users\your_login/.ssh/id_dsa
+Identity added: C:\Users\your_login/.ssh/id_ed25519
+C: > ssh-add -l
+SHA256:/vC3Ma6s9Wj[Some_Summary_Info_About_The_Key]c1Q4 (DSA)
+SHA256:8BGKU+zBnJXH[Some_Summary_Info_About_The_Key]2Al8 jypeter@obelix5 (ED25519)</code>
 ==== Mac ssh agent ====

PMIP3 wiki

User Tools

Site Tools

Differences

Page Tools