SSH-Access


SSH (Secure Shell) is widely used by HPC users to access remote cluster systems. It provides a secure channel over an unsecured network such as the Internet.

OpenSSH

OpenSSH is a suite of SSH utilities. For accessing a remote HPC system, the most important client-side tools are:

  • ssh: log in to remote hosts
  • ssh-keygen: generate and manage SSH keys
  • ssh-agent and ssh-add: facilitate the SSH public key authentication

Moreover, OpenSSH is available on many operating systems, e.g. Linux (and other Unix-based systems), macOS and Windows.

Info: Since Windows 10 version 1803 OpenSSH is included by default.
Warning: Please keep your OpenSSH installation updated with the latest release. Vulnerabilities may have been discovered in older versions and fixed in newer releases.

Access the HPC systems at PC² via SSH with public key authentication

Compared with password-based authentication, SSH public key authentication is considered a more secure way of accessing a remote host. We suggest the following four steps as a safe and convenient method for accessing the HPC systems at PC²:

  1. generate the SSH private/public key pair on your local computer
  2. copy the generated SSH public key to the HPC system at PC²
  3. configure your SSH client for accessing the remote host
  4. use ssh-agent and ssh-add for automatic SSH public key authentication

The following is a general guide for accessing the HPC systems at PC² using SSH public key authentication. [UserName] and [RemoteHostName] are used as examples for a user account and the name of one HPC system, respectively. Replace [UserName] and [RemoteHostName] with your own settings. Usage on Linux, macOS and Windows is covered.

Generate the SSH private/public key pair on your local computer

For generating the SSH private/public key pair on your local computer, the ED25519 algorithm is widely recognized to be superior to other algorithms, e.g. DSA, RSA, and ECDSA. The command below generates a new SSH private/public key pair using the ED25519 algorithm.

ssh-keygen -o -a 128 -t ed25519 -f [Path_to_SSHkey]

Here are the explanations for the command line options:

  • -o saves the private key using the new OpenSSH format, which is more robust.
  • -a 128 specifies the number of key derivation function rounds. Here we use -a 128 as a balanced choice between security and the speed of passphrase verification. A larger number gives increased security, but it can make passphrase verification slower at login.
  • -t ed25519 specifies the ED25519 type of SSH key to create.
  • -f [Path_to_SSHkey] specifies the file name of the SSH key.
    • on Linux and macOS [Path_to_SSHkey] is usually ~/.ssh/[SSH_key_name]
    • on Windows [Path_to_SSHkey] is %HOMEPATH%\.ssh\[SSH_key_name]

      where [SSH_key_name] is the file storing the SSH private key.

Info: ssh-keygen automatically sets the access permissions of the generated SSH key, e.g. only the owner can read and write the private key.
Warning:
  • Please never ever use an empty passphrase when generating an SSH private/public key pair.
  • Please use a strong passphrase to generate the SSH private/public key pair.
  • Your private key is stored in [Path_to_SSHkey]. You must keep it top secret.
  • Your public key is stored in [Path_to_SSHkey].pub and it can be distributed to other systems.

Copy the generated SSH public key to the HPC system at PC²

Then you need to copy the generated SSH public key to the HPC system at PC².

Info: If you are an external user, please send us the public key of your SSH key pair to pc2-support@uni-paderborn.de. We can then install it for you.

On Linux and macOS the following command copies your SSH public key to the HPC system:

ssh-copy-id -i [Path_to_SSHkey].pub [UserName]@[RemoteHostName]

The -i [Path_to_SSHkey].pub option selects the public key file, which ssh-copy-id appends to ~/.ssh/authorized_keys on the HPC system.

Info: ssh-copy-id takes care of the file permissions.

On Windows, the OpenSSH client does not include the ssh-copy-id command. Nevertheless, the command below can be used to copy your SSH public key:

type [Path_to_SSHkey].pub | ssh [UserName]@[RemoteHostName] "mkdir -p .ssh && cat >> .ssh/authorized_keys && chmod 600 .ssh/authorized_keys"

Configure your SSH client for accessing the remote host

To facilitate the SSH login with public key authentication, you can put the following settings in the SSH client configuration file, which is

  • ~/.ssh/config on Linux and macOS
  • %HOMEPATH%\.ssh\config on Windows

For accessing the HPC system at PC², your configuration file should look like this:

Host hpc_pc2
   HostName [RemoteHostName]
   User [UserName]
   RequestTTY force
   IdentityFile [Path_to_SSHkey]
   IdentitiesOnly yes

Here is a brief explanation of the configuration file:

  • Host hpc_pc2 creates a specification section, which can be used directly with the ssh command to log in to the HPC system at PC².
  • HostName [RemoteHostName] specifies the host name of one HPC system.
  • User [UserName] specifies your account on the HPC system.
  • RequestTTY force requests a TTY for the session. Screen-based programs, e.g. Emacs, need TTY allocation.
  • IdentityFile [Path_to_SSHkey] specifies the SSH identity key for authentication.
  • IdentitiesOnly yes specifies that only the configured identity file is used for login authentication, even if ssh-agent holds other identities.

Then you can access the HPC system at PC² using the SSH public key authentication with the command below:

ssh hpc_pc2

As you will see, you are asked for the passphrase of the SSH private key at login instead of your account password.
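
How ssh turns an alias such as hpc_pc2 into effective settings (the first value found for an option wins, IdentityFile values accumulate), and whether IdentitiesOnly is actually in force for that alias, as an added Python example that is not part of the PC² documentation. The functions resolve and audit and the sample hosts, users and key paths are assumptions made for illustration; Match and Include are not evaluated.

```python
import fnmatch
import re

ACCUMULATING = {"identityfile"}  # may be given several times; all values are kept

def resolve(config_text, alias):
    """Effective options for `ssh <alias>`: the first value found for an option wins."""
    opts, active = {}, True  # options before the first Host line apply to every host
    for raw in config_text.splitlines():
        m = re.match(r"\s*([A-Za-z]+)(?:\s*=\s*|\s+)(.*\S)", raw)
        if not m:
            continue  # blank line or comment
        key, value = m.group(1).lower(), m.group(2)
        if key == "host":
            pats = value.split()
            hit = any(fnmatch.fnmatchcase(alias, p) for p in pats if not p.startswith("!"))
            veto = any(fnmatch.fnmatchcase(alias, p[1:]) for p in pats if p.startswith("!"))
            active = hit and not veto
        elif key == "match":
            active = False  # Match conditions are not evaluated here
        elif active and key in ACCUMULATING:
            opts.setdefault(key, []).append(value)
        elif active:
            opts.setdefault(key, value)
    return opts

def audit(config_text, alias):
    """Return findings for the two identity options the example stanza relies on."""
    o, findings = resolve(config_text, alias), []
    if not o.get("identityfile"):
        findings.append("no IdentityFile: ssh falls back to default key files and agent identities")
    if o.get("identitiesonly", "no").lower() != "yes":
        findings.append("IdentitiesOnly is not yes: identities held by ssh-agent are offered as well")
    return findings

# Constructed sample; host names, users and key path are placeholders.
SAMPLE = """\
# constructed sample configuration
Host hpc_pc2
   HostName login.example.org
   User alice
   RequestTTY force
   IdentityFile ~/.ssh/id_ed25519_pc2
   IdentitiesOnly yes
Host legacy
   HostName old.example.org
   IdentityFile ~/.ssh/id_ed25519_pc2
Host *
   User bob
"""

if __name__ == "__main__":
    for name in ("hpc_pc2", "legacy"):
        print(name, resolve(SAMPLE, name), audit(SAMPLE, name))
```

On a real installation, ssh -G hpc_pc2 prints the configuration that OpenSSH itself resolves for the alias.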

Use ssh-agent and ssh-add for automatic SSH public key authentication

It can be inconvenient to type the lengthy passphrase every time you log in to the HPC system at PC². Here we describe automatic authentication using ssh-agent and ssh-add.

First we check whether ssh-agent is running by querying the list of identities in the SSH agent on your local computer.

ssh-add -l


Info: Whether the SSH agent is started automatically depends on the operating system settings. Windows, macOS and different Linux distributions may have different defaults for starting the SSH agent. Thus it is better to check with the ssh-add -l command beforehand.

If the SSH agent has been started, either a list of identities or "The agent has no identities" is shown. Otherwise an error message, e.g. "Could not open a connection to your authentication agent", is emitted and you have to start the SSH agent manually, which is operating system dependent:

  • on Linux and macOS the command is eval $(ssh-agent)
  • on Windows you need to run the command Start-Service ssh-agent in Windows PowerShell
Info: On Windows, if Start-Service ssh-agent emits an error message, you may need to run Set-Service ssh-agent -StartupType Manual as Administrator in PowerShell in advance.

If your SSH identity is not listed by ssh-add -l, then you need to add it by using

ssh-add [Path_to_SSHkey]

You'll be asked for the passphrase of your SSH private key once. Afterwards any SSH session using this identity for authentication can be started without entering the passphrase, because the identity has been cached in the SSH agent.

Once your work on the HPC system is finished and you have logged out, it's a good practice to evict the cached SSH identity from the SSH agent for security reasons. This can be achieved by using the command below:

ssh-add -D

If necessary, you may also want to stop the SSH agent.

  • on Linux and macOS the command is kill -9 $SSH_AGENT_PID
  • on Windows you need to run Windows PowerShell in Administrator mode and use the command Stop-Service ssh-agent

Access the OCuLUS system at PC²

To access the OCuLUS system at PC², replace [RemoteHostName], used as an example in the previous section, with one of the following host names:

  • fe.pc2.uni-paderborn.de
  • fe-2.cv2012.pc2.uni-paderborn.de

A specific section for OCuLUS can also be created in your SSH client configuration file to facilitate the login. The following is an example for fe.pc2.uni-paderborn.de:

Host oculus
   HostName fe.pc2.uni-paderborn.de
   User [UserName]
   RequestTTY force
   IdentityFile [Path_to_SSHkey]
   IdentitiesOnly yes

Please also replace [UserName] and [Path_to_SSHkey] with your account on OCuLUS and the associated SSH identity file, respectively. Then you can log in to OCuLUS by simply entering

ssh oculus

Access the Noctua system at PC²

To access the Noctua system at PC², replace [RemoteHostName], used as an example in the previous section, with

  • fe.noctua.pc2.uni-paderborn.de

fe.noctua.pc2.uni-paderborn.de is the jump host of the Noctua system. To establish a connection to one of the two physical frontends of Noctua, add RemoteCommand ssh noctua to your SSH client configuration file. An example configuration is shown below.

Host noctua
   HostName fe.noctua.pc2.uni-paderborn.de
   User [UserName]
   RequestTTY force
   IdentityFile [Path_to_SSHkey]
   IdentitiesOnly yes
   RemoteCommand ssh noctua

Please also replace [UserName] and [Path_to_SSHkey] with your account on Noctua and the associated SSH identity file, respectively. Then you can log in to Noctua by simply entering

ssh noctua