SSH (Secure SHell) is widely used by HPC users to access remote cluster systems. SSH provides a secure protocol over the unsecured Internet.
- 1 OpenSSH
- 2 Access the HPC systems at PC² via SSH with public key authentication
- 3 Access the OCuLUS system at PC²
- 4 Access the Noctua system at PC²
OpenSSH is a suite of SSH utilities. For accessing a remote HPC system, the most important client-side tools are:
ssh: log in to remote hosts
ssh-keygen: generate and manage SSH keys
ssh-add: facilitate the SSH public key authentication
Moreover, OpenSSH is widely available on many operating systems, e.g. Linux (and other Unix-based systems), macOS as well as Windows.
|Info:||Since Windows 10 version 1803 OpenSSH is included by default.|
|Warning:||Please keep your OpenSSH installation updated with the latest release. Vulnerabilities may have been discovered in older versions and fixed in newer releases.|
Access the HPC systems at PC² via SSH with public key authentication
Compared with password-based authentication, SSH public key authentication is considered to be a more secure way of accessing a remote host. We suggest the following four steps as a safe and convenient method for accessing the HPC systems at PC²:
- generate the SSH private/public key pair on your local computer
- copy the generated SSH public key to the HPC system at PC²
- configure your SSH client for accessing the remote host
- ssh-add for automatic SSH public key authentication
The following is a general guide for accessing the HPC systems at PC² by using SSH public key authentication. [UserName] and [RemoteHostName] are used as examples for a user account and the name of one HPC system, respectively. You need to replace [UserName] as well as [RemoteHostName] with your own settings. Usage on Linux, macOS and Windows is covered herein.
Generate the SSH private/public key pair on your local computer
For generating the SSH private/public key pair on your local computer, the ED25519 algorithm is widely recognized to be superior to other algorithms, e.g. DSA, RSA, and ECDSA. The command below generates a new SSH private/public key pair using the ED25519 algorithm.
ssh-keygen -o -a 128 -t ed25519 -f [Path_to_SSHkey]
Here are the explanations for the command line options:
-o saves the private key using the new OpenSSH format, which is more robust.
-a 128 specifies the number of key derivation function rounds. Here we use -a 128 as a balanced choice by considering both security and efficiency for passphrase verification. A larger number gives increased security, but it can result in slower passphrase verification during login.
-t ed25519 specifies the ED25519 type of SSH key to create.
-f [Path_to_SSHkey] specifies the file name of the SSH key.
- on Linux and macOS
- on Windows
[SSH_key_name] is the file storing the SSH private key.
- on Linux and macOS
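What -o and -a 128 leave in the key file can be read back from its unencrypted header. The following is an added example, not part of the original guide: it parses the OpenSSH private key container and lists deviations from the settings recommended above. The function names are hypothetical, and constructed_key builds a constructed sample with zero-filled key material instead of a real key.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"            # start of the new OpenSSH key container
BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"

def _string(buf, off):
    """Read an SSH string (uint32 length + bytes); return (value, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated key data")
    return buf[off + 4:off + 4 + n], off + 4 + n

def inspect_private_key(text):
    """Read cipher, KDF rounds and key type from the unencrypted header."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if not lines or lines[0] != BEGIN:
        return {"new_format": False}     # legacy PEM container
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad magic")
    cipher, off = _string(blob, len(MAGIC))
    kdf, off = _string(blob, off)
    kdfopts, off = _string(blob, off)
    pub, _ = _string(blob, off + 4)      # skip the uint32 key count
    keytype, _ = _string(pub, 0)
    # bcrypt kdfoptions are "string salt, uint32 rounds": rounds are the last 4 bytes
    rounds = struct.unpack(">I", kdfopts[-4:])[0] if kdf == b"bcrypt" else 0
    return {"new_format": True, "encrypted": cipher != b"none",
            "rounds": rounds, "key_type": keytype.decode()}

def findings(info, min_rounds=128):
    """List deviations from the ssh-keygen settings used in this guide."""
    if not info["new_format"]:
        return ["not in the new OpenSSH format"]
    checks = [
        (not info["encrypted"], "private key has no passphrase"),
        (info["encrypted"] and info["rounds"] < min_rounds, "too few KDF rounds"),
        (info["key_type"] != "ssh-ed25519", "key type is " + info["key_type"]),
    ]
    return [msg for bad, msg in checks if bad]

def constructed_key(cipher, kdf, rounds, keytype):
    """Constructed sample: real header layout, zero-filled key material."""
    s = lambda b: struct.pack(">I", len(b)) + b
    opts = s(bytes(16)) + struct.pack(">I", rounds) if kdf == b"bcrypt" else b""
    blob = (MAGIC + s(cipher) + s(kdf) + s(opts) + struct.pack(">I", 1)
            + s(s(keytype) + s(bytes(32))) + s(bytes(64)))
    return "%s\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % (
        BEGIN, base64.b64encode(blob).decode())
```

On a real key, pass the contents of [Path_to_SSHkey] to inspect_private_key; only the header is read, so no passphrase is needed.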
Copy the generated SSH public key to the HPC system at PC²
Then you need to copy the generated SSH public key to the HPC system at PC².
|Info:||If you are an external user, please send us the public key of your SSH key pair to firstname.lastname@example.org. We can then install it for you.|
On Linux and macOS the following command copies your SSH public key to the HPC system:
ssh-copy-id -i [Path_to_SSHkey].pub [UserName]@[RemoteHostName]
The -i [Path_to_SSHkey].pub option appends the SSH public key to ~/.ssh/authorized_keys on the HPC system.
On Windows the OpenSSH client does not have the ssh-copy-id command available. Nevertheless, the command below can be used to copy your SSH public key:
type [Path_to_SSHkey].pub | ssh [UserName]@[RemoteHostName] "mkdir -p .ssh && cat >> .ssh/authorized_keys && chmod 600 .ssh/authorized_keys"
Configure your SSH client for accessing the remote host
To facilitate the SSH login with public key authentication, you can put the following settings in the SSH client configuration file, which is
~/.ssh/config on Linux and macOS
Then for accessing the HPC system at PC² your configuration file should look like this.
Host hpc_pc2
    HostName [RemoteHostName]
    User [UserName]
    RequestTTY force
    IdentityFile [Path_to_SSHkey]
    IdentitiesOnly yes
Here is a brief explanation of the configuration file:
Host hpc_pc2 creates a specification section, which can be used directly with the ssh command to log in to the HPC system at PC².
HostName [RemoteHostName] specifies the host name of one HPC system.
User [UserName] specifies your account on the HPC system.
RequestTTY force requests a TTY for the session. Screen-based programs, e.g. Emacs, need TTY allocation.
IdentityFile [Path_to_SSHkey] specifies the SSH identity key for authentication.
IdentitiesOnly yes specifies that only the identity file should be used for login authentication.
Then you can access the HPC system at PC² using the SSH public key authentication with the command below:
As you will see, you are asked for the passphrase of the SSH private key, instead of your account password, at login.
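ssh_config uses the first value it obtains for each option, so a broad Host * section placed above the hpc_pc2 section can silently override IdentitiesOnly yes. The following added example (not part of the original guide) resolves the effective options for one alias and flags that case; the function names, the sample host name and the key path are constructed, and Match and Include are not handled.

```python
import fnmatch
import re

LINE = re.compile(r"(\w+)(?:\s*=\s*|\s+)(.*)")   # "Keyword value" or "Keyword=value"

def host_matches(alias, patterns):
    """True if alias matches a positive pattern and no negated ("!") pattern."""
    neg = [p[1:] for p in patterns if p.startswith("!")]
    pos = [p for p in patterns if not p.startswith("!")]
    return (any(fnmatch.fnmatchcase(alias, p) for p in pos)
            and not any(fnmatch.fnmatchcase(alias, p) for p in neg))

def effective_options(text, alias):
    """Resolve options for alias: first obtained value wins, IdentityFile accumulates."""
    opts, active = {}, True             # lines before the first Host apply to every host
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:                       # blank line or comment
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            active = host_matches(alias, value.split())
        elif active and key == "identityfile":
            opts.setdefault(key, []).append(value)
        elif active:
            opts.setdefault(key, value)
    return opts

def audit(text, alias):
    """Check the two key-related settings this guide puts in the Host section."""
    opts, issues = effective_options(text, alias), []
    if not opts.get("identityfile"):
        issues.append("no IdentityFile: ssh falls back to its default key files")
    if opts.get("identitiesonly", "no").lower() != "yes":
        issues.append("IdentitiesOnly is not yes: keys from the agent are offered too")
    return issues

# Constructed sample: the guide's section, but placed below a catch-all section.
SAMPLE = """\
Host *
    IdentitiesOnly no

Host hpc_pc2
    HostName login.example.org
    User alice
    RequestTTY force
    IdentityFile ~/.ssh/id_ed25519_pc2
    IdentitiesOnly yes
"""
```

Moving the Host * section below the hpc_pc2 section makes audit(SAMPLE, "hpc_pc2") return an empty list.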
ssh-add for automatic SSH public key authentication
It can be inconvenient to type the lengthy passphrase every time you log in to the HPC system at PC². Here we describe an automatic authentication by using
First we check whether ssh-agent is running by querying the list of identities in the SSH agent on your local computer.
|Info:||Whether the SSH agent is automatically started or not depends on the relevant setting in an operating system. Windows, macOS and different Linux distributions may have different default settings for starting the SSH agent. Thus it is better to check with the |
If the SSH agent has been started, either a list of identities or "The agent has no identities" will be shown. Otherwise an error message, e.g. "Could not open a connection to your authentication agent", is emitted and you have to start the SSH agent manually, which is operating system dependent:
- on Linux and macOS the command is
- on Windows you need to run the command Start-Service ssh-agent in Windows PowerShell
|Info:||On Windows if |
If your SSH identity is not listed by ssh-add -l, then you need to add it by using
You'll be asked for the passphrase of your SSH private key once. Afterwards any SSH sessions using this identity for authentication can be performed without entering the passphrase, because it has been cached in the SSH agent.
Once your work on the HPC system is finished and you have logged out, it's a good practice to evict the cached SSH identity from the SSH agent for security reasons. This can be achieved by using the command below:
If necessary, you may also want to stop the SSH agent.
- on Linux and macOS the command is
kill -9 $SSH_AGENT_PID
- on Windows you need to run Windows PowerShell in Administrator mode and use the command
Access the OCuLUS system at PC²
To access the OCuLUS system at PC², please replace [RemoteHostName] used as example in the previous section with one of the following host names
A specific section for OCuLUS can also be created in your SSH client configuration file to facilitate the login. The following is an example for fe.pc2.uni-paderborn.de:
Host oculus
    HostName fe.pc2.uni-paderborn.de
    User [UserName]
    RequestTTY force
    IdentityFile [Path_to_SSHkey]
    IdentitiesOnly yes
Please also replace [UserName] and [Path_to_SSHkey] with your account on OCuLUS and the associated SSH identity file, respectively. Then you can log in to OCuLUS by simply entering
Access the Noctua system at PC²
To access the Noctua system at PC², please replace [RemoteHostName] used as example in the previous section with fe.noctua.pc2.uni-paderborn.de, which is the jump host of the Noctua system. To establish a connection to one of the two physical frontends of Noctua, please add RemoteCommand ssh noctua in your SSH client configuration file. An example configuration is shown below.
Host noctua
    HostName fe.noctua.pc2.uni-paderborn.de
    User [UserName]
    RequestTTY force
    IdentityFile [Path_to_SSHkey]
    IdentitiesOnly yes
    RemoteCommand ssh noctua
Please also replace [UserName] and [Path_to_SSHkey] with your account on Noctua and the associated SSH identity file, respectively. Then you can log in to Noctua by simply entering