HPC/Network Access/SSH Tunnel Setup and Use: Difference between revisions

From CNM Wiki
Jump to navigation Jump to search
mNo edit summary
mNo edit summary
Line 19: Line 19:
* Steps 4 and 5 can be repeated as often as desired.
* Steps 4 and 5 can be repeated as often as desired.


== Automated setup ==
== Using an ssh config file ==
To simplify connections for routine use, employ (1) ssh public keys and (2) an ssh configuration file.
To simplify connections for routine use, employ (1) ssh public keys and (2) an ssh configuration file.


=== Create your ssh keys ===
=== Config file contents ===
If you do not already have an ssh private/public key pair, create one:
On your own computer, create or modify the file <code>~/.ssh/config</code> and add the following lines:
<font color="green">homebase</font>:/Users/home_id$ <strong>ssh-keygen -t rsa</strong>
 
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/home_id/.ssh/id_rsa):
Enter passphrase (empty for no passphrase): <strong>************</strong>
Enter same passphrase again: <strong>************</strong>
Your identification has been saved in /Users/home_id/.ssh/id_rsa.
Your public key has been saved in /Users/home_id/.ssh/id_rsa.pub.
The key fingerprint is:
42:c3:72:fb:4c:be:c6:80:81:bc:8b:73:d8:88:84:2e home_id@<font color="green">homebase</font>.local
On modern systems, the mere presence of private keys with their default names triggers handling through ''ssh-agent'' and brings up a passphrase dialog at the start of the desktop session or when a key is first requested for an outgoing connection.  This is the case on MacOS X Leopard, where key management is largely automated through its general ''keychain'' concept; on Tiger, use [http://www.sshkeychain.org/ SSHKeychain.app].
 
To verify that an ssh-agent is running and visible to your shell, check for the presence of the environment variable <code>SSH_AUTH_SOCK</code>.  To list the keys it has loaded, use <code>ssh-add -l</code> (lowercase "L").  Typical output is as follows:
; Linux or MacOS X Leopard:
  <font color="green">homebase</font>:/Users/home_id$ <strong>echo $SSH_AUTH_SOCK</strong>
  /tmp/ssh-HCvZKt5478/agent.5478
  <font color="green">homebase</font>:/Users/home_id$ <strong>ssh-add -l</strong>
  1024 b9:65:98:c0:7c:25:da:b6:86:48:98:6b:2a:5a:9d:21 /Users/home_id/.ssh/id_rsa (RSA)
; MacOS X Tiger using [http://www.sshkeychain.org/ SSHKeychain.app]:
  <font color="green">homebase</font>:/Users/home_id $ <strong>echo $SSH_AUTH_SOCK</strong>
  /tmp/55522/SSHKeychain.socket
  <font color="green">homebase</font>:/Users/home_id$ <strong>ssh-add -l</strong>
  1024 b9:65:98:c0:7c:25:da:b6:86:48:98:6b:2a:5a:9d:21 /Users/home_id/.ssh/id_rsa (RSA)
 
On older systems, you need to (a) set up the session to run under ''ssh agent'' and (b) request the passphrase upon login.  Circumstances vary widely.  Ask [http://www.google.com/search?hl=en&q=ssh-agent Google] or your local admin for help.  See also the page [http://kimmo.suominen.com/docs/ssh/ ''Getting started with SSH''].
 
=== Configure <code>~/.ssh/config</code> ===
Create your <code>~/.ssh/config</code> file or, if you already have one (in which case you might already know the procedure anyway), add the following lines.  The first line, to be placed before any other <code>Host</code> entries, is optional.  Use it if your home is shared across machines or you use many of these type of forwards.
  NoHostAuthenticationForLocalhost yes
  NoHostAuthenticationForLocalhost yes
   
   
Line 66: Line 38:
  ForwardX11 yes
  ForwardX11 yes
  ForwardX11Trusted yes
  ForwardX11Trusted yes
As with ''33301'', the other '''<code>port numbers</code>''' refer to ports on your machine (<font color="green">homebase</font>) and are mostly arbitrary.  If you are on a shared machine, it is entirely possible that these ports are busy, especially if someone else follows these very instructions.  Consult <code>/etc/services</code> or [http://www.iana.org/assignments/port-numbers IANA] and pick ports above 1024 that are unassigned.


Argonne staff may wish to append the following to the <code><font color="red">mega</font></code> section to forward access to our ''internal'' Wiki (not this one):
Argonne staff may wish to append the following to the <code><font color="red">mega</font></code> section to forward access to our ''internal'' Wiki (not this one):
LocalForward  33343  wiki.inside.anl.gov:443
LocalForward  33343  wiki.inside.anl.gov:443


=== Establish the tunnel - simple version ===
=== Connecting with a config file ===
Open a separate terminal window:
With the config file in place, the commands above simplify to:
<font color="green">homebase</font>$ <strong>ssh <font color="red">mega</font></strong>
 
This command now uses the ''host alias'' <code><font color="red">mega</font></code>
: 1. Once:
from your <code>.ssh/config</code> file to address the gateway and even set your remote user name.
ssh -v -N mega
You can minimize the window at this point and essentially forget about it until you log out.


Alternatively, you may choose to run:
: 2. As often as needed:
  <font color="green">homebase</font>$ <strong>ssh -N <font color="red">mega</font></strong>
ssh clogin
This will give no more output after the password prompt, but will disallow adding further tunneled connections.
 
== Speeding up logins using ssh keys ==
If you do not already have an ssh private/public key pair, create one:
<font color="green">homebase</font>:/Users/home_id$ <strong>ssh-keygen -t rsa</strong>
 
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/home_id/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/home_id/.ssh/id_rsa.
Your public key has been saved in /Users/home_id/.ssh/id_rsa.pub.
The key fingerprint is:
42:c3:72:fb:4c:be:c6:80:81:bc:8b:73:d8:88:84:2e home_id@<font color="green">homebase</font>.local
 
On modern systems, the mere presence of private keys with their default names triggers handling through ''ssh-agent'' and brings up a passphrase dialog at the start of the desktop session or when a key is first requested for an outgoing connection.  This is the case on MacOS X Leopard, where key management is largely automated through its general ''keychain'' concept; on Tiger, use [http://www.sshkeychain.org/ SSHKeychain.app].
 
To verify that an ssh-agent is running and visible to your shell, check for the presence of the environment variable <code>SSH_AUTH_SOCK</code>.  To list the keys it has loaded, use <code>ssh-add -l</code> (lowercase "L"). Typical output is as follows:
; On Linux or MacOS X Leopard and Lion:
  <font color="green">homebase</font>:/Users/home_id$ <strong>echo $SSH_AUTH_SOCK</strong>
  /tmp/ssh-HCvZKt5478/agent.5478
  <font color="green">homebase</font>:/Users/home_id$ <strong>ssh-add -l</strong>
  1024 b9:65:98:c0:7c:25:da:b6:86:48:98:6b:2a:5a:9d:21 /Users/home_id/.ssh/id_rsa (RSA)
 
On older systems, you need to (a) set up the session to run under ''ssh agent'' and (b) request the passphrase upon login.  Circumstances vary widely.  Ask [http://www.google.com/search?hl=en&q=ssh-agent Google] or your local admin for help.  See also the page [http://kimmo.suominen.com/docs/ssh/ ''Getting started with SSH''].


=== Place your public key on Carbon ===
=== Place your public key on Carbon ===
Line 98: Line 91:


==== Troubleshooting ====
==== Troubleshooting ====
If public keys do not work, use your password to gain access, then check the following:
If public keys do not work, use your password to gain access, then check the following:
; Permissions: The directories and the <code>authorized_keys</code> file must, at the least, not be writable by anyone except yourself; other permissions are recommended to be restrictive as well:
; Permissions: The directories and the <code>authorized_keys</code> file must, at the least, not be writable by anyone except yourself; other permissions are recommended to be restrictive as well:
Line 115: Line 107:
Note that there should '''not''' be anything like <code>BEGIN RSA PRIVATE KEY</code>, which would obviously indicate a private, rather than public key.
Note that there should '''not''' be anything like <code>BEGIN RSA PRIVATE KEY</code>, which would obviously indicate a private, rather than public key.


== Routine use ==
== Remote graphics ==
The commands above describe a one-off setup process. Once all the necessary files are in place, all that is needed for routine access is to open the tunnel once per login session, and then use it as often as needed.  The host aliases defined in the config file allow the tunnel "entrance" to appear like a regularly named machine.
=== I - Establish the tunnel - advanced version ===
If a tunnel session is not already running, open one.
You can use one of the ways described above, or add a twist as follows:
  <strong>ssh -v <font color="red">mega</font>  iostat -w 60</strong>
This command will give you a life sign from the tunnel machine every minute.  This may be helpful with choppy network connections.
The actual output (the load average on the gateway machine) is useful only for an admin who will note if the machine should get bogged down.
The <code>-v</code> option will give you some ssh chatter, especially when the tunnel is being used.
As before, you can still minimize this window and forget about it until the end of your desktop session.
Note that you will ''always'' have to type your domain password to reach <font color="red">mega</font>.
 
Keep in mind that either one of the above methods to establish the tunnel
is necessary only ''once'' for each desktop session on your workstation.
 
=== II - Access the cluster ===
Once the tunnel is established, you can access the cluster through the tunnel as often as you like.
If you've set up the ''ssh agent'' on your external machine, you no longer need to type your domain password
for any of the following commands.
 
'''Note:''' Run any of these commands <font color="#c00">'''from your computer'''</font>, not from <font color="red">mega</font>.
==== Open an interactive shell ====
'''ssh clogin'''
==== Remote graphics ====
At the Carbon prompt:
At the Carbon prompt:
  login5% '''echo $DISPLAY'''
  login5% '''echo $DISPLAY'''
Line 155: Line 124:
  gnuplot> '''exit'''
  gnuplot> '''exit'''


==== Execute a single remote command ====
== File transfer ==
'''ssh clogin qstat'''
* There are many ways to transfer files through an ssh tunnel. However, you must always initiate the connection from the remote machine (your home computer), and either ''push'' files to Carbon or ''pull'' files from Carbon.
==== Copy a file ''to'' Carbon (''push'' from outside) ====
* With the above tunnel setup you cannot initiate a file transfer from Carbon or mega.
* Do not use mega as an intermediate. Files stored there wil be deleted.
 
=== Copy a file ''to'' Carbon (''push'' from outside) ===
  '''scp -p foo clogin:remote/path/'''
  '''scp -p foo clogin:remote/path/'''
==== Copy a whole directory ''to'' Carbon ====
=== Copy a whole directory ''to'' Carbon ===
Short of using tar or zip:
Short of using tar or zip:
  '''scp -rp local/path/ clogin:remote/path/'''
  '''scp -rp local/path/ clogin:remote/path/'''
This method does not preserve symbolic links.
This method does not preserve symbolic links.
==== Copy a file ''from'' Carbon (''pull'' from outside) ====
=== Copy a file ''from'' Carbon (''pull'' from outside) ===
  '''scp -p clogin:remote/path/foo  local/path/'''
  '''scp -p clogin:remote/path/foo  local/path/'''
  '''scp -p clogin:remote/path/foo  .'''
  '''scp -p clogin:remote/path/foo  .'''
Line 175: Line 147:
# a <code>.ssh/config</code> file on Carbon, and
# a <code>.ssh/config</code> file on Carbon, and
# specifying <code>-R</code> command line options or <code>RemoteForward</code> config file directives when accessing clogin at the second stage.
# specifying <code>-R</code> command line options or <code>RemoteForward</code> config file directives when accessing clogin at the second stage.
==== Bonus – Intranet web access ====
=== Bonus – Intranet web access ===
Open the following links in a browser ''on your external workstation'':
Open the following links in a browser ''on your external workstation'':
  https://localhost:33343/cnm/HPC
  https://localhost:33343/cnm/HPC

Revision as of 06:11, February 7, 2012

The following sections document how to establish ssh tunneling on a Linux or MacOS X machine running OpenSSH. Numerous Windows solutions are available to provide the same functionality, but details vary considerably.

Manual setup

  • On your own computer:
1. Open a terminal window (such as Mac Terminal, Cygwin, PuTTY, or xterm)
2. Type:
ssh -v -N -L 33301:clogin:22  username@mega.cnm.anl.gov
3. Minimize that window - no further commands need be typed there.
4. Open another terminal window.
5. Type:
ssh -Y -p 33301 username@localhost
  • Replace username by the name of your Argonne account name.
  • Steps 4 and 5 can be repeated as often as desired.

Using an ssh config file

To simplify connections for routine use, employ (1) ssh public keys and (2) an ssh configuration file.

Config file contents

On your own computer, create or modify the file ~/.ssh/config and add the following lines: 

NoHostAuthenticationForLocalhost yes

Host mega
	Hostname mega.cnm.anl.gov
	User  argonne_id
	LocalForward  33301  clogin:22
	LocalForward  33380  carbon:80

Host clogin
	Hostname localhost
	User argonne_id
	Port          33301
	ForwardX11 yes
	ForwardX11Trusted yes

Argonne staff may wish to append the following to the mega section to forward access to our internal Wiki (not this one): LocalForward 33343 wiki.inside.anl.gov:443

Connecting with a config file

With the config file in place, the commands above simplify to:

1. Once:
ssh -v -N mega
2. As often as needed:
ssh clogin

Speeding up logins using ssh keys

If you do not already have an ssh private/public key pair, create one: 

homebase:/Users/home_id$ ssh-keygen -t rsa

Generating public/private rsa key pair.
Enter file in which to save the key (/Users/home_id/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /Users/home_id/.ssh/id_rsa.
Your public key has been saved in /Users/home_id/.ssh/id_rsa.pub.
The key fingerprint is:
42:c3:72:fb:4c:be:c6:80:81:bc:8b:73:d8:88:84:2e home_id@homebase.local

On modern systems, the mere presence of private keys with their default names triggers handling through ssh-agent and brings up a passphrase dialog at the start of the desktop session or when a key is first requested for an outgoing connection. This is the case on MacOS X Leopard, where key management is largely automated through its general keychain concept; on Tiger, use SSHKeychain.app.

To verify that an ssh-agent is running and visible to your shell, check for the presence of the environment variable SSH_AUTH_SOCK. To list the keys it has loaded, use ssh-add -l (lowercase "L"). Typical output is as follows:

On Linux or MacOS X Leopard and Lion
 homebase:/Users/home_id$ echo $SSH_AUTH_SOCK
 /tmp/ssh-HCvZKt5478/agent.5478
 homebase:/Users/home_id$ ssh-add -l
 1024 b9:65:98:c0:7c:25:da:b6:86:48:98:6b:2a:5a:9d:21 /Users/home_id/.ssh/id_rsa (RSA)

On older systems, you need to (a) set up the session to run under ssh agent and (b) request the passphrase upon login. Circumstances vary widely. Ask Google or your local admin for help. See also the page Getting started with SSH.

Place your public key on Carbon

To productively use your ssh key pair, you need to transfer the public half to Carbon.

Requirements:

  • you have a public/private ssh key pair on your machine (called homebase in this example).
  • the public file on homebase is named ~/.ssh/id_rsa.pub or ~/.ssh/id_dsa.pub (either one will work).
  • the ssh host alias mega has been set up on homebase in ~/.ssh/config and defines tunnels using LocalForward declarations.
  • the tunnel connection for mega is open, i.e., on homebase, ssh mega runs in another terminal.
  • the ssh alias clogin has been set up as described above.
  • an interactive session ssh clogin succeeds.

Then, to transfer your public key from homebase to the Carbon login nodes, type: 

 homebase$ cat ~/.ssh/id_rsa.pub | ssh clogin "umask 033; mkdir -p .ssh; cat >> .ssh/authorized_keys"

This command will append the contents of your ssh public key on homebase to an authorized_keys file on Carbon. The command above is more reliable than cut&paste across interactive terminal sessions. If you created a dsa-type key, or chose your own name for the key pair, you'll have to cat the appropriate file instead. Remember to use the public part of the key, i.e. the file id_foo.pub.

Troubleshooting

If public keys do not work, use your password to gain access, then check the following:

Permissions
The directories and the authorized_keys file must, at the least, not be writable by anyone except yourself; other permissions are recommended to be restrictive as well:
 /home/argonne_id$ ls -ld ~ ~/.ssh ~/.ssh/authorized_keys
 drwxr-xr-x 28 argonne_id users 4096 Feb 22 13:52 /home/argonne_id
 drwx------  4 argonne_id argonne_id 4096 Feb 18 21:25 /home/argonne_id/.ssh
 -rw-------  1 argonne_id argonne_id  829 Oct  9 10:55 /home/argonne_id/.ssh/authorized_keys
To change:
 /home/argonne_id$ chmod go-w ~
 /home/argonne_id$ chmod go-rwx ~/.ssh ~/.ssh/authorized_keys
Corruption of authorized_keys file
The file should contain public keys in OpenSSH format, one per line, without additional line breaks. One way to check is:
 /home/argonne_id $ cut -c1-50 ~/.ssh/authorized_keys
 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEjdsfjJSAHkjh88y
 ssh-dss AAAAB3NzaC1kc3MAAACBAkkjsadfJFg7EFjDJhWEjk

The output should look similar to the sample above. Use your favorite text editor to join erroneously broken lines. Note that there should not be anything like BEGIN RSA PRIVATE KEY, which would obviously indicate a private, rather than public key.

Remote graphics

At the Carbon prompt: 

login5% echo $DISPLAY

You should get something like: 

localhost:17.0
HPC 2011-06-23 xload example.png

The numeric part will vary. Now test a simple X11 program: 

xload

You should see a small window pop up on your screen. Push the window's close button or press Ctrl-C in the command line to terminate xload.

HPC 2011-06-23 gnuplot example.png

You can now use graphical applications on Carbon, for instance: 

login5% gnuplot
…
gnuplot> plot sin(x)
gnuplot> exit

File transfer

  • There are many ways to transfer files through an ssh tunnel. However, you must always initiate the connection from the remote machine (your home computer), and either push files to Carbon or pull files from Carbon.
  • With the above tunnel setup you cannot initiate a file transfer from Carbon or mega.
  • Do not use mega as an intermediate. Files stored there wil be deleted.

Copy a file to Carbon (push from outside)

scp -p foo clogin:remote/path/

Copy a whole directory to Carbon

Short of using tar or zip: 

scp -rp local/path/ clogin:remote/path/

This method does not preserve symbolic links.

Copy a file from Carbon (pull from outside)

scp -p clogin:remote/path/foo  local/path/
scp -p clogin:remote/path/foo  .

Note the trailing "." in the last example to copy to your current directory.

Reverse tunneling

The file copy operations above must all be initiated on the outside host. It is possible to set up tunnels to be able to initiate file operations on the inside. However, this is more complex and will be left as an exercise for advanced users. It involves setting up:

  1. agent forwarding
  2. a .ssh/config file on Carbon, and
  3. specifying -R command line options or RemoteForward config file directives when accessing clogin at the second stage.

Bonus – Intranet web access

Open the following links in a browser on your external workstation: 

https://localhost:33343/cnm/HPC
http://localhost:33380/
Retrieved from "https://wiki.anl.gov/wiki_cnm/index.php?title=HPC/Network_Access/SSH_Tunnel_Setup_and_Use&oldid=3540"