HPC/Network Access/SSH Tunnel Setup and Use: Difference between revisions

From CNM Wiki
Jump to navigation Jump to search
mNo edit summary
Line 3: Line 3:
== Manual setup ==
== Manual setup ==
[[Image:HPC 2012-02-06 screenshot sketch ssh tunneling windows.png|350px|right]]
[[Image:HPC 2012-02-06 screenshot sketch ssh tunneling windows.png|350px|right]]
On your own computer, run the following commands:
'''On your computer''', run the following commands:


0. (Windows only) Start your X11 server if you have one.
0. (Windows only) Start your X11 server if you have one.
Line 23: Line 23:


== Using an ssh config file ==
== Using an ssh config file ==
To simplify making connections, use an ssh configuration file.
To simplify making connections from your computer, create or use an ssh configuration file there.


=== Config file contents ===
=== Config file contents ===
On your own computer, create or modify the file <code>~/.ssh/config</code> and add the following lines:
'''On your computer''':
* Close any Carbon windows opened previously.
* Create or modify the file <code>~/.ssh/config</code> and add the following lines, replacing <code>''username''</code> with your Argonne account name.
  NoHostAuthenticationForLocalhost yes
  NoHostAuthenticationForLocalhost yes
   
   
Line 41: Line 43:
  ForwardX11        yes
  ForwardX11        yes
  ForwardX11Trusted yes
  ForwardX11Trusted yes
See "man ssh_config" for detailed documentation.


Make sure to remove for anyone but you write permissions to the config file, its parent directory, and your home:
* Remove write permissions to the config file, its parent directory, and your home for anyone but you:
  chmod go-rwx ~/.ssh ~/.ssh/config
  chmod go-rwx ~/.ssh ~/.ssh/config
  chmod go-w ~
  chmod go-w ~
* Advanced users: See the ssh_config man page for syntax and options of the config file.


=== Connecting with a config file ===
=== Connecting with a config file ===
With the config file in place, the commands above simplify to:
With the config file in place, the commands in section [[#Manual setup]] above simplify to:


: 1. Once:
: 1. Once:
Line 56: Line 59:
  <font color="darkgreen">ssh clogin</font>
  <font color="darkgreen">ssh clogin</font>


== Remote graphics ==
== Test remote graphics using X11 ==
At the Carbon prompt:
* In a terminal '''connected to a Carbon login node''', run the command:
  login5% '''echo $DISPLAY'''
  echo $DISPLAY
You should get something like:
: You should get something like:
  localhost:''17.0''
  localhost:''17.0''
[[Image:HPC 2011-06-23 xload example.png|right|60px]]
[[Image:HPC 2011-06-23 xload example.png|right|60px]]
The numeric part will vary. Now test a simple X11 program:
: The numeric part will vary.
* Start a simple X11 program:
  xload
  xload
You should see a small window pop up on your screen. Push the window's close button or press Ctrl-C in the command line to terminate xload.
: You should see a small window pop up on your screen.
* Close the window using its close button or press Ctrl-C in the terminal window.


[[Image:HPC 2011-06-23 gnuplot example.png|right|300px]]
[[Image:HPC 2011-06-23 gnuplot example.png|right|300px]]
You can now use graphical applications on Carbon, for instance:
 
  login5% '''gnuplot'''
* You can now use graphical applications on Carbon, for instance:
  gnuplot
  gnuplot> '''plot sin(x)'''
: This will start the gnuplot interpreter in a terminal.
  gnuplot> '''exit'''
* Create a sample plot:
  plot sin(x)
* To exit the program:
  exit


== File transfer ==
== File transfer ==
Line 110: Line 118:
=== Create a key ===
=== Create a key ===
Create an ssh key pair key ''if you do not already have one'' :
Create an ssh key pair key ''if you do not already have one'' :
  <font color="green">homebase</font>:/Users/home_id$ <strong>ssh-keygen -t rsa</strong>
  <font color="green">yourcomputer</font>:/Users/home_id$ <strong>ssh-keygen -t rsa</strong>
The output will look like:
The output will look like:
  Generating public/private rsa key pair.
  Generating public/private rsa key pair.
Line 120: Line 128:
  Your public key has been saved in /Users/home_id/.ssh/id_rsa.pub.
  Your public key has been saved in /Users/home_id/.ssh/id_rsa.pub.
  The key fingerprint is:
  The key fingerprint is:
  42:c3:72:fb:4c:be:c6:80:81:bc:8b:73:d8:88:84:2e home_id@<font color="green">homebase</font>.local
  42:c3:72:fb:4c:be:c6:80:81:bc:8b:73:d8:88:84:2e home_id@<font color="green">yourcomputer</font>.local


=== Using an ssh-agent ===
=== Using an ssh-agent ===
Line 132: Line 140:


Requirements:
Requirements:
* you have a public/private ssh key pair on your machine (called '''<font color="green">homebase</font>''' in this example).
* you have a public/private ssh key pair on your machine (called '''<font color="green">yourcomputer</font>''' in this example).
* the public file on '''<font color="green">homebase</font>''' is named <code>~/.ssh/id_rsa.pub</code> or  <code>~/.ssh/id_dsa.pub</code> (either one will work).
* the public file on '''<font color="green">yourcomputer</font>''' is named <code>~/.ssh/id_rsa.pub</code> or  <code>~/.ssh/id_dsa.pub</code> (either one will work).
* the ssh host alias <code><font color="red">mega</font></code> has been set up on '''<font color="green">homebase</font>''' in <code>~/.ssh/config</code> and defines tunnels using <code>LocalForward</code> declarations.
* the ssh host alias <code><font color="red">mega</font></code> has been set up on '''<font color="green">yourcomputer</font>''' in <code>~/.ssh/config</code> and defines tunnels using <code>LocalForward</code> declarations.
* the tunnel connection for '''<font color="red">mega</font>''' is open, i.e., on '''<font color="green">homebase</font>''', <code>ssh mega</code> runs in another terminal.
* the tunnel connection for '''<font color="red">mega</font>''' is open, i.e., on '''<font color="green">yourcomputer</font>''', <code>ssh mega</code> runs in another terminal.
* the ssh alias <code>clogin</code> has been set up as described above.
* the ssh alias <code>clogin</code> has been set up as described above.
* an interactive session <code>ssh clogin</code> succeeds.
* an interactive session <code>ssh clogin</code> succeeds.


<br clear="all" />
<br clear="all" />
Then, to transfer your public key from '''<font color="green">homebase</font>''' to the Carbon login nodes, type:
Then, to transfer your public key from '''<font color="green">yourcomputer</font>''' to the Carbon login nodes, type:
   <font color="green">homebase</font>$ <strong>cat ~/.ssh/id_rsa.pub | ssh clogin "umask 033; mkdir -p .ssh; cat >> .ssh/authorized_keys"</strong>
   <font color="green">yourcomputer</font>$ <strong>cat ~/.ssh/id_rsa.pub | ssh clogin "umask 033; mkdir -p .ssh; cat >> .ssh/authorized_keys"</strong>
This command will append the contents of your ssh public key on '''<font color="green">homebase</font>''' to an <code>authorized_keys</code> file on Carbon.  The command above is more reliable than cut&paste across interactive terminal sessions.  If you created a dsa-type key, or chose your own name for the key pair, you'll have to cat the appropriate file instead.  Remember to use the ''public'' part of the key, i.e. the file <code>id_foo.pub</code>.
This command will append the contents of your ssh public key on '''<font color="green">yourcomputer</font>''' to an <code>authorized_keys</code> file on Carbon.  The command above is more reliable than cut&paste across interactive terminal sessions.  If you created a dsa-type key, or chose your own name for the key pair, you'll have to cat the appropriate file instead.  Remember to use the ''public'' part of the key, i.e. the file <code>id_foo.pub</code>.


=== Troubleshooting ===
=== Troubleshooting ===
Line 155: Line 163:
  <font color="blue">login5</font>$ '''chmod <font color="red">go-rwx</font> ~/.ssh ~/.ssh/authorized_keys'''
  <font color="blue">login5</font>$ '''chmod <font color="red">go-rwx</font> ~/.ssh ~/.ssh/authorized_keys'''
; Corruption of <code>authorized_keys</code> file: The file should contain public keys in OpenSSH format, ''one per line'', without additional line breaks.  One way to check is:
; Corruption of <code>authorized_keys</code> file: The file should contain public keys in OpenSSH format, ''one per line'', without additional line breaks.  One way to check is:
  <font color="green">homebase</font>$ <strong>cut -c1-50 ~/.ssh/authorized_keys</strong>
  <font color="green">yourcomputer</font>$ <strong>cut -c1-50 ~/.ssh/authorized_keys</strong>
  ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEjdsfjJSAHkjh88y
  ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEjdsfjJSAHkjh88y
  ssh-dss AAAAB3NzaC1kc3MAAACBAkkjsadfJFg7EFjDJhWEjk
  ssh-dss AAAAB3NzaC1kc3MAAACBAkkjsadfJFg7EFjDJhWEjk
Line 162: Line 170:
; Verify that an ssh-agent is running:
; Verify that an ssh-agent is running:
To verify that an ssh-agent is running and visible to your shell, check for the presence of the environment variable <code>SSH_AUTH_SOCK</code>.  To list the keys it has loaded, use <code>ssh-add -l</code> (lowercase "L").  Typical output is as follows:
To verify that an ssh-agent is running and visible to your shell, check for the presence of the environment variable <code>SSH_AUTH_SOCK</code>.  To list the keys it has loaded, use <code>ssh-add -l</code> (lowercase "L").  Typical output is as follows:
  <font color="green">homebase</font>$ '''echo $SSH_AUTH_SOCK'''
  <font color="green">yourcomputer</font>$ '''echo $SSH_AUTH_SOCK'''
  /tmp/ssh-HCvZKt5478/agent.5478
  /tmp/ssh-HCvZKt5478/agent.5478
  <font color="green">homebase</font>$ '''ssh-add -l'''
  <font color="green">yourcomputer</font>$ '''ssh-add -l'''
  1024 b9:65:98:c0:7c:25:da:b6:86:48:98:6b:2a:5a:9d:21 /Users/home_id/.ssh/id_rsa (RSA)
  1024 b9:65:98:c0:7c:25:da:b6:86:48:98:6b:2a:5a:9d:21 /Users/home_id/.ssh/id_rsa (RSA)


[[Category:HPC|Network]]
[[Category:HPC|Network]]

Revision as of 04:37, February 16, 2012

The following sections document how to establish ssh tunneling on a Linux or MacOS X machine running OpenSSH. Numerous Windows solutions are available to provide the same functionality, but details vary considerably.

Manual setup

HPC 2012-02-06 screenshot sketch ssh tunneling windows.png

On your computer, run the following commands:

0. (Windows only) Start your X11 server if you have one.

1. Open a terminal window (such as Mac Terminal, Cygwin, PuTTY, or xterm).

2. Type: 

ssh -v -N -L 33301:clogin:22  username@mega.cnm.anl.gov

3. Minimize that window - no further commands need be typed there.

4. Open another terminal window.

5. Type: 

ssh -Y -p 33301 username@localhost
  • Replace username by the name of your Argonne account name.
  • Steps 4 and 5 can be repeated as often as desired.

Using an ssh config file

To simplify making connections from your computer, create or use an ssh configuration file there.

Config file contents

On your computer:

  • Close any Carbon windows opened previously.
  • Create or modify the file ~/.ssh/config and add the following lines, replacing username with your Argonne account name.
NoHostAuthenticationForLocalhost yes

Host mega
	Hostname mega.cnm.anl.gov
	User              username
	LocalForward      33301  clogin:22
	LocalForward      33380  carbon:80

Host clogin
	Hostname localhost
	User              username
	Port              33301
	ForwardX11        yes
	ForwardX11Trusted yes
  • Remove write permissions to the config file, its parent directory, and your home for anyone but you:
chmod go-rwx ~/.ssh ~/.ssh/config
chmod go-w ~
  • Advanced users: See the ssh_config man page for syntax and options of the config file.

Connecting with a config file

With the config file in place, the commands in section #Manual setup above simplify to:

1. Once:
ssh -v -N mega
2. As often as needed:
ssh clogin

Test remote graphics using X11

  • In a terminal connected to a Carbon login node, run the command:
echo $DISPLAY
You should get something like:
localhost:17.0
HPC 2011-06-23 xload example.png
The numeric part will vary.
  • Start a simple X11 program:
xload
You should see a small window pop up on your screen.
  • Close the window using its close button or press Ctrl-C in the terminal window.
HPC 2011-06-23 gnuplot example.png
  • You can now use graphical applications on Carbon, for instance:
gnuplot
This will start the gnuplot interpreter in a terminal.
  • Create a sample plot:
plot sin(x)
  • To exit the program:
exit

File transfer

  • There are many ways to transfer files through an ssh tunnel. However, you must always initiate the connection from the remote machine (your home computer), and either push files to Carbon or pull files from Carbon.
  • With the above tunnel setup you cannot initiate a file transfer from Carbon or mega.
  • Do not use mega as an intermediate. Files stored there wil be deleted.

Example commands on your machine

Copy a file to Carbon (push from outside)

scp -p foo clogin:remote/path/

Copy a whole directory to Carbon

Short of using tar or zip: 

scp -rp local/path/ clogin:remote/path/

This method does not preserve symbolic links.

Copy a file from Carbon (pull from outside)

scp -p clogin:remote/path/foo  local/path/
scp -p clogin:remote/path/foo  .

Note the trailing "." in the last example to copy to your current directory.

Reverse tunneling

The file copy operations above must all be initiated on the outside host. It is possible to set up tunnels to be able to initiate file operations on the inside. However, this is more complex and will be left as an exercise for advanced users. It involves setting up:

  1. agent forwarding
  2. a .ssh/config file on Carbon, and
  3. specifying -R command line options or RemoteForward config file directives when accessing clogin at the second stage.

Bonus – Intranet web access

Open the following links in a browser on your external workstation: 

https://localhost:33343/cnm/HPC
http://localhost:33380/

Advanced: Speeding up logins using ssh keys

Create a key

Create an ssh key pair key if you do not already have one : 

yourcomputer:/Users/home_id$ ssh-keygen -t rsa

The output will look like: 

Generating public/private rsa key pair.
Enter file in which to save the key (/Users/home_id/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase):              <-- Choose and enter a password.
Enter same passphrase again: 

Your identification has been saved in /Users/home_id/.ssh/id_rsa.
Your public key has been saved in /Users/home_id/.ssh/id_rsa.pub.
The key fingerprint is:
42:c3:72:fb:4c:be:c6:80:81:bc:8b:73:d8:88:84:2e home_id@yourcomputer.local

Using an ssh-agent

On modern systems, the mere presence of private keys with their default names triggers handling through ssh-agent and brings up a passphrase dialog at the start of the desktop session or when a key is first requested for an outgoing connection. This is the case on MacOS X Leopard, where key management is largely automated through its general keychain concept; on Tiger, use SSHKeychain.app.

On older systems, you need to (a) set up the session to run under ssh agent and (b) request the passphrase upon login. Circumstances vary widely. Ask Google or your local admin for help. See also the page Getting started with SSH.

Place your public key on Carbon

Password dialog on connecting to clogin once keys are in place.

To productively use your ssh key pair, you need to transfer the public half to Carbon.

Requirements:

  • you have a public/private ssh key pair on your machine (called yourcomputer in this example).
  • the public file on yourcomputer is named ~/.ssh/id_rsa.pub or ~/.ssh/id_dsa.pub (either one will work).
  • the ssh host alias mega has been set up on yourcomputer in ~/.ssh/config and defines tunnels using LocalForward declarations.
  • the tunnel connection for mega is open, i.e., on yourcomputer, ssh mega runs in another terminal.
  • the ssh alias clogin has been set up as described above.
  • an interactive session ssh clogin succeeds.


Then, to transfer your public key from yourcomputer to the Carbon login nodes, type: 

 yourcomputer$ cat ~/.ssh/id_rsa.pub | ssh clogin "umask 033; mkdir -p .ssh; cat >> .ssh/authorized_keys"

This command will append the contents of your ssh public key on yourcomputer to an authorized_keys file on Carbon. The command above is more reliable than cut&paste across interactive terminal sessions. If you created a dsa-type key, or chose your own name for the key pair, you'll have to cat the appropriate file instead. Remember to use the public part of the key, i.e. the file id_foo.pub.

Troubleshooting

If public keys do not work, use your password to gain access, then check the following:

Permissions
The directories and the authorized_keys file must, at the least, not be writable by anyone except yourself; other permissions are recommended to be restrictive as well:
login5$ ls -ld ~ ~/.ssh ~/.ssh/authorized_keys
drwxr-xr-x 28 argonne_id users 4096 Feb 22 13:52 /home/argonne_id
drwx------  4 argonne_id argonne_id 4096 Feb 18 21:25 /home/argonne_id/.ssh
-rw-------  1 argonne_id argonne_id  829 Oct  9 10:55 /home/argonne_id/.ssh/authorized_keys
To change:
login5$ chmod go-w ~
login5$ chmod go-rwx ~/.ssh ~/.ssh/authorized_keys
Corruption of authorized_keys file
The file should contain public keys in OpenSSH format, one per line, without additional line breaks. One way to check is:
yourcomputer$ cut -c1-50 ~/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEjdsfjJSAHkjh88y
ssh-dss AAAAB3NzaC1kc3MAAACBAkkjsadfJFg7EFjDJhWEjk

The output should look similar to the sample above. Use your favorite text editor to join erroneously broken lines. Note that there should not be anything like BEGIN RSA PRIVATE KEY, which would obviously indicate a private, rather than public key.

Verify that an ssh-agent is running

To verify that an ssh-agent is running and visible to your shell, check for the presence of the environment variable SSH_AUTH_SOCK. To list the keys it has loaded, use ssh-add -l (lowercase "L"). Typical output is as follows: 

yourcomputer$ echo $SSH_AUTH_SOCK
/tmp/ssh-HCvZKt5478/agent.5478
yourcomputer$ ssh-add -l
1024 b9:65:98:c0:7c:25:da:b6:86:48:98:6b:2a:5a:9d:21 /Users/home_id/.ssh/id_rsa (RSA)
Retrieved from "https://wiki.anl.gov/wiki_cnm/index.php?title=HPC/Network_Access/SSH_Tunnel_Setup_and_Use&oldid=3592"