HPC/Network Access/SSH Tunnel Setup and Use: Difference between revisions

The following sections document how to establish ssh tunneling on a Linux or MacOS X machine running OpenSSH. Numerous Windows solutions are available to provide the same functionality, but details vary considerably.

Manual setup

On your own computer, run the following commands:

0. (Windows only) Start your X11 server if you have one.

1. Open a terminal window (such as Mac Terminal, Cygwin, PuTTY, or xterm).

2. Type:

ssh -v -N -L 33301:clogin:22  username@mega.cnm.anl.gov

3. Minimize that window - no further commands need be typed there.

4. Open another terminal window.

5. Type:

ssh -Y -p 33301 username@localhost

• Replace username by the name of your Argonne account name.
• Steps 4 and 5 can be repeated as often as desired.

Using an ssh config file

To simplify making connections, use an ssh configuration file.

Config file contents

On your own computer, create or modify the file ~/.ssh/config and add the following lines:

NoHostAuthenticationForLocalhost yes

Host mega
	Hostname mega.cnm.anl.gov
	User              username
	LocalForward      33301  clogin:22
	LocalForward      33380  carbon:80

Host clogin
	Hostname localhost
	User              username
	Port              33301
	ForwardX11        yes
	ForwardX11Trusted yes

See "man ssh_config" for detailed documentation.

Make sure to remove for anyone but you write permissions to the config file, its parent directory, and your home:

chmod go-rwx ~/.ssh ~/.ssh/config
chmod go-w ~

Connecting with a config file

With the config file in place, the commands above simplify to:

1. Once:

ssh -v -N mega

2. As often as needed:

ssh clogin

Remote graphics

At the Carbon prompt:

login5% echo $DISPLAY

You should get something like:

localhost:17.0

The numeric part will vary. Now test a simple X11 program:

xload

You should see a small window pop up on your screen. Push the window's close button or press Ctrl-C in the command line to terminate xload.

You can now use graphical applications on Carbon, for instance:

login5% gnuplot
…
gnuplot> plot sin(x)
gnuplot> exit

File transfer

• There are many ways to transfer files through an ssh tunnel. However, you must always initiate the connection from the remote machine (your home computer), and either push files to Carbon or pull files from Carbon.
• With the above tunnel setup you cannot initiate a file transfer from Carbon or mega.
• Do not use mega as an intermediate. Files stored there wil be deleted.

Copy a file to Carbon (push from outside)

scp -p foo clogin:remote/path/

Copy a whole directory to Carbon

Short of using tar or zip:

scp -rp local/path/ clogin:remote/path/

This method does not preserve symbolic links.

Copy a file from Carbon (pull from outside)

scp -p clogin:remote/path/foo  local/path/
scp -p clogin:remote/path/foo  .

Note the trailing "." in the last example to copy to your current directory.

Reverse tunneling

The file copy operations above must all be initiated on the outside host. It is possible to set up tunnels to be able to initiate file operations on the inside. However, this is more complex and will be left as an exercise for advanced users. It involves setting up:

1. agent forwarding
2. a .ssh/config file on Carbon, and
3. specifying -R command line options or RemoteForward config file directives when accessing clogin at the second stage.

Bonus – Intranet web access

Open the following links in a browser on your external workstation:

https://localhost:33343/cnm/HPC
http://localhost:33380/

Advanced: Speeding up logins using ssh keys

If you do not already have an ssh private/public key pair, create one:

homebase:/Users/home_id$ ssh-keygen -t rsa

Generating public/private rsa key pair.
Enter file in which to save the key (/Users/home_id/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /Users/home_id/.ssh/id_rsa.
Your public key has been saved in /Users/home_id/.ssh/id_rsa.pub.
The key fingerprint is:
42:c3:72:fb:4c:be:c6:80:81:bc:8b:73:d8:88:84:2e home_id@homebase.local

On modern systems, the mere presence of private keys with their default names triggers handling through ssh-agent and brings up a passphrase dialog at the start of the desktop session or when a key is first requested for an outgoing connection. This is the case on MacOS X Leopard, where key management is largely automated through its general keychain concept; on Tiger, use SSHKeychain.app.

To verify that an ssh-agent is running and visible to your shell, check for the presence of the environment variable SSH_AUTH_SOCK. To list the keys it has loaded, use ssh-add -l (lowercase "L"). Typical output is as follows:

On Linux or MacOS X Leopard and Lion

 homebase:/Users/home_id$ echo $SSH_AUTH_SOCK
 /tmp/ssh-HCvZKt5478/agent.5478
 homebase:/Users/home_id$ ssh-add -l
 1024 b9:65:98:c0:7c:25:da:b6:86:48:98:6b:2a:5a:9d:21 /Users/home_id/.ssh/id_rsa (RSA)
 

On older systems, you need to (a) set up the session to run under ssh agent and (b) request the passphrase upon login. Circumstances vary widely. Ask Google or your local admin for help. See also the page Getting started with SSH.

Place your public key on Carbon

To productively use your ssh key pair, you need to transfer the public half to Carbon.

Requirements:

• you have a public/private ssh key pair on your machine (called homebase in this example).
• the public file on homebase is named ~/.ssh/id_rsa.pub or ~/.ssh/id_dsa.pub (either one will work).
• the ssh host alias mega has been set up on homebase in ~/.ssh/config and defines tunnels using LocalForward declarations.
• the tunnel connection for mega is open, i.e., on homebase, ssh mega runs in another terminal.
• the ssh alias clogin has been set up as described above.
• an interactive session ssh clogin succeeds.

Then, to transfer your public key from homebase to the Carbon login nodes, type:

 homebase$ cat ~/.ssh/id_rsa.pub | ssh clogin "umask 033; mkdir -p .ssh; cat >> .ssh/authorized_keys"

This command will append the contents of your ssh public key on homebase to an authorized_keys file on Carbon. The command above is more reliable than cut&paste across interactive terminal sessions. If you created a dsa-type key, or chose your own name for the key pair, you'll have to cat the appropriate file instead. Remember to use the public part of the key, i.e. the file id_foo.pub.

Troubleshooting

If public keys do not work, use your password to gain access, then check the following:

Permissions

The directories and the authorized_keys file must, at the least, not be writable by anyone except yourself; other permissions are recommended to be restrictive as well:

 /home/argonne_id$ ls -ld ~ ~/.ssh ~/.ssh/authorized_keys
 drwxr-xr-x 28 argonne_id users 4096 Feb 22 13:52 /home/argonne_id
 drwx------  4 argonne_id argonne_id 4096 Feb 18 21:25 /home/argonne_id/.ssh
 -rw-------  1 argonne_id argonne_id  829 Oct  9 10:55 /home/argonne_id/.ssh/authorized_keys

To change:

 /home/argonne_id$ chmod go-w ~
 /home/argonne_id$ chmod go-rwx ~/.ssh ~/.ssh/authorized_keys

Corruption of authorized_keys file

The file should contain public keys in OpenSSH format, one per line, without additional line breaks. One way to check is:

 /home/argonne_id $ cut -c1-50 ~/.ssh/authorized_keys
 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEjdsfjJSAHkjh88y
 ssh-dss AAAAB3NzaC1kc3MAAACBAkkjsadfJFg7EFjDJhWEjk

The output should look similar to the sample above. Use your favorite text editor to join erroneously broken lines. Note that there should not be anything like BEGIN RSA PRIVATE KEY, which would obviously indicate a private, rather than public key.