Difference between revisions of "Comp:ssh"

From Theochem
Line 104: Line 104:
  
 
Here <tt>nc</tt> is the ''netcat'' command that is doing the forwarding and 22 is the ssh port number.
 
Here <tt>nc</tt> is the ''netcat'' command that is doing the forwarding and 22 is the ssh port number.
 +
 +
You can now give command from your local computer directly to cn10:
 +
 +
== Use ssh to give remote commands ==
 +
With ssh you can give commands on the server, e.g.,
 +
 +
  ssh lilo7.science.ru.nl hostname
 +
 +
Slurm commands (to run batch jobs) must be given from a cluster node, and do not run on, e.g., lilo7. If you have configure ssh as described above, you can check the queue status from your local computer with
 +
 +
  ssh cn10 squeue
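
Review bot: the added sentence "You can now give command from your local computer directly to cn10:" ends in a colon but is followed by the new section heading instead of a command, so it dangles. Either drop it or move it under the heading, next to the "ssh cn10 squeue" example. Two wording fixes in the same hunk: "give command" should read "give commands", and "If you have configure ssh" should read "If you have configured ssh".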

Revision as of 10:03, 27 January 2021

With the Linux ssh command you can log on to another server. You can configure ssh so that you do not have to enter your password every time.

First make sure ssh is working

From your local Linux computer, log in to the remote server, e.g., lilo7.science.ru.nl

 ssh username@lilo7.science.ru.nl

where you will have to replace username with your own username. If your username on the remote server is the same as on your local computer you can drop it:

 ssh lilo7.science.ru.nl

You will be asked to enter your password. The first time you give this command you will be asked to confirm that you trust you are connecting to the right server. Later you will get a warning if lilo7.science.ru.nl is not the same server anymore, e.g., when your connection is being hacked or, more likely, when a mistake was made during a software upgrade on lilo7.

Login without password

First generate keys on your local computer:

 ssh-keygen

Accept all the defaults by pressing Enter (up to three times).

Now copy the local key to the remote server, e.g., to lilo7.science.ru.nl

 ssh-copy-id username@lilo7.science.ru.nl

You will have to enter your password, but the next time you log on with ssh you will not be asked for your password again.

Warning: if someone can break into your local computer, they will now also have access to lilo7.science.ru.nl

A more secure solution is to protect your private key with a passphrase:

Using a passphrase and an ssh-agent for security and ease

Your keys are kept in files in the .ssh directory, e.g.,

 % ls -l ~/.ssh
 -rw------- 1 gerritg gerritg  1766 May 19  2020 id_rsa
 -rw-r----- 1 gerritg gerritg   395 May 19  2020 id_rsa.pub

The public key id_rsa.pub is added to the authorized_keys file in the .ssh directory on the remote server. Above we used the ssh-copy-id command to do that. Before we protect the keys, first remove the keys we just made. On the local computer:

 cd ~/.ssh
 rm id_rsa id_rsa.pub

and on the remote server (e.g. lilo7):

 cd ~/.ssh
 rm authorized_keys

If you have more than one key in authorized_keys, use an editor to remove keys.
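
As an alternative to editing authorized_keys by hand, the following added example (not part of the original page) removes only the entry that matches a given public key file. It compares the base64 key data rather than the comment; the function name `remove_authorized_key` and the sample key strings are made up for illustration.

```shell
#!/bin/sh
# remove_authorized_key PUBKEY_FILE AUTHORIZED_KEYS_FILE   (hypothetical helper)
# Deletes every entry whose base64 key data equals the key in PUBKEY_FILE.
# Other keys, comment lines and blank lines are kept.
# Prints the number of entries removed.
remove_authorized_key() {
    rk_pub=$1
    rk_auth=$2
    # A public key line is "[options] type base64-data [comment]".
    # The base64 data identifies the key; the trailing comment does not.
    rk_blob=$(awk '{ for (i = 1; i < NF; i++)
                       if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $(i + 1); exit } }' "$rk_pub")
    [ -n "$rk_blob" ] || { echo "no key found in $rk_pub" >&2; return 2; }
    # Write the kept lines to a private temp file next to the original,
    # then replace the original in one step.
    rk_tmp=$(mktemp "$rk_auth.XXXXXX") || return 2
    chmod 600 "$rk_tmp"
    rk_removed=$(awk -v blob="$rk_blob" -v out="$rk_tmp" '
        { hit = 0; for (i = 1; i <= NF; i++) if ($i == blob) hit = 1 }
        hit { n++; next }
        { print > out }
        END { print n + 0 }' "$rk_auth") || { rm -f "$rk_tmp"; return 2; }
    mv "$rk_tmp" "$rk_auth"
    echo "$rk_removed"
}

# Demo on constructed sample data (placeholder strings, not real keys).
rk_demo=$(mktemp -d)
printf '%s\n' 'ssh-rsa AAAAconstructedOLDkey user@laptop' > "$rk_demo/old.pub"
printf '%s\n' \
    'ssh-rsa AAAAconstructedOLDkey user@laptop' \
    'ssh-ed25519 AAAAconstructedKEEPkey user@desktop' > "$rk_demo/authorized_keys"
echo "removed: $(remove_authorized_key "$rk_demo/old.pub" "$rk_demo/authorized_keys")"
cat "$rk_demo/authorized_keys"
rm -rf "$rk_demo"
```

On the remote server you would call it as `remove_authorized_key old_key.pub ~/.ssh/authorized_keys`, with a copy of the public key you want to revoke.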

Now, on your local computer re-generate the keys

 ssh-keygen

Accept the default file .ssh/id_rsa with Enter, and then enter a passphrase.

Now copy your public key again to lilo7 with the ssh-copy-id command, and try ssh to lilo7. Instead of your password, you will now have to enter your passphrase. Even if your passphrase is the same as your password, this is more secure, because your passphrase will never leave your computer. However, you will now have to re-enter your passphrase every time you log on.
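
To check that a key file on disk really is passphrase-protected, you can inspect its header. This is an added example, not part of the original page; the function name `key_protection` is hypothetical, and it relies only on the layout of OpenSSH and PEM private key files (cipher name `none`, or a legacy PEM file without a `Proc-Type: 4,ENCRYPTED` header, means unprotected).

```shell
#!/bin/sh
# key_protection FILE   (hypothetical helper)
# Prints "encrypted", "unencrypted" or "unknown" for a private key file.
key_protection() {
    kp_file=$1
    kp_first=$(head -n 1 "$kp_file" 2>/dev/null) || { echo unknown; return 2; }
    case $kp_first in
    '-----BEGIN OPENSSH PRIVATE KEY-----')
        # The decoded body starts with "openssh-key-v1\0", a 4-byte length
        # and the cipher name. Turning control bytes (NULs, length bytes)
        # into newlines makes the cipher name the second non-empty token.
        kp_cipher=$(sed '/^-----/d' "$kp_file" | base64 -d 2>/dev/null |
            head -c 64 | LC_ALL=C tr '\000-\037' '\n' |
            LC_ALL=C awk 'length($0) { n++ } n == 2 { print; exit }')
        case $kp_cipher in
            none) echo unencrypted ;;
            '')   echo unknown ;;
            *)    echo encrypted ;;
        esac ;;
    '-----BEGIN ENCRYPTED PRIVATE KEY-----')
        echo encrypted ;;                      # PKCS#8, encrypted
    '-----BEGIN PRIVATE KEY-----')
        echo unencrypted ;;                    # PKCS#8, plain
    '-----BEGIN '*' PRIVATE KEY-----')
        # Legacy PEM (RSA/DSA/EC): encrypted keys carry a Proc-Type header.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$kp_file"; then
            echo encrypted
        else
            echo unencrypted
        fi ;;
    *)
        echo unknown ;;
    esac
}

# Demo on a constructed header (not a real key) whose cipher name is "none".
kp_demo=$(mktemp)
{ printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----'
  printf 'openssh-key-v1\000\000\000\000\004none\000\000\000\004none' | base64
  printf '%s\n' '-----END OPENSSH PRIVATE KEY-----'; } > "$kp_demo"
echo "constructed sample: $(key_protection "$kp_demo")"
rm -f "$kp_demo"
```

Run it as `key_protection ~/.ssh/id_rsa`; after the steps above it should print `encrypted`.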

The next step is to use an ssh-agent to remember your passphrase until you log out, so you don't have to enter it too often.

Using an ssh-agent

Start the agent, and give it your passphrase

 eval `ssh-agent`
 ssh-add

Now see if it works:

 ssh lilo7.science.ru.nl

The agent remembers your passphrase until you log out. To save some typing, you can define a function in your .bashrc

 function agent () {
   eval `ssh-agent`
   ssh-add
 }

so you will only have to enter agent to start the ssh-agent.

You can save a few more key-strokes by using the ssh configuration file:

Configuring ssh

When ssh starts it reads the configuration file ~/.ssh/config

Add these lines to this file:

 Host lilo7
    Hostname lilo7.science.ru.nl

If your username is different on lilo7 you can also add a line, right after Hostname, with

    User username_on_lilo7

From your local computer you cannot log in directly to a cluster node, e.g., cn10.science.ru.nl. You first have to go to a login server (lilo7 or lilo6, etc.), and from there you can ssh to other servers on the network.

You can configure ssh to do this for you. On your local computer, add this to your ~/.ssh/config file:

 Host cn10
    ProxyCommand ssh -q lilo7 nc -q0 cn10.science.ru.nl 22

This assumes you have defined lilo7 in the config file as well. You should now be able to directly ssh to cn10 from your local computer:

 ssh cn10

Here nc is the netcat command that is doing the forwarding and 22 is the ssh port number.

You can now give commands from your local computer directly to cn10.

Use ssh to give remote commands

With ssh you can give commands on the server, e.g.,

 ssh lilo7.science.ru.nl hostname

Slurm commands (to run batch jobs) must be given from a cluster node, and do not run on, e.g., lilo7. If you have configured ssh as described above, you can check the queue status from your local computer with

 ssh cn10 squeue