TODO when no more draft {{See also|[[FAQ]]}} {{Portal|Admin}} {{Portal|User}} {{Portal|Service}} {{Portal|Tutorial}}

Overview

SSH is a widely used network protocol to establish a secure communication channel to a remote machine. Its most common use is to get shell access (be able to type command-line commands) on a remote server.

When connecting to a remote machine, the standard way to authenticate is via the remote account's login and password. However, this authentication schema is disabled on Grid'5000 for security reasons (as it is often subject to brute-force attacks). Instead, SSH is used with a key-based authentication mechanism to gain access to the platform, and ssh keys are the recommended authentication method even inside Grid'5000.

It can also be used to transfer files (using SCP, SFTP or RSYNC), connect securely to network services on the remote network (using SSH tunnels or a SSH-based VPN), and even execute graphical applications remotely (using X forwarding).

This documentation is designed to teach you the basics as recommended for use in the Grid'5000 context.

Generating keys for use with Grid'5000

Linux and Mac users

Most Linux distribution and Mac OS variants come with the ssh and ssh-keygen command line utilities. Generating a key-pair is simply a matter of running the ssh-keygen and supplying a passphrase. To access Grid'5000 using ssh, you must use a key-pair that whose private key is passphrase protected.

user-machine:

ssh-keygen -t rsa

If you follow the defaults, you now have a public key stored in the ~/.ssh/id_rsa.pub file. You can use it when requesting an account or to update your profile.

Windows users

• All Windows versions with PuTTYgen

The basic steps for Windows users are well documented in the page Inria maintains for gforge users. You'll only need to remember that the key you generate don't need to be uploaded to InriaGforge, but to the Account management form or the Account request form.

• Since Windows 10, there is new SSH client usage possibilities
  • A native OpenSSH (client and server) could be installed. See OpenSSH installation and first use Microsoft documentation
  • Windows Subsystem for Linux (WSL) is available to use a complete Linux distribution and thus a complete OpenSSH client too. See about WSL Microsoft documentation

So ssh-keygen command is available, and could be used as in Linux and Mac OS.

Basic configuration for Grid'5000

After having looked at the explanations above, you might be wondering how servers can get a copy of your public key if you can not connect to them to put it there. In Grid'5000, the answer depends on the type of server.

Access machine configuration

You have to upload your previously generated public key (/home/login/.ssh/id_rsa.pub) using the Account Management Interface or the Account request form.

Access machines update the repository of trusted keys they use regularly from the user database.

The following command should therefore connect you to Grid'5000 if you have access to a ssh command and that it has access to the private part of the public key you uploaded on the Account management form. If not, please refer to the ssh access from windows paragraph.

outside:

ssh login@access.grid5000.fr

You might be using more than one key, or have given a specific name to the key used for Grid'5000. In this case, you must be particularly careful about access rights given to the key and the directory it is stored in (see .ssh access rights). Please use:

outside:

ssh -i ~/path/to/your/g5k_private_key login@access.grid5000.fr

You should be able to check the list of keys configured from your account with the following command.

access:

cat .ssh/authorized_keys

Site frontend machines

Looking at the general configuration for your account on the access machine, you'll find some additional files:

access:

ls .ssh/

The id_rsa and id_rsa.pub files are a passphrase-less pair of keys that where automatically configured for you when your account was created. The public part of that key was added to the repository of trusted keys for all access machines, as you can see when running

access:

cat nancy/.ssh/authorized_keys

The configuration allows you to connect to site frontends using either the key generated for you (internal key), or the key used to access the access machine (external key). The recommended configuration is to passphrase-protect the external key, but not the internal key.

Reserved machines

When you have reserved machines, you'll be in one of the following 3 cases

• you did not request a classical_ssh or deploy job type : oar will have generated a keypair for your job, that will be used transparently for you if you are using oarsh, a wrapper for ssh.
• you requested a classical_ssh job type: the ssh config on nodes is to use the .ssh directory your homedir as trusted sources of authorized keys, and ssh configuration is dynamically updated to allow you to connect.
• you requested a deploy job type. Nothing has been done to allow you to connect on nodes. When you deploy an environment, the -k option of kadeploy3 will copy the authorized_keys of your home directory on the site to the ssh configuration of the root account of the deployed nodes.

Use SSH to connect to another site

access:

ssh nancy

The figure below shows how you just connected from your local machine to access, and then to the site frontend in nancy. Site frontends (named fsite.site.grid5000.fr or simply site.grid5000.fr) are the machines you will use to interact with Grid'5000 tools such as OAR and Kadeploy.

Those machines are virtual machines, and must not be used for CPU or I/O intensive tasks (nodes must be reserved and used instead).

More advanced SSH usage

files copy

Grid'5000 users have home directories in every Grid'5000 sites. But each site home directory is accessible in the access machines in a directory named after the site name.

To copy myfile from my workstation to my nancy home:

workstation:

scp myfile jdoe@access.grid5000.fr:nancy

To copy myremotefile from my lyon home to my workstation:

workstation:

scp jdoe@access.grid5000.fr:lyon/myremotefile /tmp

To copy mydir from my workstation to my nancy home:

workstation:

scp -r mydir jdoe@access.grid5000.fr:nancy

rsync files copy/synchronisation

Copying mydir to my rennes home with rsync through SSH:

workstation:

rsync -avz mydir jdoe@access.grid5000.fr:rennes/mydir

tar/ssh files copy

Copying mydir to my rennes home with tar through SSH:

workstation:

tar c mydir | ssh jdoe@access.grid5000.fr tar x -C rennes/mydir

Using port forwarding

A SSH connection allow you to tunnelize other connections. This is achieved using the "-L", "-R" parameters.

Forwarding a local port

You can forward a localport to a host behind a firewall.

In this case, the target remote server must be explicitly given in the ssh command.

Forwarding a remote port

You can forward a remote port back to a host protected by your firewall.

In this case, the target local server must be explicitly given in the ssh command.

Tunnelizing for others

Using the "-g" parameter, you allow connections from other hosts than localhost to use your SSH tunnels. Be warned that anybody within your network may access the tunneled host this way, which may be a security issue.

Using OpenSSH SOCKS proxy

	Note
	This is pretty useful for opening web services in a local web browser for instance !

OpenSSH ssh client also embeds a SOCKS proxy. You may activate it using the "-D " parameter and then configuring your application (Mozilla Firefox for instance) to be proxified through the so created SOCKS proxy.

It is also possible to configure your web browser to use a different proxy depending on the destination to reach. This can be achieved using Foxyproxy (a browser extension) (or using a proxy autoconfiguration script).

In this case, no target remote server needs to be given in the ssh command line. The socks client (e.g. Firefox) can talk to target address.

	Note
	If using SSH tunneling does not suit your needs, for instance because your client application does not support the socks protocol, or because you do not manage to get things working as you like, mind looking at Grid'5000 VPN, which provides another way to reach services in Grid'5000 from the outside.

Mounting remote filesystem

To mount a remote filesystem using sshfs:

workstation:

mkdir ~/remote_dir

workstation:

sshfs -o idmap=user jdoe@lyon.g5k:/home/jdoe/ ~/remote_dir

To unmount the remote filesystem :

workstation:

fusermount -u ~/remote_dir

SSH keys handling

SSH key types

SSH support 3 types of keys:

• rsa1: RSA algorithm, SSH protocol version 1 (default key name: identity), DEPRECATED
• rsa: RSA algorithm, SSH protocol version 2 (default key name: id_rsa)
• dsa: DSA algorithm, SSH protocol version 2 (default key name: id_dsa), DEPRECATED since OpenSSH 7

You are advised to use a rsa key.

SSH key passphrase

An SSH key-pair is a set of 2 files. A rsa key-pair for instance is in your ~/.ssh directory:

• id_rsa: the private key, to be kept on a safe storage, no permissions on the file for anybody except you (i.e. mode 600).
• id_rsa.pub: the public key, to be dispatched on the systems that you want to connect using SSH (within the authorized_keys files)

The general case

In order to protect your private key from being maliciously used to access your systems (if one steals your private key file for instance), you must provide a passphrase. Empty passphrase should only be used for SSH host key generation (normal users should not have to care about this), or for system accounts keys that need automatic (none-interactive) login on remote systems (no passphrase eases scripting ;) ).

For user's usage, you actually wont have to enter your passphrase each time you access to a system using SSH, since you can use a ssh-agent. This agent store it for you indeed, so that you only need to enter your passphrase one - and only one - time.

The Grid'5000 case

It is common usage on HPC cluster to use SSH keys without passphrase, so that connection to nodes can be scripted, and never interrupted by any authentication interactive process. Furthermore, using a ssh-agent is often not a good solution, because it doesn't work well with shell scripts, non-interactive sessions, screen sessions ... because you are always asked to enter your passphrase once.

The advice then is to use a SSH key with passphrase to access the frontal of the cluster. Another automatically generated dedicated key without passphrase is stored on your Grid'5000 home directories for node connections.

SSH Key generation

Please use the command ssh-keygen -t rsa to generate your SSH RSA key, and give a non-empty passphrase. The public key can then be used to encrypt messages that only the private key will be able to decrypt.

  $ ssh-keygen -t rsa
  Generating public/private rsa key pair.
  Enter file in which to save the key (/home/bob/.ssh/id_rsa): 
  Enter passphrase (empty for no passphrase): ********************
  Enter same passphrase again: ********************
  Your identification has been saved in /home/bob/.ssh/id_rsa.
  Your public key has been saved in /home/bob/.ssh/id_rsa.pub.
  The key fingerprint is:
  00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff bob@leponge

SSH Key usage

Once you generated your key, you need to dispatch its public part on every server you may want to access.

This is automatically done in Grid'5000 , see SSH Basic configuration for Grid'5000.

However, here is some general information.

To dispatch your id_rsa.pub public key on the server named myserver (login mylogin):

A command named ssh-copy-id may be provided within the SSH package installed on your system. In such a case, you may simply run:

  $ ssh-copy-id myuser@myserver

NB: this requires your key(s) to be stored in a SSH agent, see below.

Or you can use the following command:

  $ MYSERVER=myuser@myserver
  $ cat ~/.ssh/id_rsa.pub | ssh $MYSERVER 'umask 022 ; mkdir -p .ssh ; touch .ssh/authorized_keys ; cat >> .ssh/authorized_keys'

Using the SSH agent

• Storing keys and passphrases

To tell the ssh-agent to store your key AND remember the passphrase so that you do not have to enter it everytime you connect via SSH to a remote machine, just do a:

  $ ssh-add 
  Enter passphrase for /home/bob/.ssh/id_rsa: ********************
  Identity added: /home/bob/.ssh/id_rsa (/home/bob/.ssh/id_rsa)

You may look at the keys the agent actually stores with the following command:

  $ ssh-add -l
  2048 SHA256:Bx7zKapa1Gz04+LtvxTsQCkvojKjB2iPmx2OLxfkXjl /home/bob/.ssh/id_rsa (RSA)

• forwarding the agent (useful if chaining SSH connections)

If not activated by default, you may need to run the SSH command with the `-A` parameter in order your key storage agent to be forwarded on connected hosts, so that you can chain other SSH command from this host without password or passphrase afterward. (try a `ssh-add -l` on the remote host to check if your key is forwarded). You may also add a "ForwardAgent yes" statement in your .ssh/config file.

Be warned that forwarding the agent (and then the data it stores) on a unsecure remote server may be unsafe.

Setting up a user config file

Setting up aliases or defaults

You may provide a configuration file that define default parameters for your SSH connections inside Grid'5000. This file is ~/.ssh/config in your Grid'5000 account home directories (one per site). In this configuration file, you may for instance specify:

• alias for long hostnames
• username to be used to connect some machines if this is not the one used locally (no more need for either "-l username" or "username@" statement).
• X11 forwarding enabling
• TCP port forwarding

Using SSH with ssh ProxyCommand setup to access hosts inside Grid'5000

You can setup your local (on your laptop or workstation) ~/.ssh/config so that you transparently access any host inside Grid'5000 (behind Grid'5000 firewalls). The idea is that your local ssh client will directly talk with the ssh daemon on the host behind the firewall through a connection to the gateway opened with another ssh connection.

First: setup an alias for the global access machine

# Alias for the gateway (not really needed, but convenient)
Host g5k
  User g5k_login
  Hostname access.grid5000.fr
  ForwardAgent no

Your are now able to connect to your Grid'5000 site without being bothered with options such as to specify your Grid'5000 login each time:

ssh g5k
scp my_directory/my_file g5k:site/

Second: setup the glob alias for the access to any hosts inside Grid'5000

(host inside Grid'5000, except the access machine are not reachable from the Internet)

# Automatic connection to hosts within Grid'5000, and not reachable direction on SSH tcp port 22
Host *.g5k
  User g5k_login
  ProxyCommand ssh g5k -W "$(basename %h .g5k):%p"
  ForwardAgent no

The .g5k suffix is an arbitrary suffix you will now specify in your command lines in order to access hosts inside Grid'5000: And now, to log on that gateway, you can use:

Accessing the frontend of my site (grenoble)

ssh grenoble.g5k

Accessing the frontend of another site

ssh rennes.g5k

Accessing a node belonging to one of my job

Note

The next example take as assumption that graphite-3 is opened for an SSH connection, e.g.: you submitted a job with the allow_classic_ssh magic type (oarsub -t allow_classic_ssh ... ) you submitted a deploy job, and deployed your own operating system which allows you to connect using SSH Otherwise, shell access is only granted via oarsh (or ssh as oar and using you job key, see -k option in oarsub(1))

ssh graphite-3.nancy.g5k

Copying files

Any command (scp, rsync, ...) can use the .g5k magic suffix.

scp myfile rennes.g5k:
rsync -avz mydir rennes.g5k:

Global picture

Using SSH with ProxyJump to access hosts inside Grid'5000

Basics

ProxyJump was introduced in ssh version 7.3 to made it easier to do the jump and internal login in one step.

Here is the basic syntax with the -J flag:

ssh -J <access-host> <remote-host>

And a Grid'5000 example to connect to Nancy's frontend:

ssh -J access.grid5000.fr fnancy.nancy.grid5000.fr

Single remote host aliases

Like ProxyCommand, ProxyJump can be used in your local .ssh/config. However, ProxyJump can't use `%h` or `%p` ssh variables nor `basename` command. So a general/wildcard suffix can't be used like previous ProxyCommand configuration to access to any hosts inside Grid'5000.

But you can easily use some single host alias configuration like this Nancy's frontend example:

Host myfrontend
  User g5k_login
  HostName fnancy.nancy
  ProxyJump access.grid5000.fr
  ForwardAgent no

and so directly connect with:

 ssh myfrontend

Tips

bash-completion

The bash-completion package eases the ssh command usage by providing completion for hostnames and more.

  yum install bash-completion

On Debian:

  apt-get install bash-completion

Escape characters

• ~.

Disconnect you, even if your remote command hangs.

• ~C

Open command line. Allows the addition of port forwardings using the -L and -R options.

See `man ssh' for more details

SSH resources

Un*x clients

• OpenSSH

OpenSSH is available in every good linux distro, and every *BSD, and Mac OS X.

Mac OS X tools

• SSHKeychain is a Cocoa application that acts as a frontend to ssh-agent. It uses the Mac OS X Keychain to store the key (so you don't have to remember another password), and it can manage a set of tunnels.
• Cyberduck is a Cocoa FTP and SFTP client.

Windows clients

• OpenSSH is natively available since Windows 10 April 2018 Update.
• OpenSSH/Cygwin

OpenSSH is available with Cygwin. You may then find the same features in your SSH client even if you run Windows. Furthermore, Cygwin also embeds many other GNU Un*x like tools, and even a FREE X server for windows. USE CYGWIN ;). URL: http://www.cygwin.com/

• Putty

Free windowish SSH client: http://www.chiark.greenend.org.uk/~sgtatham/putty/

	Warning
	Using the ProxyCommand ssh g5k -W "$(basename %h .g5k):%p" as mentioned above, requires the basename command to be available along with OpenSSH in your Operating System. To test that, make sure that basename something.g5k .g5k actually returns something (.g5k suffix removed) and that back-quotes commands work.

More

Depending on your client, you will be able to configure ssh to use more fancy options. If you are using Linux, Mac OS X, or another Unix-based system, the FAQ will give you some recipes to tune your configuration. Not all ssh clients (not putty in particular) allow for such flexible options, but most will have equivalents.

• you will be able to store the login name to use, and the key to use to access Grid'5000
• you will be able to connect to any machine inside Grid'5000 in one shot, using ssh machine.g5k. See this page for details. This is also the way to go to transfer large volumes of data to a site.
• you will be able to open TCP tunnels to connect from your machine to services running inside Grid'5000
• you will be able to avoid man-in-the middle warnings, host key checking (in the FAQ#SSH_related_questions)

For more SSH client options, see man ssh.

The official openSSH website is openssh.com

For more informations about OpenSSH/SSH Protocols, see OpenSSH/SSH Protocols page on wikibooks.org