ssh

Differences

This shows you the differences between two versions of the page.

ssh [2020/10/22 12:12] jansenssh [2024/03/14 09:28] (current) jansen
Line 4: Line 4:
 Most of the desktop machine at the STRW can be accessed through the ssh protocol. So when you know your machine name, use that (including the strw.leidenuniv.nl domain) to access that machine directly. Most of the desktop machine at the STRW can be accessed through the ssh protocol. So when you know your machine name, use that (including the strw.leidenuniv.nl domain) to access that machine directly.
  
-If you do not have a personal machine you can use the ''%%ssh.strw.leidenuniv.nl%%'' virtual machine to log into our systems and continue from there with an ssh to any of the science servers or cluster machines.+If you do not have a personal machine you can use the ''%%ssh.strw.leidenuniv.nl%%'' virtual machine to log into our systems and continue from there with an ssh to any of the science servers or cluster machines. \\ 
 +Note that the %%ssh.strw.leidenuniv.nl%% machine is just a gateway; it is not meant for any type of data processing, desktop environments etc. 
 + 
 +See our [[ssh:tipsandtricks|Tips and Tricks]] session for 'direct access' to your server.
  
 === Special access === === Special access ===
-Some places we visit (e.g. China or Iran) or some hotels abroad limit the internet access to web browsing only. Because you want more in such cases the ssh server of the Sterrewacht now also serves the ssh protocol on web ports 80 and 443. So you can now get access to the Sterrewacht computer systems from those limiting environments using+Some places we visit (e.g. China or Iran) or some hotels abroad limit the internet access to web browsing only. Because you want more in such casesthe ssh server of the Sterrewacht now also serves the ssh protocol on web ports 80 and 443. So you can now get access to the Sterrewacht computer systems from those limiting environments using
  
   ssh ssh.strw.leidenuniv.nl -p 80 -l <your STRW accountname>   ssh ssh.strw.leidenuniv.nl -p 80 -l <your STRW accountname>
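Review bot: the new text has a missing space in "in such casesthe ssh server", and "Tips and Tricks session" should read "section". The added gateway sentence uses a bare %%ssh.strw.leidenuniv.nl%% where the surrounding text wraps the hostname in ''%%...%%'' code markup, so it will render differently from the line above it. Also, the paragraph says the server listens on both 80 and 443 but the example only shows ''-p 80''; add the ''-p 443'' variant so the example covers both ports the text advertises.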
Line 34: Line 37:
 ====== SSH keys ====== ====== SSH keys ======
 ====Create a key pair==== ====Create a key pair====
-To create a simple key pair, with the default encryption, open up a console, and enter the following command:+To create an ssh key pair, with the proper encryption, open up a console on your local machine, and enter the following command:
  
-  $ ssh-keygen -t rsa +  $ ssh-keygen -t ed25519
-Generating public/private rsa key pair. +
-Enter file in which to save the key (/home/testuser1/.ssh/id_rsa):  +
-Enter passphrase (empty for no passphrase):  +
-Enter same passphrase again:  +
-Your identification has been saved in /home/testuser1/.ssh/id_rsa. +
-Your public key has been saved in /home/testuser1/.ssh/id_rsa.pub. +
-The key fingerprint is: +
-SHA256:lGwwYIBUEvWqjQFSq09qZA/gwE9rnRWTRmKjcg81FIU testuser1@ssh +
-The key's randomart image is: +
-+---[RSA 2048]----+ +
-|.=*++XB=.        | +
-|o..o=E+*o.       | +
-|=o.= ...=        | +
-|*.= * oo         | +
-|.*.= +  S        | +
-|o+O              | +
-|.+.o             | +
-|.                | +
-|                 | +
-+----[SHA256]-----++
  
-When asked for a "passphrase", we won'enter one. Just press enter twice.+This results in the following output: 
 +   Generating public/private ed25519 key pair. 
 +   Enter file in which to save the key (/home/testuser1/.ssh/id_ed25519):  
 +   Enter passphrase (empty for no passphrase):  
 +   Enter same passphrase again:  
 +   Your identification has been saved in /home/testuser1/.ssh/id_ed25519. 
 +   Your public key has been saved in /home/testuser1/.ssh/id_ed25519.pub. 
 +   The key fingerprint is: 
 +   SHA256:gPD6FBuSJTpfkWCrpBPo7XoRqIEV+43g2sX2b6It2YI testuser1@ssh 
 +   The key's randomart image is: 
 +   +--[ED25519 256]--+ 
 +     .o*#*=.       | 
 +    o..*+^o        | 
 +   | . .++E.*        | 
 +   |.   .@.= .       | 
 +   | .  ..X S        | 
 +    . ...= o       | 
 +     . .  o        | 
 +                   | 
 +                   | 
 +   +----[SHA256]-----+ 
 + 
 +When asked for a "passphrase", you should enter (a complex) one or optionally leave it blankNote that without a passphrase your key pair will be free to use by anyone that has illegally gained access to your keysMacOS and Linux also have a feature where keys are unlocked using your login password. The passphrase should be known to you only. **Keep your private key and passphrase as secret as you would keep your password! 
 +**
  
 The ssh-keygen program will now generate both your public and your private key. Your keys are stored in the .ssh/ directory in your home directory. The ssh-keygen program will now generate both your public and your private key. Your keys are stored in the .ssh/ directory in your home directory.
  
-The file ''id_rsa'' contains your private key. YOU SHOULD GUARD THIS KEY WITH YOUR LIFE! This key is used to gain access on systems which have your private key listed in their authorized keys file. cannot stress this enough, dont have your keys drifting around. Also, make sure your private key always is chmod 600, so other users on the system won't have access to it.+The file ''id_ed25519'' contains your private key. YOU SHOULD GUARD THIS KEY WITH YOUR LIFE! This key is used to gain access on systems which have your private key listed in their authorized keys file. We cannot stress this enough, do not have your keys drifting around. Also, make sure your private key always is chmod 600, so other users on the system won't have access to it.
  
-The file ''id_rsa.pub'' contains your public key, which can be added to other system's authorized keys files.+The file ''id_ed25519.pub'' contains your public key, which can be added to other system's authorized keys files.
  
 ====Simplified version in case of a shared home disk==== ====Simplified version in case of a shared home disk====
-This is how you authorize the key for use within a local network with shared home disk. See below for the general case of accessing a remote system.+This is how you authorize the key for use within a local network with shared home disk (so this is how to set up a key so you can log in using ssh without password between computers at the institute) 
 +See below for the general case of accessing a remote system.
  
 Simply add the public part of the key to your .ssh/authorized_keys file, and make sure that that file is not accessible for others: Simply add the public part of the key to your .ssh/authorized_keys file, and make sure that that file is not accessible for others:
-  cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys+  cat ~/.ssh/id_ed25519.pub >> ~/.ssh/authorized_keys
   chmod 600 ~/.ssh/authorized_keys   chmod 600 ~/.ssh/authorized_keys
  
  
-====Copy public key to server1. modern and easy, if it works====+====Copy public key to server==== 
 +===1. modern and easy, if it works===
 Nowadays, ssh comes with a utility to send a public key to a remote machine (requiring you to log in using your password once, or requiring a previous key to be already in place). This will take care adding the key to the authorized_keys on the remote system. To do this, simply use: Nowadays, ssh comes with a utility to send a public key to a remote machine (requiring you to log in using your password once, or requiring a previous key to be already in place). This will take care adding the key to the authorized_keys on the remote system. To do this, simply use:
-  ssh-copy-id -i id_rsa.pub user@remotehost+  ssh-copy-id -i id_ed25519.pub user@remotehost
 Actually, if you only have one key pair, you can leave out the -i and the name of the key to be copied, so this will do: Actually, if you only have one key pair, you can leave out the -i and the name of the key to be copied, so this will do:
   ssh-copy-id user@remotehost   ssh-copy-id user@remotehost
  
-====Copy public key to server. 2. the old way ====+=== 2. the old way ====
 To be able to log in to remote systems using your pair of keys, you will first have to add your public key on the remote server to the authorized_keys file in the .ssh/ directory in your home directory on the remote machine. To be able to log in to remote systems using your pair of keys, you will first have to add your public key on the remote server to the authorized_keys file in the .ssh/ directory in your home directory on the remote machine.
  
-In our example we will assume you don't have any keys in the authorized_keys files on the remote server. (Hint: If you do not have a remote shell, you can always use your own useraccount on your local machine as a remote shell (ssh localhost))+In our example we will assume you don't have any keys in the authorized_keys files on the remote server. 
  
 First we will upload the public keys to the remote server: First we will upload the public keys to the remote server:
   $ cd .ssh/   $ cd .ssh/
-  $ scp id_rsa.pub xxxx@zzzz:./id_rsa.pub +  $ scp id_ed25519.pub user@remotehost:./id_ed25519.pub 
-  id_rsa.pub    100% |*****************************************************|   526       00:00+  id_ed25519.pub    100% |*****************************************************|   526       00:00
  
 This will place your keys in your home directory on the remote server. After that we will login on the remote server using ssh the conventional way... with a password. This will place your keys in your home directory on the remote server. After that we will login on the remote server using ssh the conventional way... with a password.
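Review bot: the unchanged sentence "This key is used to gain access on systems which have your private key listed in their authorized keys file" in the ''id_ed25519'' paragraph is wrong: authorized_keys holds the public key (''id_ed25519.pub''), as the following paragraph itself states; change "private" to "public" here, since the new revision touches this paragraph anyway. In the new passphrase paragraph, punctuation is missing between "leave it blank" and "Note that" and between "access to your keys" and "MacOS", and the closing ** of the bold warning sits on its own line, so the bold markup may not close as intended. The ED25519 randomart block has lost its leading | on several lines. The heading "=== 2. the old way ====" has three = on the left and four on the right, which DokuWiki will not render as a heading; use === on both sides to match "===1. modern and easy, if it works===".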
Line 99: Line 107:
   $ touch authorized_keys   $ touch authorized_keys
   $ chmod 600 authorized_keys   $ chmod 600 authorized_keys
-  $ cat ../id_rsa.pub >> authorized_keys +  $ cat ../id_ed25519.pub >> authorized_keys 
-  $ rm ../id_rsa.pub+  $ rm ../id_ed25519.pub 
 + 
 +From now on you can login from client to server without having to specify a password (just a passphrase). 
 + 
 +=== Using the keyring and ssh agent === 
 +Linx and MacOS offer a service to unlock your ssh keys (and other secrets) using your login password. This simplifies the use of passphrases on your keys, and you will only be prompted for the passphrase once when logging in (or not at all, if the session re-uses the login password).  
 + 
 +=== Configuration file === 
 +Configuration for ssh can be stored at the client side (ie: on your laptop) in ''$HOME/.ssh/config''. This is a text file that can contain general options (in use on every ssh connection, unless you override them), and settings for specific hosts. A simple example: 
 +   
 +    Compression             yes 
 +     
 +    Host *.strw.leidenuniv.nl 
 +         user mystrwusername
  
-From now on you can login from client yyyy to server zzzz without having to specify a password.+For more details, see the ''man ssh_config'' manual page.
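Review bot: "Linx" should read "Linux" in the new keyring section, and although that heading names the ssh agent, the text never says how a key is loaded into it; a line such as ''ssh-add ~/.ssh/id_ed25519'' would complete the section. In the config example, lowercase ''user'' is accepted, but the keyword is documented as ''User'' in the ''man ssh_config'' page the text refers to, so capitalising it matches the reference. A short note that ''$HOME/.ssh/config'' should be writable only by its owner would also be consistent with the chmod 600 advice given earlier for the private key and authorized_keys.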
  
ssh.1603368729.txt.gz · Last modified: 2020/10/22 12:12 by jansen