Differences
This shows you the differences between two versions of the page.
public:ssh-usage [2009-10-05 15:46] – Arno Schoenmakers | public:ssh-usage [2018-07-18 11:46] (current) – [Simple VPN using dynamic port forwarding] Reinoud Bokhorst | ||
Line 3: | Line 3: | ||
We use the Secure Shell (ssh) on CEP to connect to different systems. This page explains how this can be used without having to supply a password each time you want to connect to a system. The image below tries to explain the process: | We use the Secure Shell (ssh) on CEP to connect to different systems. This page explains how this can be used without having to supply a password each time you want to connect to a system. The image below tries to explain the process: | ||
- | With normal ssh you always have to give a password. If you use a private and public key, you can access systems where your public key is in $HOME/ | + | With normal ssh you always have to give a password. If you use a private and public key, you can access systems where your public key is in '' |
{{: | {{: | ||
Line 12: | Line 12: | ||
==== Linux or OS X ==== | ==== Linux or OS X ==== | ||
- | The first thing you need to do is generate an authorisation key using the DSA algorithm, which means you need to do the following once. | + | The first thing you need to do is generate an authorisation key using the RSA algorithm |
You need to have a somewhat recent version of OpenSSL on your system for this to work: | You need to have a somewhat recent version of OpenSSL on your system for this to work: | ||
- | ssh-keygen -tdsa | + | ssh-keygen -t rsa |
- | cp .ssh/id_dsa.pub .ssh/ | + | cp .ssh/id_rsa.pub .ssh/ |
- | Use cat or some editor if authorized keys already exists and can't be simply copied. Copy your '' | + | Use cat or some editor |
==== Windows ==== | ==== Windows ==== | ||
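Review bot: the cp on the line after `ssh-keygen -t rsa` overwrites any authorized keys file that is already there, and the following line already concedes that cat is needed in that case; make appending the one documented step (`cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys`) and drop the cp. Two related doc points in the same hunk: ssh-keygen ships with OpenSSH, not OpenSSL, so the prerequisite sentence names the wrong package; and sshd (with its default StrictModes) refuses keys from a group- or world-writable directory or file, so add `chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys` right after the copy, since a wrong mode produces the same "still asks for a password" symptom as a missing key.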
Line 26: | Line 26: | ||
Select from the '' | Select from the '' | ||
- | * Select in the '' | + | * Select in the '' |
* Press the '' | * Press the '' | ||
* Now you'll have to move your mouse over the grey area below the progress bar. | * Now you'll have to move your mouse over the grey area below the progress bar. | ||
* Once done, you'll get a screen like the one shown below. | * Once done, you'll get a screen like the one shown below. | ||
* Enter a passphrase (and confirm). | * Enter a passphrase (and confirm). | ||
- | * Now you can save the public and private | + | * Now you can copy and paste (with the mouse!) |
{{: | {{: | ||
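Review bot: the new "copy and paste (with the mouse!)" instruction should say why pasting is required instead of the "Save public key" button: PuTTYgen's save button writes the multi-line RFC 4716 format that OpenSSH's authorized_keys does not accept, while the text box at the top of the PuTTYgen window holds the single-line OpenSSH form that must be pasted in. One sentence to that effect saves the usual "key file copied but login still prompts" support question.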
Line 38: | Line 37: | ||
===== Using an SSH-Agent ===== | ===== Using an SSH-Agent ===== | ||
- | An ssh-agent is a small program that when you start work is used to unlock the passphrase protected private key you generated above. The ssh-agent will from that point on automatically supply the right answers to any ssh session, if you use '' | + | An ssh-agent is a small program that when you start work is used to unlock the //passphrase protected private key// you generated above. The ssh-agent will from that point on automatically supply the right answers to any ssh session, if you use '' |
Detailed information on how to setup ssh agent forwarding can be found [[http:// | Detailed information on how to setup ssh agent forwarding can be found [[http:// | ||
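Review bot: the sentence that sends readers off to set up agent forwarding needs a caveat next to it: while forwarding is active, anyone with root on the intermediate host can use the forwarded agent socket to authenticate as you, so forwarding belongs only towards hosts you trust. Suggest adding that `ForwardAgent yes` should be set per host in `~/.ssh/config` rather than globally, and that keys loaded with `ssh-add -c` require a confirmation for every use, which limits what a compromised intermediate host can do.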
Line 73: | Line 72: | ||
[[ssh-usage-linux|More advanced ways to use ssh-agent on Linux]]. | [[ssh-usage-linux|More advanced ways to use ssh-agent on Linux]]. | ||
+ | |||
+ | === Starting ssh-agent at beginning of X session === | ||
+ | When using a Linux workstation, | ||
+ | < | ||
+ | eval `ssh-agent -s` | ||
+ | if test -S " | ||
+ | ssh-add < /dev/null | ||
+ | fi | ||
+ | </ | ||
+ | This will start the SSH agent directly after logging into your X session. It will then ask you to enter the passphrase. After that, you will be logged in as usual. | ||
+ | |||
+ | **Note:** If you don't have an '' | ||
==== OS X ==== | ==== OS X ==== | ||
- | Install | + | Recent versions of OS X (10.5 " |
+ | |||
+ | On older versions of OS X, install | ||
{{public: | {{public: | ||
+ | If you have this set up, then you can easily make bookmarks/ | ||
+ | {{ : | ||
==== Windows ==== | ==== Windows ==== | ||
Line 85: | Line 100: | ||
Windows users that have downloaded the '' | Windows users that have downloaded the '' | ||
- | To use it, select '' | + | To use it, select '' |
+ | |||
+ | Double-click the icon to open the console. Then use the '' | ||
Once you have done this, '' | Once you have done this, '' | ||
Line 92: | Line 109: | ||
{{: | {{: | ||
+ | |||
+ | ===== SSH Port forwarding / tunneling ===== | ||
+ | |||
+ | With port forwarding it is possible to, e.g., copy data with '' | ||
+ | |||
+ | The solution is available and it uses port forwarding, or ssh tunneling. | ||
+ | |||
+ | First, set up the connection. Say, you want to set up a tunnel to '' | ||
+ | > ssh -L 10000: | ||
+ | </ | ||
+ | In this example, we use the local port 10000, but this could be any portnumber above 1024, as long as it is not used/ | ||
+ | |||
+ | You are probably asked to provide a password; this is the password for the '' | ||
+ | |||
+ | To use the tunnel with '' | ||
+ | > scp -P 10000 < | ||
+ | </ | ||
+ | |||
+ | You will be asked for a password. A way to prevent this is to combine these commands with ssh-agent forwarding; see above. | ||
+ | |||
+ | And to copy files from the remote host to your local host:< | ||
+ | > scp -P 10000 localhost:< | ||
+ | </ | ||
+ | |||
+ | After you have finished, you can close the session that defined the tunnel. | ||
+ | |||
+ | === Automating the port forwarding hassle === | ||
+ | Sounds pretty difficult and scary, all this port forwarding stuff. It's very likely that you had to read and re-read these instructions until you finally got things working. So, you might wonder, whether things could be simplified. Ideally, you would like to be able to simply type: | ||
+ | < | ||
+ | scp < | ||
+ | </ | ||
+ | as if you were doing an ordinary secure copy. | ||
+ | |||
+ | Also, you would probably like to be able to '' | ||
+ | < | ||
+ | ssh lfe001 | ||
+ | </ | ||
+ | |||
+ | == Can this be done? == | ||
+ | //Yes, this can be done!// And it's very easy to setup. For example, assume you want to have access to the hosts '' | ||
+ | < | ||
+ | Host kis001 lfe001 RS???C | ||
+ | ProxyCommand ssh portal.lofar.eu netcat -w2 %h %p | ||
+ | </ | ||
+ | |||
+ | The real workhorse here is '' | ||
+ | |||
+ | **NOTE**: Copying large datasets produces a significant load on the portal, which is already overstretched; | ||
+ | |||
+ | Read more about the [[http:// | ||
+ | ==== Setup tunneling with PuTTY and winscp ==== | ||
+ | |||
+ | '' | ||
+ | |||
+ | In the main screen, provide '' | ||
+ | |||
+ | {{: | ||
+ | |||
+ | Now save this session before pressing '' | ||
+ | |||
+ | To copy data to and from your Windows system, use the '' | ||
+ | |||
+ | {{: | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | ==== How to fix ssh timeout problems ==== | ||
+ | |||
+ | If you use ssh a lot, you may have noticed that your ssh session times out and you’re logged out every once in a while. Annoying isn’t it? | ||
+ | Read from remote host xxxxxx: Connection reset by peer | ||
+ | | ||
+ | |||
+ | There’s a quick fix for that. Actually, there are 2 ways to fix it. You only need to do one of them so choose whichever one is easiest for you. You’ll need root access, so for most people it’s probably safer to do the client fix rather than the server fix. | ||
+ | == server side == | ||
+ | |||
+ | On the server, login as root and edit / | ||
+ | < | ||
+ | According to man sshd_config, | ||
+ | == client side == | ||
+ | |||
+ | The other way, and easier and safer way is for your desktop machine to send those keep alive messages. As root on your desktop (or client) machine, edit / | ||
+ | < | ||
+ | That will send send a message to the server every 60 seconds, keeping the connection open. I prefer this way because I login to several machines every day, and I don’t have root access to all of them. | ||
+ | |||
+ | |||
+ | ==== lofarsys@localhost ==== | ||
+ | |||
+ | When you need to become lofarsys on the current host, you can use the following trick to overcome host key conflics: | ||
+ | alias lof=' | ||
+ | |||
+ | \\ | ||
+ | |||
+ | |||
+ | |||
+ | ===== Simple VPN using dynamic port forwarding ===== | ||
+ | |||
+ | Instead of forwarding a single port you can also use dynamic port forwarding. This will turn your SSH client into a local [[https:// | ||
+ | |||
+ | The most useful application is to use a SOCKS proxy to access LOFAR web services that are behind the firewall (when you are not connected to the LAN). Two steps are needed: | ||
+ | - Create a SOCKS proxy to the LOFAR portal | ||
+ | - Configure your browser (or OS) to use the proxy | ||
+ | Below a description on how to do that. | ||
+ | |||
+ | ==== Create SOCKS proxy ==== | ||
+ | |||
+ | __With SSH__ | ||
+ | |||
+ | The SOCKS proxy is created by enabling the dynamic port forwarding feature when connecting to the LOFAR portal: | ||
+ | |||
+ | < | ||
+ | ssh -D 1080 < | ||
+ | </ | ||
+ | |||
+ | Port 1080 is the default SOCKS port but you can also choose another non-privileged one (e.g. 9999). Some client programs however may expect that port 1080 is used. | ||
+ | |||
+ | Additionally you may add the ' | ||
+ | |||
+ | __With PuTTY__ | ||
+ | |||
+ | Create a new session in the Putty configuration dialog to portal.lofar.eu on port 22 as you would normally do (e.g. adding your ssh key for authentication). | ||
+ | |||
+ | Then go to Connections-> | ||
+ | |||
+ | {{: | ||
+ | \\ | ||
+ | |||
+ | Go back to the Session and save this configuration under an existing or new session. | ||
+ | |||
+ | |||
+ | |||
+ | ==== Configuring your web browser ==== | ||
+ | |||
+ | A web browser must be configured to use the SOCKS tunnel as a proxy server. Generally this is done by going to the web browser settings and looking for something like ' | ||
+ | |||
+ | __Firefox__ | ||
+ | |||
+ | - Go to Preferences | ||
+ | - Look for an item called ' | ||
+ | - Click on Settings, choose " | ||
+ | - Now try to access an internal web service, you should be able to use the internal domain name of the service (xxx.control.lofar). | ||
+ | |||
+ | \\ | ||
+ | |||
+ | __Chrome__ | ||
+ | |||
+ | Newer versions of chrome use the system-wide network configuration for its proxy settings. This is an alternative to only configuring the web browser to use the proxy. However, if you want to limit the proxy only for web browsing you can start Chrome adding the flag --proxy-server, | ||
+ | |||
+ | < | ||
+ | google-chrome-stable --proxy-server=" | ||
+ | </ | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ |
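Review bot: the timeout section's claim that "You'll need root access" is wrong for the client-side fix: `ServerAliveInterval 60` can be placed in the user's own `~/.ssh/config`, which needs no root and is exactly what the author's "I don't have root access to all of them" argument calls for, so document that file instead of the system-wide one edited as root. Two smaller points in the same hunk: the `ProxyCommand ssh portal.lofar.eu netcat -w2 %h %p` stanza depends on netcat being installed on the portal, and OpenSSH 5.4 and later can do the same with `ProxyCommand ssh -W %h:%p portal.lofar.eu` (or `ProxyJump portal.lofar.eu` from 7.3), which keeps the hop entirely inside ssh; and the Firefox steps promise that internal names such as xxx.control.lofar resolve, which only holds when "Proxy DNS when using SOCKS v5" is ticked in the connection settings, otherwise the lookup goes to the local resolver outside the tunnel and fails, so that checkbox should be added to the numbered list.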