BCF Wiki

User Tools

Site Tools

Trace: remoteaccess
system:beginners:remoteaccess

Table of Contents

USING Remote Access to the system with SSH (Secure Shell)

Server: lummerland.computational.bio.uni-giessen.de

To login onto the above server, you need to generate a SSH public/private-key pair and upload the public-key to your user directory on the server. Normal login with username/password is not possible/allowed when using SSH.

Lummerland's public SSH fingerprint

“Lummerland” uses the following SSH fingerprints today (February, 24th 2020): 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

MD5 - Fingerprints

DSA(1024 bits):    c0:85:6e:ab:f3:91:43:c9:20:18:42:a6:89:3b:f3:28
ECDSA(256 bits):   82:68:1a:a7:d1:23:44:ed:13:eb:54:2c:0b:01:bc:f6
ED25519(256 bits): 11:79:08:53:26:9a:0a:13:ec:b0:a3:2b:bd:77:6a:cd
RSA(2048 bits):    3d:ad:1a:df:c7:1c:fb:5b:0f:6f:b2:64:d3:28:f0:a6

SHA256 - Fingerprints

DSA(1024 bits):    WnIY5OGwd1luJ0LGpJzWBAp/Zj6j1v4WItFFknwDXQE
ECDSA(256 bits):   FN+W2tCVeFJrPwx4dtGD14Ugb3hmB/v0y4j/kJJSHMM
ED25519(256 bits): rs+4i0KSrCajTPhs35gIPEdc8NQsk6rzorXDab6yZ+E
RSA(2048 bits):    Te+5WwUhDmTh+D2wBLLeMLUt4eLATafJFrsPqi77MV8
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJeU5hUAAoJEJHzElYXA3Jlv0oIAKOjs9hqR+I3jkmjA495hfqK
7i6831koBahQ4PPyERq8+3l+fNCQkPHmyvHa6usaxpD4Qa2N6+TZP7CMAavlgChY
Dl+F4VUvfFuXax8Bkb7kJkXgs6068snoi4HShZ7p2RcBhgL6dPoD5cIfhTPPe0F0
dIjhW/mVBzosH7begYCH3CdqDlYuSKbxG0iztf2wiANIHVKHgmkZY23+3Ub2jfTA
Z7JVlMQc3X8fiHvGJs2LLYC6K2vYcefMZDXMuA3BUIoym1GAr4627cdBjqW3acWO
p+viiFV4zFDeT7N3ZMzLEsvQSZ21sQjdQQvR1pAQu9kfyzVTfJ/9tWQkt74X7+g=
=moJU
-----END PGP SIGNATURE-----

Those fingerprints can be used to verify the identity of the server you are trying to connect. In case you try to connect to “Lummerland” for the first time, your SSH client should ask for the verification of the server presenting you one of the fingerprints above. In case you observe another fingerprint, this could be an indication for a man-in-the-middle-attack.

The authenticity of the fingerprints is guaranteed by a digital signature using PGP.

Important key management update!!

With a recent change to our setup the SSH keys on our system are managed centrally in our LDAP infrastructure. You can add you own public keys using our self service portal.

Generating and uploading keys

Preliminary Setup

Setting up public key authentication to access a particular remote host is a one-time procedure comprising a few steps which is roughly the same on all operating systems.

Connect with Windows

Download and install putty distribution (putty installer):

http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

Step 0: Convert an OpenSSH key to PPK

This step is only needed when you've already created a OpenSSH key under Linux or Mac OSX and want to use this key in Putty under Windows.

You have to copy the file “id_rsa” in the directory “~/.ssh” from your Linux/OSX installation to your Windows PC. Then just open the PuTTYgen program (Start > All Programs > PuTTY > PuTTYgen), click on “Load→Load private key” in the menu and open the file “id_rsa”.

The program will ask you for the password of the private key. After correctly entering it, you click on “Save private key” to store the SSH-key in the PPK-format. After this you can forward to Step 2 (When you are a first time user) or Step 3 (When you can already login on Linux/OSX on “lummerland”)

Step 1: Generating the public/private-key pair

Generate a public/private key pair on your local desktop. From the Start menu, run Start > All Programs > PuTTY > PuTTYgen as illustrated in <imgref initial_putty>. On Windows 8 and above search PuTTYgen with the search field.

<imgcaption initial_putty|Initial PuTTYgen window.>Initial PuTTYgen window.</imgcaption>

Click the Generate button. You will be prompted to move the mouse over the blank area to generate some randomness. Do so. Shortly thereafter, the program will generate the key and display the result (see <imgref after_keys>).

<imgcaption after_keys|After keys have been generated.>After keys have been generated.</imgcaption>

Enter a passphrase in the “Key passphrase” and “Confirm passphrase” boxes. Your JLU password makes a good choice since you have probably already committed it to memory and it has withstood password cracking tests. However, the PuTTY documentation recommends an actual phrase of 10 to 30 characters with word breaks, mixed case, numbers, and non-alphanumeric characters, for example, “DoN't (expect snow)^july.”

:!:Under no circumstances should you leave these fields blank!

Select all of the text in the box labeled “Public key for pasting into OpenSSH authorized_keys file” (near the top of the window) by dragging the cursor. Right-click over the selection and choose Copy and paste it into a text editor e.g. “Notepad” and save the file as “authorized_keys” . Finally, click the “Save private key” button to save the private key to a file (<imgref saving_private_key>).

<imgcaption saving_private_key|Saving the private key in file JLU.ppk.>Saving the private key in file JLU.ppk.</imgcaption>

The private key must be kept secret. Accordingly, the contents of the file are encrypted using the passphrase, and you should pick a file location that is accessible only to you.

Step 2: Copying the public key to the BCF infrastructure

You can upload your new public key to the BCF user management using the self service portal. You can paste the public key directly as shown by putty.

The private key is not installed on any remote host and stays on your normal PC!

windowsputtysetup

Step 3: Logging in with SSH

Start PUTTY on your own PC to verify that public key authentication works. Basic public key authentication is enabled for a particular session in the Connection > SSH > Auth window. You must create a specific session profile (<imgref add_session>) before configuring the Auth window (<imgref auth_window>). Type in “lummerland.computational.bio.uni-giessen.de” in text field “Host Name (or IP address)”. Type in “lummerland” in the text field “Saved sessions” and click on “save”

Select “Data” on the left list (<imgref add_user_to_session_profile>) and type in your username in the text field “user name”.

Select “Connection → SSH →Auth” on the left list (<imgref auth_window>). Browse to select “JLU.ppk” in the “Private key file for authentication” text box. Be sure to go back to the Session window and click Save to update the profile. The session will use public key authentication as demonstrated in Figure 9.

<imgcaption add_session|Create the appropriate session profile.>Create the appropriate session profile.</imgcaption>

<imgcaption add_user_to_session_profile|Add user name to session profile.>Add user name to session profile.</imgcaption>

<imgcaption auth_window|Connection… SSH… Auth window>Connection -> SSH -> Auth window.</imgcaption>

After this you can log into your account with SSH by double clicking on your session profile in the PUTTY client.

windowspagentsetup

Step 4: Adding auto-login with Pageant

At first glance, basic public key authentication offers no advantages since a passphrase is always required. However, single signon can be achieved by setting up the PuTTY authentication agent, Pageant (pronounced page-ant).

Starting “Pageant” (Start > All Programs > PuTTY > Pageant) puts an icon in the system tray. Right-click on the icon and choose “Add Key” as illustrated in <imgref add_key_to_pagent>.

<imgcaption add_key_to_pagent|Add a key to Pageant.>Add a key to Pageant.</imgcaption>

When the “Select Private Key File” file dialog appears, find “JLU.ppk”. You will be prompted for the passphrase so that Pageant can store the unencrypted private key in memory to use in authentication. Remove “JLU.ppk” from the “Private key file for authentication” text box in the Connections > SSH > Auth window for the session profile in Putty. All subsequent logins and file transfers will by authenticated by Pageant.

Connect with Linux/Mac OS X

Plan ahead

If you have already used SSH on your machine, chances are that a default key already exists. If you generate a new key without specifying a different identity, the default key will be overwritten. As a result all accounts using this key will become inaccessible for you.

WE THUS RECOMMEND NOT TO USE THE DEFAULT IDENTITY, BUT USE SEPARATE KEYS FOR INDIVIDUAL ACCOUNTS!

This tutorial uses bcf as identity name, but you are free to use any other name.

Generate a new SSH key

Open a terminal and use the ssh-keygen application to generate a new key.

Example: 

ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa_bcf

with:

  • -t rsa defines the type of the key, RSA in this case
  • -b 4096 size of the key in bits. 4096 should be enough in most cases
  • -f ~/.ssh/id_rsa_bcf prefix for files to store private and public keys

This example command will create two files: ~/.ssh/id_rsa_bcf containing the private key, and ~/.ssh/id_rsa_bcf.pub with the public key file. As mentioned before, we recommend not to use the default name for the key files, especially not if you want to update keys.

You'll be asked to enter a passphrase. See Step 1 in the Windows section of this wiki for generating a good password.

After you enter a passphrase, you'll be given the fingerprint, or id, of your SSH key. It will look something like this: 

Your identification has been saved in /Users/you/.ssh/id_rsa_bcf.
# Your public key has been saved in /Users/you/.ssh/id_rsa_bcf.pub.
# The key fingerprint is:
# 01:0f:f4:3b:ca:85:d6:17:a1:7d:f0:68:9d:f0:a2:db

Newer SSH releases may use a different format for the fingerprint, e.g. 

The key fingerprint is:
SHA256:cymD0d5KZTUrgoD0+CYzdtzU1YpjvWHyRXJqZ4GUIZg ....

In this case you can display the older MD5 based fingerprint using the ssh-keygen -l -E md5 -f <private key file> command: 

$ ssh-keygen -l -E md5 -f <...>
2048 MD5:8c:1b:43:07:57:1f:4d:dc:cc:6c:24:ff:50:10:1d:37 <....>

It might be a good idea to temporary note down the fingerprint, since it will be used in the next step for verification.

Copy the public key to your JLU account

You can uplod your new key to the BCF user management using the self service portal. The files containing the public key in the example above is ~/.ssh/id_rsa_bcf.pub. The portal will send you an email containing the key fingerprint of the uploaded key, so please compare it to the fingerprint from the previous step.

You are not able to use tools like ssh-copy-id on the BCF systems!

Login with SSH

Open a terminal and type in the following command: 

ssh -i ~/.ssh/id_rsa_bcf username@lummerland.computational.bio.uni-giessen.de

On all modern Linux distributions and Mac OS X a small window will appear which will ask you for your password used at the generation of the private key. You can now allow the keyring manager of Linux/OSX to store this password in the user keyring of your operating system. After this you don't need to enter the password another time.

Remember:

Every person who has access to your account on your PC can login with SSH to your JLU account.

Setup fast login

To speed up login into your account you can use the ssh configuration file ~/.ssh/config. It allows you to predefine host name, user name and key for a target: 

Host lummerland
  HostName lummerland.computational.bio.uni-giessen.de
  User username
  IdentityFile ~/.ssh/id_rsa_bcf

You have to change “username” to your BCF login name and use the right file containing the generated private key.

Now you can login with the following command: 

ssh lummerland

Security Considerations

The link is not working any longer, but kept if becoming available again.

http://www.ualberta.ca/AICT/RESEARCH/LinuxClusters/pka-putty.html#sc

system/beginners/remoteaccess.txt · Last modified: 2020/03/16 11:39 by ffoerste