system:beginners:remoteaccess [2024/08/21 15:53] blinke
system:beginners:remoteaccess [2025/04/16 08:13] (current) – Remove old lummerland stuff sbeyvers
Line 1: Line 1:
-===== USING Remote Access =====+´===== USING Remote Access =====
  
 Access to BCF systems is available via different methods. Please select the best method depending on your requirement. Access to BCF systems is available via different methods. Please select the best method depending on your requirement.
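Review bot: the new heading line `´===== USING Remote Access =====` carries a stray acute accent before the first `=`, so DokuWiki will no longer render it as a heading; drop the `´` so the line starts with `=====` as it did in the previous revision.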
Line 11: Line 11:
 SSH ("secure shell") is a standard protocol for remote access. In addition to shell access it is also able to provider tunneling and proxy support. SSH ("secure shell") is a standard protocol for remote access. In addition to shell access it is also able to provider tunneling and proxy support.
  
-=== Jump host ===+=== Requirements for ssh access ===
  
-BCF access is available via the central jump host+You need to meet the following requirements for ssh access:
  
-**login.computational.bio.uni-giessen.de**+  * a valid and active BCF account 
 +  * a registered SSH public key 
 +  * a running SSH agent on the client 
 + 
 + 
 +=== Jump host === 
 + 
 +BCF access is available via the central jump host **login.computational.bio.uni-giessen.de**
  
 As jump host this system allows connections from the internet, but is not configured to execute applications. It's sole purpose is relaying connections to internal hosts. Access to files (home directories, volumes) is not possible on the jump host. As jump host this system allows connections from the internet, but is not configured to execute applications. It's sole purpose is relaying connections to internal hosts. Access to files (home directories, volumes) is not possible on the jump host.
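Review bot: the new requirements list names `a registered SSH public key` and `a running SSH agent on the client` but gives no pointer to where a key is registered or how an agent is started; since this is now the first thing a reader needs, link the key-registration procedure (the self-service portal that this same revision drops further down) from the list item, or at least refer to the `SSH agent` section below. While touching this hunk, `It's sole purpose` in the unchanged context should read `Its sole purpose`.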
Line 22: Line 29:
  
 The main target for connections via the jump host is the internal host for interactive work, **cli.intra**. This is a dedicated machine for executing simple application, access the compute cluster, run remote backends etc. The main target for connections via the jump host is the internal host for interactive work, **cli.intra**. This is a dedicated machine for executing simple application, access the compute cluster, run remote backends etc.
-Since this host is shared among all users, resource limits have been configuration per user. Each user lmited to 16 GB RAM. CPU resources are distributed among all user, which each user having a guaranteed share. This prevents single users from occupying all resources and ensures that each user has enough resources available.+Since this host is shared among all users, resource limits have been configuration per user. Each user limited to 16 GB RAM. CPU resources are distributed among all user, which each user having a guaranteed share. This prevents single users from occupying all resources and ensures that each user has enough resources available. 
 + 
 +=== Network architecture for accessing resources in the bcf system === 
 + 
 +The diagram explains how to access systems in the intranet from outside the intranet and how to access systems outside the intranet from inside the intranet. The following sections describe how to configure your system for each of the usage scenarios. 
 + 
 +{{ :system:beginners:bcf-ssh-proxy-access.png?direct |}}
  
 === SSH agent === === SSH agent ===
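Review bot: the resource-limit sentence is still ungrammatical after the `lmited` fix; suggest `resource limits have been configured per user. Each user is limited to 16 GB RAM. CPU resources are distributed among all users, with each user having a guaranteed share.` Also `the bcf system` in the new section heading should be `the BCF system` to match the rest of the page.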
Line 40: Line 53:
  
 <code> <code>
-Host cli+Host login login.computational.bio.uni-giessen.de 
 +  HostName login.computational.bio.uni-giessen.de 
 +  User <your-username> 
 +  ForwardAgent yes 
 + 
 +Host cli cli.intra
   HostName cli.intra   HostName cli.intra
-  ProxyJump login.computational.bio.uni-giessen.de+  User <your-username>
   ForwardAgent yes   ForwardAgent yes
 +  ProxyJump login
 +
 </code> </code>
  
 The ''Host'' lines defines the name for the host. This name is used later in the ssh invocation. If you do not want to use the original hostname for convenience, you can also use an arbitrary name. The ''Host'' lines defines the name for the host. This name is used later in the ssh invocation. If you do not want to use the original hostname for convenience, you can also use an arbitrary name.
 ''HostName'' is the name of the target host. If a jump host is used, the given name has to be resolvable on the jump host, not on your local system. E.g. the ''intra'' domain in the example is only valid within the BCF systems. ''ProxyJump'' define the jump host to use. SSH will create a connection to this host, and then connect to the host given by ''HostName'' (if present) or the ''Host'' argument. ''HostName'' is the name of the target host. If a jump host is used, the given name has to be resolvable on the jump host, not on your local system. E.g. the ''intra'' domain in the example is only valid within the BCF systems. ''ProxyJump'' define the jump host to use. SSH will create a connection to this host, and then connect to the host given by ''HostName'' (if present) or the ''Host'' argument.
-''ForwardAgent'' finally ensures that the local SSH agent can be used on the jump host.+''ForwardAgent'' finally ensures that the local SSH agent can be used on the jump host. ''User'' defines as which user you want to connect and it must match your bcf username.
  
  
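Review bot: `ForwardAgent yes` in the new `Host login` stanza is not needed for the `ProxyJump login` setup below it and widens exposure: with ProxyJump the jump host only relays a TCP stream and never sees the agent socket, so the directive only takes effect when someone runs `ssh login` directly, which the page says the host is not meant for. Suggest removing it from the `login` stanza and keeping it on `cli` only. The explanation `ensures that the local SSH agent can be used on the jump host` is correspondingly misleading and should say the agent is forwarded to `cli.intra`, the final target; the new `User` sentence reads better as `User is the account name to connect as and must match your BCF username.`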
Line 79: Line 99:
 Depending on the configuration of your SSH client it may automatically accept host keys. The exact format of the fingerprint depends on the key algorithm used. In the example above the **ED25519** algorithm is used, other variants are **ECDSA** or **RSA**. Newer SSH clients will try to use ED25519. Depending on the configuration of your SSH client it may automatically accept host keys. The exact format of the fingerprint depends on the key algorithm used. In the example above the **ED25519** algorithm is used, other variants are **ECDSA** or **RSA**. Newer SSH clients will try to use ED25519.
  
 +== Access ''cli.intra'' via putty on windows ==
  
-==== Transferring data ====+Load your ssh key in ''pageant'', the ssh-agent for ''putty''. Once loaded you can connect to ''cli.intra'' with the following configuration in putty:
  
-The jump host does not provide access to any storage (home directories, volume)It can not be used to transfer data to or from the BCF systems. These transfers can be I/O intensive and interfere with interactive user sessions. +<code> 
 +Connection -> Proxy  
 + -> Proxy Hostname: login.computational.bio.uni-giessen.de 
 + -> Port: 22 
 + -> Proxy type: SSH to proxy and use port forwarding 
 + -> Username: <username>
  
-Data transfer is only possible using another dedicated host, **transfer.computational.bio.uni-giessen.de**. User are able to connect to this host via **sftp** or **rsync** only. +Connection -> Data 
 + -> Auto-login username: <username>
  
-TODOadd example+Session ->  
 + -> Hostnamecli.intra 
 + -> Port: 22
  
 +# If you want to use agent-forwarding:
 +Connection -> SSH -> Auth
 + -> Allow agent forwarding: activate
 +</code>
  
-==== Deprecated: access via lummerland.computational.bio.uni-giessen.de ====+==== Transferring data ====
  
-The setup composed of jump host for interactive sessions and the dedicated transfer host replaces the former ssh access host**lummerland.computational.bio.uni-giessen.de**. This host will be removed in the near futurePlease change your configuration accordingly.+The jump host does not provide access to any storage (home directoriesvolume)It can not be used to transfer data to or from the BCF systemsThese transfers can be I/O intensive and interfere with interactive user sessions
  
 +Data transfer is only possible using another dedicated host, **transfer.computational.bio.uni-giessen.de**. User are able to connect to this host via **sftp** or **rsync** only. 
  
-===== Generating and uploading keys =====+=== Transfer files with scp ===
  
-With a recent change to our setup the SSH keys on our system are managed centrally in our LDAP infrastructure. You can add you own public keys using our [[https://www.computational.bio.uni-giessen.de/userverify/selfservice| self service portal]].+Add the following configuration to your ssh-config file.
  
 +<code>
 +Host transfer-bcf
 +  HostName transfer.computational.bio.uni-giessen.de
 +  User <your-username>
 +</code>
  
-==== Preliminary Setup ====+Now you should be able to transfer files from and to the bcf-system (your ssh key must be available in the ssh-agent).
  
-Setting up public key authentication to access particular remote host is a one-time procedure comprising a few steps which is roughly the same on all operating systems.+<code> 
 +# Upload file 
 +> scp test transfer-bcf:/vol/sge-tmp/ 
 +test                                                                              100%    0     0.0KB/s   00:00
  
-==== Connect with Windows ====+# Download a file 
 +> scp transfer-bcf:/vol/sge-tmp/test test2 
 +## No output 
 +</code>
  
-Download and install putty distribution (putty installer): +This should work with any openssh client release starting with version 9.0. Older releases might not work at all or might require using the undocumented option ''-s''. We recommend upgrading the client or using the other methods described below.
  
-http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html+=== Transfer files with rsync ===
  
-=== Step 0: Convert an OpenSSH key to PPK ===+Use the same configuration as in the ''scp''-example above.You should be able to transfer files with rsync.
  
-This step is only needed when you've already created OpenSSH key under Linux or Mac OSX and want to use this key in Putty under Windows.+<code> 
 +# Upload file 
 +> rsync -v test transfer-bcf:/vol/sge-tmp/ 
 +test
  
-You have to copy the file "id_rsa" in the directory "~/.ssh" from your Linux/OSX installation to your Windows PC. Then just open the PuTTYgen program (Start > All Programs > PuTTY > PuTTYgen), click on "Load->Load private key" in the menu and open the file "id_rsa"+sent 81 bytes  received 42 bytes  246.00 bytes/sec 
 +total size is 0  speedup is 0.00
  
-The program will ask you for the password of the private key. After correctly entering it, you click on "Save private key" to store the SSH-key in the PPK-format. After this you can forward to Step 2 (When you are a first time user) or Step 3 (When you can already login on Linux/OSX on "lummerland")+# Download a file 
 +> rsync -v transfer-cb:/vol/sge-tmp/test . 
 +test
  
-=== Step 1: Generating the public/private-key pair ===+sent 38 bytes  received 89 bytes  84.67 bytes/sec 
 +total size is 0  speedup is 0.00 
 +</code>
  
-Generate a public/private key pair on your local desktop. From the Start menu, run Start > All Programs > PuTTY > PuTTYgen as illustrated in <imgref initial_putty>. On Windows 8 and above search PuTTYgen with the search field.+=== Transfer files with sftp ===
  
-<imgcaption initial_putty|Initial PuTTYgen window.>{{:public:puttygen1.png?nolink|Initial PuTTYgen window.}}</imgcaption>+Use the same configuration as in the ''scp''-example above.You should be able to transfer files with sftp.
  
-Click the Generate buttonYou will be prompted to move the mouse over the blank area to generate some randomnessDo so. Shortly thereafter, the program will generate the key and display the result (see <imgref after_keys>).+<code> 
 +> sftp transfer-bcf:/vol/sge-tmp 
 +Connected to transfer-bcf. 
 +Changing to: /vol/sge-tmp 
 +sftp> put test 
 +Uploading test to /vol/sge-tmp/test 
 +test                                                                                                                                                                                                                                                  100%    0     0.0KB/s   00:00 
 +sftp> get test 
 +Fetching /vol/sge-tmp/test to test 
 +sftp> exit 
 +</code>
  
-<imgcaption after_keys|After keys have been generated.>{{:public:puttygen2.png?nolink|After keys have been generated.}}</imgcaption>+=== Transfer files with other tools ===
  
-Enter a passphrase in the "Key passphrase" and "Confirm passphrase" boxesYour JLU password makes a good choice since you have probably already committed it to memory and it has withstood password cracking testsHowever, the PuTTY documentation recommends an actual phrase of 10 to 30 characters with word breaks, mixed case, numbers, and non-alphanumeric characters, for example, "DoN't (expect snow)^july."+Transfering data is not restricted to the command line tools presented aboveYou can use any tool that supports the sftp-protocol or the rsync protocolFor detail on how to setup these tools refer to the documentation of these tools
  
-:!:**Under no circumstances should you leave these fields blank!**+==== Using git over ssh ====
  
-Select all of the text in the box labeled "Public key for pasting into OpenSSH authorized_keys file" (near the top of the window) by dragging the cursorRight-click over the selection and choose Copy and paste it into a text editor e.g. "Notepad" and save the file as "authorized_keys" Finally, click the "Save private key" button to save the private key to a file (<imgref saving_private_key>).+SSH connections to the internet are also possible via the central jump hostIn order to tell git to use the jump host, you may edit your **ssh config file** or you may set the **core.sshCommand** variable.
  
-<imgcaption saving_private_key|Saving the private key in file JLU.ppk.>{{:public:puttygen3.png?nolink|Saving the private key in file JLU.ppk.}}</imgcaption> 
  
-**The private key must be kept secret.** Accordingly, the contents of the file are encrypted using the passphrase, and you should pick a file location that is accessible only to you+=== Setting the core.sshCommand variable ===
  
-=== Step 2: Copying the public key to the BCF infrastructure === +It might be the easier and more flexible way to add the jump host to your git config, as you can override this setting per repository, if you like.
- +
-You can upload your new **public** key to the BCF user management using the [[https://www.computational.bio.uni-giessen.de/userverify/selfservice| self service portal]]. You can paste the public key directly as shown by putty. +
- +
-**The private key is not installed on any remote host and stays on your normal PC!** +
- +
-{{anchor:windowsputtysetup}} +
-=== Step 3: Logging in with SSH === +
- +
-Start PUTTY on your own PC to verify that public key authentication works. Basic public key authentication is enabled for a particular session in the Connection > SSH > Auth window. You must create a specific session profile (<imgref add_session>) before configuring the Auth window (<imgref auth_window>). Type in "lummerland.computational.bio.uni-giessen.de" in text field "Host Name (or IP address)". Type in "lummerland" in the text field "Saved sessions" and click on "save" +
- +
-Select "Data" on the left list (<imgref add_user_to_session_profile>) and type in your username in the text field "user name"+
- +
-Select "Connection -> SSH ->Auth" on the left list (<imgref auth_window>). Browse to select "JLU.ppk" in the "Private key file for authentication" text box. Be sure to go back to the Session window and click Save to update the profile. The session will use public key authentication as demonstrated in Figure 9. +
- +
-<imgcaption add_session|Create the appropriate session profile.>{{:public:session.png?nolink|Create the appropriate session profile.}}</imgcaption> +
- +
-<imgcaption add_user_to_session_profile|Add user name to session profile.>{{:public:username.png?nolink|Add user name to session profile.}}</imgcaption> +
- +
-<imgcaption auth_window|Connection... SSH... Auth window>{{:public:auth.png?nolink|Connection -> SSH -> Auth window.}}</imgcaption> +
- +
-After this you can log into your account with SSH by double clicking on your session profile in the PUTTY client. +
- +
-{{anchor:windowspagentsetup}} +
-=== Step 4: Adding auto-login with Pageant === +
- +
-At first glance, basic public key authentication offers no advantages since a passphrase is always required. However, single signon can be achieved by setting up the PuTTY authentication agent, Pageant (pronounced page-ant). +
- +
-Starting "Pageant" (Start > All Programs > PuTTY > Pageant) puts an icon in the system tray. Right-click on the icon and choose "Add Key" as illustrated in <imgref add_key_to_pagent>+
- +
-<imgcaption add_key_to_pagent|Add a key to Pageant.>{{:public:pageant1.png?nolink|Add a key to Pageant.}}</imgcaption> +
- +
-When the "Select Private Key File" file dialog appears, find "JLU.ppk". You will be prompted for the passphrase so that Pageant can store the unencrypted private key in memory to use in authentication. Remove "JLU.ppk" from the "Private key file for authentication" text box in the Connections > SSH > Auth window for the session profile in Putty. All subsequent logins and file transfers will by authenticated by Pageant. +
- +
-==== Connect with Linux/Mac OS X ==== +
- +
-=== Plan ahead === +
- +
-If you have already used SSH on your machinechances are that a default key already exists. If you generate a new key without specifying a different identity, the default key will be overwritten. As a result all accounts using this key will become inaccessible for you. +
- +
-**WE THUS RECOMMEND NOT TO USE THE DEFAULT IDENTITY, BUT USE SEPARATE KEYS FOR INDIVIDUAL ACCOUNTS!** +
- +
-This tutorial uses ''bcf'' as identity name, but you are free to use any other name. +
- +
-=== Generate a new SSH key === +
- +
-Open a terminal and use the ''ssh-keygen'' application to generate a new key. +
- +
-Example: +
- +
-<code>ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa_bcf</code> +
- +
-with: +
-  * ''-t rsa'' defines the type of the key, RSA in this case +
-  * ''-b 4096'' size of the key in bits. 4096 should be enough in most cases +
-  * ''-f ~/.ssh/id_rsa_bcf'' prefix for files to store private and public keys +
- +
-This example command will create two files: ''~/.ssh/id_rsa_bcf'' containing the private key, and ''~/.ssh/id_rsa_bcf.pub'' with the public key file. As mentioned before, we recommend not to use the default name for the key filesespecially not if you want to update keys. +
- +
-You'll be asked to enter a passphrase. See Step 1 in the Windows section of this wiki for generating a good password. +
- +
-After you enter a passphrase, you'll be given the fingerprint, or id, of your SSH key. It will look something like this: +
- +
-<code>Your identification has been saved in /Users/you/.ssh/id_rsa_bcf. +
-# Your public key has been saved in /Users/you/.ssh/id_rsa_bcf.pub. +
-# The key fingerprint is: +
-# 01:0f:f4:3b:ca:85:d6:17:a1:7d:f0:68:9d:f0:a2:db</code> +
- +
-Newer SSH releases may use a different format for the fingerprint, e.g. +
- +
-<code>The key fingerprint is: +
-SHA256:cymD0d5KZTUrgoD0+CYzdtzU1YpjvWHyRXJqZ4GUIZg ....</code> +
- +
-In this case you can display the older MD5 based fingerprint using the ''ssh-keygen -l -E md5 -f <private key file>'' command:+
  
 <code> <code>
-$ ssh-keygen --E md5 -f <...> +git config --global core.sshCommand 'ssh -J login.computational.bio.uni-giessen.de'
-2048 MD5:8c:1b:43:07:57:1f:4d:dc:cc:6c:24:ff:50:10:1d:37 <....>+
 </code> </code>
  
-It might be a good idea to temporary note down the fingerprint, since it will be used in the next step for verification. 
  
 +=== Editing the ssh config file ===
  
-=== Copy the public key to your JLU account ===+Per default the ssh config file is located at **~/.ssh/config**. You may add a record for each repository hub you like to reach out, e.g. **github.com**, **gitlab.com**, **bitbucket.com** and so on. You may also use wildcards in the Host string.
  
-You can uplod your new key to the BCF user management using the [[https://www.computational.bio.uni-giessen.de/userverify/selfservice| self service portal]]. The files containing the public key in the example above is ''~/.ssh/id_rsa_bcf.pub''. The portal will send you an email containing the key fingerprint of the uploaded key, so please compare it to the fingerprint from the previous step. +A basic configuration could look like:
- +
-You are **not able** to use tools like ssh-copy-id on the BCF systems! +
- +
-=== Login with SSH === +
- +
-Open a terminal and type in the following command: +
- +
-<code>ssh -i ~/.ssh/id_rsa_bcf username@lummerland.computational.bio.uni-giessen.de</code> +
- +
-On all modern Linux distributions and Mac OS X a small window will appear which will ask you for your password used at the generation of the private key. You can now allow the keyring manager of Linux/OSX to store this password in the user keyring of your operating system. After this you don't need to enter the password another time. +
- +
-**Remember:** +
- +
-Every person who has access to your account on your PC can login with SSH to your JLU account. +
- +
-=== Setup fast login === +
- +
-To speed up login into your account you can use the ssh configuration file ''~/.ssh/config''. It allows you to predefine host name, user name and key for a target:+
  
 <code> <code>
-Host lummerland +Host github.com gitlab.com bitbucket.com 
-  HostName lummerland.computational.bio.uni-giessen.de +  ProxyJump login.computational.bio.uni-giessen.de
-  User username +
-  IdentityFile ~/.ssh/id_rsa_bcf+
 </code> </code>
  
-You have to change "username" to your BCF login name and use the right file containing the generated private key. +Beware that the ssh configuration file is used by openssh for all ssh connections and not only when using git!
- +
-Now you can login with the following command: +
- +
-<code>ssh lummerland</code> +
- +
-==== Security Considerations ==== +
- +
-The link is not working any longer, but kept if becoming available again. +
- +
-<del>http://www.ualberta.ca/AICT/RESEARCH/LinuxClusters/pka-putty.html#sc</del>+
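Review bot: the rsync download example `> rsync -v transfer-cb:/vol/sge-tmp/test .` uses the alias `transfer-cb`, which does not match the `Host transfer-bcf` stanza defined above it, so the command as written fails with a host-resolution error; change it to `transfer-bcf` like the other examples. The deletion of the whole `Generating and uploading keys` section also removes the only instructions for creating a key, verifying its fingerprint and registering it via the self-service portal, while the new requirements section makes a registered key mandatory; keep at least the portal link and the `ssh-keygen` example under a heading that no longer mentions lummerland. Smaller points: `above.You` (twice) is missing a space, `Transfering` should be `Transferring`, `For detail` should be `For details`, and the `Host github.com gitlab.com bitbucket.com` pattern should be checked against the SSH hostname Bitbucket actually uses (`bitbucket.org`), otherwise the `ProxyJump` rule never matches it.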
system/beginners/remoteaccess.1724255592.txt.gz · Last modified: 2024/08/21 15:53 by blinke