Using ssh: Difference between revisions

From DEV UW-Math Wiki
 
(11 intermediate revisions by 2 users not shown)
Line 1: Line 1:
== Using ssh to Access Math Department Resources==
= Using SSH to Access Math Department Resources=


The University of Wisconsin-Madison Department of Mathematics maintains two login servers for ssh connections from outside the department.
The University of Wisconsin-Madison Department of Mathematics maintains a login server for SSH connections from outside the department. It is named '''login.math.wisc.edu''' (referred to as '''login.x''' below for brevity).


# login0.math.wisc.edu: To connect to this server, you must have an IP address that corresponds to a wisc.edu host address. You can use the campus wireless or a VPN client to get a wisc.edu IP address. Other names for this server are bing.math.wisc.edu and login.math.wisc.edu. Any of these names should work.
== Connecting ==
# login1.math.wisc.edu. To connect to this server, you must use an ssh key. For instructions on using an ssh key, see below. Another name for this server is abel.math.wisc.edu.
To connect from a university network or from outside the university with a VPN:
* Server name: '''login.math.wisc.edu'''
* Port: '''22'''
* Authentication method: '''password''' or '''SSH key'''
* To connect this way, you must have an IP address that corresponds to a wisc.edu host address. You can use the campus wireless[https://it.wisc.edu/services/wireless-uwnet/ | UWNet], [https://it.wisc.edu/services/wireless-eduroam/ | Eduroam], or [https://it.wisc.edu/services/wiscvpn/ | WiscVPN].  
* Example SSH command to connect: <pre>ssh login.math.wisc.edu</pre>


To access Math Department resources via ssh, you must first use an ssh client to connect to either login0 or login1. You can then ssh to the system of your choice within the department.
== Connecting to other servers ==
 
To access Math Department resources via SSH, you must first use an SSH client to connect to login.x. You can then SSH to the system of your choice within the department.


For example, suppose you wished to run a sage program on one of the research servers. For simplicity sake, the research servers have aliases (nicknames) magma0, magma1, ..., magma19, with the more powerful machines having the lowest numbers.
For example, suppose you wished to run a sage program on one of the research servers. For simplicity sake, the research servers have aliases (nicknames) magma0, magma1, ..., magma19, with the more powerful machines having the lowest numbers.


To start your sage program, you might use an ssh client on your laptop to connect to login0.math.wisc.edu then run ssh again on login0 to connect to magma0. Please do not run research programs on login0 or login1. While these machines may have all the tools necessary to test programs, they are not powerful enough to handle more than the most trivial of tasks. If you run a program that uses a lot of resources on login0 or login1, you may prevent users (including yourself) from accessing these machines.
To start your sage program, you might use an SSH client on your laptop to connect to login.math then run SSH again on login.x to connect to magma0. Please do not run research programs on login.x! While this machine may have all the tools necessary to test programs, it is  not powerful enough to handle more than the most trivial of tasks. If you run a program that uses a lot of resources on login.x, you may prevent users (including yourself) from accessing these machines or significantly reduce it's responsiveness.
 
==Generating and using an SSH Key==
''Using SSH public key authentication to connect to a remote system is a robust, more secure alternative to logging in with an account password or passphrase. SSH public key authentication relies on asymmetric cryptographic algorithms that generate a pair of separate keys (a key pair), one "private" and the other "public". You keep the private key a secret and store it on the computer you use to connect to the remote system. Conceivably, you can share the public key with anyone without compromising the private key; you store it on the remote system in a .ssh/authorized_keys directory.''<ref>https://kb.iu.edu/d/aews</ref>
 
 
The IT staff recommends that you generate an SSH key to  use when moving from one machine to another within the department network. Using an SSH key is both easier and more secure than retyping your password when you are moving from one Math Department machine to another.  
 
To set up an SSH key on the Linux Workstations, do the following:
 
# Log onto any Linux workstation or research server in the department. You can use SSH as explained above to connect to login.x  for this purpose.
# If you are logged in to a desktop GUI, open a terminal window.
# At the prompt, type <code>ssh-keygen</code>. Accept the default values. You need not enter a passphrase, but it is more secure if you do. You can just press enter at the prompt to not use a passphrase.
# Add the key you just generated to your authorized_keys file. Type, <code>cat ~/.ssh/id_rsa.pub  >> ~/.ssh/authorized_keys</code>
# To test, type, <code>ssh magma0</code>. You should be connected to magma0 without having to retype your password unless you chose to use a passphrase. Then you would be prompted for that password instead of your user account password.
On other computers how this is done depends on the SSH software in use. On Windows, Mac, and Linux OpenSSH is the most common option and will be described here.
 
# Open a terminal
# Run <code>ssh-keygen</code>. Accept the default values for all prompts.
# A public key has been generated. Locate it. On all platforms OpenSSH places keys in the <code>.ssh</code> folder in your home directory.
# View the public key, it is a text file:
## Linux/Mac from a terminal: <code>cat ~/.ssh/id_rsa.pub</code>
## Windows from Powershell: notepad <code>$HOME\.ssh\id_rsa.pub</code>
# Copy the text from the public key file to the clipboard.
# SSH to login.x.
# Run <code>cat >> ~/.ssh/authorized_keys</code>
# Paste the public key from the clipboard into the terminal.
# Press <code>CTRL-C</code>
# Test SSH'ing from your computer to login.x again to verify that it worked.
 
Note: The login server login.math requires the use of SSH keys to connect from outside university networks. You can use this same SSH key for that purpose. Instructions for doing so are different for each ssh client and are therefore beyond the scope of this document. Consult your client's documentation (or do an internet search) or ask a member of the IT staff for assistance.
 
 
== SSH FAQ ==
=== WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! ===
==== Problem ====
 
When connecting to a server you see this message
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!    @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that a host key has just been changed.
    The fingerprint for the ECDSA key sent by the remote host is
    SHA256:1U70vTc+CTgtUhqWKJ5tIs03SDJOsLtBRp3OQxgCoWQ.
 
==== Solution ====
If you had connected to the server recently without problem please contact IT ASAP and we'll take a look. If it has been a long time(6+ months) since you last connected it is possible that the server's "SSH fingerprint" has changed. In this case you can either contact IT(preferred) or run this command:
 
    ssh-keygen -R NAME_OF_SERVER_YOU_WERE_CONNECTING_TO
 
Then try connecting again.  It will ask you about the "authenticity of host". Just enter "yes". You should now be connected.
 
If the problem happens again soon after it was fixed once please contact IT ASAP as this can indicate a possible security issue.
 
 
== Connecting: Advanced Topics ==
These topics assume you are using an OpenSSH client(Linux, Mac OS, or [https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse|Windows])
 
Your SSH settings folder is the '''.ssh''' folder in your home directory.
 
===Using login.x as a Jump Host===
 
One can configure the OpenSSH client to automatically use login.x as a "jump host" to connect to other servers. Once you have SSH keys configured you can connect to any research server with a single command. For example, to connect to magma2 using login.x as a jump host:
<pre>
$ ssh -J login magma2
you@edmonton:~$
</pre>


A different set of instructions is also available here:  [https://docs.google.com/a/wisc.edu/viewer?a=v&pid=sites&srcid=d2lzYy5lZHV8bWF0aC1pbnRyYW5ldHxneDo1NDg5ZmE4MzZhMzVkNThk]
First generate an SSH key pair as decribed in "Generating an SSH Key" above.


===Generating an ssh Key===
Next, edit the config file in your '''.ssh''' folder on your workstation/laptop and add the following, replacing YOUR_USER_NAME with your account name on the servers:
<pre>
Host login
    HostName login.math.wisc.edu
    User YOUR_USER_NAME
    ForwardAgent yes


The IT staff recommends that you generate an ssh key to  use when moving from one machine to another within the department network. Using an ssh key is both easier and more secure than retyping your password when you are moving from one Math Department machine to another. To use an ssh key, do the following.
Host magma2
    HostName magma.math.wisc.edu
    User YOUR_USER_NAME
</pre>


# Log onto any Linux workstation or research server in the department. You can use ssh as explained above to connect to login0 or login1 for this purpose.
You can add more "Host" entries for other servers that you use.
# At the prompt, type "ssh-keygen". Accept the default values. You need not enter a passphrase, so just press enter.
# Add the key you just generated to your authorized_keys file. Type, "cat ~/.ssh/id_rsa.pub  >> ~/.ssh/authorized_keys"
# To test, type, "ssh magma0". You should be connected to magma0 without having to retype your password.


Note: The login server login1.math.wisc.edu requires the use of ssh keys to connect. You can use this same ssh key for that purpose. Instructions for doing so are different for each ssh client and are therefore beyond the scope of this document. Consult your client's documentation (or google) or ask a member of the IT staff for assistance.
Then test as shown above.
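Review bot: The new "Host login" block sets "ForwardAgent yes", but the documented command "ssh -J login magma2" does not need agent forwarding, because with a jump host the client on the laptop authenticates to magma2 itself through the tunnel. A forwarded agent can be used by anyone on login.x who is able to reach its socket, so I would drop that line and add "ProxyJump login" to the "Host magma2" entry instead, which also lets a plain "ssh magma2" work. Two smaller points in the same revision: the added key-install steps finish "cat >> ~/.ssh/authorized_keys" with CTRL-C, where CTRL-D (end of input) is the clean way to finish, since CTRL-C can discard a pasted line that has no trailing newline; and the FAQ says to just enter "yes" at the authenticity prompt without first comparing the displayed fingerprint with one obtained from IT. Please also confirm that "HostName magma.math.wisc.edu" under "Host magma2" is intended.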

Latest revision as of 19:16, 23 August 2022

Using SSH to Access Math Department Resources

The University of Wisconsin-Madison Department of Mathematics maintains a login server for SSH connections from outside the department. It is named login.math.wisc.edu (referred to as login.x below for brevity).

Connecting

To connect from a university network or from outside the university with a VPN:

  • Server name: login.math.wisc.edu
  • Port: 22
  • Authentication method: password or SSH key
  • To connect this way, you must have an IP address that corresponds to a wisc.edu host address. You can use the campus wireless (UWNet or Eduroam) or WiscVPN.
  • Example SSH command to connect:
    ssh login.math.wisc.edu

Connecting to other servers

To access Math Department resources via SSH, you must first use an SSH client to connect to login.x. You can then SSH to the system of your choice within the department.

For example, suppose you wished to run a sage program on one of the research servers. For simplicity's sake, the research servers have aliases (nicknames) magma0, magma1, ..., magma19, with the more powerful machines having the lowest numbers.

To start your sage program, you might use an SSH client on your laptop to connect to login.math, then run SSH again on login.x to connect to magma0. Please do not run research programs on login.x! While this machine may have all the tools necessary to test programs, it is not powerful enough to handle more than the most trivial of tasks. If you run a program that uses a lot of resources on login.x, you may prevent users (including yourself) from accessing this machine or significantly reduce its responsiveness.

Generating and using an SSH Key

Using SSH public key authentication to connect to a remote system is a robust, more secure alternative to logging in with an account password or passphrase. SSH public key authentication relies on asymmetric cryptographic algorithms that generate a pair of separate keys (a key pair), one "private" and the other "public". You keep the private key a secret and store it on the computer you use to connect to the remote system. Conceivably, you can share the public key with anyone without compromising the private key; you store it on the remote system in a .ssh/authorized_keys directory.[1]


The IT staff recommends that you generate an SSH key to use when moving from one machine to another within the department network. Using an SSH key is both easier and more secure than retyping your password when you are moving from one Math Department machine to another.

To set up an SSH key on the Linux Workstations, do the following:

  1. Log onto any Linux workstation or research server in the department. You can use SSH as explained above to connect to login.x for this purpose.
  2. If you are logged in to a desktop GUI, open a terminal window.
  3. At the prompt, type ssh-keygen. Accept the default values. You need not enter a passphrase, but it is more secure if you do. You can just press enter at the prompt to not use a passphrase.
  4. Add the key you just generated to your authorized_keys file. Type, cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
  5. To test, type, ssh magma0. You should be connected to magma0 without having to retype your password, unless you chose to use a passphrase. In that case you will be prompted for that passphrase instead of your user account password.

On other computers, how this is done depends on the SSH software in use. On Windows, Mac, and Linux, OpenSSH is the most common option and will be described here.

  1. Open a terminal
  2. Run ssh-keygen. Accept the default values for all prompts.
  3. A public key has been generated. Locate it. On all platforms OpenSSH places keys in the .ssh folder in your home directory.
  4. View the public key; it is a text file:
    1. Linux/Mac from a terminal: cat ~/.ssh/id_rsa.pub
    2. Windows from PowerShell: notepad $HOME\.ssh\id_rsa.pub
  5. Copy the text from the public key file to the clipboard.
  6. SSH to login.x.
  7. Run cat >> ~/.ssh/authorized_keys
  8. Paste the public key from the clipboard into the terminal.
  9. Press CTRL-C
  10. Test SSH'ing from your computer to login.x again to verify that it worked.
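
A more defensive way to do the append in the steps above, as an added example that is not part of the original page: it accepts only a well-formed public key line, skips a key that is already installed, and sets the permissions sshd's StrictModes check expects. The helper name install_pubkey, its arguments and the sample key string are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the original page. install_pubkey is a hypothetical helper.
# Usage (on the server): install_pubkey PUBKEY_FILE [AUTHORIZED_KEYS_FILE]
install_pubkey() {
    pub=$1
    auth=${2:-$HOME/.ssh/authorized_keys}
    dir=$(dirname "$auth")

    # Only the .pub half belongs on the server; refuse anything that is a private key.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "refusing: $pub looks like a private key" >&2
        return 2
    fi
    # First line of the form "<type> <base64> [comment]" for the common key types.
    key=$(grep -E '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( |$)' "$pub" | head -n 1)
    if [ -z "$key" ]; then
        echo "refusing: no public key line found in $pub" >&2
        return 2
    fi
    # sshd ignores authorized_keys when it or ~/.ssh is writable by other users.
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$auth" && chmod 600 "$auth"

    # Compare on type and key data only, so a different comment is not a new key.
    blob=$(printf '%s\n' "$key" | awk '{print $1 " " $2}')
    if awk -v want="$blob" '($1 " " $2) == want {found = 1} END {exit !found}' "$auth"; then
        echo "already present"
        return 0
    fi
    # If the file does not end in a newline, add one so two keys never share a line.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi
    printf '%s\n' "$key" >> "$auth"
    echo "added"
}

# Constructed demo in a scratch directory; the key is a made-up string, not a real key.
demo=$(mktemp -d)
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDSAMPLEKEYDATA you@laptop' > "$demo/id.pub"
install_pubkey "$demo/id.pub" "$demo/.ssh/authorized_keys"   # prints: added
install_pubkey "$demo/id.pub" "$demo/.ssh/authorized_keys"   # prints: already present
rm -rf "$demo"
```

Where the OpenSSH client ships ssh-copy-id, that tool does the same append from the client side.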

Note: The login server login.math requires the use of SSH keys to connect from outside university networks. You can use this same SSH key for that purpose. Instructions for doing so are different for each SSH client and are therefore beyond the scope of this document. Consult your client's documentation (or do an internet search) or ask a member of the IT staff for assistance.


SSH FAQ

WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!

Problem

When connecting to a server you see this message:

   @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
   @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
   @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
   IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
   Someone could be eavesdropping on you right now (man-in-the-middle attack)!
   It is also possible that a host key has just been changed.
   The fingerprint for the ECDSA key sent by the remote host is
   SHA256:1U70vTc+CTgtUhqWKJ5tIs03SDJOsLtBRp3OQxgCoWQ.

Solution

If you had connected to the server recently without problems, please contact IT ASAP and we'll take a look. If it has been a long time (6+ months) since you last connected, it is possible that the server's "SSH fingerprint" has changed. In this case you can either contact IT (preferred) or run this command:

   ssh-keygen -R NAME_OF_SERVER_YOU_WERE_CONNECTING_TO

Then try connecting again. It will ask you about the "authenticity of host". Just enter "yes". You should now be connected.

If the problem happens again soon after it was fixed once, please contact IT ASAP, as this can indicate a possible security issue.
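
Before answering "yes", the fingerprint printed in the warning can be compared with one obtained from IT over a separate channel; the added example below (not part of the original page) does that comparison on the warning text. The function names and the one-key-per-line list format are assumptions, and the sample list holds a placeholder rather than a real fingerprint.

```sh
#!/bin/sh
# Added example, not from the original page. warning_key, check_warning and the
# list format "<host> <keytype> <fingerprint>" are assumptions for illustration.

# Print "<KEYTYPE> <FINGERPRINT>" as reported in ssh's warning text on stdin.
warning_key() {
    awk '
        /fingerprint for the .* key sent by the remote host/ {
            for (i = 2; i <= NF; i++) if ($i == "key") type = $(i - 1)
        }
        fp == "" && match($0, "SHA256:[A-Za-z0-9+/]+") {
            fp = substr($0, RSTART, RLENGTH)
        }
        END { if (type == "" || fp == "") exit 1; print type, fp }
    '
}

# check_warning HOST TRUSTED_LIST < warning.txt
#   0  the key in the warning is one IT has published for HOST
#   1  HOST is listed with a different key: do not accept it, contact IT
#   2  cannot decide (warning not parsable, or HOST not in the list)
check_warning() {
    seen=$(warning_key) || return 2
    awk -v h="$1" -v t="${seen% *}" -v f="${seen#* }" '
        $1 == h { listed = 1; if (toupper($2) == toupper(t) && $3 == f) ok = 1 }
        END { exit (ok ? 0 : (listed ? 1 : 2)) }
    ' "$2"
}

# Constructed sample: the relevant lines of the warning shown on this page.
sample_warning() {
    cat <<'EOF'
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:1U70vTc+CTgtUhqWKJ5tIs03SDJOsLtBRp3OQxgCoWQ.
EOF
}

# Constructed list holding a placeholder; the real value must come from IT.
list=$(mktemp)
echo 'login.math.wisc.edu ecdsa SHA256:PLACEHOLDER_FROM_IT' > "$list"
if sample_warning | check_warning login.math.wisc.edu "$list"; then
    echo "match: run ssh-keygen -R for the host and reconnect"
else
    echo "status $?: leave known_hosts alone and contact IT"
fi
rm -f "$list"
```

The list has to reach you by a path other than the SSH connection being checked, otherwise whoever can alter the connection can alter the list too.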


Connecting: Advanced Topics

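These topics assume you are using an OpenSSH client (Linux, Mac OS, or Windows: https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse).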

Your SSH settings folder is the .ssh folder in your home directory.

Using login.x as a Jump Host

One can configure the OpenSSH client to automatically use login.x as a "jump host" to connect to other servers. Once you have SSH keys configured you can connect to any research server with a single command. For example, to connect to magma2 using login.x as a jump host:

$ ssh -J login magma2
you@edmonton:~$ 

First generate an SSH key pair as described in "Generating an SSH Key" above.

Next, edit the config file in your .ssh folder on your workstation/laptop and add the following, replacing YOUR_USER_NAME with your account name on the servers:

Host login
    HostName login.math.wisc.edu
    User YOUR_USER_NAME
    ForwardAgent yes

Host magma2
    HostName magma.math.wisc.edu
    User YOUR_USER_NAME

You can add more "Host" entries for other servers that you use.

Then test as shown above.
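
The same jump-host setup with agent forwarding switched off, plus a check that lists which Host blocks of a config still forward the agent; this is an added example, not part of the original page. With ssh -J or ProxyJump the laptop authenticates to the target itself through the tunnel, so the ForwardAgent line is not needed for it, and a forwarded agent is usable by anyone on login.x who can reach its socket. The helper name forwarding_hosts and the two sample functions are assumptions.

```sh
#!/bin/sh
# Added example, not from the original page. forwarding_hosts is a hypothetical helper.

# Print the Host patterns of an ssh_config (file argument or stdin) whose block
# turns agent forwarding on. Any ForwardAgent value other than "no" forwards.
forwarding_hosts() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }   # accept "Key=Value" too
        /^#/ || NF == 0 { next }
        tolower($1) == "host" { hosts = $0; sub(/^[^ \t]+[ \t]+/, "", hosts); next }
        tolower($1) == "match" { hosts = $0; next }
        tolower($1) == "forwardagent" && tolower($2) != "no" {
            print (hosts == "" ? "*" : hosts)
        }
    ' "$@"
}

# The configuration as given on this page.
page_config() {
    cat <<'EOF'
Host login
    HostName login.math.wisc.edu
    User YOUR_USER_NAME
    ForwardAgent yes

Host magma2
    HostName magma.math.wisc.edu
    User YOUR_USER_NAME
EOF
}

# Alternative: no agent on login.x; "ssh magma2" alone now goes through the
# jump host, equivalent to "ssh -J login magma2".
jump_config() {
    cat <<'EOF'
Host login
    HostName login.math.wisc.edu
    User YOUR_USER_NAME
    ForwardAgent no

Host magma2
    HostName magma.math.wisc.edu
    User YOUR_USER_NAME
    ProxyJump login
EOF
}

echo "page config forwards the agent to: $(page_config | forwarding_hosts)"
echo "alternative forwards the agent to: $(jump_config | forwarding_hosts)"
```

Run forwarding_hosts ~/.ssh/config to audit an existing client configuration.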