National Energy Research Scientific Computing Center
A DOE Office of Science User Facility
at Lawrence Berkeley National Laboratory

Secure Connections from a Unix System using SSH

SSH allows users of Unix workstations to secure their terminal and file transfer connections. This page shows the straightforward ways to make these secure connections.

NERSC users are strongly encouraged to use version 2 of the SSH protocol. This page covers protocol version 2 access, and mentions protocol 1 only where the transition from protocol 1 to protocol 2 matters.

SSH provides the functional equivalent of the rlogin utility, but in a secure fashion. SSH is freely available for Unix-based systems and should be installed with an accompanying man page. The simplest usage is described here.

Run ssh on your local workstation, specifying the remote destination machine as follows:

workhorse% ssh -l bopshewah franklin.nersc.gov
bopshewah@franklin.nersc.gov's password: <enter password here>

franklin %

In the above, a user named "bopshewah" connects via a workstation named "workhorse" to the system named "franklin".

Password-less logins and file transfers

You can use SSH to set up a convenient environment for connecting and copying files remotely without being prompted for a password each time. Below we outline the way this is typically done. If this does not work, you may have to ask your system administrator for help.

SSH connections can be authenticated with a private/public key pair, which this page calls "passphrase" authentication because the private key is protected by a passphrase. The user generates the key pair once, and SSH uses it for authentication. This can be very convenient once it is set up. For example, the user can store his/her passphrase in memory on a local workstation once at the start of the workday and then connect to other machines from that workstation without being prompted for passwords or passphrases.

To set up passphrase authentication, on your local machine:

  1. Make sure you have SSH installed on your local machine.
  2. Make sure you have a directory named $HOME/.ssh on your local machine.
  3. Run the command ssh-keygen -t rsa or ssh-keygen -t dsa. By default, this will create files in $HOME/.ssh named id_rsa or id_dsa and id_rsa.pub or id_dsa.pub. The file id_rsa or id_dsa contains your private key; id_rsa.pub or id_dsa.pub is the corresponding public key. You will be prompted to enter a "passphrase." This is a text string, similar to a password, that you will use for passphrase authentication. Do not make it the same as your password.

Do the following on each remote machine that you want to access.

  1. Make a directory $HOME/.ssh on the remote machine.
  2. Copy the contents of the file on your local machine named $HOME/.ssh/id_rsa.pub or id_dsa.pub into a file on the remote machine named $HOME/.ssh/authorized_keys2. Make sure that you have not introduced any spurious line breaks into the file when you copy it: each public key must occupy exactly one line. This single file can hold multiple public keys on separate lines.
  3. Log out of the remote machine. Now when you connect to the remote machine from your local workstation, SSH will prompt you for the passphrase.
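The remote-side step above is where most setups go wrong: a line break introduced while pasting the key, the same key pasted twice, or a .ssh directory or authorized_keys file that sshd refuses because it is writable by group or others (sshd's default StrictModes setting ignores such files). The script below is an added example, not code from the NERSC page: it validates the .pub file before appending it and sets the permissions sshd expects. It keeps the page's file names (id_rsa.pub, authorized_keys2; current OpenSSH reads both authorized_keys and authorized_keys2 by default) and, going beyond the page's rsa/dsa key types, also accepts ssh-ed25519 and ecdsa keys because current ssh-keygen produces them. The function names and the authorized_keys path are choices made here.

```sh
#!/bin/sh
# Added example (not from the NERSC page): install a public key into an
# authorized_keys file with the checks that catch the usual failures.
# File names follow the page (id_rsa.pub, authorized_keys2); the key types
# accepted go beyond the page's rsa/dsa to include ed25519 and ecdsa.

# valid_pubkey_line: read one line on stdin; succeed if it has the
# OpenSSH public-key shape "<type> <base64 blob> [comment]".
valid_pubkey_line() {
    grep -Eq '^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/]+=*( .*)?$'
}

# count_valid_keys <authorized_keys file>: print how many lines are
# well-formed keys; report each malformed non-blank line on stderr.
count_valid_keys() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        if printf '%s\n' "$line" | valid_pubkey_line; then
            n=$((n + 1))
        else
            echo "malformed line in $1: $line" >&2
        fi
    done < "$1"
    echo "$n"
}

# append_authorized_key <id_xxx.pub> <authorized_keys file>
# exit status: 0 key appended, 2 key already present, 1 file rejected.
append_authorized_key() {
    pub="$1"; auth="$2"
    # A .pub file is exactly one line; more means a line break crept in
    # while copying, which is the failure the page warns about.
    lines=$(awk 'END { print NR }' "$pub")
    if [ "$lines" -ne 1 ]; then
        echo "reject: $pub has $lines lines, expected exactly 1" >&2
        return 1
    fi
    key=$(head -n 1 "$pub")
    if ! printf '%s\n' "$key" | valid_pubkey_line; then
        echo "reject: $pub is not a well-formed OpenSSH public key" >&2
        return 1
    fi
    dir=$(dirname "$auth")
    mkdir -p "$dir" && touch "$auth" || return 1
    # Duplicate check on "<type> <blob>" only, so the same key with a
    # different comment is not added a second time.
    blob=$(printf '%s\n' "$key" | awk '{ print $1 " " $2 }')
    if awk '{ print $1 " " $2 }' "$auth" | grep -Fxq "$blob"; then
        echo "skip: key already present in $auth" >&2
        return 2
    fi
    printf '%s\n' "$key" >> "$auth"
    # sshd (StrictModes yes, the default) ignores the file when it or the
    # directory is writable by group or others.
    chmod 700 "$dir" && chmod 600 "$auth"
}

# Command-line use: ./install_pubkey.sh ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys2
if [ "$#" -eq 2 ]; then
    append_authorized_key "$1" "$2"
fi
```

Run it on the remote machine after copying the .pub file over, or use count_valid_keys on an existing authorized_keys2 to find the line that a paste broke.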

You can eliminate the need to type your passphrase every time you connect. This is done by using the ssh-agent and ssh-add utilities. They are part of the standard SSH distribution.

Before you connect you can run a shell under ssh-agent. Then issue the ssh-add command, enter your passphrase once, and use ssh to connect to remote machines. If you have placed your public key in the remote .ssh directory, you will be connected with no prompt for a password or passphrase.

For example, on the local workstation:

% ssh-agent csh
% ssh-add ~/.ssh/id_rsa
Need passphrase for /home/user/.ssh/id_rsa
Enter passphrase for /home/user/.ssh/id_rsa: my_passphrase
Identity added: /home/user/.ssh/id_rsa (/home/user/.ssh/id_rsa)

For even more convenience, you can start your X11 window manager to run under ssh-agent. Then all new processes started from within that environment will know about the passphrase stored by ssh-add.

See your system administrator for information on how to accomplish this. The following example is specific to RedHat Linux:

Edit the files in the /etc/X11/gdm/Sessions/ directory. Instead of using exec, make the X session run under ssh-agent. Here's an example /etc/X11/gdm/Sessions/Default file:

#!/bin/bash

/usr/bin/ssh-agent /etc/X11/xdm/Xsession

Log out and log back in again. You must do the following once each time you log in and start the X11 windowing system:

Start an xterm or other terminal. Type

ssh-add

and type in the passphrase you used when you generated your identity file.

The last step loads your passphrase into memory. Now every time you access a remote machine from your workstation, you will not be prompted for your passphrase or password.

For example, this command will connect you to franklin (assuming you have a public key stored there) in a new xterm and log you in automatically:

% xterm -e ssh franklin.nersc.gov
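Running the whole X session under ssh-agent, as described above, ties the agent to one login; a shell login over the network gets no agent, and the loaded identities live until the session ends. The script below is an added example, not part of the NERSC page or of RedHat's gdm setup: sourced from ~/.profile, it reuses one agent per user across logins and, going beyond the page, starts the agent with a key lifetime (ssh-agent -t and ssh-add -t, which are real OpenSSH options) so identities expire after the workday rather than staying loaded indefinitely. Because the agent's environment is saved in a file and sourced later, the file is checked line by line against the exact output ssh-agent -s prints before it is sourced. AGENT_ENV, AGENT_LIFETIME and the function names are names chosen here, not ssh settings.

```sh
#!/bin/sh
# Added example (not from the NERSC page): one ssh-agent per user, reused
# across logins, with a lifetime on loaded identities. AGENT_ENV and
# AGENT_LIFETIME are names chosen for this example.

AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"
AGENT_LIFETIME="${AGENT_LIFETIME:-8h}"

# agent_env_sane <file>: succeed only if every line is one of the three
# lines `ssh-agent -s` prints. Sourcing a file under $HOME without this
# check would execute whatever someone managed to write into it.
agent_env_sane() {
    [ -f "$1" ] || return 1
    ! grep -Ev '^(SSH_AUTH_SOCK=[^;[:space:]]+; export SSH_AUTH_SOCK;|SSH_AGENT_PID=[0-9]+; export SSH_AGENT_PID;|echo Agent pid [0-9]+;)$' "$1" > /dev/null
}

# agent_reachable: ssh-add -l exits 0 (keys loaded) or 1 (agent running,
# no keys) when an agent answers on $SSH_AUTH_SOCK, and 2 when none does.
agent_reachable() {
    command -v ssh-add > /dev/null 2>&1 || return 1
    ssh-add -l > /dev/null 2>&1 || [ "$?" -ne 2 ]
}

# ensure_agent: reuse the saved agent if it still answers, otherwise start
# a new one and save its environment with mode 600.
ensure_agent() {
    if agent_env_sane "$AGENT_ENV"; then
        . "$AGENT_ENV" > /dev/null
    fi
    if agent_reachable; then
        return 0
    fi
    command -v ssh-agent > /dev/null 2>&1 || return 1
    mkdir -p "$(dirname "$AGENT_ENV")"
    (umask 077; ssh-agent -s -t "$AGENT_LIFETIME" > "$AGENT_ENV") || return 1
    . "$AGENT_ENV" > /dev/null
}

# load_identity <private key>: add the key (prompting for the passphrase
# once) unless the agent already lists its public half via ssh-add -L.
load_identity() {
    key="$1"
    if [ -r "$key.pub" ]; then
        blob=$(awk '{ print $2 }' "$key.pub")
        if [ -n "$blob" ] && ssh-add -L 2>/dev/null | grep -Fq "$blob"; then
            return 0
        fi
    fi
    ssh-add -t "$AGENT_LIFETIME" "$key"
}

# From ~/.profile:  . ~/bin/agent.sh --login
if [ "${1:-}" = "--login" ]; then
    ensure_agent && load_identity "$HOME/.ssh/id_rsa"
fi
```

With this in place, `xterm -e ssh franklin.nersc.gov` works from any login of the same user, including a text login, as long as the identity's lifetime has not expired; after that ssh-add prompts for the passphrase once more.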

Page last modified: Thu, 10 Jan 2008 04:46:36 GMT
Page URL: http://www.nersc.gov/nusers/help/access/unixssh.php
Web contact: webmaster@nersc.gov
Computing questions: consult@nersc.gov