faq-setting-up-key-based-ssh.md
... ...
@@ -1,11 +1,12 @@
1 1
# Setting up key based ssh
2
- * ***NOTE***: All SBGrid bound Servers and Workstations on the SBGrid network in the Longwood area require 'pub' key to be ***uploaded*** to our authentication servers. Please follow the steps named "Generate SSH Keys" and "For Systems on the SBGrid network at Longwood" below.
3 2
4
- Off Quad systems (at MCB, HU, Tufts, Sanofi) please following the steps named "Generate SSH Keys" and "For Off-Quad SBGrid Systems" below.
5
-
6
-### Generating SSH Keys
3
+* ***NOTE***: All SBGrid bound Servers and Workstations on the SBGrid network in the Longwood area require 'pub' key to be ***uploaded*** to our authentication servers. Please follow the steps named "Generate SSH Keys" and "For Systems on the SBGrid network at Longwood" below.
7 4
8
-***We reccommend using a password for ssh keys***
5
+Off Quad systems (at MCB, HU, Tufts, Sanofi) please following the steps named "Generate SSH Keys" and "For Off-Quad SBGrid Systems" below.
6
+
7
+## Generating SSH Keys
8
+
9
+***We recommend using a password for ssh keys***
9 10
10 11
1. You can generate ssh key-pair for local workstation from a Mac or Linux terminal: `ssh-keygen -t ed25519` or `ssh-keygen -t rsa`
11 12
2. Press enter to accept the default location.
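Review bot: the re-indented "Off Quad systems" bullet keeps the grammatical error from the old text, `please following the steps` should be `please follow the steps`, and `Off Quad` now sits next to a heading that spells it `Off-Quad`; since this hunk already rewrites that line, fix both here. The spelling fix to `We recommend using a password for ssh keys` is good, but what ssh-keygen asks for is a passphrase on the private key, not an account password; saying `passphrase` avoids readers entering their login password and assuming the two are linked.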
... ...
@@ -13,40 +14,111 @@
13 14
4. On both linux and Mac systems keys can be loaded with 'ssh-add .ssh/id_rsa'. You can see loaded keys with 'ssh-add -l'. The keys remain loaded until you log out.
14 15
5. Macintosh systems with keys in default locations should get loaded automatically when connecting to systems
15 16
17
+## For Off-Quad SBGrid Systems
16 18
17
-#### For Off-Quad SBGrid Systems
18 19
1. Copy public key (`~/.ssh/id_rsa.pub`) to remote system: `scp ~/.ssh/id_rsa.pub remotesys:~/` If this is the first connection to the remote system, type `yes` to accept the remote system key.
19 20
2. Login to remote system, configure remote system to trust public key:
20 21
21
- * `ssh remotesys`
22
- * create ~/.ssh if it doesn't exist: `mkdir ~/.ssh`
23
- * `cat ~/id_rsa.pub >> ~/.ssh/authorized_keys`
24
- * `chmod 700 ~/.ssh`
25
- * `chmod 640 ~/.ssh/authorized_keys`
26
- 3. Logout of remote system, and repeat login to check that everything works correctly. If so, `~/id_rsa.pub` can be removed from the remote system.
22
+* `ssh remotesys`
23
+ * create ~/.ssh if it doesn't exist: `mkdir ~/.ssh`
24
+ * `cat ~/id_rsa.pub >> ~/.ssh/authorized_keys`
25
+ * `chmod 700 ~/.ssh`
26
+ * `chmod 640 ~/.ssh/authorized_keys`
27
+ * Logout of remote system, and repeat login to check that everything works correctly. If so, `~/id_rsa.pub` can be removed from the remote system.
28
+
29
+## For Systems on the SBGrid network in Longwood Medical area
27 30
28
-### For Systems on the SBGrid network in Longwood Medical area
29 31
The 'pub' key ***must*** be uploaded to our authentication servers. These examples assume you copied the pub key to your Linux home directory, you can also copy and paste the entire contents of the .pub file between systems.
30 32
31
-You will need to run these commands on **xtal200.harvard.edu**. If you are a Consortium member use shell.sbgrid.org.
33
+* You will need to run these commands on **xtal200.harvard.edu**. If you are a Consortium member use shell.sbgrid.org.
32 34
33
- ipa user-mod $USER --sshpubkey="ssh-ed25519 AAAABBBBBBCCCCCZZZZZZZ qqq@mbp.local"
35
+```bash
36
+ ipa user-mod $USER --sshpubkey="ssh-ed25519 AAAABBBBBBCCCCCZZZZZZZ qqq@mbp.local"
37
+```
34 38
35 39
OR
36 40
37
- ipa user-mod $USER --sshpubkey="$(cat ~/.ssh/id_rsa.pub)"
41
+```bash
42
+ ipa user-mod $USER --sshpubkey="$(cat ~/.ssh/id_rsa.pub)"
43
+```
38 44
39
-For multiple keys
45
+For multiple keys (all must be added again with one command when adding new keys)
46
+
47
+```bash
48
+ ipa user-mod $USER --sshpubkey="$(cat ~/.ssh/id_rsa.pub)" --sshpubkey="$(cat ~/.ssh/id_ed25519.pub)"\
49
+ --sshpubkey="$(cat ~/.ssh/othersystem_id_rsa.pub)"
50
+```
40 51
41
- ipa user-mod $USER --sshpubkey="$(cat ~/.ssh/id_rsa.pub)" --sshpubkey="$(cat ~/.ssh/id_ed25519.pub)"\
42
- --sshpubkey="$(cat ~/.ssh/othersystem_id_rsa.pub)"
43
-
44 52
If you are using csh/tcsh shell
45 53
46
- ipa user-mod $USER --sshpubkey="`cat ~/.ssh/id_rsa.pub`"
47
-
54
+```bash
55
+ ipa user-mod $USER --sshpubkey="`cat ~/.ssh/id_rsa.pub`"
56
+```
57
+
48 58
If you get a 'Kerberos Credential' error you will need to enter the following command, type your password and try again.
49 59
50
- kinit $USER
51
-
60
+```bash
61
+ kinit $USER
62
+```
63
+
52 64
*Note*: The 'ipa' command is not available on most workstations, connect to xtal200.harvard.edu and perform the commands there.
65
+
66
+### Additional tips
67
+
68
+**Using Jump host to connect directly to your lab systems**
69
+
70
+```bash
71
+ssh -J happyuser@xtal200.harvard.edu happyuser@ivory.in.hwlab
72
+```
73
+
74
+**pass ssh key through to other hosts**
75
+
76
+* Create a .ssh/config file with your favorite editor
77
+
78
+```bash
79
+Host *
80
+ ForwardAgent yes
81
+```
82
+
83
+Adjust permissions
84
+
85
+```bash
86
+chmod 600 ~/.ssh/config
87
+```
88
+
89
+Copy to network account
90
+
91
+```bash
92
+scp ~/.ssh/config happyuser@xtal200.harvard.edu:~/.ssh/config
93
+```
94
+
95
+**Example ~/.ssh/.config file**
96
+
97
+```bash
98
+Host *
99
+ ServerAliveInterval 30
100
+ ServerAliveCountMax 2
101
+ StrictHostKeyChecking=accept-new
102
+ ForwardAgent yes
103
+Host othercluster.hms.harvard.edu
104
+ User jj123
105
+ Hostname othercluster.hms.harvard.edu
106
+ PreferredAuthentications publickey
107
+ IdentityFile ~/.ssh/othercluster-hms-rsa
108
+ VisualHostKey=yes
109
+# Jumphost Example
110
+## First jump directly reachable
111
+Host xtal200
112
+ HostName xtal200.harvard.edu
113
+ User xtaluser1
114
+## Second jump. Only reachable via first jump
115
+Host tklinux1 #ssh tklinux1 to connect
116
+ HostName toms-linux-system.med.harvard.edu
117
+ User xtaluser1
118
+ ProxyJump xtal200
119
+### third jump
120
+Host mcluster1 #ssh mcluster1 to connect
121
+ HostName mcluster1.gpucluster.crystal.harvard.edu
122
+ User xtaluser1
123
+ ProxyJump tklinux1
124
+```
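Review bot: `ForwardAgent yes` under `Host *` (both in the "pass ssh key through to other hosts" snippet and in the example config) forwards your ssh-agent to every host you connect to, including the lab systems behind the jump; anyone with root on any of those hosts can sign with your loaded keys for the life of the session. The `-J` and `ProxyJump` examples in the same hunk do not need agent forwarding at all (the jump host only relays the TCP connection, authentication happens end to end with the final host), so either drop the ForwardAgent section in favour of ProxyJump or limit the directive to a `Host xtal200.harvard.edu` stanza rather than `Host *`. Smaller points in the same hunk: older OpenSSH clients do not honour trailing comments in ssh_config, so `Host tklinux1 #ssh tklinux1 to connect` is read as the host patterns `tklinux1`, `#ssh`, `to`, `connect` and only matches by accident, put the comments on their own lines; the heading says `~/.ssh/.config` but the file copied in the step above is `~/.ssh/config`; and `chmod 640 ~/.ssh/authorized_keys` is better as `chmod 600`, since sshd only rejects group- or world-writable files and there is no reason for the file to be group-readable.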