0f1bf610906f17b3e7aabedcd26a924b30c0a64e
faq-setting-up-key-based-ssh.md
... | ... | @@ -1,11 +1,12 @@ |
1 | 1 | # Setting up key based ssh |
2 | - * ***NOTE***: All SBGrid bound Servers and Workstations on the SBGrid network in the Longwood area require 'pub' key to be ***uploaded*** to our authentication servers. Please follow the steps named "Generate SSH Keys" and "For Systems on the SBGrid network at Longwood" below. |
|
3 | 2 | |
4 | - Off Quad systems (at MCB, HU, Tufts, Sanofi) please following the steps named "Generate SSH Keys" and "For Off-Quad SBGrid Systems" below. |
|
5 | - |
|
6 | -### Generating SSH Keys |
|
3 | +* ***NOTE***: All SBGrid bound Servers and Workstations on the SBGrid network in the Longwood area require 'pub' key to be ***uploaded*** to our authentication servers. Please follow the steps named "Generate SSH Keys" and "For Systems on the SBGrid network at Longwood" below. |
|
7 | 4 | |
8 | -***We reccommend using a password for ssh keys*** |
|
5 | +Off Quad systems (at MCB, HU, Tufts, Sanofi) please following the steps named "Generate SSH Keys" and "For Off-Quad SBGrid Systems" below. |
|
6 | + |
|
7 | +## Generating SSH Keys |
|
8 | + |
|
9 | +***We recommend using a password for ssh keys*** |
|
9 | 10 | |
10 | 11 | 1. You can generate ssh key-pair for local workstation from a Mac or Linux terminal: `ssh-keygen -t ed25519` or `ssh-keygen -t rsa` |
11 | 12 | 2. Press enter to accept the default location. |
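Review bot: the moved line 5 (`Off Quad systems (at MCB, HU, Tufts, Sanofi) please following the steps`) still carries the "please following" typo while this hunk is fixing "reccommend" on the neighbouring line; change it to "please follow the steps". Two smaller points in the same hunk: line 9's `***We recommend using a password for ssh keys***` should say "passphrase", since that is what `ssh-keygen` prompts for and what `ssh-add` later asks for, and the NOTE on line 3 tells readers to follow the steps named "Generate SSH Keys" while the heading on line 7 is "## Generating SSH Keys", so one of the two should be renamed to match the other.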
... | ... | @@ -13,40 +14,111 @@ |
13 | 14 | 4. On both linux and Mac systems keys can be loaded with 'ssh-add .ssh/id_rsa'. You can see loaded keys with 'ssh-add -l'. The keys remain loaded until you log out. |
14 | 15 | 5. Macintosh systems with keys in default locations should get loaded automatically when connecting to systems |
15 | 16 | |
17 | +## For Off-Quad SBGrid Systems |
|
16 | 18 | |
17 | -#### For Off-Quad SBGrid Systems |
|
18 | 19 | 1. Copy public key (`~/.ssh/id_rsa.pub`) to remote system: `scp ~/.ssh/id_rsa.pub remotesys:~/` If this is the first connection to the remote system, type `yes` to accept the remote system key. |
19 | 20 | 2. Login to remote system, configure remote system to trust public key: |
20 | 21 | |
21 | - * `ssh remotesys` |
|
22 | - * create ~/.ssh if it doesn't exist: `mkdir ~/.ssh` |
|
23 | - * `cat ~/id_rsa.pub >> ~/.ssh/authorized_keys` |
|
24 | - * `chmod 700 ~/.ssh` |
|
25 | - * `chmod 640 ~/.ssh/authorized_keys` |
|
26 | - 3. Logout of remote system, and repeat login to check that everything works correctly. If so, `~/id_rsa.pub` can be removed from the remote system. |
|
22 | +* `ssh remotesys` |
|
23 | + * create ~/.ssh if it doesn't exist: `mkdir ~/.ssh` |
|
24 | + * `cat ~/id_rsa.pub >> ~/.ssh/authorized_keys` |
|
25 | + * `chmod 700 ~/.ssh` |
|
26 | + * `chmod 640 ~/.ssh/authorized_keys` |
|
27 | + * Logout of remote system, and repeat login to check that everything works correctly. If so, `~/id_rsa.pub` can be removed from the remote system. |
|
28 | + |
|
29 | +## For Systems on the SBGrid network in Longwood Medical area |
|
27 | 30 | |
28 | -### For Systems on the SBGrid network in Longwood Medical area |
|
29 | 31 | The 'pub' key ***must*** be uploaded to our authentication servers. These examples assume you copied the pub key to your Linux home directory, you can also copy and paste the entire contents of the .pub file between systems. |
30 | 32 | |
31 | -You will need to run these commands on **xtal200.harvard.edu**. If you are a Consortium member use shell.sbgrid.org. |
|
33 | +* You will need to run these commands on **xtal200.harvard.edu**. If you are a Consortium member use shell.sbgrid.org. |
|
32 | 34 | |
33 | - ipa user-mod $USER --sshpubkey="ssh-ed25519 AAAABBBBBBCCCCCZZZZZZZ qqq@mbp.local" |
|
35 | +```bash |
|
36 | + ipa user-mod $USER --sshpubkey="ssh-ed25519 AAAABBBBBBCCCCCZZZZZZZ qqq@mbp.local" |
|
37 | +``` |
|
34 | 38 | |
35 | 39 | OR |
36 | 40 | |
37 | - ipa user-mod $USER --sshpubkey="$(cat ~/.ssh/id_rsa.pub)" |
|
41 | +```bash |
|
42 | + ipa user-mod $USER --sshpubkey="$(cat ~/.ssh/id_rsa.pub)" |
|
43 | +``` |
|
38 | 44 | |
39 | -For multiple keys |
|
45 | +For multiple keys (all must be added again with one command when adding new keys) |
|
46 | + |
|
47 | +```bash |
|
48 | + ipa user-mod $USER --sshpubkey="$(cat ~/.ssh/id_rsa.pub)" --sshpubkey="$(cat ~/.ssh/id_ed25519.pub)"\ |
|
49 | + --sshpubkey="$(cat ~/.ssh/othersystem_id_rsa.pub)" |
|
50 | +``` |
|
40 | 51 | |
41 | - ipa user-mod $USER --sshpubkey="$(cat ~/.ssh/id_rsa.pub)" --sshpubkey="$(cat ~/.ssh/id_ed25519.pub)"\ |
|
42 | - --sshpubkey="$(cat ~/.ssh/othersystem_id_rsa.pub)" |
|
43 | - |
|
44 | 52 | If you are using csh/tcsh shell |
45 | 53 | |
46 | - ipa user-mod $USER --sshpubkey="`cat ~/.ssh/id_rsa.pub`" |
|
47 | - |
|
54 | +```bash |
|
55 | + ipa user-mod $USER --sshpubkey="`cat ~/.ssh/id_rsa.pub`" |
|
56 | +``` |
|
57 | + |
|
48 | 58 | If you get a 'Kerberos Credential' error you will need to enter the following command, type your password and try again. |
49 | 59 | |
50 | - kinit $USER |
|
51 | - |
|
60 | +```bash |
|
61 | + kinit $USER |
|
62 | +``` |
|
63 | + |
|
52 | 64 | *Note*: The 'ipa' command is not available on most workstations, connect to xtal200.harvard.edu and perform the commands there. |
65 | + |
|
66 | +### Additional tips |
|
67 | + |
|
68 | +**Using Jump host to connect directly to your lab systems** |
|
69 | + |
|
70 | +```bash |
|
71 | +ssh -J happyuser@xtal200.harvard.edu happyuser@ivory.in.hwlab |
|
72 | +``` |
|
73 | + |
|
74 | +**pass ssh key through to other hosts** |
|
75 | + |
|
76 | +* Create a .ssh/config file with your favorite editor |
|
77 | + |
|
78 | +```bash |
|
79 | +Host * |
|
80 | + ForwardAgent yes |
|
81 | +``` |
|
82 | + |
|
83 | +Adjust permissions |
|
84 | + |
|
85 | +```bash |
|
86 | +chmod 600 ~/.ssh/config |
|
87 | +``` |
|
88 | + |
|
89 | +Copy to network account |
|
90 | + |
|
91 | +```bash |
|
92 | +scp ~/.ssh/config happyuser@xtal200.harvard.edu:~/.ssh/config |
|
93 | +``` |
|
94 | + |
|
95 | +**Example ~/.ssh/.config file** |
|
96 | + |
|
97 | +```bash |
|
98 | +Host * |
|
99 | + ServerAliveInterval 30 |
|
100 | + ServerAliveCountMax 2 |
|
101 | + StrictHostKeyChecking=accept-new |
|
102 | + ForwardAgent yes |
|
103 | +Host othercluster.hms.harvard.edu |
|
104 | + User jj123 |
|
105 | + Hostname othercluster.hms.harvard.edu |
|
106 | + PreferredAuthentications publickey |
|
107 | + IdentityFile ~/.ssh/othercluster-hms-rsa |
|
108 | + VisualHostKey=yes |
|
109 | +# Jumphost Example |
|
110 | +## First jump directly reachable |
|
111 | +Host xtal200 |
|
112 | + HostName xtal200.harvard.edu |
|
113 | + User xtaluser1 |
|
114 | +## Second jump. Only reachable via first jump |
|
115 | +Host tklinux1 #ssh tklinux1 to connect |
|
116 | + HostName toms-linux-system.med.harvard.edu |
|
117 | + User xtaluser1 |
|
118 | + ProxyJump xtal200 |
|
119 | +### third jump |
|
120 | +Host mcluster1 #ssh mcluster1 to connect |
|
121 | + HostName mcluster1.gpucluster.crystal.harvard.edu |
|
122 | + User xtaluser1 |
|
123 | + ProxyJump tklinux1 |
|
124 | +``` |
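Review bot: `Host *` with `ForwardAgent yes` (lines 79-80, repeated in the example config on lines 98-102) forwards the user's agent to every host they connect to, which lets anyone with root on any of those hosts use the loaded keys for as long as the session is open; scope it to the jump host instead (`Host xtal200` followed by `ForwardAgent yes`) or drop it entirely, because the `ProxyJump` chain on lines 111-123 and the `ssh -J` example on line 71 authenticate end to end without agent forwarding. The same global block sets `StrictHostKeyChecking=accept-new`, which silently trusts whatever key is first presented by every new host, so it belongs in a per-host stanza with a sentence telling users to check the jump host fingerprint rather than under `Host *`. Smaller points: the heading on line 95 reads `~/.ssh/.config` but the file is `~/.ssh/config` (lines 76, 86 and 92); line 27 demotes the old numbered step 3 ("Logout of remote system, and repeat login to check...") to a sub-bullet of step 2, so the off-quad procedure now ends without a visible verification step; `chmod 640 ~/.ssh/authorized_keys` on line 26 is more permissive than needed and `chmod 600` is the usual value; the csh/tcsh example on lines 54-56 is fenced as `bash`; line 14 (unchanged context) uses the relative path `ssh-add .ssh/id_rsa`, which only works from the home directory, so `~/.ssh/id_rsa` is safer; and the note added on line 45 is correct but would be clearer if it said why, namely that each `ipa user-mod --sshpubkey` call replaces the whole key list rather than appending to it.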