Difference between revisions of "UsingSSH"
Line 246: | Line 246: | ||
[[Image:Port-forwarding.jpg|700px|thumbnail|center|Port forwarding with SSH]] | [[Image:Port-forwarding.jpg|700px|thumbnail|center|Port forwarding with SSH]] | ||
− | We would like to connect to blanc, but it is behind a firewall. One approach is to connect to each in turn, using '''nile''' as a 'stepping stone'. Another approach is to setup port-forwarding on nile, so that you can connect, seemingly directly, to '''blanc'''. Here's how: | + | We would like to connect to blanc, but it is behind a firewall. One approach is to connect to each in turn, using '''nile''' as a '''stepping stone'''. Another approach is to setup port-forwarding on '''nile''', so that you can connect, seemingly directly, to '''blanc'''. Here's how: |
==Two Connections Required== | ==Two Connections Required== |
Revision as of 14:20, 11 September 2009
Using SSH to connect to machines and to move data
Introduction
Using Key-Pairs
Creating the Keys
First, let's create a key-pair. Start by typing:
ssh-keygen
You will see a message like:
Generating public/private rsa key pair. Enter file in which to save the key (/home/gethin/.ssh/id_rsa):
The default filename suggested is fine, so accept it by hitting return.
Next you are prompted for a passphrase:
Enter passphrase (empty for no passphrase):
Think of a strong, yet memorable one and enter it. (One tip is to think of a phrase, saying, song lyric etc. For example "One small step for man, one giant leap for mankind." Then take the first letters from each word, perhaps substituting digits for letters, to create the passphrase, "Oss4mogl4m.") You will be prompted for your passphrase twice:
Enter same passphrase again:
When the key-pair creation is completed, you will get some lines of text as confirmation, such as:
Your identification has been saved in /home/gethin/.ssh/id_rsa. Your public key has been saved in /home/gethin/.ssh/id_rsa.pub. The key fingerprint is: 37:7a:b3:81:e2:0e:fa:5e:b2:df:84:a5:fb:f9:e6:f7
If you look inside the directory ~/.ssh you will see two files:
- id_rsa is your private key
- id_rsa.pub is your public key
Distributing Your Public Key
Now that you have your key-pair, you can copy your public key to any machine that you would like to connect to from the machine that you are currently logged into. When the keys are setup correctly, you will be able to connect without typing your password. Hurrah for the convenience!
The first step is to ensure that the permissions on your files are correct. The following commands will take care of this:
cd ~/.ssh chmod 600 * cd ~ chmod 700 .ssh
Now, let's copy your public key to the remote host of interest. In this case, I want to be able to login to a machine called brian, from one called dylan:
scp ~/.ssh/id_rsa.pub brian:~/.ssh/from-host.pub
(I'm assuming here that your username matches on the two machines. If not, you can prepend your username to the destination string, i.e. <username>@brian:~/.ssh/from-dylan.pub.)
Now, login to the remote host in the normal way:
ssh brian
where you will be prompted for your password, as per usual:
gethin@brian's password:
The following commands will:
- ensure that your file permissions are correct on the remote host
- add your public key to the list of authorized keys
- exit from the remote host
chmod 700 ~/.ssh cd ~/.ssh chmod 600 * cat from-host.pub >> authorized_keys exit
Now, when you connect to your remote host:
ssh brian
you will be prompted for your passphrase rather than your password:
Enter passphrase for key '/home/gethin/.ssh/id_rsa':
Some progress! you may say, and at first blush you are (almost) right, but hang on a moment and we will see how we can connect to remote hosts with keys set up this way, only having to type your passphrase once.
Since you're currently logged in to your remote host, we may as well do a little tidying:
rm ~.ssh/from-host.pub exit
Using ssh-agent
Enter ssh-agent and the potential for passwordless logins.
A quick way to try this out is to type:
ssh-agent bash
This will start a bash shell as the child of the ssh-agent process. (You may like to substitute bash with your shell of choice.)
Now type:
ssh-add
and you will be prompted for your passphrase:
Enter passphrase for /home/gethin/.ssh/id_rsa:
if you type correctly, you will get a confirmation:
Identity added: /home/gethin/.ssh/id_rsa (/home/gethin/.ssh/id_rsa)
and now when you connect to your remote host, you won't need to enter a thing! You can exit and connect again. Still no need for a password. You can start an xterm and connect from there. No password required. As you can see, all child processes can use the cached passphrase added to your agent.
Cleaning Away Old Keys
To remove any existing keys from your environment:
- login to the machine that holds your private key (dylan in the examples above) and remove the files .ssh/id_rsa and .ssh/id_rsa.pub.
- Next login to the destination host for your key pair, i.e. the machine which you copied your public key onto. (brian in the examples).
- open the file .ssh/authorized_keys (it's a text file) and delete the line corresponding to the machine that you would be connecting from, e.g.
ssh-rsa AAAAB3NzaC1yc......== gethin@dylan
- Now you're in a position to create some new keys.
Port Forwarding
We would like to connect to blanc, but it is behind a firewall. One approach is to connect to each in turn, using nile as a stepping stone. Another approach is to setup port-forwarding on nile, so that you can connect, seemingly directly, to blanc. Here's how:
Two Connections Required
Step 1
ssh -Llocalhost:2222:blanc:22 username@nile.ggy.bris.ac.uk
Step 2
To open an ssh session on blanc:
ssh -p 2222 username@localhost
To copy a file via scp:
scp -P 2222 username@localhost:/path/to/file .
Note a lower case p in the ssh command, but an uppercase P for the scp.