Learn how SSH works, solve common problems, and utilize keypairs for secure remote login and automation jobs. Discover SSH forwarding benefits and utilize NX for graphical display management.
SSH
• SSH is “Secure SHell”
• Secure, compressed, widely supported, fast
• Allows users to get jobs done, and also allows system administrators to sleep at night
• Clients for every platform
What SSH can do
• Allows you to remotely log into systems and run commands
• Forward traffic over the SSH link (tunnel)
• Copy files
• Run commands without logging in
Problems already
• Always have to type my username in
• Always have to type in full hostname
• Always have to type in my password
Problems already
• Default behaviour
  • Tries to connect to the remote server using the username of your currently logged-in user
  • This can be problematic, especially for Macs
  • Uses the domain name of your local machine (so you can’t “ssh ui” from everywhere in the world)
Problem solved
You can override the default behaviour by using a config file in your home directory
• Location is ~/.ssh/config
Problem solved
• Username
• Helps because Physics blocks/bans your IP address if you try connecting incorrectly more than 5 times
• A common cause of this is a wrong username
Problem solved
2. Full hostname
Problem solved
3. Password
Problem solved
5.
• Create private/public key pair (ssh-keygen)
• Upload public key to remote server (ssh-copy-id)
• Unlock private key (ssh-add)
• SSH using keypair
• Perfect for automated jobs and scripts!
• Won’t work with lxplus
• Make sure you password protect your SSH private key
• Keep private key secure!
Other config options
• Wildcards and regex are allowed
• e.g. Host * and Host *.ph.unimelb.edu.au will both work
• Note that it reads the file from the top down, and stops at the first entry that matches
Background of network in Physics
• ui.atlas.unimelb.edu.au -> Tier 3 login node
  • restricted to hosts on the AARNet network (unis)
• baker.ph.unimelb.edu.au -> School of Physics SSH gateway
  • accessible from anywhere
• All other hosts
  • firewalled (inaccessible)
• You may think that this restricts you....
SSH forwarding
• When you ssh, it opens a persistent connection with the SSH server
• We can use this connection to make other traffic travel “through” it
• e.g. VNC, NX, SSH, web, files
• SSH will secure this traffic too! (basis for things like TOR and VPN)
SSH forwarding
ssh -L localport:otherhost:otherhostport username@server
SSH forwarding
• Connections to local port 2222 get redirected over SSH to the remote SSH server, which then redirects them to port 22 on ui.atlas.unimelb.edu.au
• Perfect for SSH’ing “directly” to UI, or for copying files from “non-Uni” places
SSH forwarding
• Original connection must still be open! (i.e. can’t close the window or disconnect)
• Can do funky stuff, like be a “catch all” forwarder, for things like web (investigate the -D option in ssh and SOCKS proxy)
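The username, hostname, keypair and forwarding slides above can be combined in one ~/.ssh/config; the script below is an added example (not from the original slides) that writes such a file with private permissions. The user jsmith, the aliases baker and ui, and the ~/.ssh/id_ed25519 key path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original slides. "jsmith" and the aliases
# "baker"/"ui" are constructed; the key path is ssh-keygen's ed25519 default.

# write_ssh_config DIR USER: create DIR/config, never overwriting an existing one.
write_ssh_config() {
    dir=$1
    user=$2
    [ -n "$dir" ] && [ -n "$user" ] || return 2
    if [ -e "$dir/config" ]; then
        echo "refusing to overwrite $dir/config" >&2
        return 1
    fi
    # ssh rejects a config that other users can write, so create it private.
    (
        umask 077
        mkdir -p "$dir" && chmod 700 "$dir" || exit 1
        cat > "$dir/config" <<EOF
# Gateway, reachable from anywhere: "ssh baker" replaces user@full.host.name
Host baker
    HostName baker.ph.unimelb.edu.au
    User $user
    IdentityFile ~/.ssh/id_ed25519
    # Same as: ssh -L 2222:ui.atlas.unimelb.edu.au:22 $user@baker.ph.unimelb.edu.au
    LocalForward 2222 ui.atlas.unimelb.edu.au:22
    # Exit with an error if local port 2222 cannot be bound
    ExitOnForwardFailure yes

# UI through the tunnel: "ssh ui" works only while an "ssh baker" session is open
Host ui
    HostName localhost
    Port 2222
    User $user
    # Record and check the host key under the real name, not "localhost"
    HostKeyAlias ui.atlas.unimelb.edu.au

# Defaults go last: ssh keeps the first value it finds for each option
Host *
    ServerAliveInterval 60
EOF
    )
}

# Usage: write_ssh_config "$HOME/.ssh" jsmith
```

With this file in place, ssh baker opens the gateway session and the tunnel, and ssh ui (or scp to ui:) from a second terminal travels through it.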
NX
• X is the graphical display manager in Linux
• It is bulky, and insecure over the network
• Can forward this display using NX (NoMachine)
• Heavily compresses data, making it easier to display overseas/at home
NX
• For Melbourne, baker[1-6] have NX servers
• From home, port forward to port 22 on baker[1-6] through baker.ph.unimelb.edu.au
• Use NX client (http://www.nomachine.com/) to connect to forwarded port