SSH-Keys

From Remeis-Wiki


SSH Keys

This is meant to be a step-by-step guide for getting password-less SSH login to work, as required, for example, by the Torque scheduling system.

 * Generate your SSH key on a machine at the observatory. Pressing return at the passphrase prompt leaves the private key unencrypted on disk, so the file permissions checked below are all that protects it. (DSA keys are disabled by default in OpenSSH 7.0 and later; the RSA key is the one that will work on current systems.)
 ssh-keygen -t dsa
 (press return at the questions)
 ssh-keygen -t rsa
 (press return at the questions)
 * Copy public key to authorized_keys:
 cd ~/.ssh
 cat *.pub >> authorized_keys
 * On an observatory computer:
 cd ~/.ssh
 scp *.pub machine.you.want.to.login:~/.ssh/
 * On all machines external to the observatory you want to log onto (e.g., pulsar):
 ssh machine.you.want.to.login
 mkdir .ssh
 cd .ssh
 cat ../*.pub >> authorized_keys
 * Alternatively, the following command does the same as the manual copying above. ssh-copy-id accepts only one key file per call, so run it once per public key instead of passing a wildcard:
 ssh-copy-id -i ~/.ssh/id_rsa.pub user@machine.you.want.to.login
 * NOTE: your private key must not be readable by other users (sshd also refuses keys and authorized_keys files with loose permissions). You can check this via
 hans@blub:~> ls -al ~/.ssh
 drwx------  2 hans remeis  4096 2011-02-17 22:28 .
 drwxr-xr-x 66 hans remeis 12288 2011-05-19 10:52 ..
 -rw-------  1 hans remeis   787 2010-10-19 16:47 authorized_keys
 -rw-------  1 hans remeis  1743 2010-10-18 08:34 id_rsa
 -rw-r--r--  1 hans remeis   393 2010-10-18 08:34 id_rsa.pub
 -rw-r--r--  1 hans remeis 50952 2011-05-17 17:18 known_hosts
 * If the permissions are not set correctly, they can be fixed with
 chmod 700 ~/.ssh
 chmod 600 ~/.ssh/id_rsa
 chmod 600 ~/.ssh/authorized_keys
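A small audit helper for the permission check above, added here as an example and not part of the wiki page. It assumes GNU coreutils (for stat -c) and the 700/600 targets that the chmod lines prescribe; pass it any .ssh directory, not only ~/.ssh.

```shell
#!/bin/bash
# Added example (not from the wiki): audit the ~/.ssh permissions the NOTE
# above describes, then tighten them. Assumes GNU coreutils for 'stat -c'.

# Print the octal mode of a path, e.g. 600.
mode_of() { stat -c '%a' "$1"; }

# check_ssh_dir DIR: return 0 if DIR and the keys in it are locked down,
# 1 otherwise; each offending path is printed with its current mode.
check_ssh_dir() {
    local dir=$1 rc=0 f
    # The directory itself must be 700: nobody else may list or traverse it.
    [ "$(mode_of "$dir")" = 700 ] || { echo "$dir: mode $(mode_of "$dir"), want 700"; rc=1; }
    for f in "$dir"/id_* "$dir"/authorized_keys; do
        [ -e "$f" ] || continue
        case "$f" in
            *.pub) continue ;;   # public halves may stay world-readable (644)
        esac
        # Private keys and authorized_keys: owner read/write only.
        [ "$(mode_of "$f")" = 600 ] || { echo "$f: mode $(mode_of "$f"), want 600"; rc=1; }
    done
    return $rc
}

# fix_ssh_dir DIR: apply the chmod sequence from the guide to every key found.
fix_ssh_dir() {
    local dir=$1 f
    chmod 700 "$dir"
    for f in "$dir"/id_* "$dir"/authorized_keys; do
        [ -e "$f" ] || continue
        case "$f" in *.pub) continue ;; esac
        chmod 600 "$f"
    done
}
```

Run check_ssh_dir ~/.ssh first; a non-zero exit tells you which file is too open before fix_ssh_dir touches anything.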
Quick-'n'-dirty way

To log in from a@A to b@B without typing passwords, type the following in a terminal on A as user a, from your home directory ~/:

 ssh-keygen -t rsa
 ssh b@B mkdir -p .ssh                                  # not necessary if .ssh already exists on B
 cat .ssh/id_rsa.pub | ssh b@B 'cat >> .ssh/authorized_keys'
SSH aliases

A very helpful thing is creating aliases for SSH access, so that you can type ssh nickname instead of ssh username@machine.sternwarte.uni-erlangen.de. This is done with the following lines:

 * Add this to your ~/.ssh/config file (create it if not present):
 Host nickname
      User username
      HostName machine.sternwarte.uni-erlangen.de
      # optional: pick the key to use for this host
      # IdentityFile ~/.ssh/id_rsa


sshfs

If you work at the observatory via the internet and are tired of copying all your files over to your local computer with scp, or want to speed up opening things like PDF files by using your local resources, there is a very nice solution: you can mount the folder you work in on the remote computer onto your local computer via sshfs (you may need to install that program on your machine first with apt-get install sshfs).

 sshfs user@machine.you.want.to.login:/folder/you/want/to/access /path/on/your/local/machine

/path/on/your/local/machine needs to be an existing directory, preferably an empty one. Be careful: everything you change in this directory will also change on the server.

Unmount again via

 fusermount -u /path/on/your/local/machine
VPN via SSH

If you are in a restrictive network that blocks SSH and VPN tunnels, but you need to get to the Remeis cluster or the University network, here is what you can do:

To open an individual SSH session via port 80:

 ssh -p80 user@carina.sternwarte.uni-erlangen.de

To set up an SSH-based VPN tunnel:

Note that, as for 'normal' VPN, you will need to have root privileges, i.e., you'll probably only be able to use the VPN tunnel from your personal machine. First make sure that password-less login via SSH keys works (see above) and sshuttle is installed or install it (apt-get install sshuttle). Then open a tunnel with the command

 sshuttle -r user@carina.sternwarte.uni-erlangen.de:80 0.0.0.0/0 -vv

You will be prompted to enter your local sudo password. This command only seems to work if your login shell at Remeis is bash. For tcsh, you'll likely see an error message like

 P=python2: Command not found.
 P: Undefined variable
 c : fatal: server died with error

even though python is installed on carina. If you see this error, try

 sshuttle -r user@carina.sternwarte.uni-erlangen.de:80 0.0.0.0/0 -vv --python=/usr/bin/python


You can avoid typing this command each time by putting it into an (executable) script and calling the script instead:

 #!/bin/bash
 
 # sshuttle needs root; if we were not started as root, re-run this
 # script through sudo with all arguments passed on unchanged.
 if [ "$(id -u)" -ne 0 ]; then
     echo "NOT RUNNING UNDER ROOT"
     echo "SUDOing now"
     echo "$0" "$@"
     exec sudo "$0" "$@"
 fi
 
 /usr/sbin/sshuttle -r user@carina.sternwarte.uni-erlangen.de:80 0.0.0.0/0 -vv --python=/usr/bin/python