Difference between revisions of "SSH-Keys"
Line 51: | Line 51: | ||
chmod 600 ~/.ssh/authorized_keys | chmod 600 ~/.ssh/authorized_keys | ||
− | + | ====== Quick-'n'-dirty way ====== | |
− | + | Script to log in from a@A to b@B without typing passwords, type this into a@A terminal at location ~/: | |
− | |||
− | + | ssh-keygen -t rsa | |
− | + | ssh b@B mkdir -p .ssh (not necessary if exists) | |
− | + | cat .ssh/id_rsa.pub | ssh b@B 'cat >> .ssh/authorized_keys' | |
− | + | ====== SSH aliases ====== | |
− | + | A very helpful thing is creating aliases for the ssh access. This is done by following lines of code: | |
− | |||
− | Host | + | * Create ssh aliases to just type > machine instead of > username@machine.sternwarte.uni-erlangen.de: |
− | + | * Add this to your .ssh/config file (create if not present) | |
− | + | ||
− | + | Host nickname | |
+ | User username | ||
+ | HostName machine.sternwarte.uni-erlangen.de | ||
+ | (IdentityFile ~/.ssh/id_rsa) | ||
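Review bot: In the Quick-'n'-dirty block, `ssh b@B mkdir -p .ssh` followed by `cat >> .ssh/authorized_keys` creates the directory and file on B with whatever umask that account has, while the context line above the hunk sets `chmod 600 ~/.ssh/authorized_keys` for the manual route. Add the matching `chmod 700 .ssh` and `chmod 600 .ssh/authorized_keys` on B so both routes end in the same state. Separately, the remarks `(not necessary if exists)` and the parentheses around `(IdentityFile ~/.ssh/id_rsa)` sit inside a command line and a config line and will break them if pasted verbatim, so they should move into the surrounding text.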
Latest revision as of 08:28, 20 June 2018
SSH - Keys
This is meant to be a step-by-step guide for getting password-less login to work, as required for example by the Torque scheduling system.
* Generate your SSH - Key on a machine at the observatory:
ssh-keygen -t dsa   # press return at the questions
ssh-keygen -t rsa   # press return at the questions
* Copy public key to authorized_keys:
cd ~/.ssh
cat *.pub >> authorized_keys
* On an observatory computer:
cd ~/.ssh
scp *.pub machine.you.want.to.login:~/
* On all machines external to the observatory you want to log onto (e.g., pulsar):
ssh machine.you.want.to.login
mkdir .ssh
cd .ssh
cat ../*.pub >> authorized_keys
* Alternatively, the following command is equivalent to the manual copying above
ssh-copy-id -i ~/.ssh/*.pub user@machine.you.want.to.login
* NOTE: your private key has to be unreadable for other users. You can check this via
hans@blub:~> ls -al ~/.ssh
drwx------  2 hans remeis  4096 2011-02-17 22:28 .
drwxr-xr-x 66 hans remeis 12288 2011-05-19 10:52 ..
-rw-------  1 hans remeis   787 2010-10-19 16:47 authorized_keys
-rw-------  1 hans remeis  1743 2010-10-18 08:34 id_rsa
-rw-r--r--  1 hans remeis   393 2010-10-18 08:34 id_rsa.pub
-rw-r--r--  1 hans remeis 50952 2011-05-17 17:18 known_hosts
* If the permissions are not set correctly, they can be changed by
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 600 ~/.ssh/authorized_keys
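The manual check from the NOTE above, automated as an added example that is not part of the original wiki page: the function flags a .ssh directory, private key or authorized_keys file that group or others can access, and public files they can write to. It assumes GNU stat (Linux); the names audit_ssh_dir, mode_of and report are made up for this example.

```shell
#!/bin/sh
# Added example: audit the permissions that the chmod commands above establish.
# Assumes GNU stat ("stat -c"), as found on Linux. Usage: audit_ssh_dir ~/.ssh

# mode_of PATH: print the octal permission bits, e.g. 600
mode_of() { stat -c '%a' "$1"; }

# report MESSAGE: print one finding and count it
report() { echo "$1"; problems=$((problems + 1)); }

# audit_ssh_dir DIR: print one line per finding; exit status = number of findings
audit_ssh_dir() {
    dir=$1
    problems=0
    [ -d "$dir" ] || { echo "missing: $dir"; return 1; }

    # The directory must give group and others nothing (chmod 700).
    m=$(mode_of "$dir")
    [ $(( 0$m & 077 )) -eq 0 ] || report "$dir: mode $m, expected 700"

    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        m=$(mode_of "$f")
        case ${f##*/} in
            *.pub|known_hosts|config)
                # Public material may be readable, but only the owner may write.
                [ $(( 0$m & 022 )) -eq 0 ] ||
                    report "$f: mode $m, writable by group or others" ;;
            authorized_keys)
                [ $(( 0$m & 077 )) -eq 0 ] || report "$f: mode $m, expected 600" ;;
            *)
                # Any other file is checked only if it carries a private key header.
                if head -n 1 "$f" | grep -q 'PRIVATE KEY'; then
                    [ $(( 0$m & 077 )) -eq 0 ] ||
                        report "$f: private key with mode $m, expected 600"
                fi ;;
        esac
    done
    return "$problems"
}
```

Because the private-key test looks at the file header rather than the name, keys stored under names other than id_rsa are covered as well.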
Quick-'n'-dirty way
To log in from a@A to b@B without typing passwords, type this into a terminal on a@A at location ~/:
ssh-keygen -t rsa
ssh b@B mkdir -p .ssh   # not necessary if it exists
cat .ssh/id_rsa.pub | ssh b@B 'cat >> .ssh/authorized_keys'
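An added example, not from the original page, of the step the pipeline above performs on b@B: it creates .ssh with the permissions listed earlier, rejects files that are not a single public key, and appends the key only if it is not already present, so repeating the procedure does not pile up duplicate entries. The function name add_authorized_key is hypothetical; it is meant to run on the target account after the public key file has been copied there.

```shell
#!/bin/sh
# Added example: install a public key on the target account without duplicates.
# Hypothetical helper; usage on B: add_authorized_key id_rsa.pub

# add_authorized_key PUBKEY_FILE [SSH_DIR]
# Returns 0 if the key is installed (newly or already), 2 if the file is rejected.
add_authorized_key() {
    pub=$1
    sshdir=${2:-$HOME/.ssh}
    auth=$sshdir/authorized_keys

    # Accept exactly one non-empty line that looks like an OpenSSH public key,
    # so a private key or an arbitrary file is never appended by mistake.
    [ "$(grep -c . "$pub")" -eq 1 ] || { echo "need exactly one key line: $pub" >&2; return 2; }
    key=$(grep . "$pub")
    case $key in
        ssh-rsa\ *|ssh-dss\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not an OpenSSH public key: $pub" >&2; return 2 ;;
    esac

    # Create directory and file under umask 077, then force the modes the page
    # sets by hand in case they already existed with looser permissions.
    ( umask 077; mkdir -p "$sshdir"; touch "$auth" )
    chmod 700 "$sshdir"
    chmod 600 "$auth"

    # Match on "type base64" only, so a changed comment does not add a second copy.
    blob=$(printf '%s\n' "$key" | awk '{ print $1 " " $2 }')
    if grep -qF -- "$blob" "$auth"; then
        return 0
    fi
    printf '%s\n' "$key" >> "$auth"
}
```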
SSH aliases
A very helpful thing is to create aliases for SSH access. This is done with the following lines:
* Create ssh aliases to just type > machine instead of > username@machine.sternwarte.uni-erlangen.de:
* Add this to your .ssh/config file (create if not present)
Host nickname
    User username
    HostName machine.sternwarte.uni-erlangen.de
    # optional:
    IdentityFile ~/.ssh/id_rsa
sshfs
If you work at the observatory via the internet and are tired of scp-ing all your stuff over to your local computer or want to speed up opening things like pdf files by using your local resources, there is a very nice solution: you can mount the folder you work in at the remote computer on your local computer via sshfs (you may need to install that program on your machine first with apt-get install sshfs).
sshfs user@machine.you.want.to.login:/folder/you/want/to/access /path/on/your/local/machine
/path/on/your/local/machine needs to be an existing directory, preferably an empty one. Be careful: everything you change in this directory will also change on the server.
Unmount again via
fusermount -u /path/on/your/local/machine
VPN via SSH
If you are in a restrictive network that blocks SSH and VPN tunnels, but you need to get to the Remeis cluster or the University network, here is what you can do:
To open an individual SSH session via port 80:
ssh -p80 user@carina.sternwarte.uni-erlangen.de
To set up an SSH-based VPN tunnel:
Note that, as for 'normal' VPN, you will need to have root privileges, i.e., you'll probably only be able to use the VPN tunnel from your personal machine. First make sure that password-less login via SSH keys works (see above) and sshuttle is installed or install it (apt-get install sshuttle). Then open a tunnel with the command
sshuttle -r user@carina.sternwarte.uni-erlangen.de:80 0.0.0.0/0 -vv
You will be prompted to enter your local sudo password. This command only seems to work if your login shell at Remeis is bash. For tcsh, you'll likely see an error message like
P=python2: Command not found.
P: Undefined variable
c : fatal: server died with error
although python is installed on carina. If you see this error, try
sshuttle -r user@carina.sternwarte.uni-erlangen.de:80 0.0.0.0/0 -vv --python=/usr/bin/python
You can avoid typing this command by setting up an (executable) script and calling the script instead:
#!/bin/bash
# Re-run this script under sudo if it was not started as root.
if [ "$(whoami)" != root ]; then
    echo "NOT RUNNING UNDER ROOT"
    echo "SUDOing now"
    echo "$0" "$@"
    sudo "$0" "$@"
    exit
fi
# Tunnel all traffic (0.0.0.0/0) through carina on port 80.
/usr/sbin/sshuttle -r user@carina.sternwarte.uni-erlangen.de:80 0.0.0.0/0 -vv --python=/usr/bin/python