SSH: Difference between revisions
No edit summary |
No edit summary |
||
Line 40: | Line 40: | ||
For how to use SSH to allow communication between compute nodes and the internet, see: | For how to use SSH to allow communication between compute nodes and the internet, see: | ||
*[[SSH tunnelling]] | *[[SSH tunnelling]] | ||
For how to use an SSH configuration file to simplify the login procedure, see: | |||
*[[SSH configuration file]] | |||
= Connection errors = <!--T:9--> | = Connection errors = <!--T:9--> |
Revision as of 16:36, 15 May 2023
Secure Shell (SSH) is a widely used standard to connect to remote machines in a secure way. The entire SSH connection is encrypted - especially the login credentials (username and password). SSH is the normal way for our users to connect in order to execute commands, submit jobs, follow the progress of these jobs and in some cases, transfer files.
Various implementations of the SSH standard exist for most major operating systems.
- On macOS and Linux, the most widely used client is OpenSSH, a command line application installed by default on these platforms.
- For recent versions of Windows, SSH is available in the PowerShell terminal, in the
cmd
prompt, or through Windows Subsystem for Linux (WSL). There are also some 3rd-party SSH clients that are popular, such as PuTTY, MobaXTerm, WinSCP, and Bitvise.
To use any of these implementations of SSH successfully, you need to know (1) the name of the machine to which you want to connect, (2) your username and (3) your password.
The machine name will be something like cedar.computecanada.ca
or niagara.computecanada.ca
.
Your username
is your default account, typically something like jsmith
, and the password is the same one you use to log in to the CCDB, ccdb.computecanada.ca. The username
is not your CCI, like abc-123
, nor a CCRI like abc-123-01
, nor your email address.
When using Linux or macOS, you will need to open a terminal, for example /Applications/Utilities/Terminal.app for Apple hardware, and then use the command shown below:
[name@server ~]$ ssh -Y username@machine_name
The first time that you connect to a remote machine you'll be asked to store a copy locally of its "host key," a unique identifier that allows the SSH client to verify, when connecting next time, that this is the same machine.
The option -Y
shown above forwards X11 traffic which allows you to use graphical applications on the remote machine such as certain text editors. Note that to use graphical applications you also need to have an X11 server installed on your workstation. Under Linux an X11 server will normally already be installed, but users of macOS will typically need to install an external package such as such XQuartz. Under windows, MobaXterm comes with an X11 server, while for PuTTY users, there is VcXsrv.
Note that when connecting via SSH to one of our clusters you will be randomly assigned to one of several distinct login nodes used for the cluster to balance the connection load, so that you may well land on a different login node from one connection to another, e.g., cedar1
, cedar5
, gra-login4
or gra-login2
. If you use a program like screen to manage your login sessions, you will need to make sure that you are on the same login node to open an older session, by making an SSH connection to the appropriate login node from whichever one you initially landed on. If for example you were assigned gra-login4
when you typed ssh username@graham.computecanada.ca
but you want to be on gra-login2
, simply type ssh gra-login2
from gra-login4
to get there.
For more on Windows-based SSH clients, see:
For more on generating key pairs, see:
For how to use SSH to allow communication between compute nodes and the internet, see:
For how to use an SSH configuration file to simplify the login procedure, see:
Connection errors[edit]
While connecting to one of our clusters, you might get an error message similar to those listed below:
- no matching cipher found
- no matching MAC found
- unable to negotiate a key exchange method
- couldn't agree a key exchange algorithm
- remote host identification has changed.
The last of these error messages can point to a man-in-the-middle attack, or to an upgrade of security of the cluster you are trying to connect to. If you get this, verify that the host key fingerprint mentioned in the message matches one of the host key fingerprints published at SSH host keys. If it does, it is safe to continue connecting. If the host key fingerprint does not appear on our published list, terminate the connection and contact support.
One such upgrade occurred on the Niagara cluster on May 31, 2019. See this page for the one-time action required from users after the security upgrade. Further upgrades of this type were made on all clusters in September/October 2019; see SSH security improvements for more information.
If you see any of the other error messages, you will have to upgrade your OS and/or SSH client that supports strong ciphers, key exchange protocols and MAC (message authentication code) algorithms.
Here are known versions that will fail and will have to be upgraded:
- OpenSSH on CentOS/RHEL 5
- PuTTY v0.64 and earlier on Windows