SSH configuration file: Difference between revisions
Jump to navigation
Jump to search
(Marked this version for translation) |
(Add warning about trusted X11 forwarding) |
||
| (6 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
<languages/> | |||
<translate> | <translate> | ||
<!--T:1--> | <!--T:1--> | ||
| Line 4: | Line 6: | ||
<!--T:2--> | <!--T:2--> | ||
On Linux and macOS you can modify your local SSH configuration file to change the default behaviour of <code>ssh</code> and simplify the login procedure. For example, if you want to | On Linux and macOS, you can modify your local SSH configuration file to change the default behaviour of <code>ssh</code> and simplify the login procedure. For example, if you want to log into <code>narval.computecanada.ca</code> as <code>username</code> using an [[Using SSH keys in Linux|SSH key]], you may need to use the following command: | ||
{{Command|prompt=[name@yourLaptop ~]|ssh -i ~/.ssh/your_private_key username@narval.computecanada.ca}} | {{Command|prompt=[name@yourLaptop ~]|ssh -i ~/.ssh/your_private_key username@narval.computecanada.ca}} | ||
To avoid having to type this command each time you want to connect to Narval, add the following to <code>~/.ssh/config</code> on your local machine: | To avoid having to type this command each time you want to connect to Narval, add the following to <code>~/.ssh/config</code> on your local machine: | ||
| Line 22: | Line 24: | ||
HostName %h.computecanada.ca | HostName %h.computecanada.ca | ||
[...] | [...] | ||
Note that you need to install your public [[SSH Keys | SSH key]] on each cluster separately or use [[SSH Keys#Using CCDB | CCDB]]. | Note that you need to install your public [[SSH Keys | SSH key]] on each cluster separately or use [[SSH Keys#Using CCDB|CCDB]]. | ||
<!--T:4--> | <!--T:4--> | ||
| Line 35: | Line 37: | ||
in the corresponding sections of your configuration file. However, we do not recommend doing so in general, for these reasons: | in the corresponding sections of your configuration file. However, we do not recommend doing so in general, for these reasons: | ||
* Enabling X11 forwarding by default for all of your connections can slow down your sessions, especially if your X11 client on your computer is misconfigured. | * Enabling X11 forwarding by default for all of your connections can slow down your sessions, especially if your X11 client on your computer is misconfigured. | ||
* Similarly, while forwarding your SSH agent is convenient and more secure than typing a password on a remote computer, it | * Enabling trusted X11 forwarding comes with a risk. Should the server to which you are connecting to be compromised, a privileged user (<code>root</code>) could intercept keyboard activity on your local computer. Use trusted X11 forwarding <i>only when you need it</i>. | ||
* Similarly, while forwarding your SSH agent is convenient and more secure than typing a password on a remote computer, it also comes with a risk. Should the server to which you are connecting to be compromised, a privileged user (<code>root</code>) could use your agent and connect to another host without your knowledge. Use agent forwarding <i>only when you need it</i>. We also recommend that, if you use this feature, you should combine it with <code>ssh-askpass</code> so that any use of your SSH agent triggers a prompt on your computer, preventing usage of your agent without your knowledge. | |||
<!--T:5--> | <!--T:5--> | ||
[[Category:Connecting]] | [[Category:Connecting]] | ||
</translate> | </translate> | ||
Latest revision as of 14:41, 16 May 2023
Parent page: SSH
On Linux and macOS, you can modify your local SSH configuration file to change the default behaviour of ssh and simplify the login procedure. For example, if you want to log into narval.computecanada.ca as username using an SSH key, you may need to use the following command:
[name@yourLaptop ~] ssh -i ~/.ssh/your_private_key username@narval.computecanada.ca
To avoid having to type this command each time you want to connect to Narval, add the following to ~/.ssh/config on your local machine:
Host narval User username HostName narval.computecanada.ca IdentityFile ~/.ssh/your_private_key
You can now log into Narval by typing
[name@yourLaptop ~] ssh narval
This also changes the behaviour of sftp, scp, and rsync and you can now transfer files by typing for example
[name@yourLaptop ~] scp local_file narval:work/
If you frequently log into different clusters, modify the above Host block as follows instead of adding individual entries for each cluster separately:
Host narval beluga graham cedar [...] HostName %h.computecanada.ca [...]
Note that you need to install your public SSH key on each cluster separately or use CCDB.
Note that other options of the ssh commands have corresponding parameters that you can put in your ~/.ssh/config file on your machine. In particular, the command line options
-X(X11 forwarding)-Y(trusted X11 forwarding)-A(agent forwarding)
can be set through your configuration file by adding lines with
ForwardX11 yesForwardX11Trusted yesForwardAgent yes
in the corresponding sections of your configuration file. However, we do not recommend doing so in general, for these reasons:
- Enabling X11 forwarding by default for all of your connections can slow down your sessions, especially if your X11 client on your computer is misconfigured.
- Enabling trusted X11 forwarding comes with a risk. Should the server to which you are connecting to be compromised, a privileged user (
root) could intercept keyboard activity on your local computer. Use trusted X11 forwarding only when you need it. - Similarly, while forwarding your SSH agent is convenient and more secure than typing a password on a remote computer, it also comes with a risk. Should the server to which you are connecting to be compromised, a privileged user (
root) could use your agent and connect to another host without your knowledge. Use agent forwarding only when you need it. We also recommend that, if you use this feature, you should combine it withssh-askpassso that any use of your SSH agent triggers a prompt on your computer, preventing usage of your agent without your knowledge.