SSH: Difference between revisions

From Alliance Doc
(Marked this version for translation)
(copyedits)
 
(53 intermediate revisions by 11 users not shown)
Line 2: Line 2:
<translate>
<translate>
<!--T:1-->
<!--T:1-->
Secure Shell (SSH) is a standard that allows individuals to connect to remote servers such that their login credentials are encrypted. It is the normal way Compute Canada users connect to our servers to execute commands, submit jobs, and follow the progress of these jobs.  
Secure Shell (SSH) is a widely used standard to connect to remote machines securely. The SSH connection is encrypted, including the username and password. SSH is the standard way for you to connect in order to execute commands, submit jobs, check the progress of jobs, and in some cases, transfer files.


<!--T:2-->
<!--T:2-->
Various software implementations of the SSH standard exist for most major operating systems. On OS X (Apple) and Linux the most widely used client is OpenSSH, a command line application which normally comes installed by default on these platforms. For Windows, individuals have to install an SSH client on their own: the two most common options are [http://www.chiark.greenend.org.uk/~sgtatham/putty/ PuTTY] and [http://mobaxterm.mobatek.net/download-home-edition.html MobaXTerm]. To use any of these implementations of SSH successfully, you need to know (1) the name of the machine to which you want to connect, (2) your userid and (3) your password.  
Various implementations of the SSH standard exist for most major operating systems.
*On macOS and Linux, the most widely used client is OpenSSH, a command line application installed by default.
*For recent versions of Windows, SSH is available in the PowerShell terminal, in the <code>cmd</code> prompt, or through Windows Subsystem for Linux (WSL). There are also 3rd-party SSH clients that are popular, such as [[Connecting with PuTTY|PuTTY]], [[Connecting with MobaXTerm|MobaXTerm]], [https://winscp.net/eng/download.php WinSCP], and [https://www.bitvise.com/ssh-client-download Bitvise].  
 
<!--T:7-->
To use any of these implementations of SSH successfully, you need to know the name of the machine to which you want to connect, your username and your password.
 
<!--T:5-->
The machine name will be something like <code>cedar.alliancecan.ca</code> or <code>niagara.alliancecan.ca</code>.
 
<!--T:6-->
Your <code>username</code> is your <b>default account</b>, typically something like <code>jsmith</code>, and the password is the same one you use to log in to [https://ccdb.alliancecan.ca/ CCDB]. The <code>username</code> is <b>not</b> your CCI, like <code>abc-123</code>, nor a CCRI like <code>abc-123-01</code>, nor your email address.


<!--T:3-->
<!--T:3-->
When using Linux or Apple, you will need to open a terminal, for example /Applications/Utilities/Terminal.app for Apple hardware, and then use the command shown below.
On Linux or macOS, you will need to open a terminal, for example /Applications/Utilities/Terminal.app for macOS, and then use the command:
{{Command|ssh -Y userid@machine_name}}
{{Command|ssh -Y username@machine_name}}
The option <tt>-Y</tt> forwards X11 traffic which allows you to use graphical applications on the remote server such as certain text editors. Note that to use graphical applications you also need to have an X11 server installed on your workstation. Under Linux an X11 server should normally already be installed but users of OS X will typically need to install an external package such as such [https://www.xquartz.org XQuartz]. Under windows, MobaXterm comes with an X11 server, while for PuTTY users, there is Xming (download  [http://downloads.sourceforge.net/project/xming/Xming/6.9.0.31/Xming-6-9-0-31-setup.exe installer] and [http://sourceforge.net/projects/xming/files/Xming-fonts/7.5.0.47/Xming-fonts-7-5-0-47-setup.exe/download extra fonts]). The first time that you connect to a remote server you'll be asked to store a copy locally of its "host key", a unique identifier that allows the ssh client to verify, when connecting next time, that this is the same server.
 
<!--T:15-->
The first time that you connect to a remote machine you'll be asked to store a copy locally of its <i>host key</i>, a unique identifier that allows the SSH client to verify, when connecting next time, that this is the same machine.
 
The option <code>-Y</code> shown above forwards X11 traffic which allows you to use graphical applications on the remote machine such as certain text editors. Note that to use graphical applications you also need to have an X11 server installed on your workstation. Under Linux, an X11 server will normally already be installed, but users of macOS will typically need to install an external package such as [https://www.xquartz.org XQuartz]. Under Windows, MobaXterm comes with an X11 server, while for PuTTY users, there is [https://sourceforge.net/projects/vcxsrv/ VcXsrv].  
 
<!--T:8-->
Note that when connecting via SSH to one of our clusters you will be randomly assigned to one of several distinct login nodes used for the cluster to balance the connection load, so you may land on a different login node from one connection to another, e.g., <code>cedar1</code>, <code>cedar5</code>, <code>gra-login4</code> or <code>gra-login2</code>. If you use a program like [https://www.gnu.org/software/screen/ screen] to manage your login sessions, you will need to make sure that you are on the same login node to open an older session by making an SSH connection to the appropriate login node from whichever one you initially landed on. For example, if you were assigned <code>gra-login4</code> when you typed <code>ssh username@graham.alliancecan.ca</code> but you want to be on <code>gra-login2</code>, type <code>ssh gra-login2</code> from <code>gra-login4</code> to get there.


<!--T:4-->
<!--T:4-->
The use of Windows-based SSH clients and the more advanced topic of key pair generation are discussed in the pages below:  
For more on Windows-based SSH clients, see:  
*[[Connecting with MobaXTerm]]
*[[Connecting with MobaXTerm]]
*[[Connecting with PuTTY]]
*[[Connecting with PuTTY]]
*[[Ssh keys|SSH Keys]]
For more on generating key pairs, see:
*[[Generating ssh keys in Windows|Generating SSH keys in Windows]]
*[[SSH Keys]]
*[[Using ssh keys in Linux|Using SSH keys in Linux]]
**[[Generating SSH keys in Windows]]
**[[Using SSH keys in Linux]]
For how to use SSH to allow communication between compute nodes and the internet, see:
*[[SSH tunnelling]]
For how to use an SSH configuration file to simplify the login procedure, see:
*[[SSH configuration file]]
 
= Connection errors = <!--T:9-->
While connecting to one of our clusters, you might get an error message such as:
* no matching cipher found
* no matching MAC found
* unable to negotiate a key exchange method
* couldn't agree a key exchange algorithm
* remote host identification has changed.
 
<!--T:10-->
The last of these error messages can point to a man-in-the-middle attack, or to an upgrade of security of the cluster you are trying to connect to.
If you get this, verify that the host key fingerprint mentioned in the message matches one of the host key fingerprints published at [[SSH host keys]].
If it does, it is safe to continue connecting.  If the host key fingerprint does not appear on our published list, terminate the connection and [[Technical support|contact support]].
 
<!--T:14-->
One such upgrade occurred on the Niagara cluster on May 31, 2019.  See [https://docs.scinet.utoronto.ca/index.php/SSH_Changes_in_May_2019 this page] for the one-time action required from users after the security upgrade.  Further upgrades of this type were made on all clusters in September/October 2019; see [[SSH security improvements]] for more information.
 
<!--T:13-->
If you see any of the other error messages, you will have to upgrade your OS and/or SSH client that supports strong ciphers, key exchange protocols and MAC (message authentication code) algorithms.
 
<!--T:11-->
Here are known versions that will fail and will have to be upgraded:
* OpenSSH on CentOS/RHEL 5
* [[Connecting with PuTTY | PuTTY]] v0.64 and earlier on Windows
 
<!--T:12-->
[[Category:Connecting]]
</translate>
</translate>
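Review bot: the new T:15 paragraph says users will be asked to store the host key on first connection but, unlike T:10, does not tell them to compare the offered fingerprint with the list at [[SSH host keys]] before accepting it. That first acceptance is what every later connection is checked against, so add a sentence in T:15 pointing to [[SSH host keys]]. Separately, in T:13 the phrase "upgrade your OS and/or SSH client that supports strong ciphers" is missing words; suggest "upgrade your OS and/or SSH client to a version that supports strong ciphers".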

Latest revision as of 13:52, 29 November 2023


Secure Shell (SSH) is a widely used standard to connect to remote machines securely. The SSH connection is encrypted, including the username and password. SSH is the standard way for you to connect in order to execute commands, submit jobs, check the progress of jobs, and in some cases, transfer files.

Various implementations of the SSH standard exist for most major operating systems.

  • On macOS and Linux, the most widely used client is OpenSSH, a command line application installed by default.
  • For recent versions of Windows, SSH is available in the PowerShell terminal, in the cmd prompt, or through Windows Subsystem for Linux (WSL). There are also 3rd-party SSH clients that are popular, such as PuTTY, MobaXTerm, WinSCP, and Bitvise.

To use any of these implementations of SSH successfully, you need to know the name of the machine to which you want to connect, your username and your password.

The machine name will be something like cedar.alliancecan.ca or niagara.alliancecan.ca.

Your username is your default account, typically something like jsmith, and the password is the same one you use to log in to CCDB. The username is not your CCI, like abc-123, nor a CCRI like abc-123-01, nor your email address.

On Linux or macOS, you will need to open a terminal, for example /Applications/Utilities/Terminal.app for macOS, and then use the command:

[name@server ~]$ ssh -Y username@machine_name

The first time that you connect to a remote machine you'll be asked to store a copy locally of its host key, a unique identifier that allows the SSH client to verify, when connecting next time, that this is the same machine.

The option -Y shown above forwards X11 traffic which allows you to use graphical applications on the remote machine such as certain text editors. Note that to use graphical applications you also need to have an X11 server installed on your workstation. Under Linux, an X11 server will normally already be installed, but users of macOS will typically need to install an external package such as XQuartz. Under Windows, MobaXterm comes with an X11 server, while for PuTTY users, there is VcXsrv.

Note that when connecting via SSH to one of our clusters you will be randomly assigned to one of several distinct login nodes used for the cluster to balance the connection load, so you may land on a different login node from one connection to another, e.g., cedar1, cedar5, gra-login4 or gra-login2. If you use a program like screen to manage your login sessions, you will need to be on the same login node to open an older session; to get there, make an SSH connection to the appropriate login node from whichever one you initially landed on. For example, if you were assigned gra-login4 when you typed ssh username@graham.alliancecan.ca but you want to be on gra-login2, type ssh gra-login2 from gra-login4 to get there.

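For more on Windows-based SSH clients, see:

  • Connecting with MobaXTerm
  • Connecting with PuTTY

For more on generating key pairs, see:

  • SSH Keys
      • Generating SSH keys in Windows
      • Using SSH keys in Linux

For how to use SSH to allow communication between compute nodes and the internet, see:

  • SSH tunnelling

For how to use an SSH configuration file to simplify the login procedure, see:

  • SSH configuration file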

Connection errors

While connecting to one of our clusters, you might get an error message such as:

  • no matching cipher found
  • no matching MAC found
  • unable to negotiate a key exchange method
  • couldn't agree a key exchange algorithm
  • remote host identification has changed.

The last of these error messages can point to a man-in-the-middle attack, or to a security upgrade on the cluster you are trying to connect to. If you get this error, verify that the host key fingerprint mentioned in the message matches one of the host key fingerprints published at SSH host keys. If it does, it is safe to continue connecting. If the host key fingerprint does not appear on our published list, terminate the connection and contact support.
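The check described above, as an added example that is not part of the original page: it pulls the SHA256 fingerprint out of the warning text and compares it with a published list. The keys, the warning excerpt and the published list are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib
import re
import struct

def sha256_fingerprint(pubkey_line):
    """OpenSSH-style SHA256 fingerprint of a 'keytype base64 [comment]' line."""
    blob = base64.b64decode(pubkey_line.split()[1], validate=True)
    digest = hashlib.sha256(blob).digest()
    # OpenSSH prints the digest base64-encoded with the '=' padding removed.
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

# A SHA256 fingerprint is always 43 base64 characters after the prefix.
FP_RE = re.compile(r"SHA256:[A-Za-z0-9+/]{43}")

def decide(message, published):
    """Apply the page's rule to the text of a connection error."""
    m = FP_RE.search(message)
    if m is None:
        return "no-fingerprint"          # e.g. a cipher/MAC/KEX error instead
    if m.group(0) in published:
        return "continue"                # matches a published host key
    return "terminate-and-contact-support"

def constructed_key(seed):
    """Constructed ed25519-shaped public key line (not a real host key)."""
    raw = bytes((seed + i) % 256 for i in range(32))
    blob = (struct.pack(">I", 11) + b"ssh-ed25519" +
            struct.pack(">I", 32) + raw)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

def warning_for(fp):
    """Constructed excerpt in the shape of OpenSSH's changed-host-key warning."""
    return ("@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @\n"
            "The fingerprint for the ED25519 key sent by the remote host is\n"
            + fp + ".\n")

# Placeholder list: in practice, copy the values from the SSH host keys page.
GOOD_FP = sha256_fingerprint(constructed_key(1))
BAD_FP = sha256_fingerprint(constructed_key(2))
PUBLISHED = {GOOD_FP}

if __name__ == "__main__":
    for fp in (GOOD_FP, BAD_FP):
        print(fp, "->", decide(warning_for(fp), PUBLISHED))
```

For a key stored in a file, `ssh-keygen -lf <file>` prints a fingerprint in the same format.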

One such upgrade occurred on the Niagara cluster on May 31, 2019. See this page for the one-time action required from users after the security upgrade. Further upgrades of this type were made on all clusters in September/October 2019; see SSH security improvements for more information.

If you see any of the other error messages, you will have to upgrade your OS and/or SSH client to a version that supports strong ciphers, key exchange protocols and MAC (message authentication code) algorithms.

Here are known versions that will fail and will have to be upgraded:

  • OpenSSH on CentOS/RHEL 5
  • PuTTY v0.64 and earlier on Windows