SSH
Secure Shell (SSH) is a widely used standard to connect to remote machines securely. The SSH connection is encrypted, including the username and password. SSH is the standard way for you to connect in order to execute commands, submit jobs, check the progress of jobs, and in some cases, transfer files.
Various implementations of the SSH standard exist for most major operating systems.
- On macOS and Linux, the most widely used client is OpenSSH, a command line application installed by default.
- For recent versions of Windows, SSH is available in the PowerShell terminal, in the
cmd
prompt, or through Windows Subsystem for Linux (WSL). There are also 3rd-party SSH clients that are popular, such as PuTTY, MobaXTerm, WinSCP, and Bitvise.
To use any of these implementations of SSH successfully, you need to know the name of the machine to which you want to connect, your username and your password.
The machine name will be something like cedar.alliancecan.ca
or niagara.alliancecan.ca
.
Your username
is your default account, typically something like jsmith
, and the password is the same one you use to log in to CCDB. The username
is not your CCI, like abc-123
, nor a CCRI like abc-123-01
, nor your email address.
On Linux or macOS, you will need to open a terminal, for example /Applications/Utilities/Terminal.app for macOS, and then use the command:
[name@server ~]$ ssh -Y username@machine_name
The first time that you connect to a remote machine you'll be asked to store a copy locally of its host key, a unique identifier that allows the SSH client to verify, when connecting next time, that this is the same machine.
The option -Y
shown above forwards X11 traffic which allows you to use graphical applications on the remote machine such as certain text editors. Note that to use graphical applications you also need to have an X11 server installed on your workstation. Under Linux, an X11 server will normally already be installed, but users of macOS will typically need to install an external package such as XQuartz. Under Windows, MobaXterm comes with an X11 server, while for PuTTY users, there is VcXsrv.
Note that when connecting via SSH to one of our clusters you will be randomly assigned to one of several distinct login nodes used for the cluster to balance the connection load, so you may land on a different login node from one connection to another, e.g., cedar1
, cedar5
, gra-login4
or gra-login2
. If you use a program like screen to manage your login sessions, you will need to make sure that you are on the same login node to open an older session by making an SSH connection to the appropriate login node from whichever one you initially landed on. For example, if you were assigned gra-login4
when you typed ssh username@graham.alliancecan.ca
but you want to be on gra-login2
, type ssh gra-login2
from gra-login4
to get there.
For more on Windows-based SSH clients, see:
For more on generating key pairs, see:
For how to use SSH to allow communication between compute nodes and the internet, see:
For how to use an SSH configuration file to simplify the login procedure, see:
Connection errors[edit]
While connecting to one of our clusters, you might get an error message such as:
- no matching cipher found
- no matching MAC found
- unable to negotiate a key exchange method
- couldn't agree a key exchange algorithm
- remote host identification has changed.
The last of these error messages can point to a man-in-the-middle attack, or to an upgrade of security of the cluster you are trying to connect to. If you get this, verify that the host key fingerprint mentioned in the message matches one of the host key fingerprints published at SSH host keys. If it does, it is safe to continue connecting. If the host key fingerprint does not appear on our published list, terminate the connection and contact support.
One such upgrade occurred on the Niagara cluster on May 31, 2019. See this page for the one-time action required from users after the security upgrade. Further upgrades of this type were made on all clusters in September/October 2019; see SSH security improvements for more information.
If you see any of the other error messages, you will have to upgrade your OS and/or SSH client that supports strong ciphers, key exchange protocols and MAC (message authentication code) algorithms.
Here are known versions that will fail and will have to be upgraded:
- OpenSSH on CentOS/RHEL 5
- PuTTY v0.64 and earlier on Windows