SSH

From Hyades

Secure Shell (SSH) is a cryptographic network protocol for secure data communication, remote command-line login, remote command execution, and other secure network services between two networked computers. The protocol specification distinguishes between two major versions, referred to as SSH-1 and SSH-2. Many vulnerabilities have been discovered in SSH-1. The SSH servers on Hyades run SSH-2 only.

There are many SSH clients available. We recommend OpenSSH for UNIX-like systems (including Linux & Mac OS X), and PuTTY for Windows.

OpenSSH

OpenSSH server and client are commonly present on modern UNIX-like systems, including Linux & Mac OS X.

Public Key Authentication

In addition to password authentication, you can also use public key authentication to log on to Hyades. You may have already generated SSH keys to authenticate to other systems, but we recommend generating a new private-public key pair just for Hyades.

For illustration, let's assume that both your username on your local computer and your username on Hyades are YourUsername; adjust it accordingly. On both your local computer and Hyades (the master node), first make sure the directory ~/.ssh exists and its permissions are correct:

$ ls -ld ~/.ssh
drwx------  20 user  staff  680 May  5 13:37 /Users/YourUsername/.ssh/

If not, run

mkdir ~/.ssh
chmod 700 ~/.ssh

or

mkdir -m 700 ~/.ssh

Then on your local computer, go to ~/.ssh and generate the private-public key pair:

cd ~/.ssh
ssh-keygen -t rsa -b 2048 -f hyades

It will ask for a passphrase. For enhanced security, please provide a passphrase. Afterwards, two files will be generated in ~/.ssh: hyades (private key) and hyades.pub (public key). Upload the public key to Hyades:

cat ~/.ssh/hyades.pub | ssh YourUsername@hyades.ucsc.edu 'cat >> ~/.ssh/authorized_keys'

Alternatively, if ssh-copy-id is available on your local computer, you can upload the key with:

ssh-copy-id -i ~/.ssh/hyades.pub YourUsername@hyades.ucsc.edu

On Hyades, make sure the permission of ~/.ssh/authorized_keys is correct:

$ ls -l ~/.ssh/authorized_keys 
-rw------- 1 YourUsername YourUsername 824 Oct 30  2013 /home/YourUsername/.ssh/authorized_keys

If not, run

chmod 600 ~/.ssh/authorized_keys
Note (SELinux): if SELinux is set to enforcing on the Linux server (not on Hyades), one may need to run:

restorecon -R -v ~/.ssh
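Added here as an example (not part of the wiki page): a small Python check for the 700/600 permissions the steps above require, plus a fixer equivalent to the mkdir -m 700 and chmod 600 commands. The function names and the directory argument are this example's own.

```python
import os
import stat

# Added example (not from the Hyades wiki). The wiki asks for ~/.ssh to be
# mode 0700 and ~/.ssh/authorized_keys to be 0600; sshd's StrictModes
# (on by default) additionally refuses anything group- or world-writable.
WANT_DIR_MODE = 0o700
WANT_KEYS_MODE = 0o600


def ssh_perm_problems(ssh_dir):
    """Return a list of human-readable problems; an empty list means all good."""
    problems = []
    if not os.path.isdir(ssh_dir):
        return [f"missing directory: {ssh_dir}"]
    mode = stat.S_IMODE(os.stat(ssh_dir).st_mode)
    if mode != WANT_DIR_MODE:
        problems.append(f"{ssh_dir} is {mode:04o}, want {WANT_DIR_MODE:04o}")
    keys = os.path.join(ssh_dir, "authorized_keys")
    if os.path.exists(keys):
        mode = stat.S_IMODE(os.stat(keys).st_mode)
        if mode != WANT_KEYS_MODE:
            problems.append(f"{keys} is {mode:04o}, want {WANT_KEYS_MODE:04o}")
    return problems


def fix_ssh_perms(ssh_dir):
    """Equivalent of 'mkdir -m 700 ~/.ssh' and 'chmod 600 ~/.ssh/authorized_keys'."""
    os.makedirs(ssh_dir, mode=WANT_DIR_MODE, exist_ok=True)
    os.chmod(ssh_dir, WANT_DIR_MODE)  # makedirs honours umask, so chmod explicitly
    keys = os.path.join(ssh_dir, "authorized_keys")
    if os.path.exists(keys):
        os.chmod(keys, WANT_KEYS_MODE)
    return ssh_perm_problems(ssh_dir)


if __name__ == "__main__":
    for problem in ssh_perm_problems(os.path.expanduser("~/.ssh")):
        print(problem)
```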

Now you can use your private key to log on to Hyades:

ssh -i ~/.ssh/hyades -l YourUsername hyades.ucsc.edu

To save a few keystrokes, you can add the following stanza to your ~/.ssh/config on your local computer:

Host h
  HostName hyades.ucsc.edu
  User YourUsername
  IdentityFile ~/.ssh/hyades
  ForwardAgent no

Then to log onto Hyades, you can simply run:

ssh h

X Forwarding

To run an X client application remotely, you need to run an X Window System Server on your local computer and to enable X forwarding over SSH.

X server is readily available on UNIX-like systems. Most Linux distributions provide the X.Org Server. Although X is no longer included with Mac OS X, X server and client libraries for OS X are available from the XQuartz project.

To enable X forwarding, set the option -X of the OpenSSH client:

ssh -X YourUsername@hyades.ucsc.edu

or add the following line to your ~/.ssh/config:

ForwardX11 yes

X forwarding is subject to the X11 SECURITY extension restrictions by default, which can make some GUI applications draw badly. In that case, try trusted X11 forwarding with the -Y option of ssh. Trusted forwarding is not subject to the X11 SECURITY extension controls, so the remote application gets full access to your local X display:

ssh -Y YourUsername@hyades.ucsc.edu

or add the following line to your ~/.ssh/config:

ForwardX11Trusted yes

PuTTY

PuTTY is a free and open-source terminal emulator, serial console and network file transfer application, originally written for Microsoft Windows. You can download the Windows application from the PuTTY Download Page. Unlike most free and open-source software, the PuTTY documentation is extensive and a pleasure to read. You can peruse it at the PuTTY Documentation Page.

PuTTY consists of several components:

  • PuTTY: the Telnet and SSH client itself
  • PSCP: an SCP client, i.e. command-line secure file copy
  • PSFTP: an SFTP client, i.e. general file transfer sessions much like FTP
  • Plink: a command-line interface to the PuTTY back ends
  • Pageant: an SSH authentication agent for PuTTY, PSCP and Plink
  • PuTTYgen: an RSA and DSA key generation utility
  • pterm: a standalone terminal emulator

Public Key Authentication

To configure public key authentication with PuTTY, please refer to instructions in the following 2 chapters of the PuTTY documentation:

X Forwarding

To run an X client application remotely, you need to run an X Window System Server on your local computer and to enable X forwarding over SSH. A good X Server for Microsoft Windows is Xming. To enable X forwarding with PuTTY, follow the instructions in the section Using X11 forwarding in SSH of the PuTTY documentation.

Types of SSH keys

OpenSSH 6.5 and later support 4 types of keys for public key authentication: DSA, RSA, ECDSA & Ed25519.

DSA

The security of DSA (Digital Signature Algorithm) is based on the discrete logarithm problem. Significant advances have been made in solving that problem, so the security of DSA may be broken in the near future. Although equal-size DSA and RSA keys offer about the same level of security, ssh-keygen restricts the size of DSA keys to exactly 1024 bits in order to comply with NIST's FIPS 186-2 standard:

$ ssh-keygen -t dsa -b 2048
DSA keys must be 1024 bits

1024-bit DSA keys are simply insufficient, so one should avoid DSA keys.

RSA

The security of RSA is based on the fact that factoring large integers is known to be difficult. You should use an RSA key that is at least 2048 bits long:

$ ssh-keygen -t rsa -b 2048

ECDSA

ECDSA (Elliptic Curve Digital Signature Algorithm) uses elliptic curve cryptography. It was introduced as the preferred algorithm for authentication in OpenSSH 5.7. Note that although the OpenSSH bundled with Mac OS X 10.9 is version 6.2p2, its ECDSA implementation is disabled due to potential patent issues.

You can use the -b flag to select from one of three elliptic curve sizes: 256, 384 or 521 bits — attempting to use bit lengths other than these three values for ECDSA keys will fail. For example, to generate a pair of 521-bit ECDSA keys, run:

$ ssh-keygen -t ecdsa -b 521

Note that 521 here is not a typographic error: 2^521 - 1 is a Mersenne prime.

Although ECDSA is billed as providing smaller key sizes and faster operations for equivalent estimated security than DSA, there is reason to be suspicious of the NIST curves used to generate ECDSA keys. It might be advisable to avoid ECDSA and to use Ed25519 or RSA instead.

Ed25519

Ed25519 is an Edwards-curve Digital Signature Algorithm (EdDSA) scheme that offers high performance and better security than ECDSA and DSA. Support for Ed25519 keys was introduced in OpenSSH 6.5.

To generate a pair of Ed25519 keys, run (there is no need to set the key size, as all Ed25519 keys are 256 bits):

$ ssh-keygen -t ed25519

If your OpenSSH supports it, you are advised to use Ed25519 keys.
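Added here as an example (not part of the wiki page): a Python audit of an authorized_keys file against the recommendations in this section. Key blobs are parsed as length-prefixed fields (the RFC 4253 public key format), the RSA bit length is that of the modulus n, and the sample keys are constructed in the code rather than real keys; the function names are this example's own.

```python
import base64
import struct

# Added example (not from the Hyades wiki): classify each key in an
# authorized_keys file. DSA is always 1024-bit and should be avoided, RSA
# below 2048 bits is weak, ECDSA uses NIST curves, Ed25519 is preferred.

def _fields(blob):
    """Split a decoded OpenSSH key blob into its 4-byte-length-prefixed fields."""
    out, off = [], 0
    while off < len(blob):
        (n,) = struct.unpack(">I", blob[off:off + 4])
        out.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    return out

def classify_key(line):
    """Return (key type, bits, verdict) for one authorized_keys line."""
    parts = line.split()  # quoted options containing spaces are not handled here
    i = next((k for k, p in enumerate(parts) if p.startswith(("ssh-", "ecdsa-"))), None)
    if i is None or i + 1 >= len(parts):
        return "?", 0, "unparseable line"
    ktype, fields = parts[i], _fields(base64.b64decode(parts[i + 1]))
    if fields[0].decode() != ktype:
        return ktype, 0, "malformed: blob type does not match"
    if ktype == "ssh-rsa":  # fields: "ssh-rsa", e, n
        bits = int.from_bytes(fields[2], "big").bit_length()
        return ktype, bits, "ok" if bits >= 2048 else "weak: RSA below 2048 bits"
    if ktype == "ssh-dss":  # fields: "ssh-dss", p, q, g, y
        return ktype, int.from_bytes(fields[1], "big").bit_length(), "avoid: DSA"
    if ktype.startswith("ecdsa-sha2-nistp"):
        return ktype, int(ktype[16:]), "caution: NIST curve"
    if ktype == "ssh-ed25519":
        return ktype, 256, "ok"
    return ktype, 0, "unknown key type"

def audit(text):
    """Classify every key line of an authorized_keys file, skipping blanks and comments."""
    return [classify_key(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]

# Constructed sample blobs (not real keys): only the wire structure matters here.
def _s(b):
    return struct.pack(">I", len(b)) + b
def _mp(n):  # mpint: big-endian with a leading zero byte when the high bit is set
    return _s(n.to_bytes((n.bit_length() + 8) // 8, "big"))
def _line(ktype, *fields, prefix=""):
    return f"{prefix}{ktype} {base64.b64encode(_s(ktype.encode()) + b''.join(fields)).decode()} user@example"

SAMPLE = "\n".join([
    "# constructed authorized_keys",
    _line("ssh-rsa", _mp(65537), _mp((1 << 2047) | 1)),
    _line("ssh-rsa", _mp(65537), _mp((1 << 1023) | 1), prefix="no-pty,no-agent-forwarding "),
    _line("ssh-dss", _mp((1 << 1023) | 1), _mp(1 << 159), _mp(2), _mp(3)),
    _line("ecdsa-sha2-nistp521", _s(b"nistp521"), _s(b"\x04" + b"\x01" * 132)),
    _line("ssh-ed25519", _s(b"\x02" * 32)),
])
```

Running audit(SAMPLE) yields one (type, bits, verdict) tuple per key; point audit() at the contents of a real ~/.ssh/authorized_keys to review it.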