SSH (Secure Shell) extras.

SSH configuration

The OpenSSH client and server are very clever! Pretty much any modern Unix runs the server, to allow users a secure shell login, for example by `ssh user@host', using SSL encryption.

Public-key (automatic) login

Public-key login allows public/private key pairs to be generated and installed in the ~/.ssh/ directory in such a way as to allow automatic login between computers (you don't need to use a password). This is particularly useful between our computers, for allowing automatic login when running distributed batch jobs. All that is needed is to create a public/private key pair on the computer that will be logged in from, then copy the public key to an `authorized_keys' file on the computer that will be logged in to. All these files live in the user's home directory, by default under the hidden directory called `.ssh'.

It is easy for us as all computers share the home directory: the following two commands will allow login to any of these from any of these!

The first time you log into a computer by ssh, you'll need to accept its `host key' manually (or to use ssh options to avoid this step). After this, logins between all our computers should be automatic.
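The key-pair and `authorized_keys' steps described above, as an added example (not this page's original commands). The Ed25519 key type, the file names and the function names `make_keypair' and `authorize_key' are assumptions; the permission handling matches what sshd's default StrictModes setting checks.

```shell
#!/bin/sh
# Added example: set up public-key login with the file modes that sshd's
# default StrictModes check expects. Key type and file names are assumptions.

# make_keypair KEYFILE
# Generate an Ed25519 key pair unless KEYFILE already exists. ssh-keygen asks
# for a passphrase; an empty one allows unattended (batch) login but leaves
# the private key unprotected on disk.
make_keypair() {
    [ -f "$1" ] || ssh-keygen -t ed25519 -f "$1"
}

# authorize_key PUBFILE SSHDIR
# Append the public key in PUBFILE to SSHDIR/authorized_keys exactly once.
authorize_key() {
    pubfile=$1
    sshdir=$2
    auth=$sshdir/authorized_keys

    # Public keys are one line: "type base64 [comment]". Refuse anything
    # else, e.g. the private key file picked up by mistake.
    line=$(head -n 1 "$pubfile") || return 1
    case $line in
        ssh-*' '*|ecdsa-*' '*|sk-*' '*) ;;
        *) echo "refusing: $pubfile is not a public key" >&2; return 1 ;;
    esac

    # With StrictModes, sshd ignores authorized_keys if it or the .ssh
    # directory is writable by group or others.
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # -x whole line, -F fixed string: re-running adds no duplicate entry.
    grep -qxF -- "$line" "$auth" || printf '%s\n' "$line" >> "$auth"
}

# With a shared home directory, as described above, both steps run on one
# machine and take effect on all of them:
#   make_keypair "$HOME/.ssh/id_ed25519"
#   authorize_key "$HOME/.ssh/id_ed25519.pub" "$HOME/.ssh"
```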

X-forwarding (graphical things through ssh)

Graphical windows (X) can be tunnelled automatically, just by giving the options -XY to ssh when logging in, then starting a GUI program on the remote computer. ssh sorts out all that's needed to tunnel the traffic through the encrypted channel. So, for example, `ssh -XY user@host' then run a command such as Of course, you have to have an X-server running on your computer, accessible by the ssh program! The above is also described on the access page.

Port-forwarding (TCP)

Port-forwarding can be used to get access to resources restricted to a local network. For example, `ssh -L 5901:localhost:5901 user@host' would forward the remote host's first VNC (remote desktop) port to the local host. One could then connect to the first VNC display on one's own computer and actually be connecting to the remote host, through a secure tunnel, even if packet-filtering (`firewalling') on that host prevented remote access to VNC. In the above example, `localhost' refers to the localhost at the remote end; it could instead have been any computer that the remote computer can access.

Remote command, and data from it

When ssh is called with a command at the end of its list of arguments, it runs this command on the remote computer, then exits. All data that the command emits to standard output is emitted on the standard output of the ssh client on the local computer. So `ssh user@host cat /proc/cpuinfo >host.cpuinfo' would make a local file containing the CPU information from the remote host, and `ssh user@host tar -cz /usr/local/share >host_usr-local-share.tar.gz' would create a local file containing a gzipped archive of the /usr/local/share directory on the remote host. Programs such as rsync use ssh for the transport between remote computers when doing file synchronisation.


Page started: 2007-11-xx
Last change: 2007-11-12