About SSH Keys

On the IPSL mesocenter, SSH remote login is only allowed with an RSA key (no password).
SSH access to the head nodes is open to the whole internet.

Generating your key with ssh-keygen on Linux or macOS

  • keep the default filename when generating: just press Return at the prompt "Enter file in which to save the key" (40% of problems)
  • always protect your key with a passphrase (do not forget it: 10% of problems; https://keepassxc.org/)

A private key (identification) can easily be copied from one computer to another.

The best approach is to generate the key on one of your laboratory's UNIX/Linux servers, even if you will then use it from a Linux, macOS or Windows laptop.
This way you keep a copy of your private key and can still
connect even if you lose or break your laptop.

Terminal command to generate the key:

ssh-keygen -b 4096 -t rsa

Full sample of key generation:

[user@localhost ~]$ ssh-keygen -b 4096 -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):  
Enter passphrase (empty for no passphrase): *******************  
Enter same passphrase again: *******************  
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:tpdrIr1dW5uCKr6AvCu/GXdauBvOY4nqENGK+aGWoU0 user@localhost
The key's randomart image is:
+---[RSA 4096]----+
|                 |
| .               |
|. .              |
|.+               |
|=.E     S        |
|.Boo . . . .     |
|+o*.=.o.. o.. .  |
|+ .B+Bo oooo.o o |
|o=*+*+o+o=o ..o  |
+----[SHA256]-----+
[user@localhost ~]$ cat /home/user/.ssh/id_rsa.pub

The SSH public key needed in the form is only this single line, the content of id_rsa.pub:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMW7eR0JPEh/1F4k2LEoBQMHaZ3uRL6uZM3S9LEzwhXKnOwpjP3opsjldCgyc3xSTbrgWCoJLdq4xitTmLF/1Da6a3CX9PHLB3WT0YeJCa2vGbHozqldgDg4k8ZagaYFozK7uMqeZTYdhPN2Q9YE+ptaXFUXMyOaUbfSuMPMyHeAc7MeG7f+ivf4RunQTcnY8fbLM2Gx1voE5KUTph1atRgkOKYmNSWPijn2qmQ6BYeFwttojiuOWH0bCSXy/JywinamyBzt0JK40rAlCa09lP+5jia0N0Sn6nmijZ1o3oaO6nOjYMZ1os3OAbmafX8wfSDarKqWE5kQQmF5abyZ9PvI+MliXVe//bEjIxW00z0s3bM6EWzJ1/MmtI5aNT3DpgXx0pzh9uPMA5tgdl90BvxXNljovxriYqtwcWTfWtEDnQekFOeQI3S/ou0rRZ80n3RwUTs0soxkOo4lSTP2Jh/KYeGqQPuMPOLiW5oHZPXQZ5uu0VWCjFB9kD+NXxoWoOrJ6t6DRzwoEO83V87uUyz3Bzlw9aixxWEr38CW7ZVXqpTnFKj/TdPkny7Ms77cLBb3WbPZTWmJlO9MNNPGFuoHWRR/n199BYSRu46Zvh0k2xivJ52JdJ/ud0DfRY0p4CoAWupNaMw0qRDUzawkY+pKVHTf2oJF7KuTZhabuXmQ== user@localhost 

SSH connection to the IPSL mesocenter has never worked, what to do?

  1. See your local system administrator and show them this documentation
  2. copy and paste the following commands into a terminal on the same machine where you generated the key (Linux/macOS)
    uname -a;ls -al $HOME/.ssh;ssh-add -l;ssh-add -L;head -2 $HOME/.ssh/id_rsa;cat $HOME/.ssh/id_rsa.pub;date;
    ssh -vvv replace_by_your_login@ciclad.ipsl.jussieu.fr
  3. send all the text printed in the terminal by mail (please no screenshots):
    to mailto:meso-support@ipsl.fr
    with subject : ssh first connexion problem for login 'your login on IPSL mesocenter'

I want to access from another computer

Linux/macOS

You just have to copy the file $HOME/.ssh/id_rsa from the already working computer
to $HOME/.ssh/id_rsa on the new computer.
After the copy, type the following command on the new computer:

chmod 600 $HOME/.ssh/id_rsa
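
A quick local check of a copied key, as an added example that is not part of the original documentation: it reads the same two lines that head -2 shows in the diagnostic command above to tell whether the key is passphrase-protected, and checks that chmod 600 took effect. The function name key_status and its output words are assumptions of this example; only the OpenSSH and legacy PEM RSA formats are recognised.

```shell
#!/bin/sh
# Added example, not from the original page.
# Classifies a private key file from its first two lines and its mode bits.
# Prints "<format> <protection> <permissions>",
# for instance "openssh encrypted private".
key_status() {
    f=$1
    l1=$(sed -n 1p "$f")
    l2=$(sed -n 2p "$f")
    case $l1 in
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            fmt=openssh
            # The body starts with base64("openssh-key-v1\0" + cipher name);
            # the prefix below is what the cipher name "none" encodes to.
            case $l2 in
                b3BlbnNzaC1rZXktdjEAAAAABG5vbmU*) prot=unencrypted ;;
                b3BlbnNzaC1rZXktdjEA*)            prot=encrypted ;;
                *)                                prot=unknown ;;
            esac ;;
        "-----BEGIN RSA PRIVATE KEY-----")
            fmt=pem
            # Legacy PEM keys announce encryption in a header line.
            case $l2 in
                "Proc-Type: 4,ENCRYPTED"*) prot=encrypted ;;
                *)                         prot=unencrypted ;;
            esac ;;
        *) fmt=unknown; prot=unknown ;;
    esac
    # Characters 5-10 of the ls -l mode string are the group and other bits;
    # ssh refuses a private key that anyone but its owner can access.
    case $(ls -ld "$f" | cut -c5-10) in
        ------) perms=private ;;
        *)      perms=exposed ;;
    esac
    echo "$fmt $prot $perms"
}

# Usage: sh key_status.sh "$HOME/.ssh/id_rsa"
if [ $# -gt 0 ]; then
    key_status "$1"
fi
```

Anything other than "encrypted private" means the passphrase or the chmod step above was skipped.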

Windows

You need to copy the file $HOME/.ssh/id_rsa, but you can also import a PuTTY key (.ppk extension) from the already working computer to your Windows computer.
We recommend using MobaXterm: https://mobaxterm.mobatek.net/download-home-edition.html

To import your SSH private key, start MobaXterm:

  • click on Settings
  • select SSH tab
  • Activate the 3 options :
    • "X" Use Internal SSH Agent
    • "X" Use External Pageant
    • "X" Forward Agent
  • click on the + sign to import your id_rsa file
  • quit MobaXterm, then restart MobaXterm

MobaXterm can also generate SSH keys:

  • click on Tools
  • then select the MobaKeyGen menu entry

If you really prefer to use PuTTY: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

  • launch the PuTTYgen application
  • click on conversion tab
  • import key
  • load your id_rsa file
  • save your key in PuTTY format
  • quit the PuTTYgen application
  • click on your key in PuTTY format (this launches the Pageant application, which asks for your passphrase)
  • start the PuTTY application
  • in configuration menu, click on SSH then Auth
  • activate options :
    • X Attempt authentication using Pageant
    • X Allow Agent Forward
  • If you need graphics, you also have to install the Xming application
  • activate the option in the SSH X11 section: X Enable Forward X11
  • For graphics to work, Xming must be launched before PuTTY

Using a config file on Linux or macOS

With ssh you can create the file $HOME/.ssh/config to simplify your ssh setup:

  • setting some options
  • setting the remote username for one host
  • using host aliases

Sample:

[user@localhost ~]$ cat $HOME/.ssh/config 
# to know more about config file
# man ssh_config     
#
ForwardX11 yes
# equivalent to -X on command line 
ForwardAgent yes
# equivalent to -A on command line
ServerAliveInterval 90s
# keeps ssh connections from dying
ForwardX11Timeout 168h
# X11 stops working after some time (about 20 minutes) on some macOS versions
#
# climserv is just an alias and can be used like this:
# "ssh climserv" is equivalent to "ssh foobar@camelot.ipsl.polytechnique.fr"
Host climserv
 User foobar
 Hostname camelot.ipsl.polytechnique.fr
[user@localhost ~]$
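
Options written before the first Host line of $HOME/.ssh/config apply to every host, so the sample above forwards the agent and X11 to any server you connect to, and a forwarded agent can be used by whoever has root on that server while the session lasts. The script below is an added example, not part of the original documentation: it lists forwarding options that are enabled globally, and the scoped variant it embeds is a constructed alternative built on the page's climserv alias (the function and variable names are assumptions of this example).

```shell
#!/bin/sh
# Added example, not from the original page.
# Print every ForwardAgent/ForwardX11 "yes" that applies to all hosts: set
# before the first Host/Match line, or inside a "Host *" / "Match all" block.
# Reads an ssh_config file given as argument, or standard input.
global_forwarding() {
    awk '
        BEGIN { global = 1 }
        /^[ \t]*(#|$)/ { next }                # skip comments and blank lines
        { gsub(/=/, " "); key = tolower($1) }  # accept "Key value" and "Key=value"
        key == "host" {
            global = 0
            for (i = 2; i <= NF; i++) if ($i == "*") global = 1
            next
        }
        key == "match" { global = (tolower($2) == "all" && NF == 2); next }
        global && (key == "forwardagent" || key == "forwardx11") &&
            tolower($2) == "yes" { print $1 }
    ' "$@"
}

# Constructed sample: the options of the page's config, without its comments.
PAGE_CONFIG='ForwardX11 yes
ForwardAgent yes
ServerAliveInterval 90s
ForwardX11Timeout 168h
Host climserv
 User foobar
 Hostname camelot.ipsl.polytechnique.fr'

# Constructed sample: the same options with forwarding limited to one alias.
SCOPED_CONFIG='ServerAliveInterval 90s
Host climserv
 User foobar
 Hostname camelot.ipsl.polytechnique.fr
 ForwardAgent yes
 ForwardX11 yes
 ForwardX11Timeout 168h'

echo "page sample:   $(printf '%s\n' "$PAGE_CONFIG" | global_forwarding | tr '\n' ' ')"
echo "scoped sample: $(printf '%s\n' "$SCOPED_CONFIG" | global_forwarding | tr '\n' ' ')"
```

To check your own file, call global_forwarding "$HOME/.ssh/config"; empty output means forwarding is only enabled inside specific Host blocks.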