On IPSL mesocenter, ssh remote login is only allowed with SSH Key (password method is disabled).
- ED25519 key is the new preferred key type.
- RSA(4096bits) key could be used but you could have problem with recent client(openssh 8.8+).
- DSA keys are not anymore accepted (ssh-dss ... in authorized_keys)
It's not possible to add unknown keys from central management in your authorized_keys on the mesocenter (automatically removed).
Access via SSH to head nodes is worldwide open on internet.
Key authentication over SSH protocol
SSH key authentication is an alternative security method to using passwords, simpler than it sounds.
- This method relies on generating a pair of files as known as "SSH key pair". Basically, everything encrypted using one of the file/key can be decoded by the other one.
- One file is called "the public key" and can be seen as simple lock.
- Second file is called "the private key" and can be seen as the corresponding lock key.
Once you generated such a key pair on your local machine (e.g. your laptop), we install the public one on the IPSL clusters as a door lock that can be opened by your "private key" only while establishing a SSH connexion.
- Consequently your private key must be on the computer you want to connect from.
- Your private key need to be secret (as any of your passwords). To do so, your private key should be itself protected with a password or a passphrase (encrypted), which only you know or securely stored in a vault (e.g. Keepass).
In the case you forget the password/passphrase or lose your private key, the whole key pair has to be changed in the same way that you loose your home key. Obviously we would like to avoid changing many locks a week, we highly recommend to DUPLICATE your key pair in a safe place:
- Copy on another machine (like another server in your lab, university, etc. which are good choices)
- Private or even public cloud if your key is secured with a password/passphrase (encrypted).
Finally, having several locks per door is not necessary which means multiplying the number of key pair per users.
SSH key generation
Generating your keys on Linux or MacOS
- Keep filename by default when generating the keys: just type return for Enter file in which to save the key, this 30% of the users' problems.
- Always protect your key with a passphrase, and do not forget it: this 10% of the users' problems. Try keepass.
- Really put your ssh public key in good form in the account creation form, this 50% of the users' problems.
A private key (identification) could be easily copied from one computer to another.
The best thing is to generate the key on one of your laboratory UNIX/Linux server, then copy the SSH key pair on Linux, MacOS or Windows personal laptop. Thus, you will have a copy of your SSH key pair and you could continue to connect even if you lost or broke your laptop.
The following terminal generate the key pair:
ssh-keygen -t ed25519
Full example of keys generation
[user@localhost ~]$ ssh-keygen -t ed25519 Generating public/private ED25519 key pair. Enter file in which to save the key (/home/user/.ssh/id_ed25519): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/user/.ssh/id_ed25519 Your public key has been saved in /home/user/.ssh/id_ed25519.pub The key fingerprint is: SHA256:MENnGbrKf3MA+qJqq5h1BSPVhqTDVFscU6bEzdP/Vv8 user@localhost The key's randomart image is: +--[ED25519 256]--+ | .o+=*=*+ | | o o.==B= . | | = +.* . . | | o o.= . .| | .o.S . ..| | ..o . o .| | . +. . . .| |.+ .... o . E| |Boo. ... o | +----[SHA256]-----+ [user@localhost ~]$ cat $HOME/.ssh/id_ed25519.pub ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICg5Od9aRQ5tsgWAhEqcJnHPHy+MCJwRsXhVCEqhPuGD user@localhost
SSH public key example
This example shows you a SSH public key required when creating a mesocentre account:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICg5Od9aRQ5tsgWAhEqcJnHPHy+MCJwRsXhVCEqhPuGD user@localhost
Generating your keys on Windows
If you don't have mobaxterm you could download Mobaxterm, choose the portable edition (this version is just one binary and install nothing on your windows computer).
The following procedure explains how to generate your keys using mobaxterm.
Run mobaxterm application:
- Click on the "tool" menu.
Then select mobakeygen item menu.
Select EdDSA or ed25519 (depending of mobaxterm version).
- Click on generate then move the mouse as asked (this is important).
At the end you obtain this:
- Protect your key with a passphrase.
- Confirm the passphrase.
- Click on save private key.
- Put on the desktop with name "meso_key"
The SSH public key required for the account creation form is all the text in blue in the window, like the sample just under.
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICg5Od9aRQ5tsgWAhEqcJnHPHy+MCJwRsXhVCEqhPuGD eddsa-key-20230101
Do not send your meso_key.ppk file which is the private key
You need now to import your new key in mobaxterm.
Import key in Windows mobaxterm
- Click to Settings.
- Select SSH tab.
- Activate the 4 options :
- "X" SSH keepalive
- "X" Use Internal SSH Agent
- "X" Use External Pageant
- "X" Forward Agent
- Click on the + sign to import your private key (meso_key ).
- It's also possible to import a key generated on linux or MacOS.
You should have something like this after:
- Click on OK.
- Quit mobaxterm then restart mobaxterm.
You're now ready to test the connection to the mesocenter if your account is already open.
Permission denied issue
- Contact your local system administrator and show him this documentation.
- Cut and past the following command in a terminal on the same machine where you generated the key (Linux/MacOS/Windows(MobaXterm):
uname -a;ls -al $HOME/.ssh;ssh-add -l;ssh-add -L;head -2 $HOME/.ssh/id_rsa ;cat $HOME/.ssh/id_*.pub;date; ssh -vvv <your_cluster_login>@<replace_by_cluster_headnode_fullname>
- Send all the output of the command by mail, please do not send screenshot/image, at this address, with 'ssh connexion permission denied for login
on IPSL mesocenter' as subject (replace by your actual login name).
You just have to copy the file
$HOME/.ssh/id_rsa from YOUR COMPUTER with working connection to YOUR OTHER computer in the
$HOME/.ssh/ directory. After the copy, type the following command on YOUR NEW computer:
chmod 600 $HOME/.ssh/id_rsa ssh-agent add $HOME/.ssh/id_rsa
We recommand to use Mobaxterm, the portable edition (this version is just one binary and install nothing on your windows computer).
Depending on your operating system:
- On Linux or Mac: you need to copy the file
$HOME/.ssh/id_rsa(the private key) from the source computer to your windows computer.
- On Windows: you need a copy of your private key (.ppk) from the source Windows computer.
Then read the section importing key in Windows mobaxterm.
SSH client configuration
With SSH you could create the file
$HOME/.ssh/config to simplify some ssh setup, like:
- fix some options.
- fix remote username for one host.
- use host alias.
The following example of
config file, defines two aliases: spirit1 and jean-zay. They make the command line shorter to connect you to these cluster head nodes. Thus,
ssh <login_ipsl_mesocentre>@spirit1.ipsl.fr is replaced by
ssh spirit1. Note that the alias jean-zay reuses the alias spirit1 so as to bounce on the spirit head node before connecting to the jean zay head node (if you have registred spirit1 as your connection machine).
<path_to_ssh_key> with your own setup.
Host * ForwardAgent yes ServerAliveInterval=120 ServerAliveCountMax=90 XAuthLocation /opt/X11/bin/xauth Host spirit1 HostName spirit1.ipsl.fr User <login_ipsl_mesocentre> # replace with your own login ForwardX11 yes IdentityFile <path_to_ssh_key> # replace with your own path, e.g. ~/.ssh/id_rsa Port 22 Host jean-zay HostName jean-zay.idris.fr User <login_jean_zay> # replace with your own login IdentityFile <path_to_ssh_key> # replace with your own path, e.g. ~/.ssh/id_rsa Port 22 ProxyCommand ssh spirit1 -W %h:%p # proxy jumping with spirit1