SSH Samples D-PHYS Workstation to D-PHYS Workstation

We have the following machines for our examples:

  • berlin - our linux workstation running OpenSSH
  • paris - another linux workstation running OpenSSH

Simple login to another machine

beat@berlin:~$ ssh paris
beat@paris's password:

beat@paris:~$

We type ssh and the destination host at a command prompt on berlin; after entering our password, we can work on paris.

First time login to another machine

beat@berlin:~$ ssh paris
The authenticity of host 'paris (129.132.189.68)' can't be established.
RSA1 key fingerprint is 98:3d:f9:34:bc:64:e2:68:00:3f:35:b2:66:e9:20:ee.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'paris,129.132.189.68' (RSA1) to the list of known hosts.

The first time we log in to another machine, ssh asks whether the machine-specific host key should be added to our known_hosts file. On every later login to this machine, ssh checks whether the host key of paris has changed and warns you if it has. This ensures that you are connecting to the right machine and that no one has replaced it.
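The known_hosts check described above, sketched as an added example (not part of the original page and not OpenSSH's own code). The function name check_hostkey, the sample entries and the shortened key blobs are constructed; only plain host names are handled, so hashed names and wildcard patterns are skipped.

```shell
# Added example: mimic the decision ssh makes against known_hosts at login.
# Sample data is constructed; key blobs are shortened placeholders, not real keys.

# check_hostkey FILE HOST KEYTYPE KEYBLOB -> prints unknown | match | changed
check_hostkey() {
    awk -v host="$2" -v ktype="$3" -v blob="$4" '
        # skip blank lines, comments, @marker lines and hashed (|1|...) names
        NF == 0 || $1 ~ /^[#@|]/ { next }
        {
            # first field is a comma-separated name list, e.g. paris,129.132.189.68
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) {
                if (names[i] == host && $2 == ktype) {
                    seen = 1
                    if ($3 == blob) ok = 1
                }
            }
        }
        END {
            if (!seen)   print "unknown"   # first login: ssh shows the fingerprint and asks
            else if (ok) print "match"     # stored key equals presented key: no prompt
            else         print "changed"   # stored key differs: ssh warns, by default refuses
        }
    ' "$1"
}

demo_known_hosts() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample entries
paris,129.132.189.68 ssh-rsa AAAAB3NzaC1yc2EconstructedPARIS
rome ssh-rsa AAAAB3NzaC1yc2EconstructedROME
EOF
    check_hostkey "$f" paris ssh-rsa AAAAB3NzaC1yc2EconstructedPARIS
    check_hostkey "$f" 129.132.189.68 ssh-rsa AAAAB3NzaC1yc2EconstructedOTHER
    check_hostkey "$f" london ssh-rsa AAAAB3NzaC1yc2EconstructedLONDON
    rm -f "$f"
}
demo_known_hosts
```

A "changed" result for a machine you did not reinstall is the case to investigate before connecting: compare the fingerprint with one obtained from the administrator.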

Tunneling X11

We now run a program which opens a new window:

beat@berlin:~$ ssh -X paris
beat@paris's password: password

beat@paris:~$ xclock

The window appears automatically on your desktop. You won't need to fiddle around with $DISPLAY, xhost or MIT-Cookies - just start your program and everything works. Even more: the whole communication between paris and berlin is encrypted by ssh!

I hear you say "nice thing - but is this all?". No. ssh is also able to do file transfers. There are two programs to copy files:

scp

We get a file from the remote machine:

beat@berlin:~$ scp paris:/path/to/filea /path/to/fileb

We copy a file to the remote machine:

beat@berlin:~$ scp /path/to/fileb paris:/path/to/filea

The syntax of scp is nearly the same as that of the standard cp. You may use relative or absolute paths and additionally you prepend the source or destination host separated with a colon. You may also use wildcards:

beat@berlin:~$ scp paris:file* .

or copy a directory structure:

beat@berlin:~$ scp -r paris:myfiles/ .

sftp

sftp is an alternative way to transfer files through ssh. Everyone familiar with a command-line ftp client will love it.

beat@berlin:~$ sftp paris
sftp> ls
-rwxr-xr-x    1 beat     dep         40848 Jun 27 09:01 filea
-rwxr-xr-x    1 beat     dep         40848 Jun 27 09:01 fileb
drwxr-xr-x    2 beat     dep           512 Jun 27 09:01 myfiles
sftp> get filea
Fetching /home/beat/filea to filea
sftp> put fileb
Uploading fileb to /home/beat/fileb
sftp> rm filea
Removing /home/beat/filea
sftp> quit
beat@berlin:~$

Piping data

Users familiar with the concept of UNIX pipes will love ssh. ssh forwards STDIN, STDOUT and STDERR from and to the target machine. You may use ssh to execute a command on the remote machine and process the output on the local workstation. Some examples:

beat@berlin:~$ ssh paris ls > filelist

Output of ls is written to the file filelist. Or copy a bunch of files:

beat@berlin:~$ ssh paris "cd /; tar cf - bin" | tar xvf -
bin/
bin/ae
bin/bash
...

Creating SSH keys

When using ssh a lot, it becomes annoying to type your password each time. Luckily ssh offers authentication based on keys. First we need to create our keys to use this feature. Because of the history of ssh, we need to create three keys and add them to our authorized keys. Use the following commands:

beat@berlin:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/beat/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/beat/.ssh/id_rsa.
Your public key has been saved in /home/beat/.ssh/id_rsa.pub.
The key fingerprint is:
74:d1:47:c0:df:33:d6:6d:0c:34:72:3e:2f:f5:b0:66 beat@berlin

Accept the file in which to save the key with enter, then type a passphrase twice; it should be longer than a typical password. Below you will see how to avoid typing this passphrase more than once per session. Now let's see what we have created:

beat@berlin:~$ cd ~/.ssh
beat@berlin:~/.ssh$ ls
id_rsa  id_rsa.pub  known_hosts

Every key has two files - a public key and a private key. The private key must be protected (it's like a key to open a door); the public key should be distributed to all machines you would like to log in to without a password. We add our public key to the list of allowed keys:

beat@berlin:~/.ssh$ cat id_rsa.pub > authorized_keys
beat@berlin:~/.ssh$ ln -s authorized_keys authorized_keys2
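An added example (not from the original page) for the two points above: installing the public key without overwriting entries already in authorized_keys, and checking that the private key is protected. The function names install_pubkey and audit_ssh_dir are hypothetical, and the demo runs in a temporary directory with constructed placeholder key text instead of a real ~/.ssh.

```shell
# Added example: append a public key to authorized_keys only if it is missing,
# then report permission problems. Key text below is constructed, not real.

# install_pubkey PUBKEY_FILE SSH_DIR
install_pubkey() {
    pub=$1 dir=$2
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$dir/authorized_keys" && chmod 600 "$dir/authorized_keys" || return 1
    # -x whole line, -F fixed string: an identical line means the key is installed
    grep -qxF -f "$pub" "$dir/authorized_keys" || cat "$pub" >> "$dir/authorized_keys"
}

# audit_ssh_dir SSH_DIR: print one line per problem, nothing if clean
audit_ssh_dir() {
    for pubfile in "$1"/*.pub; do
        priv=${pubfile%.pub}
        [ -f "$priv" ] || continue
        # ssh ignores a private key that group or others can access at all
        # (characters 5-10 of the ls -l mode string are the group/other bits)
        [ "$(ls -ld "$priv" | cut -c5-10)" = "------" ] ||
            echo "private key too open: ${priv##*/}"
    done
    ak=$1/authorized_keys
    if [ -f "$ak" ]; then
        # sshd (StrictModes) rejects the file if group or others may write to it
        case $(ls -ld "$ak" | cut -c6,9) in
            --) ;;
            *)  echo "authorized_keys writable by others" ;;
        esac
    fi
}

demo_install() {
    d=$(mktemp -d) || return 1
    echo "ssh-rsa AAAAconstructedOLD colleague@rome" > "$d/authorized_keys"
    echo "ssh-rsa AAAAconstructedNEW beat@berlin" > "$d/id_rsa.pub"
    echo "constructed placeholder, not a key" > "$d/id_rsa"
    chmod 644 "$d/id_rsa"
    install_pubkey "$d/id_rsa.pub" "$d"
    install_pubkey "$d/id_rsa.pub" "$d"      # second call adds nothing
    wc -l < "$d/authorized_keys"             # old entry kept, new key added once
    audit_ssh_dir "$d"                       # flags id_rsa while it is mode 644
    chmod 600 "$d/id_rsa" && audit_ssh_dir "$d"
    rm -rf "$d"
}
demo_install
```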

Because berlin and paris have the same home directory from the file server, you should now be able to log in without a password:

beat@berlin:~$ ssh paris
Enter passphrase for RSA key '/home/beat/.ssh/identity':

beat@paris:~$

You are no longer asked for your password, but for your passphrase to unlock your keys.

Adding your keys to ssh-agent

Our workstations automatically run the ssh-agent, which can hold your keys. The agent runs as long as you are logged in and allows logging in on another workstation without typing your passphrase. In case the agent doesn't know your keys yet, you can load them with ssh-add:

beat@berlin:~$ ssh-add
Enter passphrase for /home/beat/.ssh/id_rsa:
Identity added: /home/beat/.ssh/id_rsa (/home/beat/.ssh/id_rsa)

Now you are able to connect to paris without typing a password or passphrase:

beat@berlin:~$ ssh paris
beat@paris:~$