SSH Samples D-PHYS Workstation to D-PHYS Workstation
We have the following machines for our examples:
- berlin - our linux workstation running OpenSSH
- paris - another linux workstation running OpenSSH
Simple login to another machine
beat@berlin:~$ ssh paris
beat@paris's password:
beat@paris:~$
We type ssh followed by the destination host at a command prompt on berlin; after entering our password we are working on paris.
First time login to another machine
beat@berlin:~$ ssh paris
The authenticity of host 'paris (126.96.36.199)' can't be established.
RSA1 key fingerprint is 98:3d:f9:34:bc:64:e2:68:00:3f:35:b2:66:e9:20:ee.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'paris,188.8.131.52' (RSA1) to the list of known hosts.
The first time we log in to another machine, ssh asks whether that machine's host key should be added to ~/.ssh/known_hosts. On every later login ssh compares the key paris presents with the stored one and warns loudly ("REMOTE HOST IDENTIFICATION HAS CHANGED!") if it differs. This ensures that you keep talking to the same machine and that nobody has replaced it, but only if the key you accepted the first time was genuine: before answering yes, compare the fingerprint with one obtained out of band, for example from the machine's console or from the administrator, and treat a changed-key warning as a reason to stop and ask rather than to delete the known_hosts entry. (The transcript is from an old OpenSSH that still offered the protocol-1 RSA1 key type; current versions show a SHA256 fingerprint of an ed25519, ECDSA or RSA host key instead.)
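As an added example that is not part of the original page, here is how the out-of-band check can be scripted so that the decision is made by comparing fingerprints rather than by typing yes. It assumes the OpenSSH client tools ssh-keyscan and ssh-keygen are installed; paris is the page's example host, the known_hosts path is a parameter so the functions can be tried on a scratch file, and the fingerprint in the usage comment is a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: accept a host key only after its
# fingerprint matches one you obtained out of band, instead of typing "yes" at
# the first-login prompt. Assumes the OpenSSH client tools ssh-keyscan and
# ssh-keygen; "paris" is the page's example host.
set -u

# Print the ed25519 host key of HOST as a known_hosts line ("host type key").
# This is the only step that touches the network.
fetch_host_key() {
    ssh-keyscan -t ed25519 "$1" 2>/dev/null
}

# Print the SHA256 fingerprint of the public key in FILE (a known_hosts line
# and an id_*.pub file both work).
fingerprint_of() {
    ssh-keygen -lf "$1" | awk '{print $2}'
}

# pin_host_key HOSTLINE EXPECTED_FP KNOWN_HOSTS
# Append HOSTLINE to KNOWN_HOSTS only if its fingerprint equals EXPECTED_FP.
# Returns 0 when pinned or already present, 1 on mismatch, 2 on setup error.
pin_host_key() {
    local hostline=$1 expected=$2 khfile=$3
    local tmp actual
    tmp=$(mktemp) || return 2
    printf '%s\n' "$hostline" > "$tmp"
    actual=$(fingerprint_of "$tmp")
    rm -f "$tmp"
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        printf 'REFUSING host key: fingerprint %s, expected %s\n' \
            "${actual:-<unreadable>}" "$expected" >&2
        return 1
    fi
    touch "$khfile" && chmod 600 "$khfile" || return 2
    # exact-line match so a re-run does not add a duplicate entry
    grep -qxF -- "$hostline" "$khfile" || printf '%s\n' "$hostline" >> "$khfile"
}

# Typical use, with the fingerprint copied from the machine's console or from
# the administrator (placeholder value, not a real fingerprint):
#   pin_host_key "$(fetch_host_key paris)" \
#       'SHA256:<fingerprint obtained out of band>' ~/.ssh/known_hosts
```

fetch_host_key asks paris for its key over the network, which an attacker on the path could answer just as well; the comparison against the fingerprint you obtained elsewhere is what makes the pin trustworthy. A mismatch leaves known_hosts untouched, so a previously pinned key is never silently replaced.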
Now we run a program that opens a new window:
beat@berlin:~$ ssh -X paris
beat@paris's password:
beat@paris:~$ xclock
The window appears on your desktop. You do not need to fiddle with $DISPLAY, xhost or MIT magic cookies: just start your program and it works. Even better, the whole X11 traffic between paris and berlin travels inside the encrypted ssh connection. Keep in mind that X11 forwarding lets programs running on paris talk to your local X display, so use -X only with machines you trust as much as your own workstation.
I hear you say "nice thing - but is this all?". No. ssh is also able to do file transfers. There are two programs to copy files:
We get a file from the remote machine:
beat@berlin:~$ scp paris:/path/to/filea /path/to/fileb
We copy a file to the remote machine:
beat@berlin:~$ scp /path/to/fileb paris:/path/to/filea
The syntax of scp is nearly the same as that of the standard cp. You may use relative or absolute paths, and for the remote side you prepend the host name followed by a colon. Wildcards work too, but quote them so that your local shell does not expand them before scp hands them to the remote side:
beat@berlin:~$ scp 'paris:file*' .
or copy a directory structure:
beat@berlin:~$ scp -r paris:myfiles/ .
sftp is an alternative way to transfer files through ssh. Everyone familiar with a command line ftp client will feel at home:
beat@berlin:~$ sftp paris
sftp> ls
-rwxr-xr-x    1 beat     dep         40848 Jun 27 09:01 filea
-rwxr-xr-x    1 beat     dep         40848 Jun 27 09:01 fileb
drwxr-xr-x    2 beat     dep           512 Jun 27 09:01 myfiles
sftp> get filea
Fetching /home/beat/filea to filea
sftp> put fileb
Uploading fileb to /home/beat/fileb
sftp> rm filea
Removing /home/beat/filea
sftp> quit
beat@berlin:~$
Users familiar with UNIX pipes will love ssh: it connects STDIN, STDOUT and STDERR of the remote command to your local terminal, so you can run a command on paris and process its output on your workstation. Some examples:
beat@berlin:~$ ssh paris ls > filelist
Output of ls is written to the file filelist. Or copy a bunch of files:
beat@berlin:~$ ssh paris "cd /; tar cf - bin" | tar xvf -
bin/
bin/ae
bin/bash
...
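One thing the tar example hides is how the remote command line is built: ssh joins its remaining arguments with spaces and paris's login shell parses the result again, so file names containing spaces, quotes or semicolons are split or even executed on the remote side. As an added example, not from the original page, the following bash snippet quotes each argument for a POSIX shell before handing it to ssh. It assumes the remote login shell is sh-compatible (bash, zsh, dash, ...), and it uses a local sh to stand in for paris so the effect can be seen offline; run_remote itself needs a reachable host and is not called by the demo.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: passing arguments safely to a
# command run through ssh. "ssh paris ls -l my notes.txt" hands paris the one
# string "ls -l my notes.txt", which the remote login shell splits again, so
# spaces, quotes and ';' in arguments are interpreted on the remote side.
# shquote wraps each word in single quotes in a form every POSIX shell accepts;
# the remote login shell is assumed to be sh-compatible.
set -u

# Quote one word for a POSIX shell: wrap it in single quotes and turn every
# embedded single quote into '\'' (close the quote, escaped quote, reopen).
shquote() {
    local sq="'" q="'\\''"
    printf "'%s'" "${1//$sq/$q}"
}

# Join words into one command string, each word quoted individually.
build_cmd() {
    local out="" w
    for w in "$@"; do
        out+="${out:+ }$(shquote "$w")"
    done
    printf '%s' "$out"
}

# Run CMD ARGS... on HOST with every argument quoted for the remote shell.
# Needs a reachable host (paris in the page's examples); not used below.
run_remote() {
    local host=$1
    shift
    ssh "$host" "$(build_cmd "$@")"
}

# Offline stand-in for the remote login shell: how many words does sh see
# when it re-parses the string, and does anything unexpected run?
remote_word_count() {
    sh -c "set -- $1; echo \$#"
}

# Naive: the remote shell sees 4 words; "my notes.txt" is split in two.
remote_word_count "ls -l my notes.txt"
# Quoted: the remote shell sees exactly the 3 words we meant.
remote_word_count "$(build_cmd ls -l "my notes.txt")"
# A quoted argument containing ';' stays data (2 words) instead of
# starting a second command.
remote_word_count "$(build_cmd rm "x; echo INJECTED")"
```

The same rule applies to the tar pipeline on the page: the part inside the double quotes is parsed by paris's shell, which is exactly what makes "cd /; tar cf - bin" work, and exactly why a file name taken from user input must be quoted before it is spliced into such a string.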
Creating SSH keys
When using ssh a lot, it becomes annoying to type your password each time. Luckily ssh also offers authentication based on keys. First we need to create a key pair and add its public half to our authorized keys. (Older ssh versions needed a separate key for each protocol version, which is where the old three-key dance comes from; with OpenSSH one key pair is enough.) Use the following command:
beat@berlin:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/beat/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/beat/.ssh/id_rsa.
Your public key has been saved in /home/beat/.ssh/id_rsa.pub.
The key fingerprint is:
74:d1:47:c0:df:33:d6:6d:0c:34:72:3e:2f:f5:b0:66 beat@berlin
Accept the default file name with Enter and type a passphrase twice. It should be longer than a typical password, since it is the only thing protecting the private key if someone gets hold of the file. Below you will see how to avoid typing this passphrase more than once per session. Now let's see what we have created:
beat@berlin:~$ cd ~/.ssh
beat@berlin:~/.ssh$ ls
id_rsa  id_rsa.pub  known_hosts
Every key pair consists of two files: a private key (id_rsa) and a public key (id_rsa.pub). The private key must be protected (it is like the key to your front door and never leaves your workstation); the public key is what you distribute to every machine you want to log in to without a password. We add our public key to the list of allowed keys, appending rather than overwriting so that keys already listed there survive:
beat@berlin:~/.ssh$ cat id_rsa.pub >> authorized_keys
beat@berlin:~/.ssh$ ln -s authorized_keys authorized_keys2
The authorized_keys2 name is a leftover from old OpenSSH versions and is kept only for backward compatibility; the link does no harm, but current servers are satisfied with authorized_keys alone. Make sure that ~/.ssh and authorized_keys are writable by you only, otherwise sshd ignores them.
Because berlin and paris share the same home directory from the file server, the key is already in place on paris and you should now be able to log in without a password:
beat@berlin:~$ ssh paris
Enter passphrase for key '/home/beat/.ssh/id_rsa':
beat@paris:~$
You are no longer asked for your password, but for the passphrase that unlocks your private key.
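The cat and ln commands above get the job done but do not check what they append and leave permissions to chance; sshd (with StrictModes, the default) ignores an authorized_keys file or a ~/.ssh directory that other users can write to. As an added example, not from the original page, the following bash function installs a public key the way the section describes while appending, skipping keys that are already listed and setting the permissions. The directory argument exists so that it can be tried on a scratch directory; it defaults to ~/.ssh, and the key material used in the test is constructed, not a real key.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: install a public key into
# authorized_keys the way the section describes, but appending instead of
# overwriting, skipping keys that are already listed, and setting the
# permissions sshd's StrictModes requires (~/.ssh 700, authorized_keys 600).
set -u

# install_pubkey PUBKEY_FILE [SSH_DIR]
# Reads the first line of PUBKEY_FILE (e.g. id_rsa.pub), checks that it looks
# like an OpenSSH public key and appends it to SSH_DIR/authorized_keys unless
# the same key type and key blob are already present (the comment may differ).
# SSH_DIR defaults to ~/.ssh; pass another directory to try it out safely.
# Returns 0 on success, 1 if the file is not a usable public key.
install_pubkey() {
    local pub=$1 dir=${2:-$HOME/.ssh}
    local auth=$dir/authorized_keys line keytype blob
    IFS= read -r line < "$pub" || [ -n "$line" ] || return 1
    read -r keytype blob _ <<< "$line"
    case $keytype in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|sk-*) ;;
        *) printf 'not an OpenSSH public key: %s\n' "$pub" >&2; return 1 ;;
    esac
    [ -n "$blob" ] || { printf 'missing key material: %s\n' "$pub" >&2; return 1; }
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    # compare type and blob only, so a re-run with a new comment does not
    # create a duplicate entry
    if ! grep -qF -- "$keytype $blob" "$auth"; then
        printf '%s\n' "$line" >> "$auth"
    fi
}

# Number of keys listed in SSH_DIR/authorized_keys (blank lines ignored);
# 0 if the file does not exist.
authorized_key_count() {
    local auth=${1:-$HOME/.ssh}/authorized_keys
    if [ -f "$auth" ]; then grep -c . "$auth" || true; else echo 0; fi
}

# Typical use on the workstation, matching the section above:
#   install_pubkey ~/.ssh/id_rsa.pub
```

Because berlin and paris share the home directory, running this once on berlin is enough for both; on machines with separate home directories the same function can be run on each target, or ssh-copy-id from OpenSSH can be used, which performs the same append.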
Adding your keys to ssh-agent
Our workstations automatically run ssh-agent, which can hold your unlocked keys. The agent runs as long as you are logged in and lets you log in to another workstation without typing your passphrase. If the agent does not know your key yet (ssh-add -l lists the loaded keys), load it with ssh-add:
beat@berlin:~$ ssh-add
Enter passphrase for /home/beat/.ssh/id_rsa:
Identity added: /home/beat/.ssh/id_rsa (/home/beat/.ssh/id_rsa)
While the agent holds the key, anyone who can use your session can log in as you, so lock your screen when you leave the workstation.
Now you can connect to paris without typing a password or a passphrase:
beat@berlin:~$ ssh paris
beat@paris:~$