SSH (FOR EECS Staff/PhDs Only)

ATTENTION: PLEASE MAKE SURE YOUR PRIVATE KEYS ARE ENCRYPTED

Follow this link to find information on securing your keys, if you haven’t done so already. Otherwise please read on; this guide will show you how to do that.
—————————————————————

Access to EECS Compute Servers is achieved with SSH-key authentication (known as passwordless authentication). Password-based access is not allowed, for security purposes, on the EECS compute servers.

Only the login-servers allow access using both the EECS password and SSH-key authentication.

 

SSH Keys

You will need to generate your SSH-key pair:

  • A Private key, which will be located in your personal device and will be used for SSH connections.
  • A Public key, which will be located on the remote server, in the ~/.ssh/authorized_keys file. The public keys included in that file will be checked against the private key you are using to connect to the server.

From any Managed Desktop you can SSH into the compute servers directly, provided that you have set up your SSH keys according to the instructions detailed below.

From self-managed devices or from outside the University, you have to log into the login-server and then ‘hop’ onto the compute servers. It is important to forward your SSH key in this case, so make sure that your SSH agent is forwarding from your personal device.

In the following step, you will generate the private-public key pair and copy the public key to the remote server. Select your OS from the tabs to show the guide:

Windows

Two of the tools you can use in Windows are:

PuTTY:

For Windows users, PuTTYgen is an SSH key generator application.

SSH Key generation

1. Open the PuTTYgen application if you’ve already installed it, or download it from here.

2. Launch the PuTTYgen application.

3. Review the key generation parameters. Our recommendation is SSH-2 RSA keys with a 2048-bit key length (see below). Fill in the details and press ‘Generate’.

puttygen1

4. You will now be presented with a screen like below. Move your mouse cursor in the blank area below the task progression bar to generate some randomness.

puttygen2

5. Your screen will look like below when the keys are generated:

puttygen3

6. Save the Public key. Give your key a relevant name in the ‘Key comment‘ text box, for example your username. You can save the public key in a safe location on your computer.

7. Save your Private key. Before saving the private key, you SHOULD provide a ‘Key passphrase’ for added security.
Save the private key in the same location as your public key. Choose the filename for the private key but the ‘.ppk‘ extension should be retained as it is.

puttygen5

Do not close PuTTYgen. Not yet!

Copy SSH Public Key to remote server

1. Select and copy the public key from the text field (see below) and paste the contents into Notepad (or any text editor). Save the file with an appropriate filename (e.g., publickey.txt) in a location you’d easily remember.

puttygen6

2. Launch PuTTY

3. In the ‘Category‘ side bar in PuTTY client, navigate to ‘Connection -> Auth’, and then, browse for the private key (.ppk) you saved previously. Press ‘Open‘. The text field will now be populated with the path to your private key.

puttygen8

4. Then, navigate to ‘Category -> Session -> Host Name‘ and enter the name of the remote server you’d like to connect to:

puttygen7

5. Enter the username and password credentials for logging into the remote server, and then type:

$ vim .ssh/authorized_keys

to access the list of authorized keys on the remote host. (You can use nano/emacs editors instead of vi/vim, too)

puttygen9

6. When you’ve opened the list of authorized_keys in the remote host, it will look something like below:

puttygen10

7. To this file, copy and paste the contents of the publickey.txt file saved previously (see step 1). Save the ‘authorized_keys‘ file, log out of the remote host and close PuTTY.

SSH agent forwarding

PuTTY uses its own SSH agent, called ‘pageant‘, which will be used for the ‘SSH agent forwarding’.
You will find the executable file in PuTTY’s installation folder. (C:\Program Files\PuTTY).

1. Double-click ‘pageant’; it will open in the system tray (bottom right corner). Open it.

pageant_1

2. Click ‘Add Key’. Find your Private key and click ‘Open’. If you protected your SSH key with a passphrase, you will be asked to enter it.

3. Your SSH key is now loaded on the SSH agent.
pageant_2

Pageant is now running in the background.

NOTE: Going forward, whenever you access the remote host (to which you’ve copied your public SSH key) using PuTTY, you will be able to log in without providing your password. You will only have to enter your username and the passphrase you provided when setting up your SSH key pair.

NOTE: You will ONLY be able to copy your public key to frank (staff/PhD) and not to other compute servers (e.g., canterbury). However, once you’ve copied your public key to frank, you’d then be able to hop on to other compute servers from there.

MobaXterm

MobaXterm is a recommended free X server and SSH client for Windows, as an alternative to PuTTY. You can download the Home edition here:

https://mobaxterm.mobatek.net/download-home-edition.html

It has its own SSH-key generation tool and its own internal SSH agent, which can be used to forward your SSH keys.

SSH Key generation

1. Open MobaXterm and go to ‘Tools -> MobaKeyGen (SSH key generator)‘.

moba_1

2. Click ‘Generate‘ and move your mouse cursor in the big empty field until the green bar at the top indicates that it is complete.

moba_2

3. Add a relevant comment in the ‘Key comment‘ box and add a ‘Key passphrase‘ to protect your SSH keys.
Click ‘Save private key‘ and select a location to save your private key.

moba_3

4. Copy your public key from the ‘Public key’ box and paste it into a notepad. Save it in the same folder with your Private key. This will be copied later to the remote server.

moba_5

 

SSH-agent

Enable the native SSH agent and add your private key so that it is loaded automatically. Go to ‘Settings -> Configuration -> SSH‘.

Check the ‘Use internal SSH agent “MobAgent” ‘ and untick the ‘Use external Pageant‘ box.

moba_agent_2

Click the ‘+‘ key at the right side, select your private key and click ‘Open‘. You will see the key listed in the white box. Click ‘OK‘. Now your private key will be loaded automatically when you start MobaXterm.

moba_agent_4

Restart MobaXterm if you are asked.

 

SSH session

If you have completed the above necessary steps, create a new session.

1. On the main screen, open the ‘Sessions‘ tab at the left, right click in the empty area and select ‘New session‘.

moba_session_1

2. Click the ‘SSH’ button, fill in the name of the remote server in the ‘Remote host‘ field, and your EECS username in the ‘Specify username‘ field. Click ‘OK’.

moba_session_2

3. Double-click on the new session. This will SSH you into the remote server without entering your password.

moba_session_3

Optional: If you’re using one of the ‘login servers’ to hop on to an EECS compute server, type the following command to check whether your SSH agent has forwarded your SSH key in the new session:

[jdoe123@frank] $ ssh-add -L

 

Linux

Terms

ssh-keygen : Creates the public-private key pair.

ssh-copy-id : Copies the public key into the remote server’s .ssh/authorized_keys file.

ssh-add -l : Lists the SSH keys held by the SSH agent in the current session.

Key generation

1. Open a Terminal, type the following command and press enter:

ssh-keygen

2. Follow the instructions to generate the private/public key pair.
Press Enter at the “Enter file in which to save the key” part to create a key using the default name and path.
NOTE: Add a passphrase for security reasons.

$ ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/home/harry/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): ***********
Enter same passphrase again: ***********
Your identification has been saved in /home/harry/.ssh/id_rsa.
Your public key has been saved in /home/harry/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:dFLmbsDRF7c6accolFOxILVyyxPTCGshT55Uwn54FS8 harry@local-desktop
The key's randomart image is:
+---[RSA 2048]----+
|      ..O+* =+.  |
|       B.%.Bo+ . |
|       .%.%oE o  |
|       ooXo= *   |
|        SoB * o  |
|         . + o   |
|                 |
|                 |
|                 |
+----[SHA256]-----+

 

This output confirms that your SSH key pair has been generated:

Private key : /homes/USERNAME/.ssh/id_rsa
Public key: /homes/USERNAME/.ssh/id_rsa.pub

4. Copy public key
Provided you have a QMUL IT account, you can add your keys at https://support.eecs.qmul.ac.uk/ssh. If you do not, please contact servicedesk@qmul.ac.uk with your public key for the EECS cluster and we will get back to you as quickly as possible.
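To check that the private keys you generated are passphrase-protected, as the notice at the top of this page asks, the following added example (not part of the original guide) classifies key files from their headers alone and covers OpenSSH, legacy PEM and PuTTYgen .ppk files. The function names key_protection and audit_keys and the script name audit.sh are hypothetical.

```shell
#!/bin/sh
# Added example: classify private key files by their headers alone.

# key_protection FILE -> prints encrypted | unencrypted | unknown
key_protection() {
    kf=$1
    [ -r "$kf" ] || { echo unknown; return 0; }
    first=$(head -n 1 "$kf" | tr -d '\r')
    case $first in
    "-----BEGIN OPENSSH PRIVATE KEY-----")
        # Decoded body: "openssh-key-v1\0", 4-byte length, cipher name.
        # Length 4 + name "none" means the key has no passphrase.
        magic=6f70656e7373682d6b65792d763100
        hdr=$(grep -v '^-----' "$kf" | tr -d '\r\n' | base64 -d 2>/dev/null |
              head -c 23 | od -An -tx1 | tr -d ' \n')
        case $hdr in
        "${magic}000000046e6f6e65") echo unencrypted ;;
        "$magic"*) echo encrypted ;;
        *) echo unknown ;;
        esac ;;
    "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo encrypted ;;  # PKCS#8
    "-----BEGIN "*"PRIVATE KEY-----")                           # legacy PEM
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$kf"; then echo encrypted
        else echo unencrypted; fi ;;
    PuTTY-User-Key-File-*)                                      # PuTTYgen .ppk
        if grep -q '^Encryption: none' "$kf"; then echo unencrypted
        else echo encrypted; fi ;;
    *) echo unknown ;;   # public keys, config, known_hosts, ...
    esac
}

# audit_keys DIR -> one line per private key; returns 1 if any is unencrypted
audit_keys() {
    rc=0
    for cand in "$1"/*; do
        [ -f "$cand" ] || continue
        state=$(key_protection "$cand")
        [ "$state" = unknown ] && continue
        printf '%-12s %s\n' "$state" "$cand"
        [ "$state" = unencrypted ] && rc=1
    done
    return "$rc"
}

# Usage: sh audit.sh ~/.ssh   (fix OpenSSH keys with: ssh-keygen -p -f KEYFILE)
if [ $# -gt 0 ]; then audit_keys "$1"; fi
```

A .ppk file reported as unencrypted can be fixed by loading it into PuTTYgen, entering a ‘Key passphrase’ and saving the private key again.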

SSH access

SSH into the server with your keys to make sure it works. If you used a passphrase for your SSH keys, then you’ll be prompted to enter that.

 
$ ssh -i ~/.ssh/id_rsa EECS_USERNAME@LOGIN_SERVER

For example, the user Joe Doe with EECS username jdoe123 would connect to the server frank.eecs.qmul.ac.uk with:

$ ssh -i ~/.ssh/id_rsa jdoe123@frank.eecs.qmul.ac.uk

MacOS

The instructions for generating and copying the SSH keys on MacOS are the same as for Linux, so please follow the Linux guide.

2018-NOTE: We’ve noticed a BUG in ‘High Sierra‘ and later, where the SSH key is not being forwarded properly. The solution to that is:

  1. Manually add your Private key
  2. Confirm it’s loaded
  3. SSH into the remote server and check that your SSH key has been forwarded, like:

$ ssh-add ~/.ssh/id_rsa
$ ssh-add -L
$ ssh jdoe123@frank.eecs.qmul.ac.uk -A

[jdoe123@frank] $ ssh-add -L


 

SSH Agent Forwarding

NOTE: If you try to access an EECS Compute Server via a login-server, you must enable SSH agent forwarding. To do that in a terminal, append the ‘-A‘ flag at the end of the ssh command, for example:

$ ssh -i ~/.ssh/id_rsa jdoe123@frank.eecs.qmul.ac.uk -A

To confirm that your key is present when you SSH into the login server, type:

[jdoe123@frank] $ ssh-add -L

If your agent forwarding worked, the result will be the contents of the public key that corresponds to the private key you are using to authenticate, for example:

[jdoe123@frank] $ ssh-add -L
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDYSaRizDUt87d8gh8sg78DGHGDGHd8hs87h8hd8sGnAHmYSLrnR4+4DxQH7agZXzgkb4ShlBbB5TfDDhYJMYBMPvjNW7HC8cgycfduNNz0sV1WbQ1GZ5phRw34THM8E6MPnhL/DbqQMe6DOA9+yegsgAQYHo9wE35BSa6hx6UmymuM+nn2M98CrJ /home/jdoe123/.ssh/id_rsa

If you see anything else, such as a ‘The agent has no identities.’ message, that means you did something wrong, so read the previous instructions again, step by step.
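A small diagnostic for the check above, as an added example (not part of the original guide): run on the login server, it uses the documented exit status of ssh-add (1 = no identities, 2 = agent cannot be contacted) to tell apart the ways forwarding can fail. The function name check_forwarded_agent and the SSH_ADD override variable are hypothetical.

```shell
#!/bin/sh
# Added example: run on the login server after connecting with "ssh -A".
# SSH_ADD is a hypothetical override hook (defaults to the real ssh-add).

# check_forwarded_agent -> prints a diagnosis; returns 0 only if keys are visible
check_forwarded_agent() {
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        echo "no-socket: SSH_AUTH_SOCK is unset; reconnect with 'ssh -A'"
        return 3
    fi
    keys=$(${SSH_ADD:-ssh-add} -L 2>/dev/null) && rc=0 || rc=$?
    case $rc in
    0)  # one public key per line
        n=$(printf '%s\n' "$keys" | grep -c .)
        echo "ok: $n key(s) forwarded"
        return 0 ;;
    1)  # ssh-add exit status 1: agent answered but holds no identities
        echo "empty: agent has no identities; on your own machine run 'ssh-add ~/.ssh/id_rsa' and reconnect"
        return 1 ;;
    2)  # ssh-add exit status 2: could not contact the agent
        echo "unreachable: SSH_AUTH_SOCK points at a dead socket; reconnect with 'ssh -A'"
        return 2 ;;
    *)  echo "error: ssh-add failed with status $rc"
        return "$rc" ;;
    esac
}
```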

Add ssh keys to server

Provided you have a QMUL IT account, you can add your keys at https://support.eecs.qmul.ac.uk/ssh. If you do not, please contact servicedesk@qmul.ac.uk with your public key for the EECS cluster and we will get back to you as quickly as possible.