Connecting with SSH
All NERSC computers (except HPSS) are reached using either the Secure Shell (SSH) communication and encryption protocol (version 2) or by Grid tools that use trusted certificates.
HPSS can be accessed securely with ftp or hsi, via the use of encrypted tokens. Please see the HPSS pages for a description of this procedure.
For security reasons, most network ports into NERSC systems are blocked, except for those running SSH or Grid services. A side effect of this is that ftp "tunneling" is not available for file transfers. If you have a need for incoming port access, please contact NERSC consulting.
Secure Shell (SSH)
SSH (Secure Shell) is a program to log into another computer over a network, execute commands on a remote machine, and move files from one machine to another. It provides strong authentication and secure communications over unsecure channels. All communications are automatically and transparently encrypted, including passwords. This prevents "password sniffing", one of the most common means by which computer system security is compromised. Most versions of SSH provide a remote copy operation (scp), and many also provide a secure ftp client (sftp). Additionally, SSH allows secure X Window connections.
Similar to many other communications packages, SSH is implemented with a server "daemon" (sshd) to handle inbound connections, and client (ssh, scp, and sftp) to handle outbound connections.
Run ssh on your local workstation, specifying the remote destination machine as follows:
myhost% ssh email@example.com
firstname.lastname@example.org's password: enter NIM password for user elvis
In the above, a NERSC user named "elvis" connects via a workstation named "myhost" to the system named "hopper".
Passwordless logins and file transfers
You can use SSH to set up a convenient environment for connecting and copying files remotely without being prompted for a password each time. Below we outline the way this is typically done. If this does not work, you may have to ask your system administrator for help.
SSH connections can be authenticated using "passphrase" authentication. The user generates a private/public key pair to be used by SSH for authentication. This can be very convenient once it is set up. For example, the user can store his/her passphrase in memory on a local workstation once at the start of the workday and then connect to other machines from that workstation without being prompted for passwords or passphrases.
To set up passphrase authentication, on your local machine:
- Make sure you have SSH installed on your local machine.
- Make sure you have a directory named $HOME/.ssh on your local machine
- Run the command ssh-keygen -t rsa or ssh-keygen -t dsa. By default, this will create files in $HOME/.ssh named id_rsa or id_dsa and id_rsa.pub or id_dsa.pub. The file id_rsa or id_dsa contains your private key; id_rsa.pub or id_dsa.pub is the corresponding public key. You will be prompted to enter a passphrase. This is a text string, similar to a password, that you will use for passphrase authentication. Do not make it the same as your password.
Then do the following on each remote machine that you want to access.
- Make a directory $HOME/.ssh on the remote machine (if it doesn't already exist).
- Copy the contents of the file on your local machine named $HOME/.ssh/id_rsa.pub or id_dsa.pub into a file on the remote machine named $HOME/.ssh/authorized_keys2. Make sure that you have not introduced any spurious line breaks into the file when you copy it. This single file can hold multiple public keys on separate lines.
- Log out of the remote machine. Now when you connect to the remote machine from your local workstation, SSH will prompt you for the passphrase.
You can eliminate the need to type your passphrase every time you connect. This is done by using the ssh-agent and ssh-add utilities. They are part of the standard SSH distribution.
Before you connect you can run a shell under ssh-agent. Then issue the ssh-add command, enter your passphrase once, then use ssh to connect to remote machines. If you have placed your public key the the remote .ssh directory, you will be connected with no prompt for a password or passphrase.
For example, on the local workstation:
% ssh-agent csh
% ssh-add ~/.ssh/id_rsa
Need passphrase for /home/user/.ssh/id_rsa
Enter passphrase for /home/usr/.ssh/id_rsa my_passphrase
Identity added: /home/user/.ssh/id_rsa (/home/user/.ssh/id_rsa)
For even more convenience, you can start your X11 window manager to run under ssh-agent. Then all new processes started from within that environment will know about the passphrase stored by ssh-add.
See your system administrator for information on how to accomplish this. The following example is specific to RedHat Linux:
Edit the files in the /etc/X11/gdm/Sessions/ directory. Instead of using exec, make the X session run under ssh-agent. Here's an example /etc/X11/gdm/Sessions/Default file:
Log out and log back in again. You must do the following once each time you log in and start the X11 windowing system:
Start an xterm or other terminal. Type
and type in the passphrase you used when you generated your identity file.
The last step loads your passphrase into memory. Now every time you access a remote machine from your workstation, you will not be prompted for your passphrase nor password.
For example, this command will connect you to hopper (assuming you have a public key stored there) in a new xterm and log you in automatically:
% xterm -e ssh hopper.nersc.gov
Secure Connections from Macs and PCs Using SSH
You will need an SSH-capable application in order to login to NERSC computers. A number of applications are available, both freeware and commercial products. Your local workplace, school, or organization may have a site license for an SSH software package.
Troubleshooting SSH Problems
Some common error messages are:
- "Access Denied" or "Permission Denied" -This is likely a username or password problem. Make sure you are using the proper NERSC user name. You may also have too many login failures or may have been disabled due to extended inactivity. To clear your login failures, simply login to NIM. If you are still unable to login, contact the Account Support Office at 1-800-66-NERSC, menu option 2.
The authenticity of host 'hopper.nersc.gov' can't be established.You may get this message the first time you connect to a new machine. Note that many NERSC systems have several distinct login nodes, so you might see the above message for each login node. Just type "yes" to continue.
RSA key fingerprint is <omitted>
Are you sure you want to continue connecting (yes/no)?
NERSC consultants will attempt to help you solve problems concerning access to NERSC machines. However, our consultants have expertise only on software installed by NERSC and running on NERSC computers. This does not include software running locally on users' computers.
The best source of information for configuring your local computer is your local system administrator. Local coworkers can often help. Our consultants are not always able to provide help for the myriad of different programs and platforms that could be used to connect to the Internet.