Connecting with SSH
All NERSC computers (except HPSS) are reached either through the Secure Shell (SSH) communication and encryption protocol (version 2) or through Grid tools that use trusted certificates.
HPSS can be accessed securely with ftp or hsi, using encrypted tokens. Please see the HPSS pages for a description of this procedure.
Secure Shell (SSH)
SSH (Secure Shell) is an encrypted network protocol used to log into computers over an unsecured network. On UNIX/LINUX/BSD type systems, SSH is also the name of a suite of software applications for connecting via the SSH protocol. The SSH applications can execute commands on a remote machine and transfer files from one machine to another. All communications are automatically and transparently encrypted, including passwords. Most versions of SSH provide login (ssh, slogin), a remote copy operation (scp), and many also provide a secure ftp client (sftp). Additionally, SSH allows secure X Window connections.
Run ssh on your local workstation, specifying the remote destination machine as follows:
myhost% ssh elvis@edison.nersc.gov
elvis@edison.nersc.gov's password: enter NIM password for user elvis
In the above, a NERSC user named "elvis" connects via a workstation named "myhost" to the system named "edison".
Passwordless logins and file transfers
You can use SSH to set up a convenient environment for connecting and copying files remotely without being prompted for a password each time. We give the basic outline for setting this up below; if you need further help please contact your system administrator.
SSH can authenticate to remote machines when a user has the correct passphrase and private key to match a public key installed on the remote system. To use this mechanism, the user must first generate a private/public key pair, protected by a passphrase of the user's own choosing.
To set up passphrase authentication, do the following on your local UNIX/LINUX/BSD based system (or follow the equivalent instructions for your SSH-enabled application):
- Make sure you have SSH installed on your local machine.
- Make sure you have a directory named $HOME/.ssh on your local machine
- Run the command ssh-keygen -t rsa -b 4096. (Note that this generates an RSA key. DSA or DSS keys are to be deprecated on NERSC systems and are already not accepted on Cori.) By default, this will create files in $HOME/.ssh named id_rsa and id_rsa.pub. The file id_rsa contains your private key; id_rsa.pub is the corresponding public key. You will be prompted to enter a passphrase. This is a text string, similar to a password, that you will use for passphrase authentication. Do not make it the same as your password.
Then do the following on each remote machine that you want to access. (NOTE: This method will be deprecated on NERSC machines for allocation year 2016. After January 12, 2016, all public keys must be stored in the NERSC NIM database. See below.)
- Make a directory $HOME/.ssh on the remote machine (if it doesn't already exist).
- Copy the contents of the file $HOME/.ssh/id_rsa.pub on your local machine into a file on the remote machine named $HOME/.ssh/authorized_keys2. Make sure that you have not introduced any spurious line breaks into the file when copying it; each key must occupy a single line. This single file can hold multiple public keys on separate lines.
- Log out of the remote machine. Now when you connect to the remote machine from your local workstation, SSH will prompt you for the passphrase.
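As an added example (not part of the NERSC page or its tooling), the following POSIX shell script performs the "copy the public key into the authorized keys file" step above while checking for the pitfalls the text names: a key pasted with a line break, a non-RSA (ssh-dss) key, and a duplicate entry. The directory, file names and key blobs in the demonstration are constructed and are not real keys.

```shell
#!/bin/sh
# Added example, not NERSC's own tooling. Installs a local public key into a
# remote-style authorized keys file, checking the pitfalls named in the text:
# a key pasted with a line break, a non-RSA key, and a duplicate entry.

# check_pubkey FILE: succeed only if FILE holds exactly one "ssh-rsa" key line.
check_pubkey() {
    f="$1"
    [ -r "$f" ] || return 1
    # a key wrapped across lines shows up as more than one non-empty line
    [ "$(grep -c . "$f")" -eq 1 ] || return 1
    # "ssh-rsa", the base64 blob, optional comment; ssh-dss lines are rejected
    grep -Eq '^ssh-rsa AAAA[0-9A-Za-z+/]+=*( .*)?$' "$f"
}

# install_pubkey FILE AUTHFILE: append the key unless the same line is present.
install_pubkey() {
    key="$1"; auth="$2"
    check_pubkey "$key" || return 1
    mkdir -p "$(dirname "$auth")" && chmod 700 "$(dirname "$auth")"
    touch "$auth" && chmod 600 "$auth"
    # -x -F: whole-line, literal match, so '+' and '/' in the blob are not regex
    if ! grep -qxF "$(cat "$key")" "$auth"; then
        cat "$key" >> "$auth"
    fi
}

# --- demonstration on constructed files (the key blobs are not real keys) ---
demo="${TMPDIR:-/tmp}/sshkey_demo.$$"
mkdir -p "$demo"
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0demo== elvis@myhost\n' > "$demo/id_rsa.pub"
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0\ndemo== elvis@myhost\n' > "$demo/wrapped.pub"
printf 'ssh-dss AAAAB3NzaC1kc3MAAACBAJdemo== elvis@myhost\n' > "$demo/id_dsa.pub"
auth="$demo/remote/.ssh/authorized_keys2"

# id_rsa.pub is offered twice: the second attempt must not add a duplicate line
for k in id_rsa.pub wrapped.pub id_dsa.pub id_rsa.pub; do
    if install_pubkey "$demo/$k" "$auth"; then
        echo "installed $k"
    else
        echo "rejected  $k"
    fi
done
echo "lines in authorized_keys2: $(grep -c . "$auth")"
rm -rf "$demo"
```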
You can eliminate the need to type your passphrase every time you connect. This is done by using the ssh-agent and ssh-add utilities. They are part of the standard SSH distribution.
Before you connect, you can run a shell under ssh-agent. Then issue the ssh-add command and enter your passphrase once; after that, use ssh to connect to remote machines. If you have placed your public key in the remote .ssh directory, you will be connected with no prompt for a password or passphrase.
For example, on the local workstation:
% ssh-agent csh
% ssh-add ~/.ssh/id_rsa
Need passphrase for /home/user/.ssh/id_rsa
Enter passphrase for /home/user/.ssh/id_rsa my_passphrase
Identity added: /home/user/.ssh/id_rsa (/home/user/.ssh/id_rsa)
For even more convenience, you can start your X11 window manager to run under ssh-agent. Then all new processes started from within that environment will know about the passphrase stored by ssh-add.
See your system administrator for information on how to accomplish this. The following example is specific to RedHat Linux:
Edit the files in the /etc/X11/gdm/Sessions/ directory. Instead of using exec, make the X session run under ssh-agent. Here's an example /etc/X11/gdm/Sessions/Default file:
Log out and log back in again. You must do the following once each time you log in and start the X11 windowing system:
Start an xterm or other terminal, run ssh-add, and type in the passphrase you used when you generated your identity file.
The last step loads your passphrase into memory. Now, every time you access a remote machine from your workstation, you will be prompted for neither your passphrase nor your password.
For example, this command will connect you to edison (assuming you have a public key stored there) in a new xterm and log you in automatically:
% xterm -e ssh edison.nersc.gov
Public Key Storage in NIM
Beginning on January 12, 2016, public-key authentication will be available only to users who have stored their SSH public keys in the NERSC NIM database via the NIM web interface. Public keys stored in $HOME/.ssh/authorized_keys on the NERSC Global Filesystem will no longer be honored. This change is being made to enhance system and account security.
This NIM storage mechanism is currently (Nov. 20, 2015) enabled only on Cori. You can test this feature on Cori by renaming or removing your $HOME/.ssh/authorized_keys file and then trying to log in or run your workflows.
Only RSA keys are valid in NIM (you will need to generate a new SSH key pair if you use DSA).
You can find the public key upload page in a few different ways:
- "My Stuff" -> "My SSH Keys" link
- "SSH Keys" tab on the user tab bar
- "Search" -> "SSH Keys" link
For more details on this new functionality, please see these slides presented at the December 2015 monthly NUG teleconference.
Secure Connections from Macs and PCs Using SSH
You will need an SSH-capable application in order to log in to NERSC computers. A number of applications are available, both freeware and commercial products. Your local workplace, school, or organization may have a site license for an SSH software package.
Troubleshooting SSH Problems
Some common error messages are:
- "Access Denied" or "Permission Denied": this is likely a username or password problem. Make sure you are using the proper NERSC user name. You may also have had too many login failures, or your account may have been disabled due to extended inactivity. To clear your login failures, simply log in to NIM. If you are still unable to log in, contact the Account Support Office at 1-800-66-NERSC, menu option 2.
- "The authenticity of host 'edison.nersc.gov' can't be established. RSA key fingerprint is <omitted>. Are you sure you want to continue connecting (yes/no)?": you may get this message the first time you connect to a new machine. Note that many NERSC systems have several distinct login nodes, so you might see the above message for each login node. Just type "yes" to continue.
NERSC consultants will attempt to help you solve problems concerning access to NERSC machines. However, our consultants have expertise only on software installed by NERSC and running on NERSC computers. This does not include software running locally on users' computers.
The best source of information for configuring your local computer is your local system administrator. Local coworkers can often help. Our consultants are not always able to provide help for the myriad of different programs and platforms that could be used to connect to the Internet.