2 Using SSH
There is something almost inevitable in scientific computing: you will need to connect to some remote machine at some point. Most of the time, that is a daily activity, whether you connect to a remote computer or an HPC cluster. The most common protocol for such connections is SSH. This note provides some insights into common usage of SSH.
2.1 Port forwarding
When running applications on a remote server where you have no administration rights (often the case in a scientific cluster), you might need to redirect a port through an SSH tunnel so that it is accessible from your local workstation. The following snippet illustrates the command format as pseudo-code:
ssh -L \
"<local_port>:localhost:<remote_port>" \
"<REMOTE_USER>@<REMOTE_HOST>"
For example:
ssh -L 8080:localhost:8080 walter@192.168.1.10
2.2 Key pair authentication
This section guides you through key pair generation and authentication. Additional steps to set up a connection through VS Code are provided.
Creating the keys: generate the SSH key pair locally (i.e. on your workstation); common options are:
- -t rsa: key type (RSA is widely supported)
- -b 4096: key length (more bits = stronger, recommended 4096)
- -C: comment (usually your email)
When running the command, accept defaults for storage at ~/.ssh/id_rsa[.pub]; optionally add a passphrase for additional security (but then you will need to enter it each time you need to connect, so that’s undesirable if the only reason you are creating the SSH key is to have quick access to the server).
ssh-keygen -t rsa -b 4096 -C "yourusername@your.server.com"
# Alternative key type: Ed25519 keys have a fixed length, so -b does not apply
ssh-keygen -t ed25519 -C "yourusername@your.server.com"
If you have password access to the server and ssh-copy-id is available, run the following:
ssh-copy-id -i ~/.ssh/id_rsa.pub user@remote_host
Alternatively (in Windows PowerShell for instance, but write it on a single line or replace the trailing backslashes with backticks), manually append the key to ~/.ssh/authorized_keys:
cat ~/.ssh/id_rsa.pub | \
ssh yourusername@your.server.com \
"mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys"
As a last option do it by hand, but you risk breaking the format of authorized_keys.
Testing Linux server: before anything, try connecting with your identity:
ssh -i ~/.ssh/id_rsa yourusername@your.server.com
If that falls back to your password connection, connect normally to the server and make sure the permissions of both the SSH directory and the authorized keys file are right before trying again:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
Maybe key authentication has not been enabled in the server's SSH configuration, which can be inspected without opening the actual configuration file (requires sudo rights):
sudo sshd -T | grep pubkeyauthentication
If it is not enabled, edit the configuration file (find the PubkeyAuthentication line and set it to yes) as follows and restart the service:
sudo vim /etc/ssh/sshd_config
sudo systemctl restart sshd
# Additional step for SELinux only:
restorecon -Rv ~/.ssh
Test again; upon new failure, try the verbose mode of the SSH connection on your workstation:
ssh -v yourusername@your.server.com
while simultaneously connected to the server (with sudo rights), reading the logs:
# Debian-based:
sudo tail -f /var/log/auth.log
# Under RHEL/CentOS/Fedora:
sudo tail -f /var/log/secure
Adding the key to VS Code: perform the following steps:
- Install the Remote-SSH extension
- Press F1 and search for Remote-SSH: Open SSH Configuration File
- Add an entry like the following (modifying the host name and user):
Host myserver
HostName your.server.com
User yourusername
IdentityFile ~/.ssh/id_rsa
If the above fails to fill in the right user name (sometimes your Windows username will appear), you can try the following workaround to enforce the user:
Host yourusername@your.server.com
HostName your.server.com
User yourusername
IdentityFile ~/.ssh/id_rsa
About cluster usage: this is the one case where you might want to store both the public and private keys in the same .ssh directory; to navigate across nodes (assuming your $HOME directory is the same) you need both keys. Please remember to use a different key pair than the one you use to connect to the cluster, for security reasons.
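
The troubleshooting steps above name two server-side causes of a silent fall-back to password login: wrong modes on ~/.ssh or authorized_keys, and an authorized_keys file whose format was broken by hand editing. The following is an added example, not part of the original note, that checks both in one pass; the function names audit_ssh_dir, check_format and mode_of are hypothetical, and the format check is structural only.

```shell
#!/bin/sh
# Added example (not from the original note): audit the prerequisites for
# key authentication described above. Run on the server: audit_ssh_dir

# Print the octal permission bits of a path (GNU stat first, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Structural check only (no cryptographic validation): each non-blank,
# non-comment line needs a key type followed by a base64 blob on the SAME
# line. Only the common rsa/ed25519/ecdsa key types are recognised here.
check_format() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            ok = 0
            for (i = 1; i < NF; i++)
                if ($i ~ "^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521))$" &&
                    $(i + 1) ~ "^AAAA[A-Za-z0-9+/]+=*$") ok = 1
            if (!ok) { printf "malformed line %d\n", NR; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Check DIR (default ~/.ssh) against the modes used in this note: 700 / 600.
# Returns 0 if everything matches, 1 on any finding, 2 if DIR is missing.
audit_ssh_dir() {
    dir=${1:-$HOME/.ssh}
    keys=$dir/authorized_keys
    rc=0
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 2; }
    [ "$(mode_of "$dir")" = 700 ] || { echo "$dir: mode is not 700"; rc=1; }
    if [ -f "$keys" ]; then
        [ "$(mode_of "$keys")" = 600 ] || { echo "$keys: mode is not 600"; rc=1; }
        check_format "$keys" || rc=1
    else
        echo "missing file: $keys"; rc=1
    fi
    return "$rc"
}
```

A key that was pasted by hand and wrapped onto a second line is reported by the line number of the orphaned continuation.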