Ssh at ncmm

From medicin.ncmm.IT

General info about ssh at UiO

SSH (Secure SHell) logins from the outside world to UiO's network are only allowed to a small select number of hosts, all of which require two-factor authentication to login. In order to ssh from home to one of NCMM's machines you need to go (jump) through one of these central login machines ("jump hosts" or "proxy hosts").

NCMM config file for Linux and Mac

We provide an ~/.ssh/config file that simplifies a number of things for typical use by NCMM members:

  • you can use short hostnames (e.g., ssh biotin4 instead of ssh biotin4.hpc.uio.no)
  • you do not need to manually specify your UiO user name on the command line, even if it differs from your local user name
  • when off-campus, the configuration will automatically first go to a UiO login machine and then from there go to your target
  • the connection to the UiO login machine is kept open for 10 minutes after you log off, so a subsequent login shortly thereafter does not require you to go through two-factor authentication again

1) If you already have an ed25519 ssh key pair, you can skip this step. If you are unsure, check for the existence of the file ~/.ssh/id_ed25519. If it is there, you have such a key pair and can proceed with step 2. Otherwise, run

ssh-keygen -t ed25519

on your local machine (laptop).

2) Upload your ed25519 public key to your UiO home directory by running (again, on your local machine)

ssh-copy-id -i ~/.ssh/id_ed25519.pub MYUIOUSERNAME@login.uio.no

(replacing MYUIOUSERNAME with your UiO login name). If you are off-campus you will need to authenticate via 2FA.


3) Put the following into your ~/.ssh/config file - make sure to replace MYUIOUSERNAME with your UiO user name and ec-MYUIOUSERNAME with your educloud user name if you use Educloud/Fox:

# NCMM ~/.ssh/config

# define jumphost - we give it an alias name ("uio-loginhost")
# so if this ever changes we only need to change the settings
# in a single location

Host uio-loginhost
        HostName login.uio.no


# ControlMaster/ControlPersist *only* when coming from off-campus, so that the
# 2FA login to the jump host is reused for 10 minutes. The exec test looks for a
# UiO address (129.240.x.x) or the internal NCMM search domain; note that
# ifconfig needs the net-tools package on some Linux distributions.
Match host login.uio.no  !exec "ifconfig -a | egrep -q 'inet 129.240' || egrep -q '^search.* internal.ncmm(| $)' /etc/resolv.conf"
        ControlMaster auto
        ControlPath ~/.ssh/controlsock-%r@%h:%p
        # for compatibility with GNOME file manager use the following instead
        # ControlPath /run/user/1000/gvfsd-sftp/%C 
        ControlPersist 10m


# expand hostnames
Host biotin2 biotin3 biotin4
        Hostname %h.hpc.uio.no


Host hfaistos mathelier2 kuijjer2 waszak1
        Hostname %h.uio.no


# neither on uio fastnett nor internal network?  => jump through uio jumphost
Match host biotin2.hpc.uio.no,biotin3.hpc.uio.no,biotin4.hpc.uio.no,hfaistos.uio.no,mathelier2.uio.no,kuijjer2.uio.no,waszak1.uio.no  !exec "ifconfig -a | egrep -q 'inet 129.240' || egrep -q '^search.* internal.ncmm(| $)' /etc/resolv.conf"
        ProxyJump uio-loginhost


# default settings. This must be "Match host" rather than "Host": Host patterns
# are compared with the name typed on the command line (e.g. "biotin2"), while
# Match host is compared with the hostname after the Hostname expansions above,
# so the User setting also applies when the short names are used.
Match host login.uio.no,biotin2.hpc.uio.no,biotin3.hpc.uio.no,biotin4.hpc.uio.no,hfaistos.uio.no,mathelier2.uio.no,kuijjer2.uio.no,waszak1.uio.no
        User MYUIOUSERNAME


Host fox.educloud.no fox
        Hostname fox.educloud.no
        User ec-MYUIOUSERNAME
        ControlMaster auto
        ControlPath ~/.ssh/controlsock-%r@%h:%p
        # for compatibility with GNOME file manager use the following instead
        # ControlPath /run/user/1000/gvfsd-sftp/%C 
        ControlPersist 10m


# other default settings
Host *
        IdentityFile ~/.ssh/id_ed25519
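
To confirm that the config above does what the bullet list promises, without opening a connection, the following added helper script (not from the wiki) wraps `ssh -G`, which prints the options ssh would use for an alias after evaluating the `Match ... exec` network tests against the network you are currently on. The sample outputs and the user name "alice" are constructed.

```shell
# ssh-check.sh: added helper, not part of the NCMM wiki page.
# `ssh -G <alias>` prints the options ssh would use for <alias>, after
# evaluating the "Match ... exec" network tests, without connecting.

# Value of one keyword in `ssh -G` output (first match wins, as in ssh).
effective_option() {  # $1 = ssh -G output, $2 = keyword, lower case
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# Summary of the settings the NCMM config is meant to produce.
summarize() {  # $1 = ssh -G output
    printf 'hostname=%s user=%s proxyjump=%s controlpersist=%s\n' \
        "$(effective_option "$1" hostname)" \
        "$(effective_option "$1" user)" \
        "$(effective_option "$1" proxyjump)" \
        "$(effective_option "$1" controlpersist)"
}

# Live check for an alias from the config (needs the OpenSSH client).
check_alias() {  # $1 = alias, e.g. biotin4 or uio-loginhost
    summarize "$(ssh -G "$1")"
}

# Is the persisted control connection to the jump host still open?
# `ssh -O check` only talks to the local control socket.
master_alive() {  # $1 = jump host alias, e.g. uio-loginhost
    ssh -O check "$1" 2>/dev/null
}

# Constructed samples of `ssh -G` output from off-campus ("alice" is a
# placeholder user name), so the helpers can be tried offline.
SAMPLE_TARGET='user alice
hostname biotin4.hpc.uio.no
port 22
proxyjump uio-loginhost
controlmaster false
controlpersist no
identityfile ~/.ssh/id_ed25519'

SAMPLE_JUMP='user alice
hostname login.uio.no
port 22
proxyjump none
controlmaster auto
controlpersist 600
identityfile ~/.ssh/id_ed25519'
```

Run `check_alias biotin4` once from home and once on campus: off-campus the summary should show `proxyjump=uio-loginhost`, on campus `proxyjump=none`, and `check_alias uio-loginhost` from home should show `controlpersist=600`.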

NCMM PowerShell script for Windows

Note: You can either install Windows Subsystem for Linux (WSL) and proceed to the instructions for Linux and Mac above, or follow the steps below.

We provide a PowerShell script (ps1) file that simplifies a number of things for typical use by NCMM members:

  • you can use short hostnames (e.g., ssh.ps1 biotin4 instead of ssh biotin4.hpc.uio.no)
  • you do not need to manually specify your UiO user name on the command line, even if it differs from your local user name
  • when off-campus, the configuration will automatically first go to a UiO login machine and then from there go to your target
  • the connection to the UiO login machine is kept open for 10 minutes after you log off, so a subsequent login shortly thereafter does not require you to go through two-factor authentication again

1) If you already have OpenSSH Client installed on your Windows system, you can proceed to the next step. Otherwise, launch PowerShell and run Install-WindowsFeature -Name OpenSSH.Client. This client is required to run the command `ssh` and associated commands in PowerShell and CMD.

2) If you already have an ed25519 ssh key pair, you can skip this step. If you are unsure, check for the existence of the file ~\.ssh\id_ed25519 (for example, by issuing the command Get-ChildItem "$env:USERPROFILE\.ssh" in PowerShell). If it is there, you have such a key pair and can proceed to step 3. Otherwise, run

ssh-keygen -t ed25519

on your computer.

3) Upload your ed25519 public key to your UiO home directory by running (again, on your local machine)

type $env:USERPROFILE\.ssh\id_ed25519.pub | ssh MYUIOUSERNAME@login.uio.no "umask 077; mkdir -p .ssh && cat >> .ssh/authorized_keys"

(replacing MYUIOUSERNAME with your UiO login name). If you are off-campus you will need to authenticate via 2FA.

4) Paste the following into, for example, Notepad, and save the file as, for example, ssh.ps1 in your user directory. Make sure to replace UIO_USERNAME with your UiO user name in the two assignments at the top (the script adds the "ec-" prefix for Educloud/Fox itself, so do not type it in).

$MYUIOUSERNAME = "UIO_USERNAME"
$LOGINHOSTUSERNAME = "UIO_USERNAME"
$loginHost = "login.uio.no"
$global:IdentityFile = "~/.ssh/id_ed25519"

# Get IP network info: are we on a UiO address (129.240.x.x)?
$ipConfig = Get-NetIPAddress | Select-Object -ExpandProperty IPAddress
$hasSpecificIP = [bool]($ipConfig -match '^129\.240\.')
# Windows has no simple equivalent of the resolv.conf search-domain test, so ask
$onInternalNetwork = (Read-Host "Are you on the internal.ncmm network? (y/n)") -eq 'y'

# Jump through the UiO login host only when we are neither on the UiO
# network nor on the internal network (2FA is required from outside)
$useProxyJump = -not ($hasSpecificIP -or $onInternalNetwork)

function RunSSH ($sshHost, $user, $proxy) {
    # ssh stops parsing options at the first non-option argument, so
    # -i and -J must come before user@host
    $sshCmd = "ssh -i $($global:IdentityFile)"
    if ($useProxyJump -and $proxy) {
        $sshCmd += " -J $($proxy)"
    }
    $sshCmd += " $($user)@$($sshHost)"
    Write-Host "Running: $sshCmd"
    Start-Process -FilePath "cmd.exe" -ArgumentList "/k", $sshCmd
}

# Login logic
$jump = "$LOGINHOSTUSERNAME@$loginHost"
switch ($args[0]) {
    "uio-login" {
        RunSSH $loginHost $MYUIOUSERNAME $null
    }
    "biotin2" { RunSSH "biotin2.hpc.uio.no" $MYUIOUSERNAME $jump }
    "biotin3" { RunSSH "biotin3.hpc.uio.no" $MYUIOUSERNAME $jump }
    "biotin4" { RunSSH "biotin4.hpc.uio.no" $MYUIOUSERNAME $jump }
    "hfaistos" { RunSSH "hfaistos.uio.no" $MYUIOUSERNAME $jump }
    "mathelier2" { RunSSH "mathelier2.uio.no" $MYUIOUSERNAME $jump }
    "kuijjer2" { RunSSH "kuijjer2.uio.no" $MYUIOUSERNAME $jump }
    "waszak1" { RunSSH "waszak1.uio.no" $MYUIOUSERNAME $jump }
    "fox" {
        # Educloud/Fox user names are the UiO user name with an "ec-" prefix
        $user = "ec-$MYUIOUSERNAME"
        RunSSH "fox.educloud.no" $user $null
    }
    default {
        Write-Host "Unknown host. Exiting."
        exit 1
    }
}

You can then launch this script in PowerShell by typing its name.