Difference between revisions of "Ssh at ncmm"

From medicin.ncmm.IT
(ssh for NCMM people)
 
(Document creation and uploading of ed25519 key)
Line 7: Line 7:
 
We provide an ~/.ssh/config file that simplifies a number of things for typical use by NCMM members:
 
We provide an ~/.ssh/config file that simplifies a number of things for typical use by NCMM members:
  
* you can use short hostnames (e.g., `ssh biotin4` instead of `ssh biotin4.hpc.uio.no`)
+
* you can use short hostnames (e.g., <code>ssh biotin4</code> instead of <code>ssh biotin4.hpc.uio.no</code>)
 
* you do not need to manually specify your UiO user name on the commandline, even if it differs from your local user name
 
* you do not need to manually specify your UiO user name on the commandline, even if it differs from your local user name
 
* when off-campus, the configuration will automatically first go to a UiO login machine and then from there go to your target
 
* when off-campus, the configuration will automatically first go to a UiO login machine and then from there go to your target
 
* the connection to the UiO login machine is held up for 10 minutes after logging off, so a subsequent login shortly thereafter does not require you to go through two-factor authentication again
 
* the connection to the UiO login machine is held up for 10 minutes after logging off, so a subsequent login shortly thereafter does not require you to go through two-factor authentication again
  
Put the following into your ~/.ssh/config file - make sure to replace MYUIOUSERNAME with your UiO user name and ec-MYUIOUSERNAME with your educloud user name if you use Educloud/Fox:
+
1)
 +
If you already have an ed25519 ssh key pair, you can skip this step.  If you are unsure, check for the existence of the file <code>~/.ssh/id_ed25519</code>.
 +
If it is there, you have such a key pair and can proceed with step 2.  Otherwise, run
 +
ssh-keygen -t ed25519
 +
on your local machine (laptop).
 +
 
 +
2)
 +
Upload your ed25519 public key to your UiO home directory by running (again, on your local machine)
 +
ssh-copy-id -i ~/.ssh/id_ed25519.pub MYUIOUSERNAME@login.uio.no
 +
(replacing <code>MYUIOUSERNAME</code> with your UiO login name).  If you are off-campus you will need to authenticate via 2FA.
 +
 
 +
 
 +
3) Put the following into your <code>~/.ssh/config</code> file - make sure to replace <code>MYUIOUSERNAME</code> with your UiO user name and <code>ec-MYUIOUSERNAME</code> with your educloud user name if you use Educloud/Fox:
 
  <nowiki>
 
  <nowiki>
 
# NCMM ~/.ssh/config
 
# NCMM ~/.ssh/config
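Review bot: step 1 has readers check only for `~/.ssh/id_ed25519`, while step 2 uploads `~/.ssh/id_ed25519.pub`; the check should cover both files, because a private key whose `.pub` file is missing passes step 1 and then fails at `ssh-copy-id -i`. Step 1 also gives no guidance for the passphrase prompt of `ssh-keygen -t ed25519`; since this key becomes a login credential for `login.uio.no`, the text should say explicitly that a passphrase is expected.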

Revision as of 22:11, 29 March 2023

General info about ssh at UiO

SSH logins from the outside world to UiO's network are only allowed to a small, selected number of hosts, all of which require two-factor authentication for login. In order to ssh from home to one of NCMM's machines, you need to go through one of these central login machines.

NCMM config file

We provide an ~/.ssh/config file that simplifies a number of things for typical use by NCMM members:

  • you can use short hostnames (e.g., ssh biotin4 instead of ssh biotin4.hpc.uio.no)
  • you do not need to manually specify your UiO user name on the command line, even if it differs from your local user name
  • when off-campus, the configuration will automatically first go to a UiO login machine and then from there go to your target
  • the connection to the UiO login machine is kept open for 10 minutes after logging off, so a subsequent login shortly thereafter does not require you to go through two-factor authentication again

1) If you already have an ed25519 ssh key pair, you can skip this step. If you are unsure, check for the existence of the file ~/.ssh/id_ed25519. If it is there, you have such a key pair and can proceed with step 2. Otherwise, run

ssh-keygen -t ed25519

on your local machine (laptop).

2) Upload your ed25519 public key to your UiO home directory by running (again, on your local machine)

ssh-copy-id -i ~/.ssh/id_ed25519.pub MYUIOUSERNAME@login.uio.no

(replacing MYUIOUSERNAME with your UiO login name). If you are off-campus you will need to authenticate via 2FA.


3) Put the following into your ~/.ssh/config file - make sure to replace MYUIOUSERNAME with your UiO user name and ec-MYUIOUSERNAME with your educloud user name if you use Educloud/Fox:

# NCMM ~/.ssh/config

# define jumphost - we give it an alias name ("uio-loginhost")
# so if this ever changes we only need to change the settings
# in a single location

Host uio-loginhost
        HostName login.uio.no


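# Control* *only* when coming from off-campus (it's mainly because of 2FA).
# The exec test succeeds when on-campus (a 129.240 address or the NCMM
# internal search domain); "!exec" negates it. If ifconfig is not
# installed, only the resolv.conf test can succeed.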
Match host login.uio.no  !exec "ifconfig -a | egrep -q 'inet 129.240' || egrep -q '^search.* internal.ncmm(| $)' /etc/resolv.conf"
        ControlMaster auto
        ControlPath ~/.ssh/controlsock-%r@%h:%p
        # for compatibility with GNOME file manager use the following instead
        # ControlPath /run/user/1000/gvfsd-sftp/%C 
        ControlPersist 10m


# expand hostnames
Host biotin2 biotin3 biotin4
        Hostname %h.hpc.uio.no


Host hfaistos mathelier2 kuijjer2 waszak1
        Hostname %h.uio.no


# neither on uio fastnett nor internal network?  => jump through uio jumphost
Match host biotin2.hpc.uio.no,biotin3.hpc.uio.no,biotin4.hpc.uio.no,hfaistos.uio.no,mathelier2.uio.no,kuijjer2.uio.no,waszak1.uio.no  !exec "ifconfig -a | egrep -q 'inet 129.240' || egrep -q '^search.* internal.ncmm(| $)' /etc/resolv.conf"
        ProxyJump uio-loginhost


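# default settings
# ("Match host" instead of "Host": a Host line takes whitespace-separated
# patterns and is compared with the name typed on the command line, so a
# comma-separated list of full host names on a Host line never matches.
# Match host takes a comma-separated list and sees the name after HostName
# has been applied, hence login.uio.no for the uio-loginhost alias.)
Match host login.uio.no,biotin2.hpc.uio.no,biotin3.hpc.uio.no,biotin4.hpc.uio.no,hfaistos.uio.no,mathelier2.uio.no,kuijjer2.uio.no,waszak1.uio.no
        User MYUIOUSERNAME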


Host fox.educloud.no fox
        Hostname fox.educloud.no
        User ec-MYUIOUSERNAME
        ControlMaster auto
        ControlPath ~/.ssh/controlsock-%r@%h:%p
        # for compatibility with GNOME file manager use the following instead
        # ControlPath /run/user/1000/gvfsd-sftp/%C 
        ControlPersist 10m


# other default settings
Host *
        IdentityFile ~/.ssh/id_ed25519
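
A post-setup check for steps 1 to 3, as an added example that is not part of the NCMM page: it verifies the permissions of the files the config relies on and lists any master connection that ControlPersist is still holding open. The file names are the ones used in the config above; the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the NCMM page. File names (id_ed25519, config,
# controlsock-*) are the ones used in the config above; the function names
# are made up for this example.

# group_other_bits PATH -> prints the six group/other mode characters
group_other_bits() {
    ls -ld -- "$1" | cut -c5-10
}

# private_to_owner PATH -> 0 only if PATH exists and group/others have no access
private_to_owner() {
    [ -e "$1" ] && [ "$(group_other_bits "$1")" = "------" ]
}

# not_writable_by_others PATH -> 0 only if PATH exists and only its owner may write
not_writable_by_others() {
    [ -e "$1" ] || return 1
    case "$(group_other_bits "$1")" in
        ?w????|????w?) return 1 ;;
    esac
    return 0
}

# audit_ssh_dir [DIR] -> prints findings, returns 0 when nothing needs fixing
audit_ssh_dir() {
    dir=${1:-$HOME/.ssh}
    problems=0
    # ~/.ssh holds the key and the ControlPath sockets
    private_to_owner "$dir" ||
        { echo "FIX: chmod 700 $dir"; problems=$((problems + 1)); }
    # ssh ignores a private key that group or others can read
    private_to_owner "$dir/id_ed25519" ||
        { echo "FIX: chmod 600 $dir/id_ed25519 (step 1 if missing)"; problems=$((problems + 1)); }
    # ssh rejects a config file that group or others can write
    not_writable_by_others "$dir/config" ||
        { echo "FIX: chmod 600 $dir/config (step 3 if missing)"; problems=$((problems + 1)); }
    # a socket here is an authenticated master kept alive by ControlPersist
    for sock in "$dir"/controlsock-*; do
        [ -S "$sock" ] && echo "NOTE: open master connection: $sock"
    done
    [ "$problems" -eq 0 ]
}
```

After sourcing the file, run `audit_ssh_dir` with no argument to check `~/.ssh`; a reported master connection to the login machine can be closed before the 10 minutes are up with `ssh -O exit uio-loginhost`.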