ssh - NCI National Facility
   ssh

Categories for this software: Network Access and Grid Services
What is ssh
Secure Shell (ssh) is a replacement for many mechanisms for remote login to a machine. It uses encrypted sessions, so the username and password are encrypted as well. In particular it functionally replaces telnet, rsh, rlogin, rcp and even ftp.

Some useful links include

Additional Notes
In principle, there are two major implementations of ssh: ssh v1 and ssh v2 (SSH3 is being developed, and OpenSSH uses the v1 and v2 protocols). They are different protocols and unfortunately they are not compatible. Ssh v2 is known to be more secure. The new National Facility Altix cluster AC only accepts ssh v2. Some machines will accept connections from both ssh1 and ssh2 clients, but you should use ssh v2 by preference due to increasing problems with ssh v1 security mechanisms. If ssh is already installed on your machine then you can determine the version just by typing ssh -V. If both ssh1 and ssh2 are installed on your machine then 'ssh' and 'scp' will mean ssh2 and scp2, but version 1 commands might be available as separate commands such as ssh1 and scp1.
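To check which protocol versions a server offers, here is an added example that is not part of the original page. The first line an SSH server sends is its identification string, and the functions below classify it by the protocol version field defined in RFC 4253; the host names and banners are constructed samples and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify SSH server identification strings by protocol version.
# The string has the form SSH-<protoversion>-<softwareversion> and is the
# first line a server sends (RFC 4253, sections 4.2 and 5.1).

# classify_banner BANNER -> prints v2-only | v1-and-v2 | v1-only | invalid
classify_banner() {
    banner=$(printf '%s' "$1" | tr -d '\r')   # servers end the line with CR LF
    case "$banner" in
        SSH-*-?*) ;;                           # two dashes and a non-empty software field
        *) echo invalid; return 0 ;;
    esac
    proto=${banner#SSH-}                       # drop the "SSH-" prefix
    proto=${proto%%-*}                         # keep the text up to the next dash
    case "$proto" in
        2.0)  echo v2-only ;;
        1.99) echo v1-and-v2 ;;                # compatibility mode: v1 clients are accepted
        1.*)  echo v1-only ;;
        *)    echo invalid ;;
    esac
}

# hosts_accepting_v1: reads "host banner" lines on stdin and prints the hosts
# that still accept protocol 1 connections.
hosts_accepting_v1() {
    while read -r host banner; do
        [ -n "$host" ] || continue
        case "$(classify_banner "$banner")" in
            v1-only|v1-and-v2) echo "$host" ;;
        esac
    done
}

# Constructed sample data (hypothetical hosts, illustrative banners).
SAMPLE_BANNERS='ac.example.org SSH-2.0-OpenSSH_4.3
old.example.org SSH-1.5-1.2.27
mixed.example.org SSH-1.99-OpenSSH_3.9p1
broken.example.org HTTP/1.1 400 Bad Request'

printf '%s\n' "$SAMPLE_BANNERS" | hosts_accepting_v1
```

A server that announces 1.99 speaks v2 but will also accept v1 clients, so it belongs on the list of machines to reconfigure.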

For details on how to download and install ssh we suggest you consult the SSH FAQ at http://www.employees.org/~satch/ssh/faq/, in particular the section Getting Secure Shell. Your local system administrator should be able to help you. Most Unix operating systems (especially shrink-wrapped Linux systems, like Red Hat) now come with Secure Shell already bundled in the installation. MacOS X includes OpenSSH, which can be used either from the Terminal application or through an xterm under X11. Otherwise, you can download it from Mirror Aarnet. It's also available from the main site ftp://ftp.ssh.com.

For Macintosh (MacOS9) we suggest downloading Nifty Telnet, and for Windows we suggest downloading PuTTY. Installation of these programs is via a straightforward one-click self-unpacking installer.

How to connect using SSH
Once ssh is installed on your desktop machine you should be ready to connect to the remote system. Note that, for all flavours of client, on your first connection to the machine your client software will ask you about accepting the bona fides of the machine you are connecting to.

Unix
To connect from a Unix system, the simplest method of connecting to the remote system (let's call it remote.instit.edu.au) is to execute a command similar to:
ssh remote.instit.edu.au -l username
OR
ssh username@remote.instit.edu.au
where username is your account on the remote system.

Windows
For PuTTY users, start the program, put remote.instit.edu.au in the 'Host Name' dialogue and make sure that the SSH radio button is selected. (Note that by clicking on Default Settings and then clicking on Save, your system will remember that you want SSH by default in the future.) It is also a good idea to check that you are using the SSH v2 protocol by default.

Macintosh
Users of Nifty Telnet will find the dialogue boxes similar to those described here. For Macintoshes running PPC Linux you may need to add the flag '-Y' or '-X' to your ssh connection.

Replacing ftp with a secure shell version
Unix: Most of the time users will tend to use the command scp for transferring files. See man scp for more details. It is functionally equivalent to rcp. The command sftp is also available from version 2 onwards.

Windows: There are sftp and scp clients as a part of PuTTY, but we tend to like using a GUI program such as FileZilla. FileZilla uses the PuTTY engine and so will behave in a familiar way. Once the FileZilla client is installed you simply enter sftp://remote.instit.edu.au in the Address entry, and your username and password in the appropriate fields. (The port will be automatically set.) This will give you a nice drag-and-drop GUI to help transfer files.

Some users have found WinSCP easier to use.

MacOS X: Some nice free GUIs for sftp are Cyberduck or Fugu. You can also install gftp using Fink.

Other SSH notes
SSH without passwords
If you want to use SSH without passwords (i.e. set up a web of trust between two machines) then please consult our brief ssh-without-passwds how-to guide. This covers both ssh1 and ssh2.

If you want to use a cheap, nearly complete X implementation on your Windows machines you will also want to consider VNC (see our software pages on VNC for more details). However, you should also consider encrypting the session over a forwarded port of a PuTTY ssh session (see below for more details on port forwarding).

SSH Tunnels/Port Forwarding
X11 forwarding is a special option in many SSH clients. This not only sets up the port forwarding, but also creates secure credentials at the remote end and sets the DISPLAY environment variable.
To set up X11 forwarding from a command line 'ssh' client, try using either 'ssh -Y' or 'ssh -X'. '-Y' is available only in newer versions of OpenSSH but is more secure and has fewer compatibility problems. In PuTTY on Windows, there is an option to set up X11 forwarding on a new connection. Note that you must already have an X server running on your PC before you connect.

More generally, port forwarding is used to set up an encrypted channel over which you can run non-secure clients. For example, you could do regular ftp commands over a port-forwarded ssh connection.

For Windows users using PuTTY:
Let us consider a connection to the VNC server on remote.instit.edu.au. (You must have installed VNC on your Windows desktop first, as per our VNC software page.) We know from our documentation that a VNC server is listening on port 5953 at a resolution of 1024 x 768 x 16 bit. In the 'Connection/SSH/Tunnel' window (see the left-hand side of the PuTTY window), select something like:
Source Port: 5900
Destination Port: remote.instit.edu.au:5953
There are a number of other entries on this page, but they won't affect the tunnel. The local host port 5900 was chosen for clarity but 5953 would probably make more sense.
Select Add. Then click on the Session window (see the left-hand side of the PuTTY window) and type in remote.instit.edu.au for the Hostname. Connect to the lc using your user name and password. The local machine's port 5900 will now forward packets to port 5953 of the lc. You can now start VNC and connect to localhost:5900 and you will see a VNC client login to the lc. We describe other details about VNC over ssh on our VNC software web page.

For Unix/Linux users:
Using either OpenSSH or the real SSH, you can simply do

ssh -L 5900:localhost:5953 username@remote.instit.edu.au
which will forward your local port 5900 through to port 5953 on the remote machine.

For MacOSX users:
You can either follow the above Unix command or download a program called SSHTunnelManager, which provides a graphical interface to the standard Unix ssh. To set up a port forward, go to the menu SSHTunnelManager/Preferences and enter the connection name, your username and the hostname of the machine to connect to. Then in the Tunnel Setup pane, press the + button to create a new tunnel. Complete the port, host and port fields, which are the local port number, destination host name and destination port number, e.g.

5900 localhost 5953
Then click apply.

What to do if your interactive graphics are too slow
If you are using an interactive graphical program (for example matlab or gambit) and it is too slow, it may be because of the overhead from sending the X graphics through ssh. There are two ways to set up your display for this, depending on how strong you would like the authentication of the display.

On a number of clusters only the interactive nodes are available and there is not an easy method for getting access to the internal nodes without an SSH tunnel. For example, on a PBS queueing system it won't work with the qsub -I 'interactive queue' jobs as these require the graphics display to be set by ssh.

For purely interactive jobs on interactive nodes of a cluster you set your display by typing the following on the interactive nodes of the cluster after you have logged in:
tcsh: setenv DISPLAY full-name-of-your-desktop-computer:0
bash: export DISPLAY=full-name-of-your-desktop-computer:0
You can then use either host-based access or magic cookies to authorise access to your local desktop.

Method 1: host-based (not recommended, but good for simple debugging)
On your local machine type
xhost +loginnodename.instit.edu.au
This will allow any user on the sc to access your desktop screen.

Method 2: magic-cookies
Before you start the graphical program, copy your authority file from your local machine to the cluster.
scp .Xauthority sc_userid@loginnodename.instit.edu.au:temp-xauth
then on sc
xauth merge temp-xauth
This copies a 'magic cookie' from your desktop computer to the remote machine so that when the remote machine tries to connect to your display your desktop computer knows that it is allowed to. It will only allow authorised keys (i.e. ones you have given the cookie to) to attach, rather than the whole machine as in the host-based method.
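An added example, not part of the original page, that works out where X11 traffic goes for a given DISPLAY value, which decides whether the host-based or magic-cookie authorisation above is needed at all. The function names are hypothetical, and treating localhost displays numbered 10 or higher as ssh-forwarded assumes the OpenSSH server default X11DisplayOffset of 10.

```shell
#!/bin/sh
# Added example: where does X11 traffic go for a given DISPLAY value?
# X11 over TCP uses port 6000 + display number. Treating localhost displays
# numbered 10 and up as ssh-forwarded is an assumption (OpenSSH server
# default X11DisplayOffset is 10).

# x11_route DISPLAY -> prints one of
#   unset | invalid | local-socket | ssh-forwarded <port> | direct-tcp <host> <port>
x11_route() {
    disp=$1
    [ -n "$disp" ] || { echo unset; return 0; }
    case "$disp" in
        *:*) ;;
        *) echo invalid; return 0 ;;
    esac
    host=${disp%:*}                  # text before the last colon
    num=${disp##*:}                  # text after it, e.g. "0" or "10.0"
    num=${num%%.*}                   # drop the optional ".screen" suffix
    case "$num" in
        ''|*[!0-9]*|0?*) echo invalid; return 0 ;;   # must be a plain decimal number
    esac
    port=$((6000 + num))
    case "$host" in
        ''|unix) echo local-socket ;;
        localhost|127.0.0.1)
            if [ "$num" -ge 10 ]; then echo "ssh-forwarded $port"
            else echo "direct-tcp $host $port"; fi ;;
        *) echo "direct-tcp $host $port" ;;
    esac
}

# x11_advice DISPLAY -> one-line summary for the user
x11_advice() {
    set -- $(x11_route "$1")         # split the route into positional fields
    case "$1" in
        ssh-forwarded) echo "encrypted: X11 is carried inside the ssh session" ;;
        direct-tcp)    echo "unencrypted: cluster connects to $2 port $3; authorise with xauth, not xhost +" ;;
        local-socket)  echo "local display: no network traffic" ;;
        *)             echo "DISPLAY is $1: no X11 connection possible" ;;
    esac
}

# Constructed sample value, using the placeholder name from the text above.
x11_advice "full-name-of-your-desktop-computer:0"
```

For a direct-tcp result the desktop's X server must accept TCP connections on the port shown, and the session is not protected by ssh.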
Email problems, suggestions, questions to help@nf.nci.org.au