Secure Shell Mike Griffiths & Deniz Savas CiCS Dept Sheffield University November 2005
Page 1: Secure Shell

Secure Shell

Mike Griffiths & Deniz Savas

CiCS Dept

Sheffield University

November 2005

Page 2: Secure Shell

Secure Shell

• What is ssh?
• How to use it?
• Single sign on using ssh
• Digital certificates
• Accessing and Managing Grid Resources
• Wrgrid commands
• Further Information

Page 3: Secure Shell

Secure Shell

• Program to log into another computer over a network
• Execute commands on a remote machine
• Move files from one machine to another
• Provides strong authentication and secure communications over insecure channels.
• Intended as a replacement for rlogin, rsh, rcp, and rdist.

Page 4: Secure Shell

The Secure shell protocol

• SSH is a new method of communications over the Internet that encrypts data end-to-end.
• Replaces telnet, ftp, rsh and rcp
• Components
  – Secure shell: ssh
  – Secure ftp: sftp
  – Secure copy: scp

Page 5: Secure Shell

ssh

• You only need the SSH client. The server is unnecessary, unless you wish to connect back to your home machine via the Internet using SSH.
• Connecting to a WRG node:
  ssh -l wrsmg maxima.leeds.ac.uk
• To use X-windows add the "-X" flag
  – SSH will then carry X Windows traffic over the Internet to connect
• Range of options for changing ports, specifying authentication files, encryption algorithms etc.
  – Use man ssh for help with options

Page 7: Secure Shell

Running X Windows Apps

• Examples
  – File manager and NAG Iris Explorer on Maxima
• After using ssh to access a remote host
  – setenv DISPLAY workstation_address:1.0
  – Workstation address can be an IP number of the workstation
  – Check IP number using nslookup (on Linux), ipconfig (PC)

Page 8: Secure Shell

Secure ftp (sftp)

• Establishes an FTP-style file transfer session between the Unix systems
• sftp command always used in the form: sftp user@server
  – e.g. from titania: sftp [email protected]

Page 9: Secure Shell

Transferring Files Using sftp

From the SFTP prompt (sftp>) you can do the following:
• get command to retrieve a file from the remote Unix server.
  – get test.txt
• put command to transfer a file from your Unix system to the remote Unix system you are connected to.
  – put file2.txt

Page 10: Secure Shell

Navigating file systems using sftp

From the SFTP prompt (sftp>) you can do the following:
• ls command to display the contents of a directory on the remote Unix system you are connected to.
  – ls /home/user will display the contents of the directory /home/user on the remote Unix system.
• cd and lcd commands change the current remote directory, or the current local directory.
  – e.g. cd /home/user will change the current remote directory to /home/user.

Page 11: Secure Shell

Summary of sftp commands 1

• mget Retrieve multiple files from server
• mput Transfer multiple files to server
• pwd Display remote working directory
• quit or exit Quit sftp
• rename oldpath newpath Rename remote file
• rmdir path Remove remote directory
• rm path Delete remote file
• version Show SFTP version
• ? Synonym for help

Page 12: Secure Shell

Summary Listing of SFTP commands 2

ascii Use text transfer mode

help Display the help text

image Use binary transfer mode

lls [ls-options [path]] Display local directory listing

lmkdir path Create local directory

ls [path] Display remote directory listing

mkdir path Create remote directory

put local-path [remote-path] Upload file

Page 13: Secure Shell

Secure copy - scp

• Using SCP
  – Fast, easy method to copy single files from your Unix system to a remote Unix system.

Page 14: Secure Shell

Retrieving a file using SCP

• To retrieve a file from a remote Unix system, the syntax is:
  scp username@server:file local-file
  – username = username on the remote system
  – server = the name of the remote Unix system
  – file = the file to retrieve from the remote system
  – local-file = the location you wish to save the file to on your local Unix system

Page 15: Secure Shell

Transferring a file to a remote Unix system using SCP

• The syntax is:
  scp local-file username@server:file
  – local-file = the file to transfer from the local system
  – username = username on the remote system
  – server = the name of the remote Unix system
  – file = the location you wish to save the file to on the remote Unix system

Page 16: Secure Shell

Transferring Multiple Files

• mget and mput with sftp
• Use tar and compress to package a directory tree
  – scp transfers the packaged directory tree
  – uncompress and extract directory tree using tar
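The packaging steps on this slide, carried through in Python as an added example (not code from the slides or from the White Rose Grid tools): tar and gzip a directory tree, write a SHA-256 manifest into the archive, and verify every file after extraction on the receiving side. The manifest name, the sample tree and the local copy that stands in for the scp step are all assumptions made for the example.

```python
import hashlib
import io
import os
import tarfile
import tempfile

# Added example, not code from the slides: package a directory tree with tar and
# gzip, record a SHA-256 digest of every file in a manifest that travels inside
# the archive, and verify the digests after extraction on the receiving side.
# A local file copy stands in for the scp step so the example runs offline.

MANIFEST_NAME = "MANIFEST.sha256"   # manifest file name chosen for this example


def sha256_of_file(path, chunk_size=1 << 16):
    """Hex SHA-256 of a file, read in chunks so large inputs are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def package_tree(src_dir, archive_path):
    """Write src_dir into a gzip-compressed tar archive plus a manifest member.

    Returns {relative_path: sha256} so the sender can keep its own record.
    """
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _dirs, files in os.walk(src_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                manifest[rel] = sha256_of_file(full)
                tar.add(full, arcname=rel)
        body = "".join(f"{h}  {p}\n" for p, h in sorted(manifest.items())).encode()
        info = tarfile.TarInfo(MANIFEST_NAME)
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    return manifest


def extract_and_verify(archive_path, dest_dir):
    """Extract into dest_dir and return the relative paths whose digest does not
    match the manifest; an empty list means every file verified."""
    with tarfile.open(archive_path, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            # Python 3.12+ (and patched 3.8-3.11): refuse members that would
            # land outside dest_dir via absolute paths or '..' components.
            tar.extractall(dest_dir, filter="data")
        else:
            base = os.path.realpath(dest_dir) + os.sep
            for member in tar.getmembers():
                if not os.path.realpath(os.path.join(dest_dir, member.name)).startswith(base):
                    raise ValueError(f"archive member escapes destination: {member.name}")
            tar.extractall(dest_dir)
    mismatches = []
    with open(os.path.join(dest_dir, MANIFEST_NAME)) as handle:
        for line in handle:
            expected, rel = line.rstrip("\n").split("  ", 1)
            if sha256_of_file(os.path.join(dest_dir, rel)) != expected:
                mismatches.append(rel)
    return mismatches


def demo():
    """Constructed round trip: build a small tree, package it, copy it, extract and verify."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "project")
        os.makedirs(os.path.join(src, "data"))
        with open(os.path.join(src, "run.sh"), "w") as f:
            f.write("#!/bin/sh\necho hello\n")
        with open(os.path.join(src, "data", "input.txt"), "w") as f:
            f.write("1 2 3\n")
        archive = os.path.join(work, "project.tar.gz")
        manifest = package_tree(src, archive)
        # In real use the archive now goes over scp, for example
        #   scp project.tar.gz wrsmg@maxima.leeds.ac.uk:project.tar.gz
        # and the steps below run on the remote host. Here a copy stands in.
        received = os.path.join(work, "received.tar.gz")
        with open(archive, "rb") as fin, open(received, "wb") as fout:
            fout.write(fin.read())
        dest = os.path.join(work, "unpacked")
        os.makedirs(dest)
        return sorted(manifest), extract_and_verify(received, dest)


if __name__ == "__main__":
    files, bad = demo()
    print("packaged:", files)
    print("digest mismatches after transfer:", bad or "none")
```

The digest check catches truncation or corruption in transit, and extraction refuses archive members that would land outside the destination directory, which matters when the tarball was produced on a different node.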

Page 17: Secure Shell

Security

• Authentication
  – Are you who you say you are?
• Authorisation
  – What are you permitted to do?
• Message protection
  – Integrity
  – Confidentiality
• Single sign-on
  – Delegation

Page 18: Secure Shell

SSH Authentication

• SSH allows authentication to be based on
  – what we know (our key pass-phrase)
  – and what we have (our private key).

Page 19: Secure Shell

SSH Authentication

• Enable single sign on to remote resources that use ssh.
• Authentication Utilities
  – ssh-keygen
    • Authentication key pair generation
  – ssh-agent
    • Authentication agent
  – ssh-add
    • Adds identities for authentication agent

Page 20: Secure Shell

ssh files and directories

• authorized_keys
  – Contains public keys of hosts and users authorised to access this host
• known_hosts
  – List of hosts from which ssh authentication is allowed. Contains public key for remote host

Page 21: Secure Shell

Enabling Single Sign On Using SSH

• Enable using the utility ssh-keygen
• ssh-keygen
  – Generates and manages authentication keys for ssh

Page 22: Secure Shell

Steps for setting up single sign on

• General steps for enabling your local host to access an account on a remote host without providing a password
  – Generate a key pair from your local host
  – Copy public key to the remote host you require access to
  – Edit authorized_keys file on the remote host

Page 23: Secure Shell

Running ssh-keygen

• Generate a key pair of type rsa
  – ssh-keygen -t rsa
• At the prompt for a file name press return; the default filename will be used for the pair
• At the prompt for a pass phrase and the prompt to re-enter the pass phrase just hit return.
• A pair of keys has now been generated; the private key must be protected.

Page 24: Secure Shell

Preparing the Remote Host for Single Sign On

• Copy the public key you created using ssh-keygen to the .ssh directory on the remote host
• Append your public key to the authorized_keys file in the .ssh directory
• Single sign on using secure shell is now enabled.
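As an added example (not from the slides), the following Python audits an authorized_keys file of the kind the steps on pages 20 to 24 produce: it decodes each entry's key blob using the RFC 4253 wire format, reads the RSA modulus length, and flags DSA keys, RSA keys below 2048 bits and lines that do not parse. The key types list, the 2048-bit threshold and the constructed sample file (which holds no real key material) are assumptions for the example; the same blob decoding applies to the public keys stored in known_hosts.

```python
import base64
import shlex
import struct

# Added example, not code from the slides: parse an authorized_keys file, decode
# each public-key blob and report entries worth revisiting (DSA keys, RSA keys
# below a chosen length, lines that do not parse). known_hosts lines carry the
# same "keytype base64" pair after the host name, so rsa_bits_from_blob() applies
# there too. The sample file at the bottom is constructed; it holds no real keys.

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
MIN_RSA_BITS = 2048   # threshold chosen for this example


def _ssh_string(data):
    """SSH 'string' (RFC 4251): 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value):
    """SSH 'mpint': big-endian magnitude, with a leading 0x00 if the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_string(blob, offset):
    """Decode one SSH 'string' at offset; return (data, offset after it)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def rsa_bits_from_blob(blob):
    """Modulus length in bits of an ssh-rsa blob (RFC 4253: string "ssh-rsa",
    mpint e, mpint n); None if the blob is not ssh-rsa."""
    key_type, offset = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        return None
    _e, offset = _read_string(blob, offset)
    n_bytes, _ = _read_string(blob, offset)
    return int.from_bytes(n_bytes, "big").bit_length()


def make_key_line(key_type, bits=None, options="", comment="user@host"):
    """Constructed authorized_keys line. For ssh-rsa the 'modulus' is 2**(bits-1)|1:
    right length, not a usable key. Other types get a zero-filled placeholder body."""
    if key_type == "ssh-rsa":
        blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint((1 << (bits - 1)) | 1)
    else:
        blob = _ssh_string(key_type.encode()) + _ssh_string(b"\x00" * 32)
    prefix = options + " " if options else ""
    return f"{prefix}{key_type} {base64.b64encode(blob).decode()} {comment}"


def audit_authorized_keys(text):
    """One dict per non-comment line: line number, key type, RSA bits, options, problems."""
    report = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entry = {"line": lineno, "type": None, "bits": None, "options": [], "problems": []}
        report.append(entry)
        tokens = shlex.split(line)   # keeps quoted options such as from="..." in one token
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            entry["problems"].append("no recognised key type and blob on line")
            continue
        entry["type"], entry["options"] = tokens[idx], tokens[:idx]
        try:
            blob = base64.b64decode(tokens[idx + 1], validate=True)
            if entry["type"] == "ssh-rsa":
                entry["bits"] = rsa_bits_from_blob(blob)
        except (ValueError, struct.error):
            entry["problems"].append("key blob does not decode")
            continue
        if entry["type"] == "ssh-dss":
            entry["problems"].append("DSA key (ssh-dss); current OpenSSH refuses it by default")
        elif entry["type"] == "ssh-rsa":
            if entry["bits"] is None:
                entry["problems"].append("blob is not an ssh-rsa key")
            elif entry["bits"] < MIN_RSA_BITS:
                entry["problems"].append(f"RSA key shorter than {MIN_RSA_BITS} bits")
    return report


SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys for this example (no real keys)",
    make_key_line("ssh-rsa", bits=1024, comment="old-laptop"),
    make_key_line("ssh-rsa", bits=3072, options='from="10.0.0.0/8",no-port-forwarding',
                  comment="wrsmg@titania"),
    make_key_line("ssh-dss", comment="legacy"),
    make_key_line("ssh-ed25519", comment="workstation"),
    "this line is not a key at all",
])

if __name__ == "__main__":
    for e in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {e['line']}: {e['type']} {e['bits'] or ''} {e['options']} -> "
              + ("; ".join(e["problems"]) or "ok"))
```

Run against a real ~/.ssh/authorized_keys the report shows, per entry, which restrictions (from=, no-port-forwarding and so on) are set and which keys are of a type or length that no longer belongs on a host you log into without a password.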

Page 25: Secure Shell

Comments

• Enables distributed application shell scripts that launch applications and transfer resources between the different systems on which you have accounts.
• This approach does not require a separate logon to access each node

Page 26: Secure Shell

Grid Security Infrastructure

• Grid Security Infrastructure uses PKI to protect the security of communications on the Internet
• Public key infrastructure integrates digital certificates, public key cryptography and certification authorities
• Digital certificates allow individual users and hosts to confidently validate the identity of each party involved in a transaction
• Uses X509v3 Digital Certificates

Page 27: Secure Shell

GSI Delegation

• Proxies are temporary certificates signed by the owner
  – Expiry date
  – Private key
• Relies on conventional filesystem security
• Enables remote processes to authenticate with further resources
• Hence single sign-on

Page 28: Secure Shell

Apply to Use Grid Resources

• White Rose Grid
  – Download, complete and sign a form.
• National Grid Service
  – Complete the online form and provide a case
• Details at:
  – http://www.shef.ac.uk/wrgrid/access

Page 29: Secure Shell

Why???

• Extra compute resource?
• Run jobs when local queues are busy
• Run more jobs
• Run jobs faster

Page 30: Secure Shell

How to Obtain an X509v3 Certificate

• Obtain certificate from a CA
• Get request approved by local registration authority (ID required)
• Get certificate from CA, install it and test it.
• May need to use OpenSSL to convert certificate for use
• Details at
  – http://www.shef.ac.uk/wrgrid/access

Page 31: Secure Shell

Protection of Credentials

• Permission on the long-term private key file: read only (userkey.pem by default is read only)
• The passphrase for encrypting your private key must be secure
• Private keys and proxy files should not be stored on removable media
• Private keys should be copied using secure methods only (sftp, NOT ftp or rcp)
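The first two bullets turned into checks, as an added example (not from the slides): one function reports a private key file whose mode lets group or other read it, the other reports a key saved without a pass-phrase, which is what pressing return at the ssh-keygen pass-phrase prompt on page 23 produces. The file names and the constructed sample files in demo() are assumptions; they contain no real key material.

```python
import base64
import os
import stat
import struct
import tempfile

# Added example, not code from the slides: the two checks the slide asks for on a
# long-term private key such as userkey.pem, written so they can be run over any
# directory of keys: (1) the file is accessible to its owner only, and (2) the key
# material is passphrase-encrypted. The sample files built in demo() are
# constructed and contain no real key material.


def permission_problems(path):
    """Problems with a private key file's mode bits, as a list of strings."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    problems = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {mode:04o} is accessible by group or other")
    if mode & stat.S_IWUSR:
        problems.append("file is owner-writable; a long-term key is normally kept read-only (0400)")
    if mode & stat.S_IXUSR:
        problems.append("private key file should not be executable")
    return problems


def is_passphrase_protected(data):
    """Best-effort check that PEM or OpenSSH private key bytes are encrypted."""
    if b"-----BEGIN OPENSSH PRIVATE KEY-----" in data:
        # openssh-key-v1 layout: magic "openssh-key-v1\0", then string ciphername,
        # string kdfname, ...; ciphername "none" means no passphrase was set.
        body = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
        raw = base64.b64decode(body)
        magic = b"openssh-key-v1\x00"
        if not raw.startswith(magic):
            return False
        (length,) = struct.unpack(">I", raw[len(magic):len(magic) + 4])
        cipher = raw[len(magic) + 4:len(magic) + 4 + length]
        return cipher != b"none"
    if b"-----BEGIN ENCRYPTED PRIVATE KEY-----" in data:   # PKCS#8, always encrypted
        return True
    # Traditional PEM (the usual userkey.pem): an encrypted key carries these headers.
    return b"Proc-Type: 4,ENCRYPTED" in data and b"DEK-Info:" in data


def audit_private_key(path):
    """All problems found for one private key file (empty list means it passed)."""
    problems = permission_problems(path)
    with open(path, "rb") as handle:
        if not is_passphrase_protected(handle.read()):
            problems.append("key is not passphrase-protected")
    return problems


def _ssh_string(data):
    """SSH 'string' encoding: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def demo():
    """Constructed files: a read-only encrypted userkey.pem and a world-readable,
    unencrypted OpenSSH key. Returns {filename: problems}."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "userkey.pem")
        with open(good, "w") as f:   # headers of an encrypted traditional PEM; body is filler
            f.write("-----BEGIN RSA PRIVATE KEY-----\n"
                    "Proc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                    "QUJDREVGR0g=\n-----END RSA PRIVATE KEY-----\n")
        os.chmod(good, 0o400)
        bad = os.path.join(d, "id_rsa")
        # openssh-key-v1 header with ciphername "none" and kdfname "none"; the rest of
        # the real structure is omitted because only the cipher name is inspected here.
        raw = b"openssh-key-v1\x00" + _ssh_string(b"none") + _ssh_string(b"none") + _ssh_string(b"")
        with open(bad, "w") as f:
            f.write("-----BEGIN OPENSSH PRIVATE KEY-----\n"
                    + base64.b64encode(raw).decode() + "\n"
                    "-----END OPENSSH PRIVATE KEY-----\n")
        os.chmod(bad, 0o644)
        return {"userkey.pem": audit_private_key(good), "id_rsa": audit_private_key(bad)}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {'; '.join(problems) or 'ok'}")
```

audit_private_key() can be called on each file under ~/.ssh or ~/.globus; a key that fails the pass-phrase check should be regenerated with a pass-phrase and, for interactive use, loaded into ssh-agent rather than left unencrypted on disk.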

Page 32: Secure Shell

Using the Grid

• Iceberg grid commands
  – wrhelp
• Geodise toolkit with Matlab (available on iceberg)
• gsissh, gsiscp
  – From maxima
• Globus toolkit gt2.4

Page 33: Secure Shell

wr grid commands : Overview

• wrhelp
• wrnn
• Proxy Management
• Execute Commands (e.g. unix) on remote node
• Transfer files
• Submit jobs

Page 34: Secure Shell

wr grid commands : Help and nodes

• wrhelp
  – Gives list of available commands
  – Type the command with the -help option to get help
• wrnn
  – List of wrg nodes and ngs nodes with correct contact information
  – Given a nickname for a node, will return the correct contact name
  – ssh -X wrsmg@`wrnn snowdon`

Page 35: Secure Shell

wr grid commands : Proxy management

• wrgpi
  – Initialises a proxy
• wrgpinf
  – Displays information about current proxy
• wrgpd
  – Deletes proxy

Page 36: Secure Shell

wr grid commands : Execute Commands

• wrunx
  – Execute unix command (/bin)
  – wrunx nodenickname command options
• wrexe
  – Run executable on specified path
  – wrexe fullnodecontact command+path options
  – Can use a jobmanager, e.g. sge, pbs, condor

Page 37: Secure Shell

wr grid commands : File Transfer

• wrft
  – wrft fromnode fromfile+path tonode tofile+path
• Use nickname in wrnn to specify fromnode and tonode
• File must include path which is RELATIVE to the HOME area on a node.
  – i.e. no need to remember where home is located on different nodes
• Can do third party file transfers

Page 38: Secure Shell

wr grid commands : Job management

• Use wrft to transfer required resources to node
• wrjobsubmit
  – wrjobsubmit fullcontactnamefornode rslfile
  – Full contact name for node (not nickname) can include job manager
  – Provide the name of an rsl file
  – Returns a handle for the job
• wrjobstatus
  – wrjobstatus jobhandle
• wrjobkill
  – wrjobkill jobhandle

Page 39: Secure Shell

Further Information

• Registration and Access
  – http://www.shef.ac.uk/wrgrid/access/index.html
• Status information about nodes
  – http://www.shef.ac.uk/wrgrid/status.html
• RSL Scripting
  – http://www.ipg.nasa.gov/ipgusers/globus/4-globus.html
• Documentation Index
  – http://www.shef.ac.uk/wrgrid/documents/index.html
• Contacts
  – http://www.shef.ac.uk/wrgrid/contact.html