
SSH remote access

Description

The CPHT provides SSH remote access to its internal computing resources through an SSH gateway service named pascal.cpht.polytechnique.fr.

Note

The CPHT gateway service is provided by two hosts, pascal1.cpht.polytechnique.fr and pascal2.cpht.polytechnique.fr; DNS round-robin distributes connections between them. Whichever host answers, check the host key fingerprint your client shows on first connection against a fingerprint obtained from IT support before accepting it.

Documentation

Requirements:

  1. An X (École Polytechnique) account in the XAJAM directory
  2. An SSH key pair
  3. (Optional) Two-factor authentication

Note

A workflow diagram is available here to help you understand the SSH access process at CPHT.

You have an SSH key pair

SSH entry point for CPHT:

ssh.cpht.polytechnique.fr or pascal.cpht.polytechnique.fr

$ ssh my_login@ssh.cpht.polytechnique.fr

Resources behind the CPHT SSH gateway, for example the private clusters (cholesky, hopper, montblanc, hedin, etc.), are reached by jumping through the gateway:

You --> SSH-Gateway --> ServerX

Here is the command to connect (requires OpenSSH 7.3 or later):

$ ssh -J my_login@ssh.cpht.polytechnique.fr my_login@machine_destination

You can also create an alias in ~/.ssh/config :

Host alias_target_host
    HostName target_hostname
    ProxyJump my_login@ssh.cpht.polytechnique.fr

Then connect to this alias :

$ ssh my_login@alias_target_host

If your OpenSSH client is older than 7.3, use the ProxyCommand directive instead. In your ~/.ssh/config:

Host alias_target_host
    HostName target_hostname
    ProxyCommand ssh -W %h:%p my_login@ssh.cpht.polytechnique.fr

Warning

The old syntax ProxyCommand nohup ssh pascal nc %h %p 2>&1 is obsolete and must be updated in your ~/.ssh/config.
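A complete ~/.ssh/config that defines the gateway once and routes every CPHT-internal host through it, as an added example rather than a configuration taken from the CPHT documentation. The key file name ~/.ssh/id_ed25519, the alias cpht-gw and the fully qualified names of the clusters under cpht.polytechnique.fr are assumptions; replace them with what IT support gives you.

```ssh_config
# The gateway, defined once under a short alias. Matching its real names too
# means "ssh ssh.cpht.polytechnique.fr" picks up the same login and key.
Host cpht-gw ssh.cpht.polytechnique.fr pascal.cpht.polytechnique.fr
    HostName ssh.cpht.polytechnique.fr
    User my_login
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes          # offer this key only, not every key in the agent

# Any host under cpht.polytechnique.fr is reached through the gateway. The
# negated patterns exclude the gateway itself, otherwise ssh would try to
# jump through the gateway in order to reach the gateway.
Host *.cpht.polytechnique.fr !ssh.cpht.polytechnique.fr !pascal*.cpht.polytechnique.fr
    ProxyJump cpht-gw

# Short names for the clusters listed above (their FQDNs are an assumption).
Host cholesky hopper montblanc hedin
    HostName %h.cpht.polytechnique.fr
    ProxyJump cpht-gw

# Settings shared by the internal hosts: same login and key as the gateway,
# offered end-to-end through the jump. The gateway never needs your agent,
# so agent forwarding stays off.
Host *.cpht.polytechnique.fr cholesky hopper montblanc hedin
    User my_login
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
    ForwardAgent no
```

With this file, `ssh cholesky` and `ssh machine.cpht.polytechnique.fr` both go through the gateway with the right login and key. `ssh -G cholesky` prints the effective configuration (user, hostname, proxyjump) without connecting, which is the quickest way to check that a stanza matches as intended; OpenSSH applies the first value it obtains for each option, so specific stanzas must come before wildcard ones.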

You don't have an SSH key pair

  • Linux or macOS

    1. In a terminal, check whether your computer already has a key pair:

      $ cd ~/.ssh
      $ ls
      authorized_keys2  id_rsa      known_hosts
      config            id_rsa.pub
      

      Look for a key pair such as id_rsa and id_rsa.pub (or id_ed25519 and id_ed25519.pub). The .pub file is the public key, which can be given to anyone; the other file is the private key and must never leave your computer. If you don't see these files, you need to generate them.

      RSA Algorithm

      Its strength depends on the key length: 1024-bit keys are obsolete, 2048 bits is the minimum acceptable today and 3072 or 4096 bits is preferred for a new RSA key. Rather than a large RSA key, we recommend the Ed25519 algorithm from now on.

      Ed25519 Algorithm

      It is the recommended public-key algorithm for SSH today: it has a single fixed key size, so there is no length to choose, and its keys are compact. An Ed25519 public key line is only 68 characters long, compared with 544 for RSA 3072.

    2. In a terminal, run ssh-keygen with the ed25519 algorithm:

      $ ssh-keygen -t ed25519

    3. The command asks where to save the key (accept the default file, id_ed25519), then for a passphrase that protects the private key. Choose a non-empty passphrase: without one, anyone who copies the file can use the key.

      Generating public/private ed25519 key pair.
      Enter file in which to save the key (/home/ubuntu/.ssh/id_ed25519): 
      Enter passphrase (empty for no passphrase): 
      Enter same passphrase again: 
      Your identification has been saved in /home/ubuntu/.ssh/id_ed25519
      Your public key has been saved in /home/ubuntu/.ssh/id_ed25519.pub
      
    4. Send the public key id_ed25519.pub (never the private key) to CPHT IT support.

    5. IT support will then copy your public key into ~/.ssh/authorized_keys in your home directory and confirm that you can connect to the gateway.

  • Windows (with PuTTY)

    1. Download and install the SSH client PuTTY.

    2. Run the PuTTYgen tool, select ED25519 as the key type, then click Generate:

      Figure: Create an SSH key with PuTTY Key Generator

    3. Move the mouse cursor randomly in the area below the progress bar, as shown below:

      Figure: Generate an SSH key with PuTTY Key Generator

    4. Once the progress bar is complete, the window below appears; enter a key passphrase to protect the private key, then save the private key with "Save private key":

      Figure: Create an SSH key with PuTTY Key Generator

    5. Copy the public key from the field "Public key for pasting into OpenSSH authorized_keys file" (for an ED25519 key it starts with ssh-ed25519, not ssh-rsa) and send it to CPHT IT support.

    6. IT support will then copy your public key into ~/.ssh/authorized_keys in your home directory and confirm that you can connect to the gateway.
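An added check for the Linux/macOS steps above, not part of the CPHT documentation: ssh-keygen writes private keys in the openssh-key-v1 format, whose header records the cipher and key-derivation function used to encrypt the key material, so a key saved with an empty passphrase is recognisable (cipher none, KDF none) without ever being prompted for a passphrase. The script below parses that header, checks the file mode, and reports keys that are readable by other users or unprotected. make_sample_key() builds header-only sample files (constructed data, not usable keys) so the checks can be exercised offline; older PEM-format keys (BEGIN RSA PRIVATE KEY) are reported as unparsed rather than judged.

```python
"""Audit the OpenSSH private keys under ~/.ssh for permissions and passphrase
protection.  Added example; it parses only the header of the openssh-key-v1
format written by ssh-keygen: an empty passphrase gives cipher "none" and
KDF "none", a real passphrase gives a cipher such as aes256-ctr and KDF bcrypt.
"""
import base64
import stat
from pathlib import Path

MAGIC = b"openssh-key-v1\x00"
PEM_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_FOOTER = "-----END OPENSSH PRIVATE KEY-----"


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + data)."""
    return len(data).to_bytes(4, "big") + data


def _read_string(blob: bytes, pos: int) -> tuple[bytes, int]:
    """Decode one SSH wire-format string at offset pos; returns (data, next offset)."""
    if pos + 4 > len(blob):
        raise ValueError("truncated key blob")
    length = int.from_bytes(blob[pos:pos + 4], "big")
    end = pos + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos + 4:end], end


def parse_openssh_key_header(pem: str) -> dict:
    """Return the cipher name, KDF name and key count of an openssh-key-v1 file."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if len(lines) < 3 or lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        raise ValueError("not an openssh-key-v1 file (older PEM keys are not handled here)")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad openssh-key-v1 magic")
    pos = len(MAGIC)
    cipher, pos = _read_string(blob, pos)
    kdf, pos = _read_string(blob, pos)
    _kdf_options, pos = _read_string(blob, pos)   # bcrypt salt and rounds, unused here
    if pos + 4 > len(blob):
        raise ValueError("truncated key blob")
    nkeys = int.from_bytes(blob[pos:pos + 4], "big")
    return {"cipher": cipher.decode(), "kdf": kdf.decode(), "nkeys": nkeys}


def is_passphrase_protected(pem: str) -> bool:
    """True when the private section is encrypted, i.e. a non-empty passphrase was set."""
    header = parse_openssh_key_header(pem)
    return header["cipher"] != "none" and header["kdf"] != "none"


def audit_private_key(name: str, mode: int, pem: str) -> list[str]:
    """Findings for one private key given its file name, st_mode bits and contents."""
    findings = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{name}: readable by group/others (mode {stat.S_IMODE(mode):04o}); chmod 600 it")
    try:
        if not is_passphrase_protected(pem):
            findings.append(f"{name}: no passphrase; run `ssh-keygen -p -f {name}` to add one")
    except ValueError as exc:
        findings.append(f"{name}: could not parse ({exc})")
    return findings


def audit_ssh_dir(ssh_dir: Path = Path.home() / ".ssh") -> list[str]:
    """Audit every id_* private key (the files without a .pub suffix) in ssh_dir."""
    findings = []
    for key_file in sorted(ssh_dir.glob("id_*")):
        if key_file.suffix == ".pub" or not key_file.is_file():
            continue
        findings += audit_private_key(key_file.name, key_file.stat().st_mode,
                                      key_file.read_text())
    return findings


def make_sample_key(cipher: str, kdf: str) -> str:
    """Constructed test data: a header-only openssh-key-v1 file, not a usable key."""
    blob = (MAGIC + _ssh_string(cipher.encode()) + _ssh_string(kdf.encode())
            + _ssh_string(b"") + (1).to_bytes(4, "big"))
    return f"{PEM_HEADER}\n{base64.b64encode(blob).decode()}\n{PEM_FOOTER}\n"


if __name__ == "__main__":
    for finding in audit_ssh_dir() or ["no findings"]:
        print(finding)
```

Run it as `python3 audit_keys.py` on the workstation whose keys you are about to send to IT support; an unprotected key is fixed in place with `ssh-keygen -p -f ~/.ssh/id_ed25519`, which re-encrypts the file under a new passphrase without changing the key pair, so the public key already sent stays valid.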

Enable Two-factor authentication

Access without SSH key

This method lets you sign in from outside (the Internet) without an SSH key, using the password of your Polytechnique account plus a temporary code generated by a TOTP application on your smartphone.

  1. In a terminal, open an SSH session to the CPHT gateway ssh.cpht.polytechnique.fr (this setup step itself requires your SSH key pair, see above)

  2. Run the command :

    $ google-authenticator
    
  3. google-authenticator displays a QR code like the one below:

    Figure: Google Authenticator QR code

  4. Save the emergency scratch codes and the secret key somewhere safe (a password manager rather than a screenshot in your photo library): anyone holding the secret key can generate valid codes, and the scratch codes are single-use logins for the day you lose or reset your smartphone

  5. Answer y to write the configuration file ~/.google_authenticator in your home directory

  6. Scan the QR code with a TOTP application, for example FreeOTP, available for iOS (iPhone) and Android

  7. Sign out from the CPHT gateway

  8. Test two-factor authentication. On your workstation, add an entry to ~/.ssh/config that disables public-key authentication for this alias, so that the password + code path is the one exercised:

Host ssh_otp
    HostName ssh.cpht.polytechnique.fr
    PubkeyAuthentication no

  9. Open an SSH session to the CPHT gateway with the ssh_otp alias, enter your Polytechnique password and then the verification code shown by the FreeOTP app on your smartphone:

$ ssh my_login@ssh_otp
##############################################################
#                                                            #
#             Centre de Physique Theorique                   #
#                                                            #
##############################################################
#            !!! Acces autorise uniquement !!!               #
#                                                            #
# Deconnectez vous immediatement si vous n'etes pas autorise #
#          toute action sera tracee et enregistree           #
# -----------------------------------------------------------#
#              !!! Authorized access only !!!                #
#                                                            #
#             Disconnect immediately otherwise               #
#        All action will be monitored and recorded           #
##############################################################

Password: 
Password: 
Verification code: 
#################################################################################
#     You are connected to a resource administered by                           #
#     the Cellule Informatique Commune CMLS / CPHT / CMAP                       #
#    ----------------------------------------------------                       #
#       offices : 061004 and 1061060                                            #
#         email : support@cpht.polytechnique.fr                                 #
# documentation : https://gitlab.labos.polytechnique.fr \                       #
#                 /CPHT_documentation/documentation_utilisateurs/wikis/home     #
#################################################################################
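What the gateway checks at the Verification code: prompt, as an added example that is neither part of the CPHT documentation nor code from the google-authenticator tool. google-authenticator stores a base32 secret in ~/.google_authenticator and its PAM module checks RFC 6238 TOTP codes (HMAC-SHA1 over a 30-second counter, 6 digits) against it. The Python below reimplements that computation and can be checked against the RFC 4226/6238 test-vector secret; the acceptance window of one step either side in verify_totp() is an assumption for illustration (the real module's window and its protection against reusing a code are configurable). It also makes step 4 concrete: whoever obtains the secret key can compute every future code, which is why the saved secret deserves the same care as a password.

```python
"""TOTP as used by the google-authenticator PAM module: RFC 4226 HOTP with a
time-based counter (RFC 6238).  Added example, not the module's own code."""
import base64
import hashlib
import hmac
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def decode_secret(secret_b32: str) -> bytes:
    """Decode the base32 secret printed by google-authenticator (shown without '=' padding)."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(secret_b32: str, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    return hotp(decode_secret(secret_b32), unix_time // period, digits)


def verify_totp(secret_b32: str, code: str, unix_time: int, window: int = 1,
                period: int = 30, digits: int = 6) -> bool:
    """Accept the code for the current step or up to `window` steps either side
    (assumed window, to absorb clock drift), comparing in constant time."""
    key = decode_secret(secret_b32)
    step = unix_time // period
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, step + delta, digits), code):
            return True
    return False


# The RFC 4226/6238 reference secret "12345678901234567890" in base32, so the
# output can be compared with the test vectors published in those RFCs.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    now = int(time.time())
    print("code for the RFC test secret right now:", totp(RFC_SECRET_B32, now))
```

Feeding your own secret (the 16 or 32 character string printed by google-authenticator) to totp() with the current time reproduces the digits FreeOTP shows, which is a quick way to confirm a smartphone's clock is in sync when the gateway rejects codes. The scratch codes are not TOTP values; the PAM module keeps them in the same file and removes each one after use.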