SSH remote access¶
Description¶
The CPHT provides SSH remote access to its internal computer resources by a SSH service gateway called pascal.cpht.polytechnique.fr
.
Note
The CPHT gateway service is provided by 2 hosts : pascal1.cpht.polytechnique.fr
and pascal2.cpht.polytechnique.fr
. A DNS round-robin load balancing system allows resources to be distributed between these 2 hosts.
Documentation¶
Requirements:
Note
A workflow is available here to help you to understand SSH access processus at CPHT.
You have a SSH key pair¶
SSH entry point for CPHT:
ssh.cpht.polytechnique.fr
or pascal.cpht.polytechnique.fr
$ ssh my_login(Q)ssh(P)cpht(P)polytechnique(P)fr
SSH access to resources behind SSH gateway of CPHT using a jump, to access for example private resources like clusters (cholesky, hopper, montblanc, hedin, etc).
Here is the command that allows you to connect (requires OpenSSH 7.3) :
$ ssh -J my_login(Q)ssh(P)cpht(P)polytechnique(P)fr my_login@machine_destination
You can also create an alias in ~/.ssh/config
:
Host alias_target_host
HostName target_hostname
ProxyJump my_login(Q)ssh(P)cpht(P)polytechnique(P)fr
Then connect to this alias :
$ ssh my_login@alias_target_host
if your OpenSSH client < 7.3 it is possible to use the ProxyCommand
directive. In your ~/.ssh/config
:
Host alias_target_host
HostName target_hostname
ProxyCommand ssh -W %h:%p ssh.cpht.polytechnique.fr
Warning
Old syntax ProxyCommand nohup ssh pascal nc %h %p 2>&1
is obsolete et must be updated in your ~/.ssh/config.
You don't have a SSH key pair¶
-
Linux or MAC OS X
-
In a terminal, check on your computer that you don't have a key pair :
$ cd ~/.ssh $ ls authorized_keys2 id_rsa known_hosts config id_rsa.pub
Find a key pair like
id_rsa
andid_rsa.pub
(orid_ed25519
andid_ed25519.pub
). Thepub
file is the public key (which can be communicated to anyone) while the other is the private key. If you don't see these files, it is necessary to generate them.RSA Algorithm
It depends on the size of the key. A key length less than 4096 bits is now considered not secure. So, we recommend to use the
ed2556
algorithm from now on.Ed25519 Algorithm
It’s the most recommended public-key algorithm available today. The Ed25519 public-key is compact. It only contains 68 characters, compared to RSA 3072 that has 544 characters.
-
In a terminal, run this command
ssh-keygen
withed25519
algorithm:shell $ ssh-keygen -t ed25519
-
This command asks you to save the key in the default file
id_ed25519
file, then asks a passphrase to protect the private key :Generating public/private ed25519 key pair. Enter file in which to save the key (/home/ubuntu/.ssh/id_ed25519): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/ubuntu/.ssh/id_ed25519 Your public key has been saved in /home/ubuntu/.ssh/id_ed25519.pub
-
Transmit the public key
id_ed25519.pub
to IT support) of CPHT. -
IT support will then copy the contents of your public key into
~/.ssh/authorized_keys
of yourhome
directory and then confirm you that you can connect to the gateway.
-
-
Windows (with PuTTY)
-
Download and install SSH client : PuTTY
-
Run the tool
PuTTYgen
et selectED25519
as the key type, then click onGenerate
: -
Move your mouse cursor randomly in the area below the progress bar, as shown below :
-
Once the progress bar is complete, the window below appears and asks you for a key passphrase that protects the private key :
-
Transmit the public key in the field starting with ssh-rsa... to IT support) of CPHT.
-
IT support will then copy the contents of your public key into
~/.ssh/authorized_keys
of yourhome
directory and then confirm you that you can connect to the gateway.
-
Enable Two-factor authentication¶
Access without SSH key
This method allows you to sign in without an SSH key from outside (internet) by using the password of the Polytechnique account and a temporary passcode given through a TOTP application on your smartphone.
-
In a terminal, open a SSH session on the CPHT gateway
ssh.cpht.polytechnique.fr
(requires an SSH key pair for this procedure, see above) -
Run the command :
$ google-authenticator
-
Google Authenticator generates a QR code as below :
-
Save (eg. screenshot) the emergency scratch codes and the secret key somewhere in case you lose or format your smartphone
-
Press the
y
key to update the Google Authenticator configuration in yourhome
directory -
Flash the QR code with for example FreeOTP application available for iOS (iphone) and Android
-
Sign out from CPHT gateway
-
Test Two-factor authentication : To do this, edit your SSH configuration on your workstation by adding an entry to
~/.ssh/.config
file :
Host ssh_otp
Hostname ssh.cpht.polytechnique.fr
Pubkeyauthentication no
- Open a SSH session on CPHT gateway with the alias
ssh_otp
stated above, enter your Polytechnique credentials then the verification code given by theFreeOTP
app of your smartphone :
$ ssh my_login@ssh_otp
##############################################################
# #
# Centre de Physique Theorique #
# #
##############################################################
# !!! Acces autorise uniquement !!! #
# #
# Deconnectez vous immediatement si vous n'etes pas autorise #
# toute action sera tracee et enregistree #
# -----------------------------------------------------------#
# !!! Authorized access only !!! #
# #
# Disconnect immediately otherwise #
# All action will be monitored and recorded #
##############################################################
Password:
Password:
Verification code:
#################################################################################
# Vous etes connecte a une ressource administree par #
# la Cellule Informatique Commune CMLS / CPHT / CMAP #
# ---------------------------------------------------- #
# bureau : 061004 et 1061060 #
# email : support(Q)cpht(P)polytechnique(P)fr #
# documentation : https://gitlab.labos.polytechnique.fr \ #
# /CPHT_documentation/documentation_utilisateurs/wikis/home #
#################################################################################