SSH Secure Shell

SSH provides a secure terminal connection to a login server. All Linux login servers can be reached with SSH client software, not only on the standard port 22, but also on ports 80 and 443.

NB: as of December 2022, not all science logins are allowed to log in on the login servers anymore. Should you have trouble logging in on our login servers, please contact postmaster.

  • Windows:
    • MobaXterm. From the MobaXterm website: “MobaXterm is an enhanced terminal for Windows with an X11 server, a tabbed SSH client and several other network tools for remote computing (VNC, RDP, telnet, rlogin). MobaXterm brings all the essential Unix commands to Windows desktop, in a single portable exe file which works out of the box.” The support of OpenGL could also be a reason to start using MobaXterm. If you use it professionally, you should consider subscribing to MobaXterm Professional Edition. MobaXterm is available on the S-disc.
    • Mosh (mobile Shell), for roaming or intermittent connections.
    • PuTTY.
    • The OpenSSH client provided by Cygwin.
  • Linux: Your computer should have ssh installed by default. Otherwise, install the openssh-client package. Install Mosh (mobile Shell) when roaming or having intermittent connections.
  • OS X: the ssh client should be available on your Mac. For graphical/X11 functionality one can install XQuartz. Install Mosh (mobile Shell) when roaming or having intermittent connections.
  • Android: JuiceSSH or ConnectBot. Install Mosh (mobile Shell) when roaming or having intermittent connections.

SSH keys

ssh can authenticate with the server using a login and password, but you can also use ssh keys as an alternative authentication method. ssh keys are public-private key pairs that you can generate using the ssh-keygen command on Linux. Read the manpage (man ssh-keygen) to learn more. You can set a password on the private key, so that someone who copies the key file cannot use it to impersonate you.

Steps:

  • generate ssh keys: e.g. ssh-keygen -t ed25519 (press enter a lot, or read the prompts and set a password if you want that). The keypair will end up in ~/.ssh/ on Linux machines.
  • copy the public key to the server (use ssh-copy-id <server>); the public key of your keypair will be added to ~/.ssh/authorized_keys on the server (make sure the permissions are strict enough!)

If you set a password on the keypair, you will be prompted every time you use it, or you can configure ssh-agent to remember your key for a limited time. For automated scripts, you need unprotected keypairs, because a script cannot prompt you.

It’s possible to generate keys with different names, for different uses.

SSH settings and tips

To avoid warnings about possibly changed ssh keys and to prevent ‘unknown host’ messages the first time you connect to a host in the science.ru.nl domain, we have signed the public keys of all our servers. If you add the following lines to the file ‘config’ in the .ssh directory in your (local) home directory (you may have to create this file)

CanonicalDomains science.ru.nl
CanonicalizeFallbackLocal no
CanonicalizeHostname yes

and the following line to .ssh/known_hosts

@cert-authority *.science.ru.nl ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAHpJveyOrLKFRDsbiW/29OadbCbkmUaIXnWbhVwtytbpftAc7Stj2RYa8yBmgfdm82T/UBVu1tLbeeCYQI8UlCvbAALMx+I60ux+iEGVdDBgIOjeu6LuY12pksVlXy/nKc59+m3AdMXfGHA8cI/O8eFosQLJ+dck7SBcvTT4lPhEcSQxg==

then C&CZ-signed ssh keys of science.ru.nl hosts will be automatically accepted. The change to the ‘config’ file ensures that

ssh lilo

will match lilo.science.ru.nl. The line in known_hosts ensures that, only for hostnames matching *.science.ru.nl, ssh checks whether the public key of the host is signed by C&CZ and, if that is the case, accepts the host key. If you do not want to change the config file, you will always have to use the fully qualified hostname lilo5.science.ru.nl.
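
The name handling described above, as an added example (not C&CZ's or OpenSSH's own code): a simplified Python model of how the CanonicalizeHostname settings and the @cert-authority pattern interact. The stand-in DNS set, the key-blob placeholder and all function names are assumptions for illustration; a matching CA line only makes the CA eligible for that name, the server must still present a host certificate signed by it.

```python
import re

# The page's client settings; the CA key blob is replaced by a placeholder
# because only the name handling is modelled here.
CANONICAL_DOMAINS = ["science.ru.nl"]
KNOWN_HOSTS_LINE = "@cert-authority *.science.ru.nl ecdsa-sha2-nistp521 <CA-KEY-BLOB>"
# Constructed stand-in for DNS: names that "resolve" in this offline example.
FAKE_DNS = {"lilo.science.ru.nl"}


def canonicalize(name, domains=CANONICAL_DOMAINS, max_dots=1, fallback_local=False):
    """Approximate CanonicalizeHostname yes (CanonicalizeMaxDots defaults to 1)."""
    if name.count(".") > max_dots:
        return name  # already looks qualified: used exactly as typed
    for domain in domains:
        candidate = f"{name}.{domain}"
        if candidate in FAKE_DNS:
            return candidate
    if not fallback_local:  # CanonicalizeFallbackLocal no: fail instead of guessing
        raise LookupError(f"could not resolve host {name!r}")
    return name


def host_matches(host, patterns):
    """known_hosts pattern list: '*' and '?' wildcards; a matching '!pat' vetoes."""
    matched = False
    for pat in patterns.lower().split(","):
        negated, pat = pat.startswith("!"), pat.lstrip("!")
        regex = re.escape(pat).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, host.lower()):
            if negated:
                return False
            matched = True
    return matched


def ca_trusted_for(typed_name, use_canonicalization=True):
    """Return (name used for the known_hosts lookup, whether the CA line applies)."""
    marker, patterns, _keytype, _blob = KNOWN_HOSTS_LINE.split()
    name = canonicalize(typed_name) if use_canonicalization else typed_name
    return name, marker == "@cert-authority" and host_matches(name, patterns)


if __name__ == "__main__":
    for typed, canon in [("lilo", False), ("lilo", True),
                         ("lilo.science.ru.nl", False),
                         ("lilo.science.ru.nl.example.org", True)]:
        print(typed, canon, ca_trusted_for(typed, canon))
```

Without the config change the short name lilo is looked up as typed and the CA line never applies, while a look-alike name that merely contains science.ru.nl is not covered by the pattern either.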

SSH can be used for:

  • port forwarding on another host
  • proxying for example web traffic
  • almost complete VPN functionality

Please consult this article for some excellent tips on how to use and configure your ssh client.

Preventing ssh disconnects

In case you experience connectivity issues using ssh, use the following settings for your ssh-client. This can be done by adding the following lines to the config file .ssh/config (or /etc/ssh/ssh_config):

TCPKeepAlive no
ServerAliveInterval 60
ServerAliveCountMax 10