Secure Shell. Mike Griffiths & Deniz Savas, CiCS Dept, Sheffield University, November 2005. Contents: What is ssh? How to use it? Single sign on using ssh; Digital certificates; Accessing and Managing Grid Resources; Wrgrid commands; Further Information.
Secure Shell
Mike Griffiths & Deniz Savas, CiCS Dept, Sheffield University, November 2005
Secure Shell
• What is ssh?
• How to use it?
• Single sign on using ssh
• Digital certificates
• Accessing and Managing Grid Resources
• Wrgrid commands
• Further Information
Secure Shell
• Program to log into another computer over a network
• Execute commands on a remote machine
• Move files from one machine to another
• Provides strong authentication and secure communications over insecure channels
• Intended as a replacement for rlogin, rsh, rcp, and rdist
The Secure shell protocol
• SSH is a new method of communications over the Internet that encrypts data end-to-end
• Replaces telnet, ftp, rsh and rcp
• Components:
• Secure shell: ssh
• Secure ftp: sftp
• Secure copy: scp
ssh
• You only need the SSH client. The server is unnecessary, unless you wish to connect back to your home machine via the Internet using SSH.
• Connecting to a WRG node: ssh -l wrsmg maxima.leeds.ac.uk
• To use X Windows add the "-X" flag
• SSH will then carry the X Windows traffic over the Internet for the connection
• Range of options for changing ports, specifying authentication files, encryption algorithms etc.
• Use man ssh for help with options
Running X Windows Apps
• Examples: file manager and NAG Iris Explorer on Maxima
• After using ssh to access a remote host: setenv DISPLAY workstation_address:1.0
• The workstation address can be the IP number of the workstation
• Check the IP number using nslookup (on Linux) or ipconfig (PC)
Secure ftp (sftp)
• Establishes an FTP-style file transfer session between Unix systems
• The sftp command is always used in the form: sftp user@server
• e.g. from titania: sftp wrsmg@maxima.leeds.ac.uk
Transferring Files Using sftp
From the SFTP prompt (sftp>) you can do the following:
• get command to retrieve a file from the remote Unix server, e.g. get test.txt
• put command to transfer a file from your Unix system to the remote Unix system you are connected to, e.g. put file2.txt
Navigating file systems using sftp
From the SFTP prompt (sftp>) you can do the following:
• ls command to display the contents of a directory on the remote Unix system you are connected to, e.g. ls /home/user will display the contents of the directory /home/user on the remote Unix system
• cd and lcd commands change the current remote directory or the current local directory, e.g. cd /home/user will change the current remote directory to /home/user
Summary of sftp commands 1
• mget Retrieve multiple files from server
• mput Transfer multiple files to server
• pwd Display remote working directory
• quit or exit Quit sftp
• rename oldpath newpath Rename remote file
• rmdir path Remove remote directory
• rm path Delete remote file
• version Show SFTP version
• ? Synonym for help
Summary Listing of SFTP commands 2
• ascii Use text transfer mode
• help Display the help text
• image Use binary transfer mode
• lls [ls-options [path]] Display local directory listing
• lmkdir path Create local directory
• ls [path] Display remote directory listing
• mkdir path Create remote directory
• put local-path [remote-path] Upload file
Secure copy - scp
• Using SCP: a fast, easy method to copy single files from your Unix system to a remote Unix system
Retrieving a file using SCP
• To retrieve a file from a remote Unix system, the syntax is: scp username@server:file local-file
• username = username on the remote system
• server = the name of the remote Unix system
• file = the file to retrieve from the remote system
• local-file = the location you wish to save the file to on your local Unix system
Transferring a file to a remote Unix system using SCP
• The syntax is: scp local-file username@server:file
• local-file = the file to transfer from the local system
• username = username on the remote system
• server = the name of the remote Unix system
• file = the location you wish to save the file to on the remote Unix system
Transferring Multiple Files
• mget and mput with sftp
• Use tar and compress to package a directory tree
• scp transfers the packaged directory tree
• uncompress and extract the directory tree using tar
Security
• Authentication: are you who you say you are?
• Authorisation: what are you permitted to do?
• Message protection: integrity, confidentiality
• Single sign-on
• Delegation
SSH Authentication
• SSH allows authentication based on:
• what we know (our key pass-phrase)
• and what we have (our private key)
SSH Authentication
• Enables single sign on to remote resources that use ssh
• Authentication utilities:
• ssh-keygen: authentication key pair generation
• ssh-agent: authentication agent
• ssh-add: adds identities to the authentication agent
ssh files and directories
• authorized_keys: contains the public keys of hosts and users authorised to access this host
• known_hosts: list of hosts from which ssh authentication is allowed; contains the public key of each remote host
Enabling Single Sign On Using SSH
• Enabled using the utility ssh-keygen
• ssh-keygen generates and manages authentication keys for ssh
Steps for setting up single sign on
General steps for enabling your local host to access an account on a remote host without providing a password:
• Generate a key pair on your local host
• Copy the public key to the remote host you require access to
• Edit the authorized_keys file on the remote host
Running ssh-keygen
• Generate a key pair of type rsa: ssh-keygen -t rsa
• At the prompt for a file name press return; the default filename will be used for the pair
• At the prompt for a pass phrase and the prompt to re-enter the pass phrase just hit return
• A pair of keys has now been generated; the private key must be protected
Preparing the Remote Host for Single Sign On
• Copy the public key you created using ssh-keygen to the .ssh directory on the remote host
• Append your public key to the authorized_keys file in the .ssh directory
• Single sign on using secure shell is now enabled
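The three steps above (generate a key pair, copy the public key, append it to authorized_keys), as an added shell example that is not part of the original slides. It keeps a passphrase on the key and relies on ssh-agent/ssh-add (the utilities listed earlier) for the single sign-on instead of the empty passphrase chosen above, and it runs the remote-side append against a local directory so the permission handling can be checked offline; the key line, paths and user names are constructed.

```shell
#!/bin/sh
# Added example, not from the slides. Single sign-on setup with a passphrase-protected
# key plus ssh-agent. Paths, user names and the key line are constructed assumptions.
set -eu

# Step 1 (local host): generate an RSA key pair protected by a passphrase.
# Requires the OpenSSH client; returns 0 without doing anything if it is absent.
generate_keypair() {
    keyfile=$1 passphrase=$2
    command -v ssh-keygen >/dev/null 2>&1 || return 0
    ssh-keygen -q -t rsa -b 3072 -N "$passphrase" -f "$keyfile" -C "constructed-example"
}

# Step 2 (local host): load the key into an agent once, so later ssh/scp/sftp runs
# authenticate without re-typing the passphrase. Interactive: ssh-add prompts for it.
load_into_agent() {
    eval "$(ssh-agent -s)" >/dev/null   # exports SSH_AUTH_SOCK and SSH_AGENT_PID
    ssh-add "$1"
}

# Step 3 (remote host's ~/.ssh): append the public key to authorized_keys.
# Run here against a local directory so the behaviour can be checked offline.
# Enforces the 0700/0600 modes sshd expects with StrictModes on, and appends the key
# only once (grep -x -F: whole-line, fixed-string match). Prints how many copies of
# the key the file holds afterwards.
install_pubkey() {
    sshdir=$1 pubkey=$2
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$sshdir/authorized_keys"
    chmod 600 "$sshdir/authorized_keys"
    if ! grep -qxF -- "$pubkey" "$sshdir/authorized_keys"; then
        printf '%s\n' "$pubkey" >> "$sshdir/authorized_keys"
    fi
    grep -cxF -- "$pubkey" "$sshdir/authorized_keys"
}

# Permission string of a path as ls prints it (portable, unlike stat -c).
mode_of() { ls -ld "$1" | cut -c1-10; }

# Real flow (constructed hosts): generate_keypair ~/.ssh/id_rsa 'my passphrase';
# load_into_agent ~/.ssh/id_rsa; scp ~/.ssh/id_rsa.pub wrsmg@maxima.leeds.ac.uk:;
# then on maxima: install_pubkey ~/.ssh "$(cat id_rsa.pub)"
```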
Comments
• Enables distributed-application shell scripts that run applications on, and transfer resources between, the different systems on which you have accounts
• The approach does not require a separate logon to access each node
Grid Security Infrastructure
• The Grid Security Infrastructure uses PKI to protect the security of communications on the Internet
• A public key infrastructure integrates digital certificates, public key cryptography and certification authorities
• Digital certificates allow individual users and hosts to confidently validate the identity of each party involved in a transaction
• Uses X509v3 digital certificates
GSI Delegation
• Proxies are temporary certificates signed by the owner, with:
• an expiry date
• a private key
• Relies on conventional filesystem security
• Enables remote processes to authenticate with further resources
• Hence single sign-on
Apply to Use Grid Resources
• White Rose Grid: download, complete and sign a form
• National Grid Service: complete the online form and provide a case
• Details at: http://www.shef.ac.uk/wrgrid/access
Why???
• Extra compute resource?
• Run jobs when local queues are busy
• Run more jobs
• Run jobs faster
How to Obtain an X509v3 Certificate
• Request a certificate from the CA
• Get the request approved by the local registration authority (ID required)
• Get the certificate from the CA, install it and test it
• You may need to use OpenSSL to convert the certificate for use
• Details at: http://www.shef.ac.uk/wrgrid/access
Protection of Credentials
• Permissions on the long-term private key file: read only (userkey.pem is read only by default)
• The passphrase for encrypting your private key must be secure
• Private keys and proxy files should not be stored on removable media
• Private keys should be copied using secure methods only (sftp, NOT ftp or rcp)
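An added shell check for the two file-mode points made here and on the GSI Delegation slide (the long-term key must be owner read-only, and a proxy relies on conventional filesystem security); it is not part of the original slides. The directory layout and file names are constructed for the demonstration, and the proxy name pattern x509up_* follows the usual Globus convention.

```shell
#!/bin/sh
# Added example, not from the slides: audit and repair the modes of GSI credential
# files. Paths are constructed; only the conventional names userkey.pem and x509up_*
# are assumed.

# mode_of PATH: permission string as ls prints it (portable; stat -c is GNU-only)
mode_of() { ls -ld "$1" | cut -c1-10; }

# credential_ok FILE: prints ok when the file grants no group or world access at all
# (owner read-only 0400, the userkey.pem default, or owner read/write 0600, as used
# for proxy files); prints bad for anything more open, a directory, or a symlink.
credential_ok() {
    case "$(mode_of "$1")" in
        -r--------|-rw-------) echo ok ;;
        *)                     echo bad ;;
    esac
}

# lock_down FILE: restore owner read-only (0400) and report the resulting state.
lock_down() {
    chmod 400 "$1"
    credential_ok "$1"
}

# audit DIR: print the path of every credential file under DIR (userkey.pem and any
# x509up_* proxy) whose mode is too open; prints nothing when all are acceptable.
audit() {
    for f in "$1"/userkey.pem "$1"/x509up_*; do
        [ -e "$f" ] || continue
        [ "$(credential_ok "$f")" = ok ] || echo "$f"
    done
}
```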
Using the Grid
• Iceberg grid commands: wrhelp
• Geodise toolkit with MATLAB (available on iceberg)
• gsissh, gsiscp
• From maxima: Globus toolkit gt2.4
wr grid commands: Overview
• wrhelp
• wrnn
• Proxy management
• Execute commands (e.g. unix) on a remote node
• Transfer files
• Submit jobs
wr grid commands: Help and nodes
• wrhelp: gives a list of available commands
• Type a command with the -help option to get help on it
• wrnn: lists the WRG nodes and NGS nodes with the correct contact information
• Given a nickname for a node, returns the correct contact name
• e.g. ssh -X wrsmg@`wrnn snowdon`
wr grid commands: Proxy management
• wrgpi: initialises a proxy
• wrgpinf: displays information about the current proxy
• wrgpd: deletes the proxy
wr grid commands: Execute Commands
• wrunx: execute a unix command (/bin)
• wrunx nodenickname command options
• wrexe: run an executable on the specified path
• wrexe fullnodecontact command+path options
• Can use a jobmanager, i.e. sge, pbs, condor
wr grid commands: File Transfer
• wrft
• wrft fromnode fromfile+path tonode tofile+path
• Use the nickname from wrnn to specify fromnode and tonode
• The file must include a path which is RELATIVE to the HOME area on the node
• i.e. no need to remember where home is located on the different nodes
• Can do third-party file transfers
wr grid commands: Job management
• Use wrft to transfer the required resources to the node
• wrjobsubmit fullcontactnamefornode rslfile
• The full contact name for the node (not the nickname) can include the job manager
• Provide the name of an RSL file
• Returns a handle for the job
• wrjobstatus jobhandle
• wrjobkill jobhandle
Further Information
• Registration and Access: http://www.shef.ac.uk/wrgrid/access/index.html
• Status information about nodes: http://www.shef.ac.uk/wrgrid/status.html
• RSL Scripting: http://www.ipg.nasa.gov/ipgusers/globus/4-globus.html
• Documentation Index: http://www.shef.ac.uk/wrgrid/documents/index.html
• Contacts: http://www.shef.ac.uk/wrgrid/contact.html