User Tools

Site Tools


Configure SSH on a Remote Compute Server

Requirements

To configure an ssh connection to a remote Compute Server using a public key and a private key requires:

  • A remote Compute Server with an ssh server
    • openssh in this UNIX example
  • csh installed on the remote Compute Server
  • private key and public key files on the ssh client and server

An EASA Server will work as any other ssh client.

For testing, we recommend installing a third party ssh client like putty. We will also use putty to generate the keys for the Windows example.

EASA uses Java for ssh file operations, which uses an sftp implementation; Thus sftp must be enabled.

To enable sftp for openssh on linux,

  • Uncomment the line in the following file (remove the initial # symbol):
    • sshd_config
      • #Subsystem sftp /usr/lib/openssh/sftp-server

Create Private and Public key files

It does not matter where the private key and public key are created, the private key will be installed on the client machine (the EASA Server) and the public key will be used for any ssh server, in this case, the remote Compute Server

  • If the private/public key pair is created on the client machine
    • Move the public key to the server machine
  • If the key pair is from the remote machine
    • Move the private key to the client machine.
  • If the private/public key files are to be created on Windows
    • We need a third party software like Putty
  • If the private/public key files are to be created on UNIX
    • Create them at the command line.
  • → Both cases are explained below.

Create Private and Public key files on Windows

  • To create a private key and a public key file we need a third party software, putty in this case.
    • Once putty is installed, we have two programs:
      • puttygen to work with the keys
        • (to generate, to import, to export and to even take public key in text format)
      • putty to test
  • Open puttygen
  • Check parameters, the recommended ones are:
    • SSH-2 RSA
    • 2048 bits
  • Click on Generate button
  • Keep moving the mouse over the indicated area to generate the key
  • Copy the public key in text format
    • Save it somewhere
  • Set key passphrase and confirm passphrase fields with the desired password to protect private key
  • Click on Save private key button, save it in .pkk format
    • (This will be used by putty to make tests)
  • Click in Conversions on the toolbar
    • Select Export OpenSSH key
    • This will be used by EASA to connect with remote Compute Server
    • Save the key without extension
  • No need to save public key as we copied it in text format.
    • It can be saved if desired, but we won't use it

Create Private and Public key files on UNIX

We can do this just using the following command:

  • ssh-keygen -t rsa -b 2048
    • Select <ENTER> at the 'filename prompt' → the names will be:
      • id_rsa for private key
      • id_rsa.pub for public key)
  • At the passphrase prompt (to protect private key):
  • Type a password
  • Select <ENTER>

If this command was run on the remote Compute Server then the public key can stay in that machine, the private key has to be moved to the client machine (EASA Server ). In that case SAMBA will be needed to make a share between the UNIX machine and Windows machine, or you can use any other approach to move the file. Be careful with the permissions of the private key file, as it is 600, so maybe you will need to change the permissions to 755 or something like that to be able to take the file remotely.

Also copy the public key file to any other remote Compute Servers that require this kind of ssh authentication.


Configure Public Key in the remote compute server(s)

An ssh server has to be running on this machine, we will need to create a folder under the user which will be used to connect through SSH. In my case, I have an user called user1 on this machine and its path to its home folder is /home/user1:

  • Create a folder called .ssh/ in the home folder:
    • cd /home/user1
    • mkdir .ssh
  • Create an empty authorized_keys file:
    • cd /home/user1/.ssh
    • touch authorized_keys
  • Put the public key in the authorized_keys file:
    • If public key was created on windows
      • Paste the key text into the authorized_key file (use a text editor like gedit):
        • sudo gedit /home/user1/.ssh/authorized_keys
        • Paste key text
        • Save the file (sudo rights are needed)
  • If public key was created on UNIX
    • Directly copy the content of the public key file into authorized_keys with:
      • cat path/publickeyname >> /home/user1/.ssh/authorized_keys
  • Use chmod to configure permissions for the following folders and files:
    • chmod 750 /home/user1
    • chmod 700 /home/user1/.ssh
    • chmod 600 /home/user1/.ssh/authorized_keys

Testing and Debugging

Now we use putty to connect from the client machine to the remote machine.

The private key file must be installed in the file system of the client machine:

  • Open putty
  • Enter the IP address or remote machine name as host
  • Leave port 22 and SSH selected
  • In the left side tree,
    • Go to Connection
      • open SSH
      • Click on Auth
  • Click on Browse button
    • Find the private key file.
    • Choose the one with .ppk extension
  • In the left side tree,
    • Click on sessions.
    • Set a name on Saved session field
    • Click Save to keep the configuration just in case we need to make more tests
  • Click Open button
  • A window will open prompting for a user
    • user1 in this example
  • If successful it will say something like:
    • Authenticating with public key “xxxx”
    • Passphrase for key “xxxx”:
  • Type passphrase to unblock private key

Otherwise if it does not work it will say something like:

  • Server refused our key
  • In this case we can enable debugging on the ssh server to see what's happening:
    • In the remote machine, look for the SSH configuration file.
      • In our openssh example its:
        • /etc/ssh/sshd_config
    • Open sshd_config with a text editor.
      • We use gedit (sudo is needed to save file):
        • sudo gedit sshd_config
        • Inside sshd_config
          • Set:
            • Loglevel DEBUG3
    • Now we attempt to connect using putty,
      • Then check /var/log/secure or if it does not exist then /var/log/auth.log

Configure EASA to use private key

Now everything is ready to configure EASA to use the private key to connect with the remote Compute Server. The private key has to be somewhere in the file system of the EASA Server.

  • From EASA→Administrator→Configure→Compute Servers
    • Open the Compute Server Configuration Tool
    • Create a new SSH SERVER PROCESSING (or edit an old one)
      • Username has to be the user configured on the remote system, user1 in this example
  • Working Subdirectory has to be /home/user1/
  • Id File: must be the full path to the file:
    • C:\keyfiles\id_rsa
    • (This file must be the private key you exported in openssh format
  • Id Passphrase: must be the password which protects the private key
  • Configure a Compute Server if you created a new SSH SERVER PROCESSING
  • Test the connection