SSH

From CC Doc
Jump to: navigation, search
Other languages:
English • ‎français

Secure Shell (SSH) is a widely-used standard to connect to remote servers in a secure way. The entire SSH connection is encrypted - especially the login credentials (username and password). SSH is the normal way for Compute Canada users to connect in order to execute commands, submit jobs, follow the progress of these jobs and in some cases, transfer files.

Various implementations of the SSH standard exist for most major operating systems.

  • On OS X (Apple) and Linux the most widely used client is OpenSSH, a command line application installed by default on these platforms.
  • For Windows, individuals have to install an SSH client on their own: options include PuTTY, MobaXTerm, WinSCP, and Bitvise.

To use any of these implementations of SSH successfully, you need to know (1) the name of the machine to which you want to connect, (2) your userid and (3) your password.

The machine name will be something like cedar.computecanada.ca or niagara.computecanada.ca.

Your userid is your Compute Canada default account, typically something like jsmith, and the password is the same one you use to log in to the Compute Canada database, ccdb.computecanada.ca. The userid is not your CCI, like abc-123, nor a CCRI like abc-123-01, nor your email address.

When using Linux or MacOS, you will need to open a terminal, for example /Applications/Utilities/Terminal.app for Apple hardware, and then use the command shown below:

Question.png
[name@server ~]$ ssh -Y userid@machine_name

The option -Y forwards X11 traffic which allows you to use graphical applications on the remote server such as certain text editors. Note that to use graphical applications you also need to have an X11 server installed on your workstation. Under Linux an X11 server will normally already be installed, but users of OS X will typically need to install an external package such as such XQuartz. Under windows, MobaXterm comes with an X11 server, while for PuTTY users, there is VcXsrv. The first time that you connect to a remote server you'll be asked to store a copy locally of its "host key", a unique identifier that allows the ssh client to verify, when connecting next time, that this is the same server.

Note that when connecting via SSH to a Compute Canada cluster you will be randomly assigned to one of several distinct login nodes used for the cluster to balance the connection load, so that you may well land on a different login node from one connection to another, e.g. cedar1, cedar5, gra-login4 or gra-login2. If you use a program like screen to manage your login sessions, you will need to make sure that you are on the same login node to open an older session, by making an SSH connection to the appropriate login node from whichever one you initially landed on. If for example I was assigned gra-login4 when I typed ssh userid@graham.computecanada.ca but I want to be on gra-login2, I can simply type ssh gra-login2 from gra-login4 to get there.

For more on Windows-based SSH clients, see:

For more on generating key pairs, see:

For how to use SSH to allow communication between compute nodes and the internet, see:

Connection errors[edit]

While connecting to one of our clusters, you might get an error message similar to those listed below:

  • no matching cipher found
  • no matching MAC found
  • unable to negotiate a key exchange method
  • couldn't agree a key exchange algorithm
  • remote host identification has changed.

The last of these error messages can point to a man-in-the-middle attack, or to an upgrade of security of the cluster you are trying to connect to. If you get this, verify that the host key mentioned in the message matches one of the host keys published at SSH host keys. If it does, it is safe to continue connecting. If the host key does not appear on our published list, terminate the connection and contact support.

One such upgrade occurred on the Niagara cluster on May 31, 2019. See this page for the one-time action required from users after the security upgrade. Further upgrades of this type are expected on all clusters in late September/October 2019; see SSH security improvements for more information.

If you see any of the other error messages, you will have to upgrade your OS and/or SSH client that supports strong ciphers, key exchange protocols and MAC (message authentication code) algorithms.

Here are known versions that will fail and will have to be upgraded:

  • OpenSSH on CentOS/RHEL 5
  • PuTTY v0.64 and earlier on Windows

Compute Canada Role Identifier