
Secure Shell


Presentation Transcript


  1. Secure Shell Mike Griffiths & Deniz Savas CiCS Dept Sheffield University November 2005

  2. Secure Shell • What is ssh? • How to use it? • Single sign on using ssh • Digital certificates • Accessing and Managing Grid Resources • Wrgrid commands • Further Information

  3. Secure Shell • Program to log into another computer over a network • Execute commands on a remote machine • Move files from one machine to another • Provides strong authentication and secure communications over insecure channels. • Intended as a replacement for rlogin, rsh, rcp, and rdist.

  4. The Secure shell protocol • SSH is a new method of communications over the Internet that encrypts data end-to-end. • Replaces telnet, ftp, rsh and rcp • Components • Secure shell ssh • Secure ftp sftp • Secure copy scp

  5. ssh • You only need the SSH client. The server is unnecessary, unless you wish to connect back to your home machine via the Internet using SSH. • Connecting to a WRG node: ssh -l wrsmg maxima.leeds.ac.uk • To use X-windows add the "-X" flag • SSH will then carry X-windows traffic over the Internet to connect • Range of options for changing ports, specifying authentication files, encryption algorithms etc. • Use man ssh for help with options

  7. Running X Windows Apps • Examples • File manager and NAG Iris explorer on Maxima • After using ssh to access a remote host • setenv DISPLAY workstation_address:1.0 • Workstation address can be an ip number of the workstation • Check ip number using nslookup (on linux), ipconfig (pc)

  8. Secure ftp (sftp) • Establishes an FTP-style file transfer session between the Unix systems • sftp command always used in the form: sftp user@server • e.g. from titania: sftp wrsmg@maxima.leeds.ac.uk

  9. Transferring Files Using sftp From the SFTP prompt (sftp>) can do the following: • get command to retrieve a file from the remote Unix server. • get test.txt • put command to transfer a file from your Unix system to the remote Unix system you are connected to. • put file2.txt

  10. Navigating file systems using sftp From the SFTP prompt (sftp>) can do the following: • ls command to display the contents of a directory on the remote Unix system you are connected to. • ls /home/user will display the contents of the directory /home/user on the remote Unix system. • cd and lcd commands change the current remote directory, or the current local directory. • e.g. cd /home/user will change the current remote directory to /home/user.

  11. Summary of sftp commands 1 • mget Retrieve multiple files from server • mput Transfer multiple files to server • pwd Display remote working directory • quit or exit Quit sftp • rename oldpath newpath Rename remote file • rmdir path Remove remote directory • rm path Delete remote file • version Show SFTP version • ? Synonym for help

  12. Summary Listing of SFTP commands 2 • ascii Use text transfer mode • help Display the help text • image Use binary transfer mode • lls [ls-options [path]] Display local directory listing • lmkdir path Create local directory • ls [path] Display remote directory listing • mkdir path Create remote directory • put local-path [remote-path] Upload file

  13. Secure copy - scp • Using SCP: a fast, easy method to copy single files from your Unix system to a remote Unix system.

  14. Retrieving a file using SCP • To retrieve a file from a remote Unix system, the syntax is: scp username@server:file local-file • username= username on the remote system • server= the name of the remote Unix system • file= the file to retrieve from the remote system • local-file= the location you wish to save the file to on your local Unix system

  15. Transferring a file to a remote Unix system using SCP • The syntax is: scp local-file username@server:file • local-file= the file to transfer from the local system • username= username on the remote system • server= the name of the remote Unix system • file= the location you wish to save the file to on the remote Unix system

  16. Transferring Multiple Files • mget and mput with sftp • Use tar and compress to package a directory tree • scp transfers the packaged directory tree • uncompress and extract directory tree using tar
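The packaging round trip of slide 16 carried through as an added example (not part of the slides): pack a directory tree into one archive, record a checksum, transfer the single file with scp, then verify and extract on the far side. gzip stands in for the older compress command named on the slide; the remote host name, the archive name and the target paths are assumptions, and the offline test simulates the remote side with a second local directory.

```shell
#!/bin/sh
# Added example: package a directory tree for a single scp transfer and
# verify it after extraction. Remote host/paths are assumptions.

# SHA-256 of a file, using whichever tool the system provides.
checksum() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Pack src_dir into a gzip-compressed tarball (archive) and print its
# checksum so the receiving side can compare before extracting.
# Paths inside the archive are relative (tar -C), never absolute.
pack_tree() {
  src_dir="$1"; archive="$2"
  tar -czf "$archive" -C "$(dirname "$src_dir")" "$(basename "$src_dir")" || return 1
  checksum "$archive"
}

# Send the archive with scp (not executed in the offline test).
# e.g. send_tree project.tgz wrsmg@maxima.leeds.ac.uk:project.tgz
send_tree() {
  scp "$1" "$2"
}

# Refuse to extract unless the checksum matches what pack_tree printed;
# only then create dest_dir and unpack into it.
unpack_tree() {
  archive="$1"; expected="$2"; dest_dir="$3"
  [ "$(checksum "$archive")" = "$expected" ] || return 2
  mkdir -p "$dest_dir" && tar -xzf "$archive" -C "$dest_dir"
}

# Return 0 when two directory trees have identical contents.
trees_match() {
  diff -r "$1" "$2" >/dev/null 2>&1
}
```

Usage on a real transfer: run pack_tree locally and note the printed checksum, send_tree the archive, then on the remote node run unpack_tree with that checksum so a truncated or altered archive is never extracted.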

  17. Security • Authentication • Are you who you say you are? • Authorisation • What are you permitted to do? • Message protection • Integrity • Confidentiality • Single sign-on • Delegation

  18. SSH Authentication • SSH allows authentication based on • what we know (our key pass-phrase) • and what we have (our private key).

  19. SSH Authentication • Enable single sign on to remote resources that use ssh. • Authentication Utilities • ssh-keygen • Authentication key pair generation • ssh-agent • Authentication agent • ssh-add • Adds identities for authentication agent

  20. ssh files and directories • authorized_keys • Contains public keys of hosts and users authorised to access this host • known_hosts • List of hosts from which ssh authentication is allowed. Contains public key for remote host

  21. Enabling Single Sign On Using SSH • Enable using the Utility ssh-keygen • ssh-keygen • Generates and manages authentication keys for ssh

  22. Steps for setting up single sign on • General steps for enabling your local host to access an account on a remote host without providing a password • Generate a key pair from your local host • Copy public key to remote host you require access • Edit authorized_keys file on the remote host

  23. Running ssh-keygen • Generate a key pair of type rsa • ssh-keygen -t rsa • At the prompt for a file name press return and the default filename will be used for the pair • At the prompt for a pass phrase and the prompt to re-enter the pass phrase just hit return. • A pair of keys has now been generated; the private key must be protected.

  24. Preparing the Remote Host for Single Sign On • Copy the public key you created using ssh-keygen to the .ssh directory on the remote host • Append your public key to the authorized_keys file in the .ssh directory • Single sign on using secure shell is now enabled.
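The three steps of slides 22 to 24 (generate a key pair, copy the public key, append it to authorized_keys) as one added shell example, not code from the slides. ssh-keygen is assumed to be installed for the generation step; the key path, the remote user@host and the .ssh location are assumptions, and the offline test stands in for the remote host with a local directory. Beyond the slide text it also sets the directory and file permissions sshd expects, and appends the key only once so re-running the step does not duplicate it.

```shell
#!/bin/sh
# Added example: enabling password-less login with an SSH key pair.
# Remote host, key path and .ssh location are assumptions.

# Step 1: generate an RSA key pair as slide 23 describes (empty
# passphrase, default comment). Returns 1 if ssh-keygen is absent.
generate_keypair() {
  keyfile="$1"
  command -v ssh-keygen >/dev/null 2>&1 || return 1
  ssh-keygen -q -t rsa -N "" -f "$keyfile"
}

# Steps 2 and 3 against a real host: stream the public key over ssh and
# append it remotely (not executed in the offline test).
# e.g. push_pubkey ~/.ssh/id_rsa.pub wrsmg@maxima.leeds.ac.uk
push_pubkey() {
  ssh "$2" 'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys' < "$1"
}

# Steps 2 and 3 on the receiving side: append the key to
# ssh_dir/authorized_keys exactly once, with 700 on the directory and
# 600 on the file (sshd refuses keys in group/world-writable locations).
# Returns 0 when the key is present afterwards.
install_pubkey() {
  pubkey_file="$1"; ssh_dir="$2"
  auth="$ssh_dir/authorized_keys"
  [ -r "$pubkey_file" ] || return 1
  mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
  touch "$auth" && chmod 600 "$auth"
  key=$(cat "$pubkey_file")
  # -F fixed string, -x whole line: a second run adds nothing
  if ! grep -qFx -- "$key" "$auth"; then
    printf '%s\n' "$key" >> "$auth"
  fi
  grep -qFx -- "$key" "$auth"
}

# How many times a public key line occurs in an authorized_keys file.
count_key() {
  grep -cFx -- "$(cat "$1")" "$2"
}
```

On a real node the sequence is generate_keypair, push_pubkey, then an ordinary ssh to the host, which should no longer prompt for a password; install_pubkey is the same append performed when you already have a shell on the remote side.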

  25. Comments • Enables distributed application shell scripts that request applications and transfer resources between different systems on which you have accounts. • Approach does not require logon to access each node

  26. Grid Security Infrastructure • Grid Security Infrastructure uses PKI to protect security of communications on the internet • Public key infrastructure integrates digital certificates, public key cryptography and certification authorities • Digital certificates allow individual users and hosts to confidently validate the identity of each party involved in a transaction • Use X509v3 Digital Certificates

  27. GSI Delegation • Proxies are temporary certificates signed by the owner • Expiry date • Private key • Relies on conventional filesystem security • Enables remote processes to authenticate with further resources • Hence single sign-on

  28. Apply to Use Grid Resources • White Rose Grid • Download, complete and sign a form. • National Grid Service • Complete the online form and provide a case • Details at: • http://www.shef.ac.uk/wrgrid/access

  29. Why??? • Extra compute resource? • Run jobs when local queues are busy… • Run more jobs… • Run jobs faster

  30. How to Obtain an X509v3 Certificate • Obtain certificate from CA • Get request approved by local registration authority (ID required) • Get certificate from CA, install it and test it. • May need to use OpenSSL to convert certificate for use • Details at • http://www.shef.ac.uk/wrgrid/access

  31. Protection of Credentials • Permission on long-term private key file read only (userkey.pem by default is read only) • The passphrase for encrypting your private key must be secure • Private keys and proxy files should not be stored on movable media • Private keys should be copied using secure methods only (sftp NOT ftp or rcp)
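The first two bullets of slide 31 turned into a check you can run over a long-term key, as an added example that is not from the slides: is the private key file unreadable by group and others, and was it written with a passphrase. The key paths are assumptions and the test uses constructed PEM stubs; the passphrase check relies on the ENCRYPTED marker that OpenSSL writes into encrypted PEM and PKCS#8 files (the userkey.pem format of slide 31), while OpenSSH's own key format needs the ssh-keygen probe given in the last function.

```shell
#!/bin/sh
# Added example: audit a long-term private key for the protections
# slide 31 asks for. Key paths are assumptions.

# 0 when group and others have no permission bits at all on the file
# (columns 5-10 of ls -l are the group/other bits).
key_perms_ok() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# 0 when a PEM private key carries the ENCRYPTED marker, i.e. it was
# written under a passphrase. Covers the legacy header
# "Proc-Type: 4,ENCRYPTED" and "BEGIN ENCRYPTED PRIVATE KEY" (PKCS#8).
key_is_encrypted() {
  grep -q 'ENCRYPTED' "$1"
}

# OpenSSH-format keys ("BEGIN OPENSSH PRIVATE KEY") have no such marker;
# there, asking ssh-keygen for the public half with an empty passphrase
# succeeds only on an unprotected key (not run in the offline test).
openssh_key_is_encrypted() {
  ! ssh-keygen -y -P "" -f "$1" >/dev/null 2>&1
}

# Run both checks and print one word:
#   ok | perms | passphrase | perms+passphrase | missing
# Exit status is 0 only for "ok".
audit_key() {
  keyfile="$1"
  [ -f "$keyfile" ] || { echo missing; return 1; }
  problems=""
  key_perms_ok "$keyfile" || problems="perms"
  key_is_encrypted "$keyfile" || problems="${problems:+$problems+}passphrase"
  if [ -z "$problems" ]; then
    echo ok
    return 0
  fi
  echo "$problems"
  return 1
}
```

A typical call is audit_key ~/.globus/userkey.pem; anything other than ok means the key should be re-protected (chmod 400 for perms, regenerating or re-encrypting the key for passphrase) before it is used to create proxies.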

  32. Using the Grid • Iceberg grid commands • wrhelp • Geodise toolkit with matlab (available on iceberg) • gsissh, gsiscp • From maxima • Globus toolkit gt2.4

  33. wr grid commands : Overview • wrhelp • wrnn • Proxy Management • Execute Commands (e.g. unix ) on remote node • Transfer files • Submit jobs

  34. wr grid commands : Help and nodes • wrhelp • Gives list of available commands • Type command with -help option to get help • wrnn • List of wrg nodes and ngs nodes with correct contact information • Given a nickname for a node will return the correct contact name • ssh -X wrsmg@`wrnn snowdon`

  35. wr grid commands : Proxy management • wrgpi • Initialises a proxy • wrgpinf • Displays information about current proxy • wrgpd • Deletes proxy

  36. wr grid commands : Execute Commands • wrunx • Execute unix command (/bin) • wrunx nodenickname command options • wrexe • Run executable on specified path • wrexe fullnodecontact command+path options • Can use jobmanager i.e. sge, pbs, condor

  37. wr grid commands : File Transfer • wrft • wrft fromnode fromfile+path tonode tofile+path • Use nickname in wrnn to specify fromnode and tonode • File must include path which is RELATIVE to the HOME area on a node. • i.e. no need to remember where home on different nodes is located • Can do third party file transfers

  38. wr grid commands : Job management • Use wrft to transfer required resources to node • wrjobsubmit • wrjobsubmit fullcontactnamefornode rslfile • Full contact name for node (not nick name) can include job manager • Provide the name of an rsl file • Returns a handle for the job • wrjobstatus • wrjobstatus jobhandle • wrjobkill • wrjobkill jobhandle

  39. Further Information • Registration and Access • http://www.shef.ac.uk/wrgrid/access/index.html • Status information about nodes • http://www.shef.ac.uk/wrgrid/status.html • RSL Scripting • http://www.ipg.nasa.gov/ipgusers/globus/4-globus.html • Documentation Index • http://www.shef.ac.uk/wrgrid/documents/index.html • Contacts • http://www.shef.ac.uk/wrgrid/contact.html
