Difference between revisions of "SSH"

From SciNet Users Documentation
(SSH For Linux or Mac OS X Users)
Line 65: Line 65:
  
 
A more-obscure technique for setting up SSH communication is the construction of an SSH tunnel.  This can be useful if, for example, your code needs to access an external software license server from a Niagara compute node.  You can read about setting up SSH tunnels on Niagara [[SSH_Tunneling|here]].
 
A more-obscure technique for setting up SSH communication is the construction of an SSH tunnel.  This can be useful if, for example, your code needs to access an external software license server from a Niagara compute node.  You can read about setting up SSH tunnels on Niagara [[SSH_Tunneling|here]].
 +
 +
===Two-Factor authentication===
 +
 +
As a protection for you and for you data and programs, you may use Two-Factor authentication when connecting to Niagara thru SSH. This is optional.
 +
 +
What is Two-Factor authentication?
 +
 +
According to [https://en.wikipedia.org/wiki/Multi-factor_authentication|Wikipedia], Multi-factor authentication is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something the user and only the user knows), possession (something the user and only the user has), and inherence (something the user and only the user is).
 +
 +
Two-factor authentication (also known as 2FA) is a type, or subset, of multi-factor authentication. It is a method of confirming users' claimed identities by using a combination of two different factors: 1) something they know, 2) something they have, or 3) something they are.
 +
 +
A good example of two-factor authentication is the withdrawing of money from an ATM; only the correct combination of a bank card (something the user possesses) and a PIN (something the user knows) allows the transaction to be carried out.
 +
 +
Two other examples are to supplement a user-controlled password with a one-time password (OTP) or code generated or received by an authenticator (e.g. a security token or smartphone) that only the user possesses.
 +
 +
Two-step verification or two-step authentication is a method of confirming a user's claimed identity by utilizing something they know (password) and a second factor other than something they have or something they are. An example of a second step is the user repeating back something that was sent to them through an out-of-band mechanism (such as a code sent over SMS), or a number generated by an app that is common to the user and the authentication system.
 +
 +
Benefits of Two-Factor authentication, 2FA:
 +
 +
2FA delivers an extra layer of protection for user accounts that, while not impregnable, significantly decreases the risk of unauthorized access and system breaches. Users benefit from increased security in the same manner as account access requires far more resources from the hacker.
 +
 +
If you already follow basic password security measures, two-factor authentication will make it more difficult for cyber criminals to breach your account because it is hard to get the second authentication factor, they would have to be much closer to you. This drastically reduces their chances to succeed.
 +
 +
A hacker may gain access to computer. This is not impossible and rather common. They can plant a malware in your computer such as a key logger which will transmit all your keyboard activity. Or a malware that will give a hacker total remote access to you computer. This hacker will easily get your passwords, but it is virtually impossible that the same hacker can get access to your second factor.
 +
 +
We encourage all our users to setup Two-Factor authentication. It’s for your own protection. To setup, you can do it [[Two-Factor_setup|here]]..
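Review bot: the Wikipedia citation in the "What is Two-Factor authentication?" paragraph puts a pipe inside an external link ("[https://en.wikipedia.org/wiki/Multi-factor_authentication|Wikipedia]"). MediaWiki external links separate the URL from the label with a space, so the pipe and the label become part of the URL and the link renders as a bare "[1]", as it does in the rendered revision. Suggest "[https://en.wikipedia.org/wiki/Multi-factor_authentication Wikipedia]". While editing this block, also fix "for you data", "thru", "gain access to computer", "access to you computer" and the doubled period after the [[Two-Factor_setup|here]] link.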

Revision as of 20:37, 24 June 2020

SSH (secure shell) is the only way to log into the systems at SciNet. It opens a secure, encrypted connection between your computer and those at SciNet, protecting not only your password, but all other data going between the machines. If you have a Linux or Mac OSX machine, you already have SSH installed; if you have a Windows machine, you will have to install additional software before logging into SciNet.

SSH For Linux or Mac OS X Users

Simple Login

To log in to the systems at SciNet, open a terminal in Linux or Mac OS X and type

ssh USERNAME@niagara.scinet.utoronto.ca

where you will replace USERNAME with your username; you will then be prompted to type your password. Once done, you will be logged into the login nodes at the SciNet data centre, as if you had a terminal from those machines on your desktop.

Note that if your username is the same on both the machine you're logging in from and the SciNet machines, you can drop the USERNAME@, as SSH by default will try to use the username on the machine you are logging in from.

Copying Files

The SSH protocol can be used for more than logging in remotely; it can also be used to copy files between machines. The advantages are the same; both your password and the data you are sending or receiving are secure.

To copy small files from your home computer to a subdirectory of your /scratch directory at SciNet, you would type from a terminal on your computer

scp filetocopy.txt USERNAME@niagara.scinet.utoronto.ca:/scratch/USERNAME/some_subdirectory/

Note that soon the location of your scratch directory will change, and you will have to type:

scp filetocopy.txt USERNAME@niagara.scinet.utoronto.ca:/scratch/G/GROUPNAME/USERNAME/some_subdirectory/

Similarly, to copy files back into your current directory, you would type

scp USERNAME@niagara.scinet.utoronto.ca:/scratch/G/GROUPNAME/USERNAME/my_dirs/myfile.txt . 

The Data Management wiki page has much more information on doing large transfers efficiently.

SSH for Windows Users

To use SSH on Windows, you will have to install SSH software. SciNet recommends, roughly in order of preference:

  • Cygwin is an entire Linux-like environment for Windows. Using something like Cygwin is highly recommended if you are going to be interacting a lot with Linux systems, as it will give you a development environment very similar to that on the systems you'll be using. Download and run setup.exe, and install any packages you think you'll need. Once this is done, you will have icons for terminals, including one saying something like "X11". From any of these, you'll be able to type ssh user@niagara.scinet.utoronto.ca as above; if you think you will need to pop up windows from SciNet machines (e.g., for displaying data or using Profiling Tools), you'll need to use the X11 terminal and type ssh -Y user@niagara.scinet.utoronto.ca. Other SSH tools such as scp will work as above.
  • MobaXterm is a tabbed ssh client with some Cygwin tools all wrapped up into one executable.
  • OpenSSH For Windows installs only those parts of Cygwin necessary to run SSH. Again, once installed, opening up one of the new terminals allows you to use SSH as in the Linux/Mac OSX section above, but X11 forwarding for displaying windows may not work.
  • PuTTY is one of the better stand-alone SSH programs for Windows. It is a small download, and is enough to get you logged into the SciNet machines. For advanced use like X11 forwarding, however, you are better off using Cygwin. A related program, PSCP, can be used to copy files using a graphical user interface.
    WARNING: Make sure you download PuTTY from the official website, because there are "trojanized" versions of PuTTY around that will send your login information to a site in Russia (as reported here).


X11 Forwarding

If during your login session you will only need to be typing and reading text, the techniques described above will suffice. However, if in a session you will need to be displaying graphics — such as plotting data on the SciNet machines or using our performance profiling tools — you can use SSH's very powerful ability to forward several different types of data over one connection. To enable "X11 forwarding" over this SSH connection, add the option -Y to your command,

ssh -Y USERNAME@niagara.scinet.utoronto.ca

  • Both Windows and Mac OS users will need to install an additional program, usually referred to as an "X server", for X forwarding to work; it interprets the forwarded data (graphics) and displays it on the local computer.
  • Mac OS users need to install XQuartz.
  • Windows users could opt for installing MobaXterm, which is an SSH client that already includes an X server.


Advanced SSH Usage

There are a few SSH techniques that are handy to know.

SSH Keys

You can automate the process of logging into SciNet systems by setting up SSH keys. You can read about doing so by visiting this page.

SSH Tunnels

A more-obscure technique for setting up SSH communication is the construction of an SSH tunnel. This can be useful if, for example, your code needs to access an external software license server from a Niagara compute node. You can read about setting up SSH tunnels on Niagara here.

Two-Factor authentication

As a protection for you and for your data and programs, you may use Two-Factor authentication when connecting to Niagara through SSH. This is optional.

What is Two-Factor authentication?

According to Wikipedia [1], multi-factor authentication is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something the user and only the user knows), possession (something the user and only the user has), and inherence (something the user and only the user is).

Two-factor authentication (also known as 2FA) is a type, or subset, of multi-factor authentication. It is a method of confirming users' claimed identities by using a combination of two different factors: 1) something they know, 2) something they have, or 3) something they are.

A good example of two-factor authentication is the withdrawing of money from an ATM; only the correct combination of a bank card (something the user possesses) and a PIN (something the user knows) allows the transaction to be carried out.

Two other examples are to supplement a user-controlled password with a one-time password (OTP) or code generated or received by an authenticator (e.g. a security token or smartphone) that only the user possesses.

Two-step verification or two-step authentication is a method of confirming a user's claimed identity by utilizing something they know (password) and a second factor other than something they have or something they are. An example of a second step is the user repeating back something that was sent to them through an out-of-band mechanism (such as a code sent over SMS), or a number generated by an app that is common to the user and the authentication system.

Benefits of Two-Factor authentication, 2FA:

2FA delivers an extra layer of protection for user accounts that, while not impregnable, significantly decreases the risk of unauthorized access and system breaches. Users benefit from the increased security because gaining access to an account requires far more resources from the hacker.

If you already follow basic password security measures, two-factor authentication will make it more difficult for cyber criminals to breach your account, because it is hard to get the second authentication factor: they would have to be much closer to you. This drastically reduces their chances of success.

A hacker may gain access to your computer. This is not impossible, and is in fact rather common. They can plant malware on your computer, such as a key logger that transmits all your keyboard activity, or malware that gives the hacker total remote access to your computer. This hacker will easily get your passwords, but it is virtually impossible for the same hacker to get access to your second factor.

We encourage all our users to set up Two-Factor authentication. It’s for your own protection. You can set it up here.