Secure Shell - PowerPoint PPT Presentation

PowerPoint Slideshow about 'Secure Shell' - donna-tran

Presentation Transcript
Secure Shell

Mike Griffiths & Deniz Savas

CiCS Dept

Sheffield University

November 2005


Secure Shell

  • What is ssh?

  • How to use it?

  • Single sign on using ssh

  • Digital certificates

  • Accessing and Managing Grid Resources

  • Wrgrid commands

  • Further Information


Secure Shell

  • Program to log into another computer over a network

  • Execute commands on a remote machine

  • Move files from one machine to another

  • Provides strong authentication and secure communications over insecure channels.

  • Intended as a replacement for rlogin, rsh, rcp, and rdist.


The Secure shell protocol

  • SSH is a new method of communications over the Internet that encrypts data end-to-end.

  • Replaces telnet, ftp, rsh and rcp

  • Components

    • Secure shell ssh

    • Secure ftp sftp

    • Secure copy scp


ssh

  • You only need the SSH client. The server is unnecessary, unless you wish to connect back to your home machine via the Internet using SSH.

  • Connecting to a WRG node: ssh -l wrsmg maxima.leeds.ac.uk

  • To use X-windows add the "-X" flag

    • SSH will then carry X Windows traffic over the Internet to connect

  • Range of options for changing ports, specifying authentication files, encryption algorithms etc.

    • Use man ssh for help with options



Running X Windows Apps

  • Examples

    • File manager and NAG Iris explorer on Maxima

  • After using ssh to access a remote host

    • setenv DISPLAY workstation_address:1.0

    • Workstation address can be an ip number of the workstation

    • Check ip number using nslookup (on linux), ipconfig (pc)


Secure ftp (sftp)


Transferring Files Using sftp

From the SFTP prompt (sftp>) you can do the following:

  • get command to retrieve a file from the remote Unix server.

    • get test.txt

  • put command to transfer a file from your Unix system to the remote Unix system you are connected to.

    • put file2.txt


Navigating file systems using sftp

From the SFTP prompt (sftp>) you can do the following:

  • ls command to display the contents of a directory on the remote Unix system you are connected to.

    • ls /home/user will display the contents of the directory /home/user on the remote Unix system.

  • cd and lcd commands change current remote directory, or current local directory.

    • e.g. cd /home/user will change the current remote directory to /home/user.


Summary of sftp commands 1

  • mget Retrieve multiple files from server

  • mput Transfer multiple files to server

  • pwd Display remote working directory

  • quit or exit Quit sftp

  • rename oldpath newpath Rename remote file

  • rmdir path Remove remote directory

  • rm path Delete remote file

  • version Show SFTP version

  • ? Synonym for help


Summary Listing of SFTP commands 2

  • ascii Use text transfer mode

  • help Display the help text

  • image Use binary transfer mode

  • lls [ls-options [path]] Display local directory listing

  • lmkdir path Create local directory

  • ls [path] Display remote directory listing

  • mkdir path Create remote directory

  • put local-path [remote-path] Upload file


Secure copy - scp

  • Using SCP: a fast, easy method to copy single files from your Unix system to a remote Unix system.


Retrieving a file using SCP

  • To retrieve a file from a remote Unix system, the syntax is: scp username@server:file local-file

    • username= username on the remote system

    • server= the name of the remote Unix system

    • file= the file to retrieve from the remote system

    • local-file= the location you wish to save the file to on your local Unix system


Transferring a file to a remote Unix system using SCP

  • The syntax is: scp local-file username@server:file

    • local-file= the file to transfer from the local system

    • username= username on the remote system

    • server= the name of the remote Unix system

    • file= the location you wish to save the file to on the remote Unix system


Transferring Multiple Files

  • mget and mput with sftp

  • Use tar and compress to package a directory tree

    • scp transfers the packaged directory tree

    • uncompress and extract directory tree using tar
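The package-transfer-extract sequence above, written out as POSIX shell functions. This is an added example and not part of the slides; it uses gzip in place of the older compress (so the archive ends in .tar.gz), and REMOTE_USER and REMOTE_HOST are hypothetical placeholders. Packing and transfer are kept in separate functions so the archive can be listed and checksummed locally before it is sent, and the remote side checks the same SHA-256 before extracting.

```shell
#!/bin/sh
# Added example (not from the slides): package a directory tree, copy it with
# scp, verify its digest on the remote host, then unpack it there.
# REMOTE_USER and REMOTE_HOST are hypothetical placeholders.
REMOTE_USER=${REMOTE_USER:-username}
REMOTE_HOST=${REMOTE_HOST:-server.example.org}

# pack_tree DIR ARCHIVE
# Archive DIR into ARCHIVE (.tar.gz). Changing into DIR's parent first means
# extraction recreates only that tree, not the full absolute path.
pack_tree() {
    dir=$1; archive=$2
    tar -C "$(dirname "$dir")" -czf "$archive" "$(basename "$dir")"
}

# archive_has ARCHIVE MEMBER: return 0 if MEMBER is listed in ARCHIVE
archive_has() {
    tar -tzf "$1" | grep -qxF "$2"
}

# archive_digest ARCHIVE: print the SHA-256 of ARCHIVE (GNU or BSD tool)
archive_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# ship_tree ARCHIVE REMOTE_DIR
# scp the archive, have the remote host re-check the digest we computed here,
# and only then extract. Not run at top level: it needs a reachable host.
ship_tree() {
    archive=$1; remote_dir=$2
    name=$(basename "$archive")
    digest=$(archive_digest "$archive")
    scp "$archive" "$REMOTE_USER@$REMOTE_HOST:$remote_dir/" || return 1
    # The "digest  name" line is fed to sha256sum -c on the remote side via stdin.
    printf '%s  %s\n' "$digest" "$name" |
        ssh "$REMOTE_USER@$REMOTE_HOST" \
            "cd '$remote_dir' && sha256sum -c - && tar -xzf '$name'"
}
```

Typical use is `pack_tree ~/proj /tmp/proj.tar.gz`, a quick `archive_has /tmp/proj.tar.gz proj/Makefile` to confirm the tree was captured, then `ship_tree /tmp/proj.tar.gz work`; the remote path is relative to the login directory, as with scp itself.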


Security

  • Authentication

    • Are you who you say you are?

  • Authorisation

    • What are you permitted to do?

  • Message protection

    • Integrity

    • Confidentiality

  • Single sign-on

    • Delegation


SSH Authentication

  • SSH allows authentication based on

    • what we know (our key pass-phrase)

    • and what we have (our private key).


SSH Authentication

  • Enable single sign on to remote resources that use ssh.

  • Authentication Utilities

    • ssh-keygen

      • Authentication key pair generation

    • ssh-agent

      • Authentication agent

    • ssh-add

      • Adds identities for authentication agent


ssh files and directories

  • authorized_keys

    • Contains public keys of hosts and users authorised to access this host

  • known_hosts

    • List of hosts from which ssh authentication is allowed. Contains public key for remote host


Enabling Single Sign On Using SSH

  • Enable using the utility ssh-keygen

  • ssh-keygen

    • Generates and manages authentication keys for ssh


Steps for setting up single sign on

  • General steps for enabling your local host to access an account on a remote host without providing a password

    • Generate a key pair from your local host

    • Copy public key to the remote host you require access to

    • Edit authorized_keys file on the remote host


Running ssh-keygen

  • Generate a key pair of type rsa

    • ssh-keygen -t rsa

  • At the prompt for a file name, press return; the default filename will be used for the pair

  • At the prompt for a pass phrase and the prompt to re-enter the pass phrase just hit return.

  • A pair of keys has now been generated; the private key must be protected.


Preparing the Remote Host for Single Sign On

  • Copy the public key you created using ssh-keygen to the .ssh directory on the remote host

  • Append your public key to the authorized_keys file in the .ssh directory

  • Single sign on using secure shell is now enabled.
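The key-generation and authorized_keys steps above as shell functions; this is an added example and not the slides' own procedure. It departs from the slide in one respect: the key gets a passphrase, and ssh-agent/ssh-add (the utilities listed under SSH Authentication) supply it once per session, so single sign-on still works while the private key on disk stays encrypted. KEY and REMOTE are hypothetical placeholders; the functions that talk to ssh-keygen, the agent, or a remote host are not run at top level, and install_pubkey is the local equivalent of the append step, made idempotent and given the permissions sshd's StrictModes insists on.

```shell
#!/bin/sh
# Added example (not from the slides): passphrase-protected key, agent for
# single sign-on, and an idempotent install into authorized_keys.
# KEY and REMOTE are hypothetical placeholders.
KEY=${KEY:-$HOME/.ssh/id_rsa}                 # default filename ssh-keygen offers
REMOTE=${REMOTE:-username@server.example.org}

# make_key: interactive; ssh-keygen prompts for a passphrase. Give it one:
# the agent below means you still type it only once per session.
make_key() {
    ssh-keygen -t rsa -b 4096 -f "$KEY"
}

# load_key: start an agent for this shell and add the key. The passphrase is
# asked for here, after which ssh uses the agent for every connection.
load_key() {
    eval "$(ssh-agent -s)" >/dev/null
    ssh-add "$KEY"
}

# install_pubkey PUBKEY_FILE SSH_DIR
# Append the public key to SSH_DIR/authorized_keys only if it is not already
# present, and set the permissions sshd requires (700 on .ssh, 600 on the file).
install_pubkey() {
    pub=$(cat "$1"); sshdir=$2; auth=$sshdir/authorized_keys
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$auth" && chmod 600 "$auth"
    grep -qxF "$pub" "$auth" || printf '%s\n' "$pub" >> "$auth"
}

# count_key PUBKEY_FILE SSH_DIR: how many times the key appears (should be 1)
count_key() {
    grep -cxF "$(cat "$1")" "$2/authorized_keys"
}

# push_pubkey: the same install over the network. The public key is piped
# through ssh so nothing but that key is written. Not run here: needs a host.
push_pubkey() {
    ssh "$REMOTE" 'umask 077; mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys' \
        < "$KEY.pub"
}
```

Order of use is `make_key`, `push_pubkey` (this last password-prompted login), then `load_key` in each new session; after that `ssh username@server` authenticates through the agent. Running `install_pubkey` twice with the same key leaves a single entry, which is the check worth keeping when the append is scripted.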


Comments

  • Enables distributed application shell scripts that request applications and transfer resources between different systems on which you have accounts.

  • Approach does not require logon to access each node


Grid Security Infrastructure

  • Grid Security Infrastructure uses PKI to secure communications over the Internet

  • Public key infrastructure integrates digital certificates, public key cryptography and certification authorities

  • Digital certificates allow individual users and hosts to confidently validate the identity of each party involved in a transaction

  • Use X509v3 Digital Certificates


GSI Delegation

  • Proxies are temporary certificates signed by the owner

    • Expiry date

    • Private key

  • Relies on conventional filesystem security

  • Enables remote processes to authenticate with further resources

  • Hence single sign-on


Apply to Use Grid Resources

  • White Rose Grid

    • Download, complete and sign a form.

  • National Grid Service

    • Complete the online form and provide a case

  • Details at:

    • http://www.shef.ac.uk/wrgrid/access


Why???

  • Extra compute resource?

  • Run jobs when local queues are busy…

  • Run more jobs…

  • Run jobs faster


How to Obtain an X509v3 Certificate

  • Obtain certificate from CA

  • Get request approved by local registration authority (ID required)

  • Get certificate from CA, install it and test it.

  • May need to use OpenSSL to convert the certificate for use

  • Details at

    • http://www.shef.ac.uk/wrgrid/access


Protection of Credentials

  • Permission on the long-term private key file: read only (userkey.pem by default is read only)

  • The passphrase for encrypting your private key must be secure

  • Private keys and proxy files should not be stored on movable media

  • Private keys should be copied using secure methods only (sftp NOT ftp or rcp)
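The OpenSSL conversion mentioned under "How to Obtain an X509v3 Certificate" and the file-permission rule above, as an added shell example that is not part of the slides. It assumes the CA delivered the certificate as a PKCS#12 bundle (a hypothetical path, P12) and splits it into the usercert.pem / userkey.pem pair in a .globus directory; the key is exported still encrypted, so openssl prompts for the passphrase the slide says must be secure. key_mode_ok is the check a practitioner runs before trusting a copied key file, and is the only part exercised at top level.

```shell
#!/bin/sh
# Added example (not from the slides): split a PKCS#12 bundle into the PEM
# pair GSI uses, and check that the private key is readable by its owner only.
# P12 and GLOBUS_DIR are hypothetical placeholders.
P12=${P12:-$HOME/mycert.p12}
GLOBUS_DIR=${GLOBUS_DIR:-$HOME/.globus}

# convert_p12: run by hand once the bundle is on disk (needs openssl).
convert_p12() {
    umask 077                      # new files start out private
    mkdir -p "$GLOBUS_DIR"
    # Certificate only, no private key -> usercert.pem (may be world-readable)
    openssl pkcs12 -in "$P12" -clcerts -nokeys -out "$GLOBUS_DIR/usercert.pem" || return 1
    # Private key only; openssl keeps it passphrase-encrypted -> userkey.pem
    openssl pkcs12 -in "$P12" -nocerts -out "$GLOBUS_DIR/userkey.pem" || return 1
    chmod 444 "$GLOBUS_DIR/usercert.pem"
    chmod 400 "$GLOBUS_DIR/userkey.pem"
    key_mode_ok "$GLOBUS_DIR/userkey.pem"
}

# file_mode FILE: octal permission bits, on GNU (stat -c) or BSD (stat -f) stat
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# key_mode_ok FILE: 0 if FILE is owner-only (400 or 600), 1 otherwise.
# Anything looser is what grid tools and sshd alike refuse to use.
key_mode_ok() {
    case "$(file_mode "$1")" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}
```

Running `key_mode_ok ~/.globus/userkey.pem` after copying the key with sftp (never ftp or rcp, as the slide says) confirms the transfer did not widen the permissions; a non-zero exit means `chmod 400` is still needed.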


Using the Grid

  • Iceberg grid commands

    • wrhelp

  • Geodise toolkit with matlab (available on iceberg)

  • gsissh, gsiscp

    • From maxima

  • Globus toolkit gt2.4


wr grid commands : Overview

  • wrhelp

  • wrnn

  • Proxy Management

  • Execute Commands (e.g. unix ) on remote node

  • Transfer files

  • Submit jobs


wr grid commands : Help and nodes

  • wrhelp

    • Gives list of available commands

    • Type command with -help option to get help

  • wrnn

    • List of WRG nodes and NGS nodes with correct contact information

    • Given a nickname for a node, will return the correct contact name

    • ssh -X username@`wrnn snowdon`


wr grid commands : Proxy management

  • wrgpi

    • Initialises a proxy

  • wrgpinf

    • Displays information about current proxy

  • wrgpd

    • Deletes proxy


wr grid commands : Execute Commands

  • wrunx

    • Execute unix command (/bin )

    • wrunx nodenickname command options

  • wrexe

    • Run executable on specified path

    • wrexe fullnodecontact command+path options

    • Can use jobmanager i.e. sge, pbs, condor


wr grid commands : File Transfer

  • wrft

    • wrft fromnode fromfile+path tonode tofile+path

  • Use nickname in wrnn to specify fromnode and tonode

  • File must include path which is RELATIVE to the HOME area on a node.

    • i.e. no need to remember where home is located on the different nodes

  • Can do third party file transfers


wr grid commands : Job management

  • Use wrft to transfer required resources to node

  • wrjobsubmit

    • wrjobsubmit fullcontactnamefornode rslfile

    • Full contact name for node (not nick name) can include job manager

    • Provide the name of an rsl file

    • Returns a handle for the job

  • wrjobstatus

    • wrjobstatus jobhandle

  • wrjobkill

    • wrjobkill jobhandle


Further Information

  • Registration and Access

    • http://www.shef.ac.uk/wrgrid/access/index.html

  • Status information about nodes

    • http://www.shef.ac.uk/wrgrid/status.html

  • RSL Scripting

    • http://www.ipg.nasa.gov/ipgusers/globus/4-globus.html

  • Documentation Index

    • http://www.shef.ac.uk/wrgrid/documents/index.html

  • Contacts

    • http://www.shef.ac.uk/wrgrid/contact.html

