The safest way to log on to SISSA computers is the ssh (Secure SHell) command. In this way the password you type is encrypted before being sent to the remote computer (in fact, everything in an ssh session is encrypted). Usage of the ssh command:
ssh machine-name.sissa.it
your-name's password:(type your password - it is not echoed to screen!)
The first time you connect to a machine, ssh will ask you to confirm the connection. Note that ssh doesn't ask for your username: it takes your local username as the default.
You can log in with a different user name typing
ssh -l your-other-name machine-name.sissa.it or
ssh your-other-name@machine-name.sissa.it
A more advanced use of ssh makes use of the so-called public key authentication. Once you set this up, you don't need to type any password to log in to remote machines, only a passphrase to unlock your locally-stored private key. Note that
- the security of many machines can be compromised if your private key gets stolen, so protect it!
- there is no way to recover your private key if you forget your passphrase: you cannot simply ask the staff to enter a new passphrase for you; you need to re-build your keys and set up once again all machines to be accessed with them; see also 2.5
Please see ssh documentation (man ssh, man ssh-keygen) for more information.
This will tell you how to set up PK authentication in less than three minutes; it will not explain what PK authentication is. Each step is dangerous. If you don't understand what is going on, please just skip this paragraph.
- generate your keys: you first need to generate your private and public keys:
ssh-keygen -t rsa
Be sure to choose a good passphrase: it should be longer and more difficult to guess than your password.
- copy your public key to the remote host: your public key needs to be copied to the remote host:
scp ~/.ssh/id_rsa.pub remotehost:.ssh/authorized_keys
Be sure you copy the public key id_rsa.pub, not the private one (id_rsa)! Note that this will overwrite any existing authorized_keys file! If you need to append to that file, scp the key to some other temporary file in your home directory, then log in to the remote host and manually append the key to the existing authorized_keys file.
- start the agent: the ssh agent will keep your private key(s) ready for use:
eval `ssh-agent`
(this fancy syntax is needed because ssh-agent outputs some commands that need to be executed by the running shell)
- register your private key: when started, ssh-agent holds no keys; you need to add them:
ssh-add -t time
(you will be prompted for your passphrase)
- enjoy! Now you should be able to log in to the remote system with the public key only.
- There is no way to recover a lost passphrase
- Always set a lifetime for your keys when using ssh-add
- Protect your keys
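The "append, don't overwrite" step above is the one most often done by hand. The following is an added example (not part of the SISSA page): after copying the key to a temporary file on the remote host (remotehost is a placeholder), run append_key there; it refuses anything that is not a single public-key line, skips keys already present, and sets the permissions sshd expects.

```shell
#!/bin/sh
# Added example (not from the SISSA page): the "append, don't overwrite" step.
# Copy the key to a temporary file first, e.g.
#   scp ~/.ssh/id_rsa.pub remotehost:id_rsa.pub.tmp      (remotehost: placeholder)
# then, logged in on the remote host:
#   append_key ~/id_rsa.pub.tmp ~/.ssh/authorized_keys

# A public key file is exactly one line: "<keytype> AAAA<base64> [comment]".
# The check also refuses a private key (id_rsa) copied by mistake.
is_public_key() {
    [ "$(wc -l < "$1" | tr -d ' ')" -le 1 ] &&
    grep -Eq '^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-[a-z0-9]+) AAAA' "$1" &&
    ! grep -q 'PRIVATE KEY' "$1"
}

# Append the key in $1 to the authorized_keys file $2 unless already present.
# Exit status: 0 added, 2 already present, 1 not a public key.
append_key() {
    key=$1 dest=$2
    is_public_key "$key" || return 1
    mkdir -p "$(dirname "$dest")"
    chmod 700 "$(dirname "$dest")"   # sshd (StrictModes) rejects a lax ~/.ssh
    touch "$dest"
    # compare key type + key body only; the trailing comment may differ
    body=$(awk '{ print $1, $2 }' "$key")
    if awk '{ print $1, $2 }' "$dest" | grep -qxF -- "$body"; then
        return 2
    fi
    # make sure the existing file ends with a newline, then add exactly one line
    if [ -s "$dest" ] && [ "$(tail -c1 "$dest")" != "" ]; then
        echo >> "$dest"
    fi
    printf '%s\n' "$(cat "$key")" >> "$dest"
    chmod 600 "$dest"
    return 0
}
```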
There are many messages you can receive from ssh itself before and during the login procedure. Sometimes you are requested to confirm some action; note that when ssh asks you to type «yes», it actually means yes<enter>, not just <enter> or y<enter>.
- Warning: Permanently added 'storm,192.168.0.2' (RSA) to the list of known hosts.
It's the first time you connect to storm (from this client); storm's host key has been automatically added to your database.
- The authenticity of host 'storm (192.168.0.2)' can't be established.
RSA key fingerprint is 39:16:52:ee:5d:a6:3b:4f:b2:35:d9:8c:7e:9e:b7:1c.
Are you sure you want to continue connecting (yes/no)?
Same as above, but your system setup requires that you accept the key before it is added to the database.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
39:16:52:ee:5d:a6:3b:4f:b2:35:d9:8c:7e:9e:b7:1c.
Please contact your system administrator.
Add correct host key in /u/gr/you/.ssh/known_hosts to get rid of this message.
Offending key in /u/gr/you/.ssh/known_hosts:119
Password authentication is disabled to avoid man-in-the-middle attacks.
X11 forwarding is disabled to avoid man-in-the-middle attacks.
Permission denied (publickey,password,keyboard-interactive).
This can be bad. However, it is also possible that the remote host identification token has been changed for some reason. If you think this is the case, go to your .ssh/known_hosts file, remove the offending key (in this case located at line 119 of the file) and connect again (see footnote 2.1).
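Editing known_hosts by hand is where the long lines get broken (see footnote 2.1). The following is an added example (not from the SISSA page): find_known_host lists the line numbers of the entries naming a host, and remove_known_host deletes exactly the line ssh reported as offending, keeping a backup. It assumes plain (unhashed) entries, as in the messages above; the sample file in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the SISSA page): find the known_hosts entry for a host
# and delete exactly that line, leaving every other (very long) line untouched.
# Assumes plain (unhashed) entries of the form "host1,host2 keytype base64key".

# Print the line number(s) of every entry whose host list contains HOST.
find_known_host() {
    file=$1 host=$2
    awk -v h="$host" '
        /^[[:space:]]*#/ { next }          # comment line
        NF == 0          { next }          # blank line
        {
            n = split($1, hosts, ",")      # first field: comma-separated host list
            for (i = 1; i <= n; i++)
                if (hosts[i] == h) { print NR; break }
        }' "$file"
}

# Show the entry at line LINENO (the number in "Offending key in ...:119") and
# rewrite FILE without it; the original is kept as FILE.bak.
remove_known_host() {
    file=$1 lineno=$2
    entry=$(sed -n "${lineno}p" "$file")
    [ -n "$entry" ] || return 1            # no such line: refuse
    printf 'removing line %s: %.60s...\n' "$lineno" "$entry"
    cp "$file" "$file.bak"
    sed "${lineno}d" "$file.bak" > "$file"
}
```

Newer OpenSSH releases offer ssh-keygen -R hostname for the same job; the function above is only for understanding what that does to the file.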
The use of telnet is strongly discouraged. Telnet encrypts neither what you type at the keyboard nor what comes back to your screen, including your username and password. This means that anyone on the Internet may see (and steal) that information. Telnet is not supported within the SISSA network.
Simply type exit at the shell prompt, or press <ctrl-d>.
You can change your password at any workstation with the command yppasswd:
$ yppasswd
Changing NIS account information for your-name on trust.sissa.it.
Please enter old password: (type your old password - not shown)
Please enter new password: (type your new password - not shown)
Please re-enter new password: (type your new password again)
Please note that
- the password is case-sensitive: «Password» is different from «paSSWorD»
- the password is changed only for the cluster you are logged in to
- some machines may cache your password information for a few minutes: this means that the new password may appear to propagate with a slight delay
You can use ypchsh to change your login shell. Please see man yppasswd or man ypchsh for more information.
In the (unlikely) event you have a local (workstation-only) password, the same rules apply; just use passwd (resp. chsh) instead of yppasswd (resp. ypchsh).
2.5 Choosing a «good» password
When choosing your password you should follow some rules to ensure a reasonable degree of security:
- Never use your first or last name, not even as part of the password
- Never use any word one can find in a dictionary; many password-cracking programs use ten or more dictionaries, so do not rely on your native language being «exotic enough»
- Never use a word one can find in a dictionary with a few digits or special characters prepended or appended: «19secret!» is not much safer than simply «secret»
- Never use a word one can find in a dictionary with some letter case scrambling: «pAsswORd» is not better than «password»
- Use a password of at least six characters
- Use a password you can easily remember, e.g. built from the initials of a sentence such as «My password is really a good one»: «Mpirag1» (not this one please!)
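The rules above are easy to state and easy to get wrong; the following added example (not from the SISSA page) applies them to a candidate password the way a cracker's dictionary attack would see it: case is folded, digits and punctuation at either end are stripped, and the remainder is compared against a word list. DICT is a constructed five-word stand-in for the real dictionaries.

```shell
#!/bin/sh
# Added example (not from the SISSA page): check a candidate password against
# the rules above. DICT is a constructed stand-in for a cracker's word lists.
DICT="password secret welcome dragon monkey"

# check_password PASSWORD [FIRSTNAME] [LASTNAME]
# Exit status 0 = acceptable by these rules, 1 = rejected (reason on stdout).
check_password() {
    pw=$1; first=$2; last=$3
    lower=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')  # «pAsswORd» -> «password»
    if [ "${#pw}" -lt 6 ]; then
        echo "rejected: shorter than six characters"; return 1
    fi
    # rule 1: no part of your name, in any letter case
    for name in "$first" "$last"; do
        name=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
        if [ -n "$name" ]; then
            case "$lower" in
                *"$name"*) echo "rejected: contains your name"; return 1 ;;
            esac
        fi
    done
    # rules 2-4: strip digits/special characters from both ends («19secret!» -> «secret»),
    # then look the lower-cased core up in the dictionary
    core=$(printf '%s' "$lower" | sed 's/^[^a-z]*//; s/[^a-z]*$//')
    for word in $DICT; do
        if [ "$core" = "$word" ]; then
            echo "rejected: dictionary word «$word» (possibly decorated)"; return 1
        fi
    done
    echo "ok"; return 0
}
```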
Footnotes
2.1 The known_hosts file has very long lines. Be sure not to truncate or split them, or you will break your ssh setup.
Piero Calucci
2004-11-05