The Secure SHell protocol is a cryptographic network protocol meant to allow secure connections on an otherwise unsecured network.
While this page will focus on how to use the ssh command, bundled in the openssh package, to obtain login prompts on CS machines and to transfer files, note that it can be used for many networking tasks including port forwarding, tunneling, network filesystems, etc.
The syntax to log in to a remote machine is as follows:
$ ssh USERNAME@HOSTNAME.DOMAIN
Here you will want to use your CS username (see the Accounts section for more information) or your "first.last" name for McGill campus login (not recommended).
All available public resources (and their hostnames) are listed under the Resources section. The domain will always be cs.mcgill.ca for all CS machines.
For example, I could type
$ ssh cs_username@lab1-1.cs.mcgill.ca
to log in to one of the workstations in TR 3110 or
$ ssh cs_username@teaching.cs.mcgill.ca
to log in to our public general purpose server.
Note that if you want to run graphical applications over SSH, you will need to specify the -Y option to allow forwarding of X graphical data (will only work on Linux), as follows:
$ ssh -Y cs_username@teaching.cs.mcgill.ca
By using SSH Certificates, you will not need to accept the host key of every new host that you connect to. A first connection to a new host usually shows:
The authenticity of host 'HOSTNAME.cs.mcgill.ca (X.X.X.X)' can't be established.
ECDSA key fingerprint is SHA256:RADNOMSTRINOFCHARACTERS.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
When you type "yes", the system treats that host as trusted and adds its key to your ~/.ssh/known_hosts file.
To use our CS ssh Certificate, download the following file from within the McGill network (VPN, or ssh tunneling):
https://ssh-cert.cs.mcgill.ca/key.pub
then add it to your known hosts file: ~/.ssh/known_hosts
On macOS or Linux you can simply do:
curl https://ssh-cert.cs.mcgill.ca/key.pub >> ~/.ssh/known_hosts
Now when you ssh to any CS host you should no longer be prompted for the authenticity of the host (if you are, please open a ticket with help@cs.mcgill.ca).
You can check with debug output (-v) that you are using certificates; you will see a line like:
debug1: Host 'HOSTNAME.cs.mcgill.ca' is known and matches the ECDSA-CERT host certificate
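A more careful alternative to appending the download straight into known_hosts, as an added example that is not part of the original page: it checks that the file only grants certificate-authority trust for cs.mcgill.ca hosts, and it skips lines that are already installed. It assumes key.pub is in the known_hosts "@cert-authority PATTERNS KEYTYPE BASE64" format; check_ca_file, install_ca and demo are names chosen here.

```shell
#!/bin/sh
# Added example, not the department's own tooling. Assumption: key.pub uses the
# known_hosts CA format "@cert-authority PATTERNS KEYTYPE BASE64 [comment]".

# check_ca_file FILE: succeed only if every entry is a @cert-authority line
# whose host patterns all stay inside cs.mcgill.ca.
check_ca_file() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # ignore comments and blank lines
        {
            seen = 1
            if ($1 != "@cert-authority" || NF < 4) { bad = 1; exit }
            if ($3 !~ /^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))$/) { bad = 1; exit }
            if ($4 !~ "^[A-Za-z0-9+/]+=*$") { bad = 1; exit }   # key blob is base64
            n = split($2, pat, ",")
            for (i = 1; i <= n; i++)       # every pattern must end in cs.mcgill.ca
                if (pat[i] !~ /^([A-Za-z0-9*?-]+\.)*cs\.mcgill\.ca$/) { bad = 1; exit }
        }
        END { exit (bad || !seen) }         # an empty file is rejected too
    ' "$1"
}

# install_ca FILE KNOWN_HOSTS: append the checked entries, skipping any line
# already present so that repeated runs do not duplicate the CA.
install_ca() {
    check_ca_file "$1" || { echo "refusing to install $1" >&2; return 1; }
    touch "$2" || return 1
    grep -Ev '^[[:space:]]*(#|$)' "$1" | while IFS= read -r line; do
        grep -qxF -- "$line" "$2" || printf '%s\n' "$line" >> "$2"
    done
}

# demo: constructed input; the base64 strings are dummies, not real keys.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '@cert-authority *.cs.mcgill.ca ssh-ed25519 QUFBQUNvbnN0cnVjdGVk demo-ca' > "$d/good"
    printf '%s\n' '@cert-authority * ssh-ed25519 QUFBQUNvbnN0cnVjdGVk too-broad' > "$d/broad"
    install_ca "$d/good" "$d/kh" && install_ca "$d/good" "$d/kh"   # second run adds nothing
    install_ca "$d/broad" "$d/kh" 2>/dev/null || echo "broad entry rejected"
    echo "entries installed: $(grep -c . "$d/kh")"
    rm -rf "$d"
}

# Real use, from inside the McGill network:
#   curl -fsS -o key.pub https://ssh-cert.cs.mcgill.ca/key.pub
#   install_ca key.pub "$HOME/.ssh/known_hosts"
```

A CA entry with a pattern such as "*" would make your client accept certificates from that key for any host, which is why the pattern check matters more than the key check.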
Password authentication for remote login can become tedious on top of being a security liability. SSH keys, based on public key cryptography, will allow you to remotely login without a password.
The idea is that you will create 2 files: a public key and a private key. You will copy the public key file to every machine you want to access without a password (in CS, your home directory is the same everywhere, so you do not need to copy the file at all).
When you try logging in without a password to a machine that knows your public key, it will authenticate you by asking your machine a question that can only be answered by knowing what the private key is. Thus, it will be your responsibility to ensure the private key remains private.
Obviously, most of this will happen in the background. To generate an SSH key, simply run the following command:
$ ssh-keygen -t rsa -b 4096
By default it will write your public key to $HOME/.ssh/id_rsa.pub and your private key to $HOME/.ssh/id_rsa. If you decided to encrypt your private key for more security, by choosing a passphrase, you can make your SSH agent remember the passphrase for the current session by running the command:
$ ssh-add
If you ran the key generation command on a CS machine, you are good to go. Otherwise, add your public key to $HOME/.ssh/authorized_keys on every machine you want to be able to connect to without a password. You may want to use the special command
$ ssh-copy-id USERNAME@FQDN
to handle the distribution of your public key.
openssh includes many utilities for file transfer. The simplest to use, if you are used to the cp command, is probably scp, which uses almost the same syntax:
$ scp [-r] SOURCE_USERNAME@SOURCE_FQDN:SOURCE_PATH DESTINATION_USERNAME@DESTINATION_FQDN:DESTINATION_PATH
where FQDN stands for "Fully Qualified Domain Name", which basically means HOSTNAME.DOMAIN. The -r option can be used to specify that we wish to copy directories.
Here are some examples of file transfer. Note that if the source or destination host is not specified, it is assumed to be the local host.
$ scp test_file cs_username@teaching.cs.mcgill.ca:~/
will send the test file in the current working directory on my local host to my home directory on teaching.cs.mcgill.ca.
$ scp cs_username@cs-1.cs.mcgill.ca:/tmp/a cs_username@cs-2.cs.mcgill.ca:/tmp/b
would send the file /tmp/a on host cs-1 to /tmp/b on host cs-2.
Other file transfer utilities include sftp and rsync, but they are beyond the scope of this documentation.
Symptom:
ssh_dispatch_run_fatal
or
ssh_rsa_verify: cannot handle type rsa-sha2-512
key_from_blob: key type does not match
cannot decode server_host_key_blob
Fix: Use the following fix until you can upgrade your OS/ssh version:
ssh -o HostKeyAlgorithms=ssh-rsa cs_username@HOSTNAME.cs.mcgill.ca
or add to your config file:
Host *.cs.mcgill.ca
    HostKeyAlgorithms ssh-rsa,ssh-rsa-cert-v01@openssh.com
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The RSA host key for HOSTNAME.cs.mcgill.ca has changed,
and the key for the corresponding IP address X.X.X.X
If you used our systems in the past, the host keys of some hosts might have changed over the years.
Fix:
To avoid this, simply use SSH Certificates.
To remove the old host key you can run:
ssh-keygen -R HOSTNAME.cs.mcgill.ca
If you still need help please send a request to help@cs.mcgill.ca
The openssh package is now available natively on Windows since version 1803. It can thus be invoked directly from the cmd program. If that is unsatisfactory to you, you can take a look at a GUI application like MobaXterm (recommended) or PuTTY (legacy option).
When using a CS machine remotely, we ask you to be conscious of other users and make sure not to run a task that will deplete the machine's resources. In the case of memory, it is very application dependent, but if you suspect your task will hog the CPU, you can lower its priority with the nice command as follows:
$ nice -n 10 COMMAND
The argument to the -n option can be anything between 0 (normal priority) and 20 (lowest priority).