SSH: Difference between revisions

From CLONWiki
Jump to navigation Jump to search
Boiarino (talk | contribs)
No edit summary
Boiarino (talk | contribs)
No edit summary
 
(10 intermediate revisions by 6 users not shown)
Line 1: Line 1:
Normally ''ssh'' creates ''.Xauthority'' file in ''$HOME/.ssh'' directory. If ''$HOME'' directory is on file server and shared between different machines, it can be a conflict. It is recommended in that case to tell ''ssh'' to place ''.Xauthority'' file somewhere else, for example in ''/tmp'' directory which is usually local. Do following:
To ssh ignoring 'Offending key in /site/etc/ssh_known_hosts' do following:
 
ssh -o UserKnownHostsFile=/dev/null <hostname>
 
 
First, enable X11 forwarding: uncommented and properly set 2 following lines in ''/etc/ssh/ssh_config'' file:
 
Host *
ForwardX11 yes
 
Normally ''ssh'' creates ''.Xauthority'' file in ''$HOME'' directory. If ''$HOME'' directory is on file server and shared between different machines, it can be a conflict. It is recommended in that case to tell ''ssh'' to place ''.Xauthority'' file somewhere else, for example in ''/tmp'' directory which is usually local. Do following:


1. Uncomment or add following line in ''/etc/ssh/sshd_config'' (it will force execution of /etc/ssh/sshrc script which we'll create below; also every user's $HOME/.ssh/environment file will be processed):
1. Uncomment or add following line in ''/etc/ssh/sshd_config'' (it will force execution of /etc/ssh/sshrc script which we'll create below; also every user's $HOME/.ssh/environment file will be processed):
Line 5: Line 15:
  PermitUserEnvironment yes
  PermitUserEnvironment yes


2. Add two lines in ''/etc/profile'':
2. Create ''/etc/ssh/sshrc'' with following contents:
 
XAUTHORITY=/tmp/.Xauthority.$LOGNAME
export XAUTHORITY
 
3. Create ''/etc/ssh/sshrc'' with following contents:


  HOME=/tmp
  HOME=/tmp
Line 26: Line 31:
               echo add $DISPLAY $proto $cookie
               echo add $DISPLAY $proto $cookie
       fi | /usr/openwin/bin/xauth -q -
       fi | /usr/openwin/bin/xauth -q -
  fi
fi


(on Linux ''xauth'' is located at ''/usr/X11R6/bin/xauth'', adjust script accordingly)
(on RHEL4 ''xauth'' is located at ''/usr/X11R6/bin/xauth'', on RHEL5 at ''/usr/bin'', adjust script accordingly)


4. Create ''/root/.ssh/environment'' file with following contents:
3. Add two lines in ''/etc/profile'':


  XAUTHORITY=/tmp/.Xauthority.root
  XAUTHORITY=/tmp/.Xauthority.$LOGNAME
export XAUTHORITY


5. NOTIFY ALL USERS TO HAVE THAT FILE WITH CORRESPONDING CONTENTS IN THEIR HOME/.ssh directories. You can do it for example by placing following into ''/etc/.login'' (on linux you can use ''/etc/csh.login''):
4. NOTIFY ALL USERS TO HAVE THAT FILE WITH CORRESPONDING CONTENTS IN THEIR ''$HOME/.ssh'' directories. You can do it for example by placing following into ''/etc/.login'' (on linux you can use ''/etc/csh.login''):


  if (! -e ~/.ssh/environment ) then
  if (! -e ~/.ssh/environment ) then
Line 43: Line 49:
   echo ""
   echo ""
  endif
  endif
5. Create ''/root/.ssh/environment'' file with following contents:
XAUTHORITY=/tmp/.Xauthority.root




Line 50: Line 60:


(on Linux ''/etc/init.d/sshd restart'')
(on Linux ''/etc/init.d/sshd restart'')
7. If need to make ssh without password between different clon machines for some user, login as that user and do following (chmod commands are important !):
mkdir .ssh
chmod 700 .ssh
cd .ssh
ssh-keygen -t rsa
    <hit return 3 times>
#cp id_rsa.pub authorized_keys
ssh-copy-id <machine_name_you_are_in>
chmod 600 *
After that for this user all machines with the same home directory have to be accessible without typing password. If machine has different home directory, copy contents of the 'id_rsa.pub' into remote machine 'authorized_keys' file.
8. Tunneling: for example to tunnel from home to clontrig0 for vnc (port 5902) do following:
ssh -L 5902:localhost:4321 login1.jlab.org
and then from the same window:
ssh -L 4321:localhost:5902 clontrig0
Now if VNCVIEWER on home machine connect to localhost:5902, it will actually connect to clontrig0:5902.

Latest revision as of 15:55, 1 July 2019

To ssh ignoring 'Offending key in /site/etc/ssh_known_hosts' do following:

ssh -o UserKnownHostsFile=/dev/null <hostname>


First, enable X11 forwarding: uncommented and properly set 2 following lines in /etc/ssh/ssh_config file:

Host *
ForwardX11 yes

Normally ssh creates .Xauthority file in $HOME directory. If $HOME directory is on file server and shared between different machines, it can be a conflict. It is recommended in that case to tell ssh to place .Xauthority file somewhere else, for example in /tmp directory which is usually local. Do following:

1. Uncomment or add following line in /etc/ssh/sshd_config (it will force execution of /etc/ssh/sshrc script which we'll create below; also every user's $HOME/.ssh/environment file will be processed):

PermitUserEnvironment yes

2. Create /etc/ssh/sshrc with following contents:

HOME=/tmp
XAUTHORITY=$HOME/.Xauthority.$USER
export XAUTHORITY
if read proto cookie && [ -n "$DISPLAY" ]
then
      if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]
      then
              # X11UseLocalhost=yes
              echo add unix:`echo $DISPLAY |
              cut -c11-` $proto $cookie
      else
              # X11UseLocalhost=no
              echo add $DISPLAY $proto $cookie
      fi | /usr/openwin/bin/xauth -q -
fi

(on RHEL4 xauth is located at /usr/X11R6/bin/xauth, on RHEL5 at /usr/bin, adjust script accordingly)

3. Add two lines in /etc/profile:

XAUTHORITY=/tmp/.Xauthority.$LOGNAME
export XAUTHORITY

4. NOTIFY ALL USERS TO HAVE THAT FILE WITH CORRESPONDING CONTENTS IN THEIR $HOME/.ssh directories. You can do it for example by placing following into /etc/.login (on linux you can use /etc/csh.login):

if (! -e ~/.ssh/environment ) then
  echo ""
  echo "===== ERROR: create file '~/.ssh/environment' containing following line:"
  echo "=====       XAUTHORITY=/tmp/.Xauthority.$LOGNAME"
  echo "===== OTHERWISE SSH/X11 MAY NOT WORK PROPERLY"
  echo ""
endif

5. Create /root/.ssh/environment file with following contents:

XAUTHORITY=/tmp/.Xauthority.root


6. Restart ssh service by

svcadm restart network/ssh

(on Linux /etc/init.d/sshd restart)

7. If need to make ssh without password between different clon machines for some user, login as that user and do following (chmod commands are important !):

mkdir .ssh
chmod 700 .ssh
cd .ssh
ssh-keygen -t rsa
   <hit return 3 times>
#cp id_rsa.pub authorized_keys
ssh-copy-id <machine_name_you_are_in>
chmod 600 *

After that for this user all machines with the same home directory have to be accessible without typing password. If machine has different home directory, copy contents of the 'id_rsa.pub' into remote machine 'authorized_keys' file.

8. Tunneling: for example to tunnel from home to clontrig0 for vnc (port 5902) do following:

ssh -L 5902:localhost:4321 login1.jlab.org

and then from the same window:

ssh -L 4321:localhost:5902 clontrig0

Now if VNCVIEWER on home machine connect to localhost:5902, it will actually connect to clontrig0:5902.