MRG Interactive Developments

Mesoscale Research Group, McGill University


Establishing Batch Mode Connections between OpenSSH and SSH2

  • Secure Connection Background
  • Setup for Password-free (Batch Mode) Secure Connections
  • Establishing a Password-free Secure Connection



  • General Information about Secure Connections

    The best place to get the full story about secure connections is from the open version of the SSH protocol suite of network connectivity tools, OpenSSH. The OpenSSH suite includes secure tools for remote logins (ssh - replaces rlogin and telnet), remote file copy (scp - replaces rcp) and file transfer (sftp - replaces ftp). In addition, basic utilities for key generation and server functionality are provided with the package.

    Some of the advantages of the OpenSSH secure network connection package are (from the OpenSSH FAQ page):

    The basics about keys go something like this. SSH (SSH2 and OpenSSH) uses keys as well as passwords to identify itself to a remote server. The generated keys look like a random assortment of characters and provide authentication during the secure connection. The key generation process constructs both a public and a private key. Private keys should be kept on the local machine, but public keys can be distributed to remote servers to which the user requires password-free access. Whenever a connection is requested, the remote server uses the stored public key to check that the client holds the matching private key. If the keys match then the connection is established; otherwise, the user is prompted to enter a password interactively. For more information on exactly how keys work, have a go at "Introduction to Public-key Cryptography".

    Setup for Password-free (Batch Mode) Secure Connections

    The basic principle that we're going to follow is pretty simple to understand (we'll be connecting from machine B to machine A):

    Of course, you'll need accounts on both machines A and B (although you need not have the same login name on both). We'll assume that we're working with two SSH2 systems, except as noted for OpenSSH. Run
    ssh -V
    on each machine to make sure you know what flavours of the SSH software are installed on each. (Note that the NCAR Supercomputers run OpenSSH and that local University at Albany servers run SSH2, so you'll have to follow the translation instructions provided below if you're creating a connection from NCAR SCD.) First let's generate the keys on the server (machine A):
    ssh-keygen -t rsa
    This basically gets our local directory ~/.ssh2 set up correctly on the server (cedar if you're at SUNY). Next we'll generate the keys on the client machines (machine B, one of the NCAR supercomputers in our example):
    ssh-keygen -t rsa
    ssh-keygen -t dsa
    These generate sets of public keys (id_rsa.pub and id_dsa.pub) and private keys (id_rsa and id_dsa). Now, if the client (NCAR supercomputer in the example) machine is running OpenSSH and the server is running SSH2, then you'll need to translate the key. This can be accomplished by running (on machine B, the client):
    ssh-keygen -e -f ~/.ssh/id_dsa.pub > ~/.ssh/id_dsa_ssh2.pub
    Now we concatenate and transfer the (machine B) client's public keys to the server (machine A):
    cd ~/.ssh2 (or, if using OpenSSH): cd ~/.ssh
    cat id_dsa.pub >newKeys
    cat id_rsa.pub >>newKeys
    scp newKeys user@local.domain:.ssh2/newKeys
    (if using OpenSSH): scp id_dsa_ssh2.pub user@local.domain:.ssh2/id_dsa_ssh2.pub
    Of course, you'll need to provide logins for each of these file transfers (you could just as well use sftp if you'd prefer). Following the transfer of the keys from machine B (client) to A (server), you need to finish the authorization process (on machine A, the SUNY machine in our example):
    cd ~/.ssh2
    cat newKeys >>authorized_keys
    (if using OpenSSH on the client): echo 'Key id_dsa_ssh2.pub' >>authorization
    And that should be it. Now you should try a remote login from the client (machine B):
    ssh user@local.domain
    You should now be able to access the server in batch mode (without a password prompt).
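
    The append step on machine A can be made safe to repeat. The script below is an added example, not part of the original page: it skips keys that are already installed, refuses a file that contains private key material, and sets owner-only permissions, since sshd with StrictModes enabled (the OpenSSH default) rejects key files that others can write and the login then falls back to a password prompt. The function names and the sample keys are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original page). install_pubkeys and count_keys
# are hypothetical helper names.

# install_pubkeys KEYFILE SSHDIR
#   KEYFILE: one-line public keys, e.g. the newKeys file copied from machine B
#   SSHDIR:  key directory on machine A (the page uses ~/.ssh2)
# Returns 1 if KEYFILE is unreadable, 2 if it contains private key material.
install_pubkeys() {
    keyfile=$1; sshdir=$2; auth="$sshdir/authorized_keys"
    [ -r "$keyfile" ] || { echo "cannot read $keyfile" >&2; return 1; }

    # A private key must never leave the client; refuse to install one.
    if grep -q 'PRIVATE KEY' "$keyfile"; then
        echo "$keyfile contains a private key, refusing" >&2
        return 2
    fi

    # Create the directory and the file with owner-only permissions.
    ( umask 077; mkdir -p "$sshdir"; : >>"$auth" )

    # Append each key line only if that exact line is not already present.
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        grep -qxF -- "$line" "$auth" || printf '%s\n' "$line" >>"$auth"
    done <"$keyfile"

    # Tighten permissions in case the directory or file already existed
    # with group or world write access.
    chmod 700 "$sshdir" && chmod 600 "$auth"
}

# count_keys SSHDIR: number of non-empty, non-comment lines installed.
count_keys() {
    grep -cv -e '^$' -e '^#' "$1/authorized_keys" || true
}

# Demo on constructed keys in a scratch directory (not real key material).
demo=$(mktemp -d)
printf '%s\n' 'ssh-dss AAAAB3constructed1 user@machineB' \
              'ssh-rsa AAAAB3constructed2 user@machineB' >"$demo/newKeys"
install_pubkeys "$demo/newKeys" "$demo/.ssh2"
install_pubkeys "$demo/newKeys" "$demo/.ssh2"   # second run adds nothing
echo "keys installed after two runs: $(count_keys "$demo/.ssh2")"
rm -rf "$demo"
```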

    If something has gone wrong, and you still can't access the server, you should first make sure of the SSH versions used by the two machines. Running the version query
    ssh -V
    will tell you which flavours of SSH are present on the machines. If you still have trouble, a good applied resource is
    Password-free login with SSH (if this link is broken, a text-only version resides here). Many more examples and troubleshooting guides are also available online.

    Establishing a Password-free Secure Connection

    After the setup of the secure server is complete, you will be able to connect in (non-interactive) batch mode using the OpenSSH utilities ssh and scp. For example from the command line you can type:
    ssh user@local.domain
    to open a remote shell on the server. More useful, however, is the ability to transfer files via scp in automated scripts. To transfer a file "foo" from the client to the server, the command would look something like:
    scp /path/to/foo user@local.domain:/path/to/copied/foo
    Of course, the ssh command can also be used to execute commands on the remote machine in the same way as rsh can be used in a non-secure environment in which the ~/.rhosts file allows password-free access.


