To increase the security of the DTU infrastructure, the whole DTU network setup is changing, and this also affects the way users can access G-bar and the DCC HPC clusters from outside the DTU network.
Nothing changes if you are accessing G-bar or the HPC cluster either on Campus or via the DTU VPN. The instructions below are only relevant if you need to access those resources from outside the DTU network, and the VPN is not a viable option, or it critically affects performance (e.g. increased latency, incompatibility with a pre-existing pipeline, significant data transfer, etc.).
If you only work on Campus or via the DTU VPN
Nothing changes for you. Just make sure that your VPN setup is up to date, and the Multi Factor Authentication is working.
You can safely skip the rest of the page.
If you work remotely, and always using the VPN is not a convenient option
SSH access will from now on require the use of ssh-keys + ssh-key passphrase + DTU password.
Instructions on how to set up your machine(s), and how to configure SSH for your G-bar/HPC account, follow below.
Note: the guide below requires that you – during the setup process – are either connected to a DTU network on Campus, or via VPN (see DTU Inside for the VPN setup). Remember that the CISCO VPN requires the Multi Factor Authentication.
Detailed instructions
Prerequisites
The creation of the ssh-keys needs to be performed on your local machine. It is therefore important that:
- If you don’t trust your own machine: Get one which you can trust.
- If your Operating System & your main-applications are out of date and don’t get regular updates any longer:
  - Update your Operating System to something which is supported / is still supported.
  And also make sure that the web-browsers / mail-clients / whatever-connects-to-the-internet are up-to-date.
- Without a machine which you can trust you shouldn’t connect to any DTU-systems from outside.
(The only exception for non-up-to-date-software is lab-equipment within DTU,
which is not really updateable. And these machines should also connect to separate networks
within DTU. So…. no excuses.)
NOTE: Before connecting to a new server always check that the fingerprints match (it only asks once).
If they don’t match, then someone might play a man-in-the-middle-attack on you.
And this means that your current network-connection is not trustworthy.
The ssh-fingerprints of our login-nodes are in the file https://www.hpc.dtu.dk/fp.txt
The following steps are necessary to be able to
- ssh into our G-bar/HPC-setup
- use our ThinLinc-setup
from outside the DTU network without being on the VPN.
Even if you are only interested in ThinLinc, you also have to do the same steps as for the G-bar/HPC-setup.
MacOSX / Linux / Windows with “ssh” / other Unix-like-Operating Systems (using openssh):
Step by step guide for MacOS, Linux, Windows with ssh (openssh)
- Create a private/public key-pair for connecting to our setup
Open a terminal, and then:
cd
mkdir -p .ssh
cd .ssh
ssh-keygen -t ed25519 -f gbar
This asks for a passphrase (password for the key), so please choose a new “good enough password”, which is _NOT_ your DTU password (and also not any old password which you have used at DTU before, because they might be compromised, too).
$ ssh-keygen -t ed25519 -f gbar
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase): *********
Enter same passphrase again: *********
Your identification has been saved in gbar
Your public key has been saved in gbar.pub
The key fingerprint is:
SHA256:Pm2XrdUigYlcCMEbXUEA+1ze53IUBBOPUU92uvxiQF8 s123456@nowhere
The key's randomart image is:
+--[ED25519 256]--+
| .++.++.=+o +|
| oo.. * =.|
| .o. o o + E|
| .+ = = o + |
| S + + * |
| . . O o |
| o o = O o|
| o . B o |
| . |
+----[SHA256]-----+
Now you have two files there – gbar and gbar.pub
$ ls -l gbar*
9051786 4 -rw-------. 1 s123456 s123456 464 Aug 21 14:45 gbar
9054680 4 -rw-------. 1 s123456 s123456 99 Aug 21 14:45 gbar.pub
The gbar file contains your private key, so make sure it stays private (and under no circumstances upload this thing to a git-repository or similar(!!!) by accident or on purpose).
The public-key is in the file gbar.pub, the content of which you need to copy into your .ssh/authorized_keys file on our setup.
- Copy the file to the cluster
- If you already have a .ssh/authorized_keys in your HOME directory on the cluster:
Login to the cluster (when connected to a DTU network, either on Campus or via VPN) and just add the new entry to this file.
You can, for example, append a new entry by running
cat >> .ssh/authorized_keys
and then paste the “public key” into the terminal and then finish
this with <ctrl>-d to close the file.
Or if you prefer you can use any plain text editor on the cluster to edit the file .ssh/authorized_keys.
- If you don’t have such a file yet, then you can just execute these two commands from your machine:
Make sure that you are on a DTU network, and then copy the public-key into the right place:
# create the folder (with the right permissions), in case it doesn't exist
ssh s123456@transfer.gbar.dtu.dk mkdir -m 700 -p .ssh
# copy the public key into the right place
scp gbar.pub s123456@transfer.gbar.dtu.dk:.ssh/authorized_keys
# fix the permissions of the file (need to be '600', i.e. only 'rw' by you)
ssh s123456@transfer.gbar.dtu.dk chmod 600 .ssh/authorized_keys
- How to connect to the system with ssh and the ssh-key
Now you should be able to connect to our setup with the key:
ssh -i ~/.ssh/gbar s123456@login.hpc.dtu.dk
and it should ask for your ssh-key-passphrase and your DTU-password afterwards, and then you should have a login-shell on our login-node.
Use “exit” to exit or press <ctrl>-d to return to your current shell on your local machine.
- Optional: simplify the ssh-login procedure
To make it a bit easier and type less, you can
create a file named .ssh/config in your HOME directory on your local machine, with something like this in it:
--------------snip-------------------
Host gbar1
User s123456
IdentityFile ~/.ssh/gbar
Hostname login1.gbar.dtu.dk
---------------snip------------------
then you can just connect via ssh with the simple command
ssh gbar1
and it will ask for the passphrase for your key and your DTU-password (as the second factor), and you
are connected.
- How to connect to the system using the ssh-key with the ThinLinc client
You have to enable public-key-authentication within the ThinLinc-client and then you just use the
“gbar” public/private key as the authentication method.
Start the ThinLinc-client
-> Options
-> Security
-> Authentication method: “public key”
-> “OK”
Choose the “gbar” file as the “key”, and from now on you are using the key-pair for authentication and it will ask you
for the passphrase of your key-pair.
The webinterface of our ThinLinc-setup is at the moment only reachable when connected from inside the DTU-network.
Use putty
Step by step guide for Putty
- Create the ssh key pair
On your local “trustworthy machine”, create the key-pair:
In a shell, type
mkdir -p keys && cd keys
Generate a key-pair for putty
puttygen -t ed25519 -o gbar-putty -O private
Now extract the private key, so that it can be used by ThinLinc
puttygen gbar-putty -o gbar-openssh.key -O private-openssh-new
As a check that the private key matches:
puttygen gbar-putty -o gbar-openssh.pub -O public-openssh
- Copy the file to the cluster
You need to copy the public-key into your .ssh/authorized_keys file on the gbar system.
On your local machine do a cat gbar-openssh.pub, then copy the contents into the clipboard and then open a SSH-session to G-bar (you need to be on a DTU network for this!), and copy the contents of the clipboard into your .ssh/authorized_keys file:
mkdir -m 700 -p .ssh
cat >> .ssh/authorized_keys
copy and paste the content of the clipboard and then finish this with <ctrl>-d to close the file. Then fix the permissions, so it is only accessible by you:
chmod 600 .ssh/authorized_keys
Or use the method mentioned above with ssh and scp to copy your public-key into your authorized_keys file.
- How to connect to the system with putty and the ssh-key
From command-line:
putty -i gbar-putty s123456@login2.hpc.dtu.dk
From the putty-gui:
data -> username: 's123456'
data -> ssh -> auth:
Browse to the private key, select the generated putty key-pair
hostname -> login.gbar.dtu.dk (or login2.gbar.dtu.dk or login.hpc.dtu.dk or login2.hpc.dtu.dk)
select “default-profile”, and then press “Save”.
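Both "Copy the file to the cluster" steps above (the openssh one and the putty one) append a public key to .ssh/authorized_keys and then fix the permissions. The shell function below is an added example, not part of the original guide: run on the cluster, it does this in one step without overwriting existing entries, and it refuses private-key material. The name install_pubkey and the sample key are assumptions.

```shell
# Added example; install_pubkey is a hypothetical helper name.
# $1 = one public-key line (the content of gbar.pub), $2 = home directory (default $HOME).
install_pubkey() {
    key_line=$1
    home_dir=${2:-$HOME}
    ssh_dir=$home_dir/.ssh
    auth_file=$ssh_dir/authorized_keys

    # Only the content of gbar.pub belongs here, never the private key file.
    case $key_line in
        *"PRIVATE KEY"*) echo "refusing: private key material" >&2; return 2 ;;
    esac

    # A public-key line has the form "<type> <base64 blob> [comment]".
    key_type=${key_line%% *}
    rest=${key_line#* }
    key_blob=${rest%% *}
    case $key_type in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-*) ;;
        *) echo "refusing: unexpected key type" >&2; return 2 ;;
    esac
    case $key_blob in
        ""|*[!A-Za-z0-9+/=]*) echo "refusing: malformed key blob" >&2; return 2 ;;
    esac

    # Same permissions as in the guide: 700 on .ssh, 600 on authorized_keys.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1

    # Append instead of overwrite, and only if the key is not there yet.
    if grep -qF -- "$key_blob" "$auth_file"; then
        echo "already installed"
        return 0
    fi
    # Add a newline first if the existing last entry lacks one.
    if [ -s "$auth_file" ] && [ -n "$(tail -c 1 "$auth_file")" ]; then
        echo >> "$auth_file"
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
    echo "installed"
}

# Usage on the cluster (constructed sample key, not a real one):
# install_pubkey 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnly s123456@nowhere'
```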