SSH tunnels and IPython

We have an OS X server blade at the lab that’s been suped up with some extra RAM (I think 24GB) and is very useful for our bioinformatics processing, as there are a number of bioinformatics tools installed on it. Additionally, running sequence analysis jobs on the server keeps my personal computer free to do other tasks instead of being swamped by these computationally expensive processes.

With that being the case, it’s also much more convenient to log in to the server remotely instead of having to sit directly at the computer to initiate jobs.

I’ve previously written how I’ve managed to set up SSH and the SSH config file to simplify my life for remotely logging in to the server. That part is pretty straightforward. However, we also use IPython Notebooks to document how we’ve processed data. IPython Notebooks run through a web browser, so how can we still use them when we’ve SSH’d into the remote server via the command line?

It turns out, you can set up a SSH tunnel and then connect to the server through your browser. This does require that you have access to the server, as well as available ports on both your client and server to connect through.

Here’s how I create a tunnel into our server:

ssh -L client_port_Number_over8000:localhost:server_port_Number_over8000 user_name@server_ip_address

That’s a lot to type, especially if you’re logging into the server multiple times a week or even multiple times a day. To get around this, we can edit the SSH config file (found in ~/.ssh/config)

Host easy_to_remember_nickname
HostName IP_address_of_remote_server
User remote_server_login_username
ControlMaster auto
LocalForward localhost:client_portNumber_over8000 localhost:server_portNumber_over8000
ServerAliveInterval 30

With this info in the config file, recreating the tunnel is as easy as typing the following on the command line:

$ssh easy_to_remember_nickname

Once the tunnel is established, open a new Terminal window and SSH into the server. Once the SSH connection is established, change to the directory containing your IPython notebook(s) (Note: this is not needed if you’ve set up an IPython config file that sets the default IPython directory), then launch IPython on the remote machine:

$ipython notebook --no-browser --port=first_port_number_listed_in_tunnel_command

Now, on the machine you’re using, start your browser and enter the following into the URL of your browser:

localhost:first_port_number_listed_in_tunnel_command

This should connect through the tunnel and you’ll have the normal web-based view of your notebooks, but those notebooks are actually housed on a remote machine!

Synology-specific and user-specific SSH key requirements

Earlier, I figured out how to set up SSH keys for SSH authentication in to a Synology server, and eliminate the use of a password for authentication.

These were steps towards securing the Synology, but what I really wanted to accomplish was being able to disable the “root” account to really put the server on lockdown. Although the process is technically very easy (just edit the /etc/ssh/sshd_config file and change “PermitRootLogin” to “yes”), I still needed to verify that I could SSH in to the Synology with another user account. Having SSH’d in to the Synology in the past, I had learned that the only other user account (besides “root”) that has SSH permissions by default is the “admin” account.

So, knowing that I had already established private and public keys on my computer AND had connected to the Synology from my computer using said keys, I tried to SSH with the admin account. What happened? Got this message: “Permission denied (publickey).”

That’s both good and bad.

Good that the Synology is definitely not using password authentication any more.
Bad that I can only login using the “root” account.

So, how to resolve this? Since I had been under the impression that the server just needed a single public key that corresponded to a single private key, I was a bit stumped. I had assumed that the public key provided to the Synology would apply to all existing user accounts. After a fair amount of searching (and I think perusing the Synology forums), I stumbled across the reason for this.

It turns out that each individual user has their own location on the Synology to store authorized public keys! After discovering that, it was fairly straightforward to add my existing public key on my computer to the appropriate user’s (in this case, “admin”) SSH authorized keys file. I used the following command to accomplish this:

$cat /path/to/ssh_public_key/id_rsa.pub | ssh root@synologyaddress 'cat >> /volume1/homes/SynologyUserName/.ssh/authorized_keys'

The brief explanation of the command:
First we used “cat”, which normally prints the text of your intended file (in this case, the id_rsa.pub) to the screen. But, instead of printing the info to the screen we “piped” that info (that’s the “|” character) to our SSH connection. The info of the “id_rsa.pub” file gets sent to server over our SSH connection and then we tell the server to use “cat” to append (that’s the purpose of the “>>“) that information to the authorized keys file for the specific user.

After doing that, I can now connect using the “admin” user account. That means I can now disable the “root” user login capabilities.

Secure Shell (SSH) SSHure iSSH SSHweet!

SSH allows you to connect to a remote computer and run task remotely. In my situation, this is great for remotely logging in to one of our lab computers that is designed for intensive computing tasks (24GB of RAM!).

Using SSH is also fairly straightforward. To get started logging in to a remote computer/server that you have access to, just type the following in Terminal (and substitute your own username and the address of your target computer):

$ssh username@remotecomputeraddress

Enter your password for the remote computer.

Alternatively, instead of dealing with passwords every time you log in to a remote computer, generate some SSH keys!  Not only can you eliminate the need to use a password and automatically log in when you type your ssh command, but by using keys you can virtually eliminate people being able to use a brute force password attack to break in to your computer/server!

First, generate your key set.  The following command will generate a private and a public key.  The public key can be placed on any server you want SSH key access to.  You can just send the public key to anyone who has the capabilities (both the know-how and authorization) to install it in the correct location on the computer/server you’d like to connect to.  The private key on your computer will then be able to match with your public key on any computer that the public key has been installed on!  No passwords needed for connection!

Generate the keys:

$ssh-keygen -t rsa


Feel free to use an empty password when you are prompted; just hit the “Enter” button and then confirm by hitting the “Enter” button again. This password is only used when physically using your computer to initiate a SSH session. For most people, having a password to initiate a SSH from their computer becomes more of a hassle than it’s worth. However, if you anticipate someone else using your computer, and you’d like to prevent them from easily using SSH to remotely login to servers that you’ve installed SSH keys on, then it would be advised to enable a password for your SSH sessions.

Looking in your

~/.ssh


folder reveals the following:

$ls ~/.ssh
id_rsa  id_rsa.pub  known_hosts


The “id_rsa.pub” file is your public key file. This is the file that can be transferred to other computers to enable password-free SSH capabilities on those computers.

Now that we have our keys, we need to transfer the public key to the server. Assuming you have administrative privileges for the server, there are two options for putting the public key on the server. If it’s the first key, we can use the following command:

$ssh-copy-id username@remotecomputeraddress


That will not only copy the public key from the computer to the server, but it will also create the proper directories if they don’t already exist on the server.

Otherwise, if you have the appropriate permissions, you can also use the following command to append your public key to an existing “authorized_keys” file on the server:

cat ~/.ssh/id_rsa.pub | ssh username@remotecomputeraddress 'cat >> .ssh/authorized_keys'


But, in order for the value of SSH keys to be fully realized, the destination computer/server should have password authentication disabled.  Doing so means that only computers with authorized SSH keys will be allowed access

I’m using SSH keys to lock down my home Synology server.  To do this, I SSH’d into the Synology as user “root”, since “root” is the only user authorized to make system changes.

$ssh root@SynologyIPaddress


By default, Synology only seems to have the text editing program “vi”. Let me tell you, it is NOT intuitive how to use it.  For example, to delete characters, you have to use the ‘x’ key!  Luckily the University of Washington has a nice tutorial on how to use “vi” for editing documents.

$vi /etc/ssh/sshd_config


Once you’re in the file, remove the “#” from in front of the two lines shown below AND change “yes” to “no” in the line “PasswordAuthentication”.  Then, be sure to save the file.
samb@Mephistopheles: ~_018

After quitting (don’t forget to save changes!), we need to restart the SSH service. I ended up doing this via the GUI since some of the common command line suggestions for restarting SSH didn’t work.

Now, when trying to SSH in, you’ll only be allowed in if you’re doing trying to do so from an authorized computer that has a public key installed on the server. On that note, it would be prudent to backup your private key so that if your computer dies, you’ll still be able to authenticate with the remote computer by installing your private key on a new client computer.