Welcome back. So now we hand it off to Enrico and Thomas to talk about SSH. So SSH is one of these things that since I learned how to use it well, so many things became so much smoother. So I hope they can sort of introduce you to some of the really interesting things and how nice they can be to connect to other remote computers. With that said, go ahead. Yeah, we will essentially give a short demo on how to connect to, in this instance, Triton, but it's applicable to any remote system that you can SSH to. In general, on these systems, what we are doing is we need to connect to them most of the time via a command window, so either Command Prompt on Windows or your terminal on Linux or Mac. And nowadays, essentially all operating systems do have installations of some kind of OpenSSH or some kind of secure shell client. And nowadays, even Windows has it, and we are going to show it actually on a Windows system to show you how to connect to the Triton cluster. Enrico, if you could essentially, if you could just try to connect to Triton, so SSH to Triton. Yeah, so just to give a recap, this is a Windows machine and specifically this is an Aalto Windows machine. It's the first time I'm using it. So some people here are in the same situation, and I started this command prompt, which you start with the start menu and then type cmd, for example. I already started it, so we don't need a new one. And so what you want me to do now is to connect to a server, right? Yeah, it's essentially SSH. Since you are on an Aalto machine, you won't need to add your username because it's the same, your username is the same on Triton. But if people are not on an Aalto machine or on their university machine, let's put the username there. So this command is simply username at host that you want to connect to, and ssh in front. So use the SSH slide to connect this user to the host. To that host.
Yeah, so in my case my username is Eglirian and triton.aalto.fi is the name of the host of the remote node, and now I press enter and it says that the authenticity of this remote host can't be established. This is because it's the first time. And we can even check that the fingerprint is the same, and yeah, it is the same. So am I sure? I need to explicitly type yes. And now I need my password and I'm connected. Yeah, okay. So now we would be on Triton, and every time we want to do something on Triton, we would have to, well, restart or re-enter our credentials, which is to some extent annoying. So what we will do is we will simply create a key, called a secure shell key, that can be used instead of using your password. Essentially, like at home, if you would have a passkey at your door instead of a lock, or instead of a key lock, yeah, you would have to type in the password. Now we change this so that we have a key that can actually open that door. So on Windows, this is essentially, yeah, on Windows the same as Linux and Mac, the command to generate a new key is ssh-keygen. And yeah, you can use the default information that will create the id_rsa key in the .ssh folder of your profile, and the command that you see in the browser essentially gives some additional settings. Well, the -t rsa says what type of key we want to generate. We want to generate an RSA key. That's actually the default. -b is the number of bytes, or yeah, the byte size, bit size, I'm never sure, of the key, which I think by default is 3000 something; we will take a little bit larger key, and we want to store it in .ssh/id_rsa_triton because we want that key to be for Triton. There are different arguments about how many keys you should have and what are the best ways to do keys. Some people say, well, for each machine that you have, you use one key for everything, everywhere this machine can connect to.
The idea behind that is essentially to say, well, if I lose the machine, I will have to remove that key from all machines it can connect to, and then even if the machine is gone, there is no security anymore because the key can't log in anymore. That works normally quite well. We could also remove the 'triton' at the end. We could use the default key name. Since the example here sets a non-default name, we will just keep to that. You will see two environment variables being called here, USERPROFILE and USERNAME. These environment variables point to the places where, in this case, Windows looks for the user profile and therefore for the .ssh folder afterwards, when using .ssh. The username is simply your name. The -C in this command is simply a comment that is added to the key so that on the remote system, when we put the key onto the remote system, this comment will be added to the key, so that when we check what keys are added, we can quickly see that this is the key that we use here. Maybe we change that to 'triton example key for username' so that you can remove it later on without issue and can see it more easily. Should I change it? Well, let's keep it maybe so that it's like the example. In practice, for me, it doesn't hurt because I don't have that name in my folder. Even on the remote, it's not going to. Yeah, but that is added to your authorized_keys. Yeah. But 'triton key for username'. Let's hope you don't have another key with that comment. Yeah, no, exactly. That's what I mean. I don't think that's it. Okay. Then, yeah, you can simply run this command. So I press enter, now generating, and now. And it asks you for a passphrase. This should be a reasonably secure passphrase. Well, for now, take whatever you want. We won't see it. You can, in theory, not add a passphrase. That will create a key without a passphrase, which is also still perfectly valid.
It just leads to the situation that if you lose your computer or anyone gets access to your computer, they can read that key, they can use it. As long as it has a passphrase, they also need to know the passphrase. So it's a simple security question to add a passphrase to the key. Okay, now let's copy this over to Triton, which is, yeah. Okay. Deciphering this command for Windows, because it's not as easy on Windows as on other operating systems. So type essentially extracts the information from this file. What we did here before is we created two files that you could see. Your identification has been saved as id_rsa_triton. That's your private key. Your public key has been saved in id_rsa_triton.pub. So we want to take the public key, add it to the server so that with the public key, it can verify that your private key is correct, so that you are you. So type essentially extracts the information. This pipe symbol in the middle of the command pushes it to the next command. In the next command, we want to SSH to Triton and we want to get the information that we are pushing in and pipe it to the end of the .ssh authorized_keys folder. These double arrows indicate that it should be added to the end. If you only would have one, it would override whatever you have there. So be careful with this command. In general, you can see how useful it is to know or to understand the commands that you type on a terminal. It's okay if you're not familiar with the Linux terminal, with the shell terminal; we actually have on the page a kind of crash course video that you could actually look at before Thursday and Friday. But yeah, this type of one-liner, the more you work with this system, the more you will end up using this type of one-liner with nested commands. Unfortunately, well, for Linux and Mac, there is a specific command ssh-copy-id that does this type and pipe thing. But unfortunately on Windows, this is not available.
You can install, if you are an admin user on your Windows machine, you can install the Windows Subsystem for Linux. Then I think you have these commands as well. Then you can just follow the Linux tutorial in the end. But if you don't want to do that, yeah, you have to go there. Unfortunately, some corners that you have to walk around. Okay, so now. Yeah. And it will ask you for your password again, because, well, otherwise, we can't just add a key without knowing who actually wants to do this command. That would otherwise be very odd if that worked. So now we have our private key set up. We have the key added to Triton. And if you now try to log in with the SSH key. Actually, let's try to log in first. This is setting up the password manager. But let's try to log in first to see what happens now. It's asking for my password. Oh, yeah. Yes, of course, because we didn't specify. We didn't specify where we actually want to look for it. Okay. Yeah. So we have, if we jump over that, oh, it's actually further down. But we can set up the SSH. Yeah, that's true. We can, okay. Normally, if you have a key set up with a password on it, every time you log into your server, it will ask you for the password of that key. So we essentially replaced one password with another, which is somewhat annoying. What we can do, however, is we can add this password to an SSH password manager. And on Windows, you need to check whether the authentication agent is active or not. And if we can, well, we can check that now. So could you open the Services menu? Just, yeah, exactly. So I'm now starting it as an admin, which means I right-clicked; I first searched for it, I right-clicked, and then I click Run as administrator. At least many of you who got their Aalto laptop recently, you should also have administrator rights. And now we have the Services as an administrator. Let me quickly resize the window. Yep, it's a bit difficult with the tiny laptop screen.
But anyway, we need to look for that. But it seems like it's not showing it over Zoom. Oh, really, it doesn't show the Services. Maybe because I'm an administrator now. Okay. I can show it as myself. Now you should see it, right? No, still not. Zoom filters it out. All right, maybe they know that it might be a security thing. Yeah, probably. Okay, that we didn't test. So yeah, but okay, then you have to trust us that you have to. We will add some screenshots then to the page in this spot here for the Windows users. Of course, this is all for the dear Windows users. But so anyway, now I run it as a, you don't see it, but I'm telling you that I, doing what is said there, I open this Services. And then I right-click and Run as administrator. I type my admin password. And then point two is to scroll down and find this OpenSSH Authentication Agent, and you can see it for security. Security first. And then I found it. I then double-click on it. And now I have it as disabled. And I'm gonna put it as automatic (delayed start). Is that the best, maybe? Yeah. Yeah, doesn't matter. Maybe we'll need to now start it manually. So there should be, I think also an option to directly start that service. And I did. Okay, then that, in that, it's active. So then you can copy this ssh-add user, ssh-add command. Yeah, maybe I can type it. So okay, I have the impression that your share stopped, or is this you don't see me typing? No, I don't see you typing. Is it security first again? Do you see me typing now? No. Okay. You want to unshare and reshare? Maybe do you want to? Yeah, quickly share then. Go ahead. I can see if you want. Yeah. Yeah. Most likely when I switched to the administrator, it blocked the sharing. That's possible. Yeah. Okay. My Zoom actually froze. Okay. So maybe we tell them for this, you know, I have to do the only thing I can do is quit the Zoom and rejoin. All right. Okay. That was fun.
So you can see we really do this live, and now Enrico's properly frozen. Should we look at the questions and answers for HackMD? So, yeah, at least this time the whole internet didn't go down. Last time we gave this course, Amazon had some problem and the whole internet in Western Europe was down. Actually, I had a short hiccup with Twitch and was already thinking whether there's more problems than that. So, okay, what questions do we have? So the question, can we use any SSH client? And the answer to that is yes, any client works. We go over some general principles here and show it for certain clients, but many of the ideas here can be applied to other things as well. Should we go back to Enrico's screen share? Probably. So, okay. We have learned that if you are sharing your screen and become the administrator of your computer, Zoom stops working. So, it's also something that we've learned. But now I guess you see me typing, right? So, if I type .ssh\id_rsa_triton, right. So, now I'm adding this key that we generated earlier to the manager, to the authentication agent, right? Yeah. And now the passphrase. You have to add it once and now it's added. So, okay. Now, as we just noticed, if you want to SSH onto Triton, it will still ask us for a password because we haven't set up, well, two things about that. If you SSH to a remote system, SSH will check some default keys, key names. The default key names are id_rsa, id_ecdsa I think, and I think id_dsa if that is still accepted by the server. These three key names will be checked by default. If they are non-existent, it will try to log you in with a password, except if you tell it differently. So, in order to avoid having to write lots and lots of additional command line parameters, there is a really nice thing that you can set up for SSH, which is the config, which is a simple text file. So, we go over the proxy jump for now.
That is for that we might come back to it later, but for now we will hop over that. This, okay. For the config file, you need a file called config, not config.txt, but config, which is why in the example it creates it like this, which is a bit of a hack, which is essentially copying nothing into a file. The reason why it's done like that is, like this, you actually get a file without a file extension. If you use an editor for it, Windows tends to just add .txt to stuff, and then it doesn't work. So, yeah, let's create that file and use your favorite editor to edit it, as long as you make sure that it's saving it as config and not config.txt in the end. This could, for example, be Notepad or Notepad++ or, well, Notepad++ is probably the simplest or the nicest way to do it, because it's a bit more convenient than, I think you have to resize that. So, the file that we have is, well, saved in C:\Users\Eglirian\.ssh\config. So, File, Open. And now This PC, then Users, Eglirian, .ssh, config. And there's also the file that contains our known hosts. So, that's the key that we added for Triton earlier. That's our two SSH keys, the public and the private one. And this is the config. Currently, the config is empty. There's nothing in there. So, we want to make life easy for us. And the config file helps you in doing that. It can define hosts, which you can simply use with ssh afterwards. The host in that instance is the name that you need to type after ssh. So, if we define a host triton, we can connect to this host by saying ssh triton. We need to define a user, that is the username that you need for Triton. The host name in that instance is triton.aalto.fi. And that is the name that you would normally have to type in for ssh. So, in addition to this, we need to now say what identity file we want to use. And I'm not entirely sure at the moment whether the example in this instance is correct in that. Oh, it probably is not.
If you copy the identity file line here and instead of, well, yeah, copy it in. And here do a tilde slash dot ssh, no, tilde backslash, no, tilde slash dot ssh slash id_rsa_triton in front of it. Because I think I remember that I did the stupid thing of being in the right folder for it. And yeah. Like this, you mean? Yes. All right. So the command line, actually, the tilde. Yes. But SSH understands it. Exactly. I'm impressed. I didn't know. I'm pretty sure. Well, if it doesn't work, we will see. But I'm pretty sure it works. So what this does is that this tilde is normally the Linux indicator for your home directory. Your home directory is the same as your user profile in Windows, essentially. And from there, it should go into the .ssh folder and there the id_rsa_triton key. This should be used to identify against, or to identify for, Triton. So if you save this, I'm not sure if you already did that. Okay. And go back to the command prompt and now type ssh triton. Just triton without anything. Because that's the nickname that we gave. Because that's the host, the name we call this host. So let's see. Enter. It takes a bit of time because Triton sometimes takes a bit of time to log in. Checking the keys. Checking the keys. And in case someone might wonder why are we doing this, this is the single thing that you do most often when you work with HPC. I don't know how to tell how many times per day you would need to type your password. So it's absolutely, you know, you don't want to count the times across the years and realize that you spent one month typing passwords. So here we are. It works. We stored the password in the OpenSSH password manager. We have set up our Triton host and we can directly connect to it. Yeah. This is essentially what you need to do to connect to Triton.
There is the additional problem that if you are outside of the university network, either outside of the VPN or not on campus or not in the Aalto network, you can't directly connect to Triton. If you try this from outside the VPN and outside Aalto, you will just not be able to connect at all. There are a couple of general login servers that you can access from outside that you can use as so-called proxies. And the most commonly used one is kosh. And essentially you would have to follow the same instructions as for Triton to set it up for kosh as well. In addition, if you want to, in addition, SSH allows you to directly tell, okay, I don't want to first log onto that. So I don't want to manually first log onto the one server and then onto the other server. But directly telling, you can tell SSH directly that you want to do a proxy jump over that other server. So it will log into the other server and then onto Triton. That's what these two things essentially do. And again, you will need to modify the tilde slash SSH and so on. You can also show that from inside because you can log in from inside onto kosh if I'm not completely mistaken. From here, that I go to kosh. Yeah. Well, no, if you log out here, set up your config to also allow the login via kosh. Yeah. But then I need to copy the public key to kosh because now it's not there. That's true. Because it's a different kosh home folder. It's different than the Triton folder. Yes. But I guess, I mean, this was like, I can't stress again how much this will save hours and hours of your life because daily you will need it. So do you think now it's like, should I do the kosh thing, or do you want to do the show for the Linux slash Mac? I can also do the stuff for the Linux machine. You can check briefly if there's anything on HackMD. That's a good idea. There's a lot on HackMD. Is there anything that's not answered or that should get an additional answer? Or be highlighted?
I would want to mention like there was a good question there that if you think that you're only going to be using Triton a few times during the summer, do you really need these? And like the answer I posted there is that not necessarily. Of course, you can use the passwords, but it's a good idea to learn about these in a wider context as well. Because if you're going to be using, let's say, version control systems like version.aalto.fi or GitHub for storing your code, which is highly recommended because like then you will, they are amazing tools that everybody uses in software, like any software-related work. Like if you're going to work in any industry, you need to know about version control systems. They always use SSH keys for authentication because, well, that's the easiest way of doing it. You don't want to type your password. Your password is basically like your true name if you are from the Tales of Earthsea. People like you don't want to say your true name to everybody because they can misuse it. So like you definitely want to have it secret and hidden. So having SSH keys is a major boon in these kinds of fields as well, or using version control systems. Yeah. Complete agreement from my side. Okay. Since I have my machine set up locally, I will just use the VDI to demonstrate this for an Ubuntu system. For Mac, it's essentially exactly the same. So as we did it before, the first few steps are essentially almost the same. The only difference is that we don't need to specify the user profile. We don't need to specify the user profile by an environment variable, but we have the tilde here that essentially does this for us. And the way the username is being referenced is by the dollar sign, and the curly brackets here are necessary because this is in a string and should be represented as a string. So if I want to create the key, I will create one here. And I have my two keys created, id_rsa_triton and the Triton pub key.
Now, the same as before, I need to copy this over, and it's exactly the same on a Mac. And luckily, in contrast to Windows, we do have this ssh-copy-id, which copies the identity file. So the input, that's the -i. This file, it reads the key from the file that's given with the -i parameter and copies it over to Triton. I will demonstrate that I don't need to add my username here because since I'm on the VDI system, my username is already FaultD1. So that will be passed on and I now need to type my password. Okay, so that was added. If I try to connect now, I will have the same issue that... Oh, no, I don't because, yeah, Linux already checked this for me. It actually already works because Linux does add the SSH key to the... Yeah, which is actually set up here, that it's adding it. So I wouldn't need to run this command, but yeah, I will run it anyway so that it actually... Oh. You were logged in previously. Oh, yeah, I'm already logged in. Yep, stupid me. Can you, by the way, make the font a bit bigger? That was a question in the HackMD. Can you... Yes, I can try, wait. Yeah, can do. So that was essentially what I was prompted for before when I tried to connect. The rest is essentially exactly the same as on Windows. I can add a config file; in this case, I can directly nano the file and add my settings that I want to have here, like host triton. Let's do the Triton via kosh version here. So I now assume I'm not on campus. So I will create a host that connects to triton.aalto.fi and uses the proxy to connect to it. So this is triton.aalto.fi. The identity file is... Now I will add the proxy jump, which will be kosh, and so that the... Yeah, I don't need to add the username because the username is already there. So at home, I would add the username... We just edit so that it's the same. So we can have the username as my username. We have the host name kosh.aalto.fi, the identity file is still .ssh/id_rsa_triton, and that is it.
Okay, now I'm going back up because of course I don't have that key yet installed on kosh, so I also need to add that key to kosh. So what did I do wrong? Does anyone see what? Can you show the error again? It might be, maybe there's spaces and tabs or something like that. Oh no, uppercase, lowercase. Maybe it's User and not Username. Yeah, it's User. Yeah, you're right. But actually, I'm showing something else. We don't need the .aalto.fi anymore because we have already set up kosh as that this is kosh.aalto.fi. And probably, yeah, it tried to connect with the key, but that didn't work. So it asks me for my password. No, I hope I didn't type it wrong. And this is the reason why adding keys is so useful, that you don't type wrong passwords. Okay, so now if I would go to Triton, no, Triton via kosh, it will take one jump over kosh and go to Triton. I don't see that jump over kosh. But if, wait, is there, yeah. You can see where I was logging in from last time. Last time I was logging in directly from the VDI system. If I log out now and log back in, it tells me that I was last logged in from kosh.aalto.fi. So it even tells me that, yeah, my last login was routed via kosh. Yeah. And this is, there's one very, very small difference between Linux and Mac. And this is in setting up the ssh-add. So adding the key to the password manager. For a Mac, you need to use the Apple Keychain. And essentially on a Mac system, this additional keyword does exactly that. And that is the only difference that there is between Linux and a Mac machine. And yeah, you can then easily connect it. Yeah, Mac has its own automatic key manager. So whenever you log in, it will open this kind of agent, which can contain your software passwords or whatever, like stuff like that. And SSH can support or write to that same keychain if you give it this. If you give it this flag, then it puts it into your Apple Keychain and recreates it from there as well.
And now I will show two small hacks, small things that unfortunately only work so nicely on the Linux system. Because unfortunately, neither Windows nor Mac natively have a nice SFTP support. And that is actually connecting to data here. So I've set up my SSH, and SFTP is the secure FTP client. And Nautilus has an SFTP client that actually uses the config from the general SSH settings. So what I can do, and this is very convenient, I can directly SSH to the cluster. This will take a moment because we need to log in. But then I have Triton open. This is the root folder for Triton and my home folder would be somewhere in here. And I can remove that share again. And that makes at least smaller file transfers very, very easy. If you have really large stuff, I would still suggest to use things like rsync because they check if stuff was properly transferred. But if you have small things or need to modify a few files somewhere, this is a very convenient way to access the files and modify them. On Windows, you can mount the cluster files. There is also a tutorial about data storage where you can mount at least the work directory. Mm-hmm. Wasn't that on this header? I think it's in the remote workflows. Ah, no, it wasn't on the data storage. It was remote access to data. My mistake, sorry. So on Windows, you can access the, that's the work folder, which is essentially scratch. So data.triton.aalto.fi, then work, and your username will mount this folder, and you can do a similar thing. But there's no direct mount to your home folder, unfortunately. You can install things like SSHFS, which will allow you to essentially do the same that I just did, with Windows under Linux. And for Mac, this is also more of an issue. And I haven't found a good way to actually access the files on the Mac, but I'm not using Mac. So I didn't dig into too much detail there. And probably SSHFS is also possible there.
There are also other clients like MobaXterm and other clients that can do all kinds of stuff. So there was also somebody asking about PuTTY, and like there's SSH tools that you can use, but the system-based SSH is like the simplest to do, but yeah, there's alternatives as well. In general, I would say if you have some kind of shell or connection or some kind of shell that you are comfortable with, use it. That's fine. It's just we are showing it for what's installed on every, well, on every installation. So on the defaults without adding additional tools, because some people like the one tool, some people like the other, we don't have a real preference there because we mostly just go over the command line. Okay, let's see. Are there any more questions? Yeah, the best way to save the SSH passphrase, yeah, in your part, in the password manager, they will remember it. And the Windows client I think is essentially dependent on the security, is dependent on whatever your login password is, because that is I think used for that. And for Linux, it's the same with your credentials, with your login. Strong password. There isn't, wait, let's see if I can quickly find that. That is, yeah, this is I think a perfect example of what is a good password. Because, yeah, essentially, it's pretty simple, the longer the better. It can be something there. Well, okay, it shouldn't be one, one, one, one, one, one, one, one, one. But even 20 ones are potentially more secure than a short gibberish. Because as long as the attacker doesn't know that your password is 20, that the password has 20, or yeah, 20, has a length of 20, they would need to essentially, yeah, do a brute force attack. And yeah, one, one, one, one, one is as secure as anything else, as long as your attacker doesn't know about it, or know about details. Because at some point, after a certain length, the default password attacks are just not used anymore.
The problem with one, one, one, one, one is you type 20 ones, and you're not sure where, how many you actually typed in. So it will happen very often that you are at 19 ones, or at 21 ones. And yeah, it just won't work. Yeah, okay, removing the SSH key from Triton. Yeah, as mentioned, the authorized_keys. Actually, it would probably make sense for me to just remove mine again. But that I'll do probably later. So the place is in the .ssh, not .singularity. And then in the authorized_keys, there, it's listed. So my temporary key, this one, I would need to delete; use nano and delete it. Yeah, there was also like, somebody asked a pointed question that, like, we've been showing these keys, we're not like preaching security. And the main thing to remember with SSH keys is that the private key is the important one, like you don't show the private key to anyone. Like that's the one that gives you access. Like, if Thomas here shows the public keys with the authorized_keys, that only means that if you know that, you can only give access for Thomas to my other places. Like, you can just like, you can put that wherever you want, but you will just give Thomas more access. But like, in the current, like, as long as the key length is suitable, like in this case, like the 4,000 bits, you cannot reverse engineer the private key from the public key. And that is the point of the SSH keys. So you can give the public key to anybody and they will, they can give you access based on the public key. But like, if you keep the private key hidden, then they cannot like, decide for how the key works. It's an interesting base. Yeah, essentially, yes, you can crack the key. It just takes so long that probably humanity is almost dead by then. Maybe that will change if we get quantum computers and they guess the keys correctly in fast enough time. But that's a different question.
Once that problem is there, we might, we might need to reconsider some security things. Okay, should we take a break now for 10 minutes starting five minutes after the hour, and then we do the connecting to Triton. So what we do next is sort of another summary and the very, very minimum you need to do in order to take part in the course starting tomorrow, right? Is that correct? So see you in five minutes. Bye.
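Added example (editor's code, not something shown in the session): a small POSIX shell script that does, against a scratch directory standing in for the remote home folder, the three things the demo did by hand: appends a public key to authorized_keys with `>>` rather than `>` and refuses to duplicate it, removes a key again by the comment set with `ssh-keygen -C`, and writes the `~/.ssh/config` with the triton, kosh and Triton-via-kosh hosts. The key line, the comment text, the `triton-via-kosh` alias and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example: authorized_keys handling and the ~/.ssh/config from the
# session, run against a scratch directory instead of a real remote host.

# Constructed public-key line in OpenSSH authorized_keys format. The key
# material is a placeholder, not a real key. The third field is the comment
# that ssh-keygen -C attaches, which is what lets us find the key later.
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2E-PLACEHOLDER-NOT-A-REAL-KEY triton-example-key-for-username'

# Append one public key to an authorized_keys file, as the
# `type key.pub | ssh user@host "cat >> .ssh/authorized_keys"` one-liner
# does, but only if the same key material (field 2) is not already there.
# Note the '>>': a single '>' would replace every key already in the file.
# Lines with option prefixes (from=..., restrict) are not handled here.
# Returns 0 when appended, 1 when the key was already present, 2 on bad input.
ak_add() {
    file=$1
    pubkey=$2
    material=$(printf '%s\n' "$pubkey" | awk '{ print $2 }')
    if [ -z "$material" ]; then
        echo "ak_add: malformed public key line" >&2
        return 2
    fi
    if [ -f "$file" ] && awk -v m="$material" '$2 == m { found = 1 } END { exit found ? 0 : 1 }' "$file"; then
        return 1
    fi
    printf '%s\n' "$pubkey" >> "$file"
    chmod 600 "$file"   # sshd ignores the file if it is group/world writable
}

# Remove every key whose comment equals the given text: the "delete it from
# authorized_keys later" step that the -C comment is meant to make easy.
# Prints the number of lines removed.
ak_remove_by_comment() {
    file=$1
    comment=$2
    if [ ! -f "$file" ]; then
        echo 0
        return 0
    fi
    before=$(wc -l < "$file" | tr -d ' ')
    tmp="$file.tmp.$$"
    # Fields 1 and 2 are key type and key material; whatever follows is the comment.
    awk -v c="$comment" '
        { rest = $0; sub(/^[^ ]+ +[^ ]+ */, "", rest) }
        rest != c { print }
    ' "$file" > "$tmp"
    chmod 600 "$tmp" && mv "$tmp" "$file"
    after=$(wc -l < "$file" | tr -d ' ')
    echo $((before - after))
}

# Write the client config discussed in the session into DIR/config (no file
# extension): a direct host, the kosh login server, and a host that reaches
# Triton through kosh with ProxyJump. The keyword is User, not Username.
write_ssh_config() {
    dir=$1
    user=$2
    mkdir -p "$dir" && chmod 700 "$dir"
    cat > "$dir/config" <<EOF
Host triton
    User $user
    HostName triton.aalto.fi
    IdentityFile ~/.ssh/id_rsa_triton

Host kosh
    User $user
    HostName kosh.aalto.fi
    IdentityFile ~/.ssh/id_rsa_triton

# From outside the campus network or VPN: ssh triton-via-kosh
Host triton-via-kosh
    User $user
    HostName triton.aalto.fi
    IdentityFile ~/.ssh/id_rsa_triton
    ProxyJump kosh
EOF
    chmod 600 "$dir/config"
}

# Demo against a scratch directory standing in for the remote home folder.
demo=$(mktemp -d)
ak_add "$demo/authorized_keys" "$SAMPLE_PUBKEY" && echo "key appended"
ak_add "$demo/authorized_keys" "$SAMPLE_PUBKEY" || echo "already present, not duplicated"
write_ssh_config "$demo/.ssh" "username"
echo "removed $(ak_remove_by_comment "$demo/authorized_keys" triton-example-key-for-username) key(s)"
rm -rf "$demo"
```

On a real cluster the same functions would run on the remote side, which is why the `>>` one-liner pipes the key through ssh; the `ssh-copy-id` command from the Linux part of the demo performs the append for you.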