
Using SSH

SSH stands for secure shell. It is a protocol that allows you to connect remotely to our HPC login nodes and interact with our services via the command-line. It is the primary way that most people use our services.

Tip

If you are unfamiliar with SSH and have some time, you might want to check out this LinkedIn Learning overview series.

Commonly accessed servers

# SSH connection command to access the HPC login nodes:
$ ssh USERNAME@hpc-login.rcc.fsu.edu

# SFTP connection command to access storage export servers:
$ sftp USERNAME@export.rcc.fsu.edu

SSH from Windows, Mac, or Linux

All modern operating systems (Mac, Windows, Linux) allow you to use SSH directly from the command-line. Locate and run the Terminal (Mac/Linux) or Command Line (Windows) application, and use the syntax above to connect to our systems. To disconnect, type exit.

For example:

$ ssh abc12a@hpc-login.rcc.fsu.edu

Welcome to the RCC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
RCC/HPC Documentation can be found here:
https://rcc.fsu.edu/docs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Last login: Tue Aug  9 10:30:25 2022 from 196.168.1.1


** Disk usage (GPFS) quota report: 10.01G used of 135G available
For a disk quota report, run: gpfs_quota


[abc12a@h22-login-24 ~]$ 

Using graphical programs with SSH

Note

For anything besides trivial graphical usage, we recommend using Open OnDemand, our web-based portal to the HPC.

Graphical SSH from Linux

To invoke a graphical SSH connection from a Linux workstation, add the -Y option to the SSH command:

$ ssh -Y abc12a@hpc-login.rcc.fsu.edu

Graphical SSH from Mac

To invoke a graphical SSH connection from a Mac workstation, you will need to start the XQuartz app (bundled with recent versions of OSX). Then, open the Terminal app, and use the same syntax as connecting from Linux:

$ ssh -Y abc12a@hpc-login.rcc.fsu.edu

Graphical SSH from Windows

Although basic SSH functionality is supported out-of-the-box in modern versions of Windows (v10 or newer), if you want to use interactive programs with a graphical user interface over SSH on Windows, we recommend MobaXTerm.

MobaXTerm is a simple but powerful SSH client for Windows that includes graphical support. It comes in both free and paid editions. The software features a built-in X11 Windows server which is required for using graphical applications on the HPC. A detailed demonstration for how to use MobaXTerm is available on the vendor's website.

Using SSH keys

By default, when connecting via SSH to our resources, you use your RCC password to log in. However, there is a more secure and potentially more convenient way to log in. To use SSH keys, you must create a keypair, which consists of two files: a private key and a public key. You upload the public key to our servers to identify yourself, and you keep the private key on your computer.

Warning

Never share your private SSH key with anyone, including RCC staff.

Setting up a keypair

Note

If you are using Windows, you will need to use Windows Powershell to complete the following steps.

If you have MobaXTerm installed, you can use this procedure to set up a keypair.

Before using SSH keys, you must generate a keypair. You can do this by opening up the Terminal (Mac/Linux) or Powershell App (Windows) and then typing the following command:

$ ssh-keygen -t rsa

Once you type this command, you will see a message similar to the following:

Enter file in which to save the key (/home/YOU/.ssh/id_rsa):

You can now press Enter to continue. Then, you will see:

Enter passphrase (empty for no passphrase):

You may enter a passphrase, but this is optional. If you enter a passphrase, you will be required to enter it before using your private key to connect to the server. This is not the same as password authentication; the passphrase is used to unlock your private key, and it is never transferred across the network. The benefit of using a passphrase is that it protects your private key if anybody ever gets access to the file.

Once you complete these steps, you should see something similar to the following:

Your identification has been saved in /home/YOU/.ssh/id_rsa.
Your public key has been saved in /home/YOU/.ssh/id_rsa.pub.
The key fingerprint is:
4a:dd:0a:c6:35:4a:3f:ed:24:38:8f:74:44:4d:93:63 YOU@a
The key's randomart image is:
+--[ RSA 2048]----+
|          .oo.   |
|         .  o.E  |
|     + .     o   |
|     . = = .     |
|      = = .      |
|     o + S = +   |
|      . o + o .  |
|           . o   |
|                 |
+-----------------+

This creates two files on your computer: a public key (stored in ~/.ssh/id_rsa.pub) and a private key (~/.ssh/id_rsa).

Copying your public key to the server

Once you have created a keypair, you will now need to copy your public key to the RCC server. The following command reads your public key into memory and transfers it over SSH to the correct location in your home directory.

$ cat ~/.ssh/id_rsa.pub | ssh USERNAME@hpc-login.rcc.fsu.edu "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

You will be prompted for your RCC user account password when you run this command. Once the command completes, however, you should be able to log in to the server using your key instead of a password. Try it:

$ ssh USERNAME@hpc-login.rcc.fsu.edu

If you specified a passphrase, you may be prompted for that. If you did not, you should be automatically logged in.

By the way...

Because most of our public-facing systems use a shared filesystem, you will be able to use your private key to connect to most RCC systems (HPC, parallel storage, archival storage).
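The copy command above appends the key every time it is run and leaves file permissions to the server's umask; sshd's default StrictModes check ignores an authorized_keys file that other users can write to. The following is an added example, not an RCC tool: a hypothetical helper, install_pubkey, that could be run on the login node to add a key once and set owner-only permissions.

```shell
#!/bin/sh
# install_pubkey PUBKEY_FILE [HOME_DIR]
# Hypothetical helper (not an RCC tool): appends a public key to
# HOME_DIR/.ssh/authorized_keys only if it is not already listed, and
# sets the owner-only permissions that sshd's StrictModes check expects.
install_pubkey() {
    pubkey_file=$1
    home_dir=${2:-$HOME}
    ssh_dir=$home_dir/.ssh
    auth_file=$ssh_dir/authorized_keys

    # Refuse a private key file: only the .pub half belongs on the server.
    if grep -q 'PRIVATE KEY' "$pubkey_file"; then
        echo "refusing: $pubkey_file looks like a private key" >&2
        return 1
    fi

    # Take the first line that looks like an OpenSSH public key.
    key_line=$(grep -E '^(ssh-|ecdsa-)' "$pubkey_file" | head -n 1)
    if [ -z "$key_line" ]; then
        echo "no public key found in $pubkey_file" >&2
        return 1
    fi

    # Directory 700 and file 600: readable and writable by the owner only.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1

    # -x whole line, -F fixed string: skip the append if already present.
    if ! grep -qxF -e "$key_line" "$auth_file"; then
        printf '%s\n' "$key_line" >> "$auth_file"
    fi
}
```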

Server Signature reference

The first time that you connect to our systems, your client will ask you to confirm the host key. This is a security measure to prevent man-in-the-middle attacks. All of our public-facing systems expose the same RSA, DSA, and ECDSA keys. You can check the host key against the reference below to ensure that you are connecting to one of our servers:

MD5 Signatures

2048 MD5:c0:6a:38:02:ee:ec:a1:4b:65:2a:c1:c2:f9:0a:9e:91 (RSA)
256 MD5:b6:77:3f:69:39:0c:9b:e3:51:9e:73:31:a3:64:83:3f (ECDSA)
256 MD5:b0:90:b1:1f:31:fb:4b:fa:be:97:e2:82:90:f6:f9:e3 (ED25519)
1024 MD5:42:e6:e9:8b:73:27:44:3f:5d:2e:5f:04:43:1d:35:a5 (DSA)

SHA256 Signatures

2048 SHA256:al+ouqhHedLLmtLrCu/Wr3k/u6FTDaCtfKv03gLkWoc (RSA)
256 SHA256:9zOowqoXMGNIGJ0gsCLJ5YmMxk37HOikhsRrGvapU6s (ECDSA)
256 SHA256:OdDmdK7PRmQXgwOpVbWWC/EPE1fg9H0mlsL0m3H9JKI (ED25519)
1024 SHA256:uClXRvMe8owMilTjhjdyM+TlvpFML9FGA53SWwtFwY4 (DSA)

Connection Problems?

The most common connection problem is for off-campus access. For security reasons, you must use the FSU VPN to connect to any of our systems from off-campus. See our documentation for how to use the VPN.

Changed Host Keys

Very occasionally, we change the SSH keys for our systems. In the past, this occurred fairly often, but in August 2016, we implemented consistent server signatures.

When this happens, you will see a message similar to the following:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
------------------------(RSA key)
Please contact your system administrator.
Add correct host key in /home/USER/.ssh/known_hosts to get rid of this message.
Offending key in /home/USER/.ssh/known_hosts:19
RSA host key for 'my IP' has changed and you have requested strict checking.
Host key verification failed.

You will need to do the following:

  1. remove and re-add the identification key, and
  2. verify that you are actually connecting to the correct host.

Remove and re-add the identification key

You will need to manually remove the host key on the client before you attempt to reconnect. Take note of the following line in the warning output in the message above:

Offending key in /home/USER/.ssh/known_hosts:19

Open the known_hosts file in your favorite text editor (hint: it's a hidden file), and remove the "offending" line. In this example, you would open /home/USER/.ssh/known_hosts and delete line 19.

Ensure that you are actually connecting to the correct host.

When you attempt to reconnect, you should see a message similar to the following:

$ ssh USERNAME@hpc-login.rcc.fsu.edu
The authenticity of host 'hpc-login.rcc.fsu.edu (144.174.80.99)' can't be established.
RSA key fingerprint is c0:6a:38:02:ee:ec:a1:4b:65:2a:c1:c2:f9:0a:9e:91.
Are you sure you want to continue connecting (yes/no)?

BEFORE you approve the request to connect, ensure the host key shown in the message matches one of our published server keys in the above Server Signature Reference section of this document.

If it does not, please abort the connection attempt (Ctrl + C on most systems), and contact RCC support.
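The fingerprint comparison from the Server Signature reference and the two Changed Host Keys steps can be scripted so that known_hosts is only updated after every offered key matches a published SHA256 fingerprint. This is an added example, not RCC tooling; the function names fingerprints_trusted and refresh_host_key are hypothetical, and the fingerprints are the ones listed on this page.

```shell
#!/bin/sh
# SHA256 fingerprints published in the Server Signature reference above.
RCC_SHA256_FPS='SHA256:al+ouqhHedLLmtLrCu/Wr3k/u6FTDaCtfKv03gLkWoc
SHA256:9zOowqoXMGNIGJ0gsCLJ5YmMxk37HOikhsRrGvapU6s
SHA256:OdDmdK7PRmQXgwOpVbWWC/EPE1fg9H0mlsL0m3H9JKI
SHA256:uClXRvMe8owMilTjhjdyM+TlvpFML9FGA53SWwtFwY4'

# fingerprints_trusted: reads `ssh-keygen -l` output on stdin, one key per
# line as "<bits> <fingerprint> <comment> (<type>)". Succeeds only if at
# least one key was offered and every offered fingerprint is published.
fingerprints_trusted() {
    seen=0
    while read -r _bits fp _rest; do
        [ -n "$fp" ] || continue
        seen=$((seen + 1))
        if ! printf '%s\n' "$RCC_SHA256_FPS" | grep -qxF -e "$fp"; then
            echo "UNPUBLISHED host key fingerprint: $fp" >&2
            return 1
        fi
    done
    [ "$seen" -gt 0 ]
}

# refresh_host_key HOST [KNOWN_HOSTS]: hypothetical wrapper for the two
# steps above. Needs network access and OpenSSH's ssh-keyscan/ssh-keygen.
refresh_host_key() {
    host=$1
    known_hosts=${2:-$HOME/.ssh/known_hosts}
    scanned=$(mktemp) || return 1
    # Fetch the keys the server currently offers (known_hosts format).
    ssh-keyscan "$host" > "$scanned" 2>/dev/null
    if ssh-keygen -l -E sha256 -f "$scanned" | fingerprints_trusted; then
        # Step 1: drop the stale entry, then add the verified keys.
        ssh-keygen -R "$host" -f "$known_hosts" >/dev/null 2>&1
        cat "$scanned" >> "$known_hosts"
        status=0
    else
        echo "Not updating $known_hosts; contact RCC support." >&2
        status=1
    fi
    rm -f "$scanned"
    return "$status"
}
```

After sourcing the file, run `refresh_host_key hpc-login.rcc.fsu.edu`; a non-zero exit status means the scanned keys did not all match and known_hosts was left untouched.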