Secure Shell (SSH)

To use the HPC systems at NHR@FAU, you have to log into a cluster frontend via an SSH (Secure Shell) client. For all HPC accounts created via the HPC portal, which in particular includes all NHR project accounts, the use of SSH public key authentication is mandatory. Password-based authentication is only possible for some legacy accounts and will be phased out eventually.

Basics

SSH provides an encrypted connection to a remote host. It can be used for shell (command line) access but also for file transfers. Furthermore, other communication protocols can be "tunneled" through SSH.

Under Linux, iOS, and recent Windows 10 versions, a command-line SSH client is pre-installed and available via Terminal/Console/PowerShell. If you want to have a graphical user interface, you can use third-party clients like MobaXterm (Windows). We do not recommend using PuTTY due to limitations in the available SSH configuration. See the section on SSH for an overview.

Simple usage for login

Connecting to a remote host in order to get a shell there works as follows:

ssh UserName@HostName

When connecting to a remote host for the first time, the client will ask you to validate a host key fingerprint in order to ensure that you are actually connecting to the correct host. The host keys and fingerprints of the publicly accessible hosts at NHR@FAU are listed on the respective cluster documentation pages.
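The fingerprint comparison described above can also be done offline on a host key line, for example one printed by ssh-keyscan or stored in known_hosts. The following Python code is an added example, not part of the NHR@FAU documentation: it derives the SHA256 fingerprint in the form OpenSSH prints it and compares it with a published value. The host name frontend.example.org and the key bytes are constructed sample data, and the function names are chosen here for illustration.

```python
import base64
import binascii
import hashlib
import struct


def key_blob(line: str) -> bytes:
    """Extract the wire-format key blob from a '[host] keytype base64 [comment]' line."""
    fields = line.split()
    for name, b64 in zip(fields, fields[1:]):
        try:
            blob = base64.b64decode(b64, validate=True)
        except (binascii.Error, ValueError):
            continue
        # The blob starts with a length-prefixed copy of the key type name;
        # requiring both to agree rejects truncated or mislabelled lines.
        if len(blob) >= 4:
            (n,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + n] == name.encode():
                return blob
    raise ValueError("no consistent 'keytype base64' pair found")


def fingerprint(line: str) -> str:
    """SHA256 fingerprint as OpenSSH prints it: unpadded base64 of the digest."""
    digest = hashlib.sha256(key_blob(line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def matches_published(line: str, published: str) -> bool:
    """Compare the offered key with a fingerprint copied from the documentation."""
    return fingerprint(line) == published.strip()


def constructed_ed25519_line(host: str, raw: bytes) -> str:
    """Build a sample host key line (constructed test data, not a real host key)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


if __name__ == "__main__":
    offered = constructed_ed25519_line("frontend.example.org", bytes(range(32)))
    published = fingerprint(offered)  # stands in for the value on the cluster page
    print(published, matches_published(offered, published))
    # A different key for the same host name must not be accepted.
    other = constructed_ed25519_line("frontend.example.org", bytes(32))
    print(matches_published(other, published))
```

A mismatch means the key offered by the server is not the one that was published, and the connection should not be accepted until the difference is explained.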

Copying data

All OpenSSH distributions on Linux, Mac, and current Windows 10 versions support secure file transfers. With MobaXterm you can use "drag and drop" in the GUI, and WinSCP is entirely GUI-based anyway.

For all command-line based options, secure copy from the local host to the remote host works as follows:

scp filename(s) UserName@HostName:remote_directory

This will copy the local file(s) filename(s) to the directory remote_directory on the remote system. If remote_directory is a relative path, the target is $HOME/remote_directory. The target directory must exist prior to the copy attempt. Keep in mind that at NHR@FAU, nearly all available file systems are mounted on all frontends (see File Systems documentation). It is therefore sufficient to copy data to only one frontend, e.g., csnhr.nhr.fau.de.

The other direction works in a similar way:

scp UserName@HostName:remote_directory/filename(s) target_directory

Wildcards (*, ?) can be used on the remote side but must be escaped from the local shell, e.g.:

scp hpcuser@csnhr.nhr.fau.de:docs/diss_\*.tex .

The command line option -r can copy subdirectories recursively, and the option -p will preserve modification times and access rights.

For WinSCP, it is possible to choose from different file transfer protocols, mainly scp and sftp. A comparison can be found on the WinSCP website. Especially for large files, scp is usually much faster; however, the transfer cannot be resumed.

For more complex file transfers or a larger number of files, we recommend using rsync. It provides more extensive functionality than scp, e.g., resuming file transfers, excluding specific files, or checking if files already exist at the destination. It is, however, only available for Linux and Mac.

SSH supports two basic ways of authentication: passwords and public/private key pairs.

Password authentication

With password-based authentication, when connecting to a host via SSH you have to provide a username and a password. This method is only available to legacy accounts at NHR@FAU and will be disabled in the foreseeable future.

Public/private key pair authentication

A key pair consists of two parts (which are essentially long numbers): a public key and a private key. Data that was encrypted with one of the keys can only be decrypted with the other. How to generate a public/private key pair is described in the section on Connecting with SSH. The key pair can be used for secure authentication without a shared secret (i.e., a password).

When the key pair has been set up, the SSH client will not ask for a password but for a passphrase instead. The passphrase is used to decrypt the private key, after which authentication can take place without having to provide a password. Once authentication is done, your SSH client and the server will set up an encrypted connection.

There are a couple of default keys the client will try. With OpenSSH under Linux, keys are stored in your ~/.ssh folder, but other implementations may have other default locations. In order to select a specific key for a connection, you can specify it on the command line:

ssh -i /Path/To/PrivateKeyFile UserName@HostName

In this case, /Path/To/PrivateKeyFile will be used instead of the default private key.

Problem resolution

If an SSH connection fails, it is often useful to add the option -v or even -vvv (for more verbosity) to the SSH command line. If you are in contact with NHR@FAU support, they will most likely ask you to provide the diagnostic output you get with -vvv.