Customer Service: SSH-Passthrough
 

There are two basic approaches to transferring files in and out of the Columbia Enclave:

    Attended
    • Initiate the data transfer from Columbia: simplest and fastest, but a remote firewall is a showstopper.
    • SSH Passthrough: a convenient, but potentially slow, way of transferring data into a Columbia node.
    Unattended
    • NAS DMZ: fast and simple; but data-staging adds intermediate step(s).
    • Secure Unattended Proxy (SUP)
This tutorial steps through the process of establishing SSH Passthrough between a sample local host and Columbia. For each step, the command output is shown in the text boxes, with some verbiage (like warning banners) truncated for brevity. Notes after steps 3, 5 and 7 cover special cases where the NAS login is different from that on the local machine or there are multiple machines from which you are accessing Columbia.


SSH-Passthrough

The steps below establish SSH-Passthrough between a local host (bama.arc.nasa.gov) and Columbia.

First, set up Public Key Authentication:

  1. Generate the private/public key pair. The passphrase should comply with NASA password requirements. Note that if you forget the passphrase, it cannot be recovered; you will need to generate a new key pair.

    bama> ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (/export/home/user/.ssh/id_rsa): 
    Enter passphrase (empty for no passphrase): 
    Enter same passphrase again: 
    Your identification has been saved in /export/home/user/.ssh/id_rsa.
    Your public key has been saved in /export/home/user/.ssh/id_rsa.pub.
    The key fingerprint is:
    69:c1:50:29:2b:1f:5c:e7:fe:96:ff:99:26:a6:86:06 user@bama

  2. Convert the public key to a format ('SECSH') usable by the commercial SSH package on the SFEs:

      bama> cd ~/.ssh
      
      bama> ssh-keygen -e -f id_rsa.pub > id_rsa2.pub

  3. Copy the commercial-SSH key to your .ssh2 directory on sfe1 (or sfe2):

        bama> scp ~/.ssh/id_rsa2.pub sfe1.nas.nasa.gov:~/.ssh2/.
        
        ---------------------------------------------------------------- 
        WARNING! This is a US Government computer. This system is for 
        ----------------------------------------------------------------
        
        Plugin authentication
        
        Enter PASSCODE: 
        
        Authenticated with partial success.
        
        user@sfe1.nas.nasa.gov's password: 
        
        id_rsa2.pub          100% |*****************************|   330       00:00 

        NOTE: When NAS login is different from that on the local machine, replace 'sfe1.nas.nasa.gov' with 'user@sfe1.nas.nasa.gov', where 'user' is your NAS username.

        NOTE: If there are multiple machines from which you are accessing Columbia, rename the commercial ssh key on the remote end to include your hostname. (This way, key files will be unique to the host and not get overwritten.) So the above command would be:
         
        bama> scp ~/.ssh/id_rsa2.pub sfe1.nas.nasa.gov:~/.ssh2/id_rsa2_bama.pub

  4. Log in to sfe1, preferably from a second terminal window, cd to .ssh2, and include a reference to the public key in the authorization file:

        bama> ssh sfe1.nas.nasa.gov
        
        ---------------------------------------------------------------- 
        WARNING! This is a US Government computer. This system is for
        ----------------------------------------------------------------
        
        Plugin authentication
        
        Enter PASSCODE: 
        
        Authenticated with partial success.
        
        user@sfe1.nas.nasa.gov's password: 
        
        ---------------------------------------------------------------- 
        WARNING! This is a US Government computer. This system is for 
        ----------------------------------------------------------------
        
        user@sfe1 user $ cd .ssh2
        
        user@sfe1 .ssh2 $ echo "Key   id_rsa2.pub" >> authorization

        NOTE: If there are multiple machines from which you are accessing Columbia, your commercial ssh key file should already include your hostname. So the last command above would be:
         
        user@sfe1 .ssh2 $ echo "Key id_rsa2_bama.pub" >> authorization

  5. Copy your OpenSSH public key to columbia, by first copying it to sfe1...

        bama> scp ~/.ssh/id_rsa.pub sfe1.nas.nasa.gov:. 
        	
        ---------------------------------------------------------------- 
        WARNING! This is a US Government computer. This system is for 
        ----------------------------------------------------------------
        	
        Plugin authentication
        	
        Enter PASSCODE: 
        
        Authenticated with partial success.
        
        user@sfe1.nas.nasa.gov's password: 
        
        id_rsa.pub    100% |*****************************|   223    00:00

        NOTE: When NAS login is different from that on the local machine, replace 'sfe1.nas.nasa.gov' with 'user@sfe1.nas.nasa.gov', where 'user' is your NAS username.

        NOTE: If there are multiple machines from which you are accessing Columbia, rename the OpenSSH key on the remote end to include your hostname. So the above commands would be:
         
        bama> scp ~/.ssh/id_rsa.pub sfe1.nas.nasa.gov:id_rsa_bama.pub
        user@sfe1 $ scp ~/id_rsa_bama.pub columbia:.

             ...and then from sfe1 to columbia:

        user@sfe1 $ scp ~/id_rsa.pub columbia:.
        	
        ---------------------------------------------------------------               
        * * *  W A R N I N G     W A R N I N G * * *         
        U.S. GOVERNMENT COMPUTER   
        ---------------------------------------------------------------
        
        user@columbia's password: 
        
        id_rsa_bama.pub           100%  223     0.2KB/s   00:00 

  6. Append the public key to your authorized_keys file on columbia:

        user@sfe1 $ ssh columbia "touch ~/.ssh/authorized_keys;\cat id_rsa.pub >> ~/.ssh/authorized_keys"

             Permission on authorized_keys should be 600.

             If you receive an error that there is no such file or directory, it probably means the .ssh directory does not yet exist
             on columbia. So create it, and then re-execute the above command:

        user@sfe1 $ ssh columbia "mkdir ~/.ssh"

        NOTE: If there are multiple machines from which you are accessing Columbia, your OpenSSH key file should already include your hostname. So the above command would be:
         
        user@sfe1 $ ssh columbia "touch ~/.ssh/authorized_keys;\cat id_rsa_bama.pub >> ~/.ssh/authorized_keys"

                Public Key Authentication should now be set up from bama to sfe1 to columbia; so we just need to define the proxy
                command to establish the passthrough.

  7. Add the proxy command below to ~/.ssh/config on your localhost. Use an editor, or simply paste this block on the command line:

        bama> cat <<CONFIG >> ~/.ssh/config
        Host columbia.nas.nasa.gov cfe1.nas.nasa.gov cfe2.nas.nasa.gov cfe3.nas.nasa.gov
        ProxyCommand ssh -p 24 sfe1.nas.nasa.gov ssh-proxy %h
        CONFIG

        NOTE: When NAS login is different from that on the local machine, replace 'sfe1.nas.nasa.gov' with 'user@sfe1.nas.nasa.gov', where 'user' is your NAS username.

  8. Verify that SSH Passthrough has been set up correctly by logging in to columbia. It is helpful to first invoke an ssh authentication agent and add your private key to it, allowing you to enter your passphrase only once during the session.

        bama> ssh-agent csh
        	
        bama% ssh-add
        	
        Enter passphrase for /export/home/username/.ssh/id_rsa: 
        	
        Identity added: /export/home/username/.ssh/id_rsa (/export/home/username/.ssh/id_rsa)
        	
        bama% ssh columbia.nas.nasa.gov
        	
        ---------------------------------------------------------------- 
        WARNING! This is a US Government computer. This system is for 
        ----------------------------------------------------------------
        	
        Authenticated with partial success.
        	
        Plugin authentication
        	
        Enter PASSCODE: 
        	
        ----------------------------------------------------------------------               
        * * *  W A R N I N G     W A R N I N G * * *                         
        		U.S. GOVERNMENT COMPUTER   
        ----------------------------------------------------------------------  
        	
        Last login: Wed Sep 20 10:44:00 2006 from sfe1.nas.nasa.gov
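
Added example (not part of the original NREN tutorial): steps 2 through 6 carry one public key through two file formats and two hosts, so before trusting the entries in authorization and authorized_keys it is worth confirming that the SECSH file and the OpenSSH file still hold the identical key. The Python code below parses both formats and compares MD5 fingerprints in the style of the step 1 output; the sample key is constructed and is not a usable key, and all function names are hypothetical.

```python
import base64
import hashlib
import struct

BEGIN, END = "---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----"

def _field(data: bytes) -> bytes:
    """Length-prefixed field, the building block of an SSH public key blob."""
    return struct.pack(">I", len(data)) + data

# Constructed sample, NOT a usable key: "ssh-rsa", e = 65537, made-up 2048-bit modulus.
SAMPLE_BLOB = _field(b"ssh-rsa") + _field(b"\x01\x00\x01") + _field(b"\x00" + bytes(range(128, 256)) * 2)
SAMPLE_OPENSSH = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " user@bama"

def openssh_to_blob(line: str) -> bytes:
    """Decode a one-line OpenSSH public key (the id_rsa.pub format)."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():  # the blob repeats the key type
        raise ValueError("key type does not match key blob")
    return blob

def blob_to_secsh(blob: bytes, comment: str) -> str:
    """Render the RFC 4716 (SECSH) layout produced by `ssh-keygen -e`."""
    b64 = base64.b64encode(blob).decode()
    body = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join([BEGIN, f'Comment: "{comment}"', *body, END]) + "\n"

def secsh_to_blob(text: str) -> bytes:
    """Parse RFC 4716 text back to the blob, skipping headers and their continuations."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an RFC 4716 public key")
    b64, in_header = [], False
    for l in lines[1:-1]:
        if in_header or ":" in l:
            in_header = l.endswith("\\")  # a trailing backslash continues the header
        else:
            b64.append(l)
    return base64.b64decode("".join(b64), validate=True)

def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint, the style printed in step 1."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def same_key(openssh_line: str, secsh_text: str) -> bool:
    """True when both files carry the identical public key."""
    return md5_fingerprint(openssh_to_blob(openssh_line)) == md5_fingerprint(secsh_to_blob(secsh_text))
```

To check real files, pass the contents of id_rsa.pub and id_rsa2.pub to same_key, and compare md5_fingerprint of either against the fingerprint ssh-keygen printed when the key was generated.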

NASA - National Aeronautics and Space Administration Webmaster: NREN
NASA Official: Ken Freeman
Last Updated: May 4, 2007