SSH Multiplexing: Difference between revisions

Created page with "If your workflow involves making a lot of connections to HiPerGator you may want to use SSH Multiplexing to avoid having to go through MFA for every connection. In a nutshel..."
 
No edit summary
 
(22 intermediate revisions by 6 users not shown)
Line 1: Line 1:
If your workflow involves making a lot of connections to HiPerGator you may want to use SSH Multiplexing to avoid having to go through MFA for every connection.  
If you use a Linux or MacOS computer and your workflow involves making
a lot of connections to HiPerGator you may want to use SSH
Multiplexing to avoid having to go through MFA for every
connection. Again, this does not work for Windows computers natively!
The [https://www.bitvise.com/ BitVise] and [https://tabby.sh/ Tabby] clients are the only SFTP/ssh
client we are aware of that support ssh multiplexing.


In a nutshell, ssh multiplexing works by creating a TCP socket the first time a connection is made. That socket can be used by subsequent connections within the idle timeout period to create new connections without triggering MFA.
In a nutshell, ssh multiplexing works by creating a TCP socket the
first time a connection is made. That socket can be used by subsequent
connections within the idle timeout period to create new connections
without triggering MFA.


See [https://blog.scottlowe.org/2015/12/11/using-ssh-multiplexing/] for reference.
See [https://blog.scottlowe.org/2015/12/11/using-ssh-multiplexing/ Using SSH Multiplexing]
for reference.
 
==Multiplexing with username and password==
To use SSH multiplexing with your username and password (without SSH key authentication).
edit the ssh configuration file on your local computer (typically
<code>~/.ssh/config</code>) and add or modify the following entry.  Be
sure to change the 'albertgator' <code>User</code> to your username:
 
<pre>
Host hpg
    User albertgator
    HostName hpg.rc.ufl.edu
    ControlPath ~/.ssh/cm-%r@%l-%h:%p
    ControlMaster auto
    ControlPersist 8h
</pre>
 
Note: On a MacOS system, if you see a 'unix listener too long' error, you may have to create a ~/.ssh/control directory and use
  ControlPath ~/.ssh/control/%C
in the ~/.ssh/config
 
After the <code>~/.ssh/config</code> changes, use this ssh command:
$ ssh hpg
 
NOTE: The "hpg" hostname is not a real hostname, instead it's a virtual hostname that you defined in the above configuration.
 
==Multiplexing with SSH keys==
See also [[Using SSH Keys To Access HPG]].
{{Note|'''Never share your private ssh keys''' even with Support staff. Your private ssh key works as your password and it must be kept in a non-shareable space with r/w permissions at the owner level (-rw------- or 600).|warn}}
If you are using SSH key-based authentication, add this block instead.  This configures the connection to go to a different port (2222) which is expecting ssh keys:


Example with SSH key authentication that enables SSH multiplexing. Each subsequent connection resets the idle timeout countdown:
<pre>
<pre>
Host hpg
Host hpg
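Review bot: the "In a nutshell" paragraph in this hunk calls the multiplexing socket a "TCP socket", while the macOS note further down in the same hunk quotes a 'unix listener too long' error about the local socket file named by ControlPath. Suggest describing it as a local control socket so the two passages agree. The password block keeps that socket usable for ControlPersist 8h without MFA, so a line on closing the master early (ssh -O exit hpg) and on keeping the ControlPath directory private would help readers. Two wording nits in the new text: "(without SSH key authentication). edit" needs a comma instead of the period, and "the only SFTP/ssh client ... that support" should read "clients".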
Line 11: Line 48:
     HostName hpg.rc.ufl.edu
     HostName hpg.rc.ufl.edu
     Port 2222
     Port 2222
    ForwardAgent yes
     ControlPath ~/.ssh/cm-%r@%l-%h:%p
     ControlPath ~/.ssh/cm-%r@%h:%p
     ControlMaster auto
     ControlMaster auto
     ControlPersist 8h
     ControlPersist 8h
 
</pre>
If you use username and password remove the 'Port 2222' line from configuration.
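Review bot: ForwardAgent yes in the key-based Host block is not needed for multiplexing, and the rendered latest revision on this page does not carry it. If it was meant to stay, the page should say why, because forwarding an agent to a shared login host exposes that agent to the host's administrators. Otherwise confirm it is dropped. The two ControlPath forms in this hunk (cm-%r@%l-%h:%p and cm-%r@%h:%p) can both hit the 'unix listener too long' error that the password section documents for macOS, so either repeat that note here or use ~/.ssh/control/%C in both blocks.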

Latest revision as of 15:49, 1 August 2024

If you use a Linux or macOS computer and your workflow involves making a lot of connections to HiPerGator, you may want to use SSH multiplexing to avoid having to go through MFA for every connection. Again, this does not work natively on Windows computers! The BitVise and Tabby clients are the only SFTP/SSH clients we are aware of that support SSH multiplexing.

In a nutshell, ssh multiplexing works by creating a TCP socket the first time a connection is made. That socket can be used by subsequent connections within the idle timeout period to create new connections without triggering MFA.

See Using SSH Multiplexing for reference.

Multiplexing with username and password

To use SSH multiplexing with your username and password (without SSH key authentication), edit the ssh configuration file on your local computer (typically ~/.ssh/config) and add or modify the following entry. Be sure to change the 'albertgator' User to your username:

Host hpg
    User albertgator
    HostName hpg.rc.ufl.edu
    ControlPath ~/.ssh/cm-%r@%l-%h:%p
    ControlMaster auto
    ControlPersist 8h

Note: On a macOS system, if you see a 'unix listener too long' error, you may have to create a ~/.ssh/control directory and use the following ControlPath in ~/.ssh/config:

  ControlPath ~/.ssh/control/%C

After the ~/.ssh/config changes, use this ssh command:

$ ssh hpg

NOTE: The "hpg" hostname is not a real hostname; it is a virtual hostname that you defined in the above configuration.

Multiplexing with SSH keys

See also Using SSH Keys To Access HPG.

Never share your private ssh keys even with Support staff. Your private ssh key works as your password and it must be kept in a non-shareable space with r/w permissions at the owner level (-rw------- or 600).

If you are using SSH key-based authentication, add this block instead. This configures the connection to go to a different port (2222) which is expecting ssh keys:

Host hpg
    User albertgator
    HostName hpg.rc.ufl.edu
    Port 2222
    ControlPath ~/.ssh/cm-%r@%l-%h:%p
    ControlMaster auto
    ControlPersist 8h
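
As an added example (not part of the UFRC page), the shell functions below check a ControlPath before it goes into ~/.ssh/config: whether the expanded socket path is short enough to avoid the 'unix listener too long' error, and whether the directory holding the socket is accessible only to its owner. The local hostname, the home directory, the 104/108-byte socket path sizes and the 17-byte temporary suffix are assumptions of the example.

```shell
#!/bin/sh
# Added example: pre-flight checks for an OpenSSH ControlPath.
# All sample values (user, local hostname, home directory) are constructed.

# Bytes OpenSSH appends ("." plus 16 random characters) to the temporary
# socket name it binds before moving it to ControlPath (assumption: current
# OpenSSH behaviour).
MUX_TMP_SUFFIX=17

# Expand the ControlPath tokens used on this page. %C is a hash of the
# connection parameters; only its length (40 hex characters) matters here,
# so it is modelled as 40 zeros rather than computed.
expand_control_path() {  # template user local_host remote_host port
    printf '%s\n' "$1" | sed -e "s|^~|$HOME|" -e "s|%r|$2|g" \
        -e "s|%l|$3|g" -e "s|%h|$4|g" -e "s|%p|$5|g" \
        -e "s|%C|$(printf '%040d' 0)|g"
}

# Succeeds if the path plus the temporary suffix and a terminating NUL fits
# in sun_path (assumed 104 bytes on macOS, 108 on Linux).
control_path_fits() {  # expanded_path sun_path_size
    [ $(( ${#1} + $MUX_TMP_SUFFIX )) -lt "$2" ]
}

# Succeeds if the directory exists and only its owner has any access.
dir_is_private() {  # directory
    [ -d "$1" ] || return 1
    case "$(ls -ld "$1")" in
        d???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo with a constructed macOS-style setup.
for tmpl in '~/.ssh/cm-%r@%l-%h:%p' '~/.ssh/control/%C'; do
    path=$(HOME=/Users/albertgator expand_control_path "$tmpl" albertgator \
        albertgators-macbook-pro.dhcp.example.edu hpg.rc.ufl.edu 22)
    if control_path_fits "$path" 104; then
        echo "ok       $tmpl (${#path} bytes)"
    else
        echo "too long $tmpl (${#path} bytes)"
    fi
done
```

Once a master connection exists, `ssh -O check hpg` reports whether it is still running and `ssh -O exit hpg` closes it, which ends the MFA-free window before ControlPersist expires.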