---
layout: default
navsection: userguide
title: Accessing an Arvados VM with SSH - Unix Environments
...
{% comment %}
Copyright (C) The Arvados Authors. All rights reserved.
SPDX-License-Identifier: CC-BY-SA-3.0
{% endcomment %}
This document is for accessing an Arvados VM using SSH keys in Unix-like environments (Linux, macOS, Cygwin, Windows Subsystem for Linux). If you would like to access VM through your browser, please visit the "Accessing an Arvados VM with Webshell":vm-login-with-webshell.html page. If you are using a Windows environment, please visit the "Accessing an Arvados VM with SSH - Windows Environments":ssh-access-windows.html page.
{% include 'ssh_intro' %}
h1(#gettingkey). Getting your SSH key
h3(#unix). Generate a key using ssh-keygen
Start by opening a terminal window. Check if you have an existing public key:
notextile. $ ls ~/.ssh/id_rsa.pub
If the file @id_rsa.pub@ exists, then you may use your existing key. Copy the contents of @~/.ssh/id_rsa.pub@ onto the clipboard (this is your public key). You can skip the rest of this section and proceed by "adding your key to the Arvados Workbench.":#workbench
If there is no file @~/.ssh/id_rsa.pub@, you must generate a new key. Use @ssh-keygen@ to do this:
$ ssh-keygen -t rsa -C "you@example.com"
Generating public/private rsa key pair.
Enter file in which to save the key (/home/example/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
* @-t@ specifies the key type (must be "rsa")
* @-C@ specifies a comment (to remember which account the key is associated with)
We strongly recommend that you protect your key with a passphrase. This means that when the key is used, you will be required to enter the passphrase. However, unlike logging into remote system using a password, the passphrase is never sent over the network; it is only used to decrypt your private key locally.
Display the contents of @~/.ssh/id_rsa.pub@ (this is your public key) using @cat@, and then copy it onto the clipboard. The content of the public key may look similar to the following example:
$ cat ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1ycEDoNotUseExampleKeyDoNotUseExampleKeyDoNotUseExampleKeyDoNotUse9lmzkpBq983bQradKGT3LuKda9QOGe8MatI6wzSrJLSGhHm3hk6D8OWWUG4SneuCtKIk2bH0pgBj1G29+uzDIez90WzfCTZKbz4RcVQmPkowSSUAQDwb0ffwvRDhCgcJ1loT1wQAJzqJmljQ7xEYaCOIMqnfYE0lX7B3MSvCV6Ie2rWL33YecLp48LVtqiCOZU4XRyO8RSDFRFLVW+mjkLirwtDHZCRtORScaIEN0jw51p+T+9X5iA9QH/Mn+xlgk7fCgH+JtpBj808N/Qds2Gpff+Kb6ulUrVVfMK6L you@example.com
* The above is a specimen that cannot be used as a valid public key.
Now you can set up @ssh-agent@ (next) or proceed with "adding your key to the Arvados Workbench.":#workbench
h3. Set up ssh-agent (optional)
If you find you are entering your passphrase frequently, you can use @ssh-agent@ to manage your credentials. Use @ssh-add -l@ to test if you already have ssh-agent running:
notextile. $ ssh-add -l
If you get the error "_Could not open a connection to your authentication agent_", you will need to run @ssh-agent@ with the following command:
notextile. $ eval "$(ssh-agent -s)"
@ssh-agent -s@ runs an agent process in the background to hold your SSH credentials, and it prints out the values of environment variables @SSH_AUTH_SOCK@ and @SSH_AGENT_PID@. By applying the shell builtin @eval@ to this output, as we show here using the shell command-substitution syntax, we set those variables in the current shell environment. In this way, subsequent invocations of @ssh@ in this shell session will be able to access the agent process for the credentials without asking you each time.
After running @ssh-agent@, or if @ssh-add -l@ prints "_The agent has no identities_", add your private key to the SSH agent using the following command. The passphrase to decrypt the key is the same one used to protect the key when it was created with @ssh-keygen@:
$ ssh-add
Enter passphrase for /home/example/.ssh/id_rsa:
Identity added: /home/example/.ssh/id_rsa (/home/example/.ssh/id_rsa)
When everything is set up, @ssh-add -l@ should yield output that looks like this:
$ ssh-add -l
2048 eb:fa:15:f2:44:26:95:58:37:37:f4:aa:ff:ee:c2:85 you@example.com (RSA)
{% include 'ssh_addkey' %}
h3. Connecting directly
If the VM is available on the public Internet (or you are on the same private network as the VM), you can connect directly with @ssh@. You can copy-and-paste the text from the *Command line* column (see the screenshot above) directly into a shell session.
Use the following example command to connect, as the user "_you_" to the VM instance at the hostname "_shell.ClusterID.example.com_". Replace *you@shell.ClusterID.example.com* at the end of the following command with your actual *login* and *hostname* from Workbench.
notextile. $ ssh you@shell.ClusterID.example.com
h3. Connecting through switchyard
Some Arvados installations use "switchyard" to isolate shell VMs from the public Internet. In such cases, you cannot log in directly to virtual machines over the public Internet. Instead, you log into a "switchyard" server and then tell the switchyard which virtual machine you want to connect to.
Use the following example command to connect to the _shell_ VM instance as _you_. Replace *you@shell* at the end of the following command with your *login* and *hostname* from Workbench:
notextile. $ ssh -o "ProxyCommand ssh -p2222 turnout@switchyard.ClusterID.example.com -x -a shell" -x you@shell
This command does several things at once.
* @-o "ProxyCommand ..."@ configures SSH to run the specified command to create a proxy and route your connection through it.
* @-p2222@ specifies that the switchyard is running on non-standard port 2222.
* turnout@switchyard.{{ site.arvados_api_host }} specifies the user (@turnout@) and hostname (@switchyard.{{ site.arvados_api_host }}@) of the switchyard server that will proxy our connection to the VM.
* @-x@ tells SSH not to forward your X session to the switchyard.
* @-a@ tells SSH not to forward your ssh-agent credentials to the switchyard.
* *@shell@* is the host name of the VM that we want to connect to. In summary, the string inside the quotation marks is sent to the switchyard server, as if it were an SSH command, and the switchyard server connects to the VM on our behalf.
* After the @ProxyCommand@ section, we repeat @-x@ to disable X session forwarding to the virtual machine.
* Finally, *you@shell* specifies your login name and repeats the hostname of the VM. The username can be found in the *logins* column in the VMs Workbench page, discussed in the previous section.
You should now be able to log into the Arvados VM and "check your environment.":check-environment.html
h4. Configuration (recommended)
The command line above is cumbersome, but you can configure SSH to remember many of these settings. Add this text to the file @.ssh/config@ in your home directory (create a new file if @.ssh/config@ doesn't exist):
Host *.{{ site.arvados_cluster_uuid }}
TCPKeepAlive yes
ServerAliveInterval 60
ProxyCommand ssh -p2222 turnout@switchyard.{{ site.arvados_api_host }} -x -a $SSH_PROXY_FLAGS %h
User you
This will recognize any host ending in ".{{ site.arvados_cluster_uuid }}" and automatically apply the proxy, user and forwarding settings from the configuration file, allowing you to log in with a much simpler command:
notextile. $ ssh shell.{{ site.arvados_cluster_uuid }}
You should now be able to log into the Arvados VM and "check your environment.":check-environment.html