SSH Connection Management

Overview

The SSH connection is used to establish a remote login session between MindStudio and a remote server. SSH connections are highly secure and can be used for data transmission. When using some functions with heavy computing workloads, MindStudio can share compute resources of the remote server through an SSH connection.

Restrictions

For security, perform the following hardening operations on the server that MindStudio connects to over SSH:

  • The SHA-256 or SHA-512 algorithm is recommended for hashing the passwords of Linux system users.
  • In the configuration file of the SSH server, harden the following configuration options:
    • MACs: selects the message digest algorithm (or algorithms separated by commas) for data verification in SSH-2. Currently, algorithms hmac-sha2-256, hmac-sha2-512, hmac-sha2-256-etm@openssh.com, and hmac-sha2-512-etm@openssh.com are supported.
    • Ciphers: selects the encryption algorithm (or algorithms separated by commas) of SSH-2. Do not use CBC encryption algorithms (such as AES128-CBC and AES256-CBC) in SSH-2. Currently, algorithms aes128-gcm@openssh.com and aes256-gcm@openssh.com are supported.
    • HostkeyAlgorithms: selects the host key algorithm (or algorithms separated by commas) of SSH-2. Currently, algorithms ssh-ed25519 (for OpenSSH 6.5 or later), rsa-sha2-512, and rsa-sha2-256 are supported. The RSA key length must be greater than or equal to 3,072 bits.
    • KexAlgorithms: selects the key exchange algorithm (or algorithms separated by commas) of SSH-2. Currently, algorithms curve25519-sha256, curve25519-sha256@libssh.org, and diffie-hellman-group-exchange-sha256 are supported. OpenSSH 6.7 and later versions support the Curve25519 key exchange algorithm.
    • PermitRootLogin: specifies whether root can log in over SSH. You are advised not to allow root login.
  • MindStudio does not verify the file type in the project. You need to ensure that the type of the file to be uploaded is correct.
  • To ensure that the MindStudio client can be connected, configure the following algorithms on the server:

    ciphers aes128-gcm@openssh.com,aes256-gcm@openssh.com

    macs hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com

    hostkeyalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256

    kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

    The modification method on the server is as follows:

    1. Run the following command to edit the configuration file:
      vi /etc/ssh/sshd_config

      Modify the corresponding lines in the file. If a line cannot be found, add it.

    2. Restart the SSH service.
      • For Red Hat and openEuler OSs:
        service sshd restart
      • For Ubuntu OSs:
        service ssh restart
  • Keep the SSH username and password secure. Do not share them with untrusted users to avoid environment damage.
  • To prevent brute force cracking of SSH, you are advised to set a login control policy on the SSH client.
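
The following check is an added example, not part of MindStudio or its documentation. It compares sshd_config text, or the effective configuration printed by sshd -T, against the algorithm lists given above and flags PermitRootLogin values other than no. The names audit_sshd and sample_weak and the sample configuration are constructed for illustration, and the check assumes whitespace-separated "keyword value" lines.

```shell
# Allow-lists copied from the hardening list on this page.
ALLOW_CIPHERS="aes128-gcm@openssh.com,aes256-gcm@openssh.com"
ALLOW_MACS="hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com"
ALLOW_HOSTKEY="ssh-ed25519,rsa-sha2-512,rsa-sha2-256"
ALLOW_KEX="curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256"

# audit_sshd (hypothetical helper): reads configuration text on stdin,
# prints one finding per line, returns 1 if anything was found.
audit_sshd() {
  awk -v c="$ALLOW_CIPHERS" -v m="$ALLOW_MACS" -v h="$ALLOW_HOSTKEY" -v k="$ALLOW_KEX" '
    BEGIN {
      bad = 0
      allow["ciphers"] = c; allow["macs"] = m
      allow["hostkeyalgorithms"] = h; allow["kexalgorithms"] = k
    }
    /^[ \t]*#/ || NF == 0 { next }     # skip comments and blank lines
    {
      key = tolower($1)                # keywords are case-insensitive
      if (key in seen) next            # sshd keeps the first value it reads
      seen[key] = 1
      if (key == "permitrootlogin" && tolower($2) != "no") {
        print "permitrootlogin: " $2; bad = 1
      }
      if (!(key in allow)) next
      n = split($2, got, ",")
      for (i = 1; i <= n; i++)         # exact token match against the list
        if (index("," allow[key] ",", "," got[i] ",") == 0) {
          print key ": " got[i] " not in allow-list"; bad = 1
        }
    }
    END {
      for (key in allow)               # unset keyword means server defaults
        if (!(key in seen)) { print key ": not set, server defaults apply"; bad = 1 }
      exit bad
    }'
}

# Constructed sample: one CBC cipher left enabled and root login allowed.
sample_weak() {
  cat <<'EOF'
Ciphers aes128-gcm@openssh.com,aes256-cbc
MACs hmac-sha2-256,hmac-sha2-512
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512
KexAlgorithms curve25519-sha256
PermitRootLogin yes
EOF
}

sample_weak | audit_sshd || echo "findings listed above: edit sshd_config, then restart the SSH service"
```

On the server, run sshd -T | audit_sshd as root after editing /etc/ssh/sshd_config and before restarting the service, so the check sees the configuration sshd will actually apply.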

SSH Configuration Entry

You can access the SSH configuration page in either of the following ways. Figure 1 shows the SSH configuration page. Table 1 describes the parameters on the page.

  • Choose File > Settings... > Tools > Ascend SSH Configurations from the menu bar to access the SSH connection configuration page.
  • On the welcome page, choose Customize > All Settings... > Tools > Ascend SSH Configurations to access the SSH connection configuration page.
Figure 1 SSH configuration page

The aliases of the SSH connections are displayed on the navigation pane on the left of the configuration window. If no alias is set, each SSH connection is displayed as <username>@<host>:<port>. You can right-click to change the alias. Click the alias to view the parameter settings in the detailed panel on the right.

Table 1 Parameters and icons

| Parameter/Icon | Description |
| --- | --- |
| Lock the current connection | The option is dimmed and cannot be operated. If an SSH connection is added to the cluster management, this option is automatically selected. In this case, the SSH connection is locked and cannot be modified and deleted. |
| Host | Destination address of the connection (IP address or domain name). The IP address can be an IPv4 or IPv6 address. NOTE: An IPv6 address starting with fe80 is not supported, as it is a link-local address that can only be used within a subnet. To log in to a device using this address, you need to enter the corresponding network port name, which is not in line with the input format on the SSH connection page in MindStudio. |
| Port | Port number of the destination address of the connection. The default value is 22. |
| User name | Username for logging in to the destination address. |
| Authentication type | Authentication method. Two methods are available. Password: Enter a password for authentication. Key pair: Use an SSH key for authentication. For details about how to request an SSH key, see Requesting a Key Pair. |
| Password | Available when Authentication type is set to Password. Enter the correct password. You can select Save password to save the password. NOTE: If Save password is not selected, the password will be automatically cleared after 24 hours. When you use SSH next time, the password text box is displayed. You need to enter the password again to execute the SSH task. |
| Private key file | Available when Authentication type is set to Key pair. Select a local private key file. |
| Passphrase | Available when Authentication type is set to Key pair. Enter the correct passphrase. You can select Save password to save the passphrase. |
| Test Connection | Checks whether the connection is successful. |
| (icon) | Adds a new SSH connection. |
| (icon) | Deletes an SSH connection. Select an SSH connection to be deleted and click this icon. |

Requesting a Key Pair

You can request a key pair on the local server or the target server. The following uses the local server as an example.

  1. Log in to the local server and run the following command to request a key pair:
    ssh-keygen -m PEM

    or

    ssh-keygen -t rsa -m PEM
  2. Set the path for storing the key pair, as shown in Figure 2.
    Figure 2 Key pair path setting

    If you press Enter without setting the storage path, the key pair is stored in the default path ($HOME/.ssh/).

  3. Set and confirm the passphrase, as shown in Figure 3.
    Figure 3 Passphrase setting

    The passphrase should not be empty and should contain at least five characters.

    After the setting is complete, press Enter. The private key file id_rsa and public key file id_rsa.pub are generated in the default path ($HOME/.ssh/).

  4. Run the following command to copy the public key to the target server for login without password verification:
    ssh-copy-id -i ~/.ssh/id_rsa.pub -p 22 <username of the target server>@<IP address of the target server>

    The public key is copied to the $HOME/.ssh/authorized_keys file on the target server.

Adding a New SSH Connection

  1. Open the SSH connection configuration page. For details, see SSH Configuration Entry.
  2. Click in the upper part of the navigation bar on the left.
  3. Refer to Table 1 to set parameters and click OK or Apply.

Deleting an SSH Connection

  1. Open the SSH connection configuration page. For details, see SSH Configuration Entry.
  2. Select the SSH connection to be deleted, and click in the upper part of the navigation bar on the left.
  3. Click OK or Apply.

Saving the SSH Password

  1. Open the SSH connection configuration page. For details, see SSH Configuration Entry.
  2. You can open the Save passwords window in either of the following ways:
    • On the navigation pane, choose Appearance & Behavior > System Settings > Passwords.
    • Enter Passwords in the search box.
      Figure 4 Save passwords window
  3. Select a password saving mode.
    • In KeePass
    • Do not save, forget passwords after restart

      For details about the password saving modes, see "Passwords" in the IntelliJ IDEA manual.

  4. Click OK or Apply.

Opening the SSH Remote Terminal Window

By enabling the SSH Remote Terminal window, you can run commands in the SSH connection environment in the MindStudio IDE.

Prerequisite: An SSH connection has been configured. For details, see Adding a New SSH Connection.

  1. Choose Tools > Start Ascend SSH session... from the menu bar.

    The Select Host to Connect dialog box is displayed.

  2. Click the SSH connection for which you want to open the SSH Remote Terminal window.

    The remote window is displayed in the lower part of the MindStudio IDE page. You can directly run commands in this window.

    Figure 5 Remote Terminal

    To prevent security risks caused by long-time SSH sessions, you are advised to set the SSH session timeout duration on the server.