Enable sshing into a remote Jupyter Server.
Primarily for use with remote JupyterHubs, so users can access them via ssh
. Enables everything
one would normally do with ssh
- copy files, run interactive commands, use the proprietary
VSCode Remote Development functionality, etc!
For this document, we will assume you are running inside a containerized JupyterHub enviornment
(such as kubernetes or docker). jupyter-sshd-proxy
itself does not require
containerization - this is simply to make instructions easier.
The following packages must be present in the container environment:
- openssh. You can install this from
conda-forge
or fromapt
as you desire. jupyter-sshd-proxy
itself must be pre-installed in the container - you can not dynamically install it with!pip
after you start the container.
The docker image quay.io/yuvipanda/pangeo-jupyter-sshd-proxy:latest
can be used
for testing purposes. It it is based on the pangeo-notebook docker image, and has
the pre-requisites required pre-installed. You can find the source Dockerfile
for
it in this repository.
websocat must be installed on the client machine.
brew install websocat
works on Mac OS, and pre-built binaries are available
for all other operating systems.
jupyter-sshd-proxy
only works after you start your JupyterHub server. So, start your server!
We will need to create a JupyterHub token for authentication.
-
Go to the JupyterHub control panel. You can access it via
File -> Hub control panel
in JupyterLab, or directly going tohttps://<your-hub-url>/hub/home
. -
In the top bar, select Token.
-
Create a new Token, and keep it safe. Treat this like you would treat a password to your JupyterHub instance! It is recommended you set an expiry date for this.
We will set up our ssh config file to tell ssh
how to connect to our JupyterHub. Add
an entry that looks like this to the end of your ~/.ssh/config
file (create it if it
does not exist).
Host <YOUR-JUPYTERHUB-DOMAIN>
User <YOUR-JUPYTERHUB-CONTAINER-USER-NAME>
ProxyCommand websocat --binary -H='Authorization: token <YOUR-JUPYTERHUB-TOKEN>' asyncstdio: wss://%h/user/<YOUR-JUPYTERHUB-USERNAME>/sshd/
replace:
<YOUR-JUPYTERHUB-DOMAIN>
with your hub domain (for example,hub.openveda.cloud
)<YOUR-JUPYTERHUB-TOKEN>
with the token you generated earlier<YOUR-JUPYTERHUB-USERNAME>
with your jupyterhub username<YOUR-JUPYTERHUB-CONTAINER-USERNAME>
is the name of the unix user created inside your JupyterHub container. This is most commonlyjovyan
. You can verify this by runningwhoami
orid
in the terminal in your JupyterHub.
Here's an example:
Host hub.openveda.cloud
User jovyan
ProxyCommand websocat --binary -H='Authorization: token a56ff59c93f64fb587f46b06af9422ee' asyncstdio: wss://%h/user/yuvipanda/sshd/
We're almost there!
There are still two levels of authentication - your JupyterHub token, as well as some ssh keys. You need to put some ssh public keys
in ~/.ssh/authorized_keys
after you start your JupyterHub server, and have the private keys available in your ssh client machine.
The simplest way to do this is to rely on your GitHub public keys!
-
After you start your JupyterHub server, open a terminal in JupyterLab
-
Run the following commands:
mkdir -p ~/.ssh wget https://github.com/<YOUR-GITHUB-USERNAME>.keys -O ~/.ssh/authorized_keys chmod 0600 ~/.ssh/authorized_keys
replacing
<YOUR-GITHUB-USERNAME>
with your github username.
With that, we are ready to go!
After all this is setup, you're now able to ssh in! Try:
ssh <YOUR-JUPYTERHUB-DOMAIN>
and it should just work! You can also use this with the proprietary Visual Studio code Remote SSH feature,
use sftp
to copy files over (although it will be slow), create tunnels, etc!