wiki:Guides/SSH

Version 8 (modified by Holger Wolff, 7 months ago) (diff)

--

SSH connections on accessdev

Connections to NCI machines must always be secured so that an unauthorised person is not able to gain access to everything by compromising a single system. We recommend that SSH connections be secured with passphrase secured ssh-agents run from your local machine. A ssh-agent is a mechanism to securely store authentication information so that you don't have to enter a password everytime you connect to another machine, which is neccessary for some of the UIs to submit jobs to the supercomputer.

Windows

The below instructions are for Linux and Mac desktops. If you are using Windows on your desktop [???] http://www.ualberta.ca/CNS/RESEARCH/LinuxClusters/pka-putty.html

Creating a SSH Key

The first thing you will need is a ssh-key, which is what secures the authentication. There are two parts to the key - a private key, which remains on your own computer, and a public key which is sent to all the computers you wish to gain access to. Create a key by running:

$ ssh-keygen -t rsa

Use the default key location. You MUST enter a passphrase when prompted, this shouldn't be the same as your NCI password. If you don't enter a passphrase then the key is completely unprotected and anyone can use it to access computers you send the public key to.

Distributing the SSH Key

To enable access to another computer using your key the public key must first be sent to it. The easiest way to do this is to use ssh-copy-id, unfortunately it isn't available on all systems. If it is, you can use the following commands to copy your key to accessdev and raijin:

$ ssh-copy-id USER@accessdev.nci.org.au
$ ssh-copy-id USER@raijin.nci.org.au

You will be prompted for your NCI password on each copy.

If it is not available, or fails for any reason, you will have to manually add the public key to the file ~/.ssh/authorized_keys on the remote machine, for example like this:

$ cat ~/.ssh/id_rsa.pub | ssh USER@raijin.nci.org.au "mkdir -p ~/.ssh/; cat >> ~/.ssh/authorized_keys"
$ cat ~/.ssh/id_rsa.pub | ssh USER@accessdev.nci.org.au "mkdir -p ~/.ssh/; cat >> ~/.ssh/authorized_keys"

You could also open both files in a text editor and copy and paste, but you have to be careful to not accidentally add any newline characters while doing so.

If for any reason you want to revoke access using the key go to this file and delete the corresponding line (each has a comment saying what machine the key originated on).

You should now try connecting to accessdev using ssh:

$ ssh USER@accessdev.nci.org.au

Most popular Linux distributions as well as OS X come with a built in ssh-agent system that takes care of passphrases. When you first try to log onto one of the NCI systems a window will come up asking for the key's passphrase. Once you've entered it the key will be remembered until you log out of your local computer.

If this isn't handled by your operating system you can manually start up a program called ssh-agent to handle your key by running (on your local computer):

$ eval `ssh-agent`
$ ssh-add

Configuring SSH

It is helpful to set up some options in ssh's config file. This allows you to specify shortcuts to machines you use often, as well as specify the default username and X forwarding. Add the following to the file ~/.ssh/config on your own computer (substitute USER for your NCI username):

Host         access
    HostName     accessdev.nci.org.au
    User         USER
    ForwardX11   true
    ForwardAgent true
Host         raijin
    HostName     raijin.nci.org.au
    User         USER
    ForwardX11   true

This defines two shortcuts, access and raijin, so you can use e.g. 'ssh raijin' instead of 'ssh -X USER@raijin.nci.org.au'.

The access shortcut also forwards the ssh-agent. This means that when you're logged onto accessdev from your local computer you don't need to enter a password to continue along to raijin. This is ideal for when you're submitting jobs from the UIs, however agent forwarding should be used sparingly as it does come with some risks.

Automated Access

Some programs (like Rose & Cylc) need to use ssh from the supercomputer compute nodes. Since you don't directly log onto the compute nodes you can't provide a password, so we use technique called restricted ssh keys to allow for secure password-free access.

Setting this up is simple - on Accessdev just run the command

$ remote-job-submission

and all the neccessary config settings will be set up for you. You may need to enter your NCI password a couple times if you don't have a ssh-agent already running so that the remote computers can be set up.

Attachments (1)

Download all attachments as: .zip