Versions Compared

Old Version 5

changes.mady.by.user Douglas Duckworth

Saved on

compared with

New Version 6

changes.mady.by.user Douglas Duckworth

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

To effectively use the cluster resources, you will need to ensure that all the compute nodes have the ability to authenticate you, without you ever needing to send your password over the network. This is achieved by setting up an ssh key pair, generated using the RSA algorithm. 


Info

Setting up your ssh keys only needs to be done once.


Connect to Gateway Server

...

Warning

While your public key in id_rsa.pub can be shared freely, your private key in id_rsa must be rsa must be kept secret. If another person gains access to this file, they will be able to generate new keys impersonating you, which would grant them access to any system you have access toimpersonate you thereby accessing all of your files.

Authorizing your key

Add SCU has a shared home directory which will allow key-based authentication across all HPC nodes.  For this to work add the public key you just created to the list of public keys that can authenticate you. Usually, this would be done on the server you wish to connect to, but since all servers on SCU infrastructure mount your home directory, you can instead go directly to the directory that stores all the authentication information, and add your key:generated to your authorized_keys file.  

Code Block
languagebash
cd ~/.ssh
cat id_rsa.pub >> authorized_keys

This will create the file if it does not already exist.

Because all the shared SCU servers mount your home directory, this file will be read by any shared SCU machine we want to connect to. Once you are logged onto the SCU infrastructure, you should be able to connect to any other shared SCU server you have access to without ever typing in a password againAfter this step you will be able to access SCU infrastructure without a password.

Avoiding Fail2ban and SSH Proxy

...

When logging into a server if you don't explicitly specify username then the default for ssh is to try username of current user.  So if you your laptop has the username of "joe" then typing "ssh aphrodite.med.cornell.edu" will include "joe" as the user for authentication.  This will trigger a ban.

To avoid avoid this use ~/.ssh/config to specify username that way you cannot type wrong one on your laptop, desktop, etc, and specify username for a given set of hosts.

For example:


Code Block
Host *.pbtech # this will allow connecting to internal HPC network
User scu_ldap_username # change to your user name
ProxyCommand ssh -W %h:%p scu_ldap_username@scuusername@gateway.med.login.nodecornell.edu #allows automatic proxying to HPC network - change to aphrodite, pascal, or aristotle
ControlMaster auto
ControlPersist 60
ServerAliveInterval 120
IdentityFile ~/.ssh/your_private_key # by default ~/.ssh/id_rsa will be tried though use this if you named it something else


Host *.med.cornell.edu # this will allow connecting to gateway servers
User scu_ldap_username # change to your user name
ControlMaster auto
ServerAliveInterval 120
ControlPersist 60
IdentityFile ~/.ssh/your_private_key
If you place this 
 # by default ~/.ssh/id_rsa will be tried though use this if you named it something else


Place these lines at bottom of your ~/.ssh/config file then it will be read last and these .  These settings are applied to any server with "med.cornell.edu" in the hostname.   This will also allow proxying through a login node to reach our internal HPC network.

...