To effectively use the cluster resources, you will need to ensure that all the compute nodes have the ability to authenticate you, without you ever needing to send your password over the network. This is achieved by setting up an ssh key pair, generated using the RSA algorithm. Running HPC jobs on SCU resources requires passwordless key-based authentication. In this article we explain how to configure key-based authentication as well as set up your SSH client for proxying and avoiding Fail2Ban.
Info: Setting up your ssh keys only needs to be done once.
Connect to Gateway Server
Once you have a new SCU account, connect to one of our gateway nodes using the username and password provided to you by the SCU. In this example, we are using pascal:
```bash
ssh <your-scu-username>@pascal.med.cornell.edu
```
Create your Key Pair
First, check whether you already have ssh keys set up:
```bash
ls -ltr ~/.ssh
```
If the output shows the files id_rsa and id_rsa.pub, you already have keys in place. Skip the following command and continue to authorizing your key.
If the output does not show those files, then generate them with the following command:
```bash
ssh-keygen -t rsa -b 4096
```
Follow the instructions on screen. Accept the default location. This will create two new files: id_rsa and id_rsa.pub, which are your private and public keys, respectively.
Warning: While your public key in id_rsa.pub can be shared freely, your private key in id_rsa must be kept secret. If another person gains access to this file, they will be able to impersonate you, thereby accessing all of your files and any system you have access to.
Authorizing your key
SCU has a shared home directory, which allows key-based authentication across all HPC nodes. For this to work, add the public key you generated to your authorized_keys file.
```bash
cd ~/.ssh
cat id_rsa.pub >> authorized_keys
```
This will create the file if it does not already exist.
Because all the shared SCU servers mount your home directory, this file will be read by any shared SCU machine we want to connect to. Once you are logged onto the SCU infrastructure, you should be able to connect to any other shared SCU server you have access to without ever typing in a password again. After this step you will be able to access SCU infrastructure without a password.
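Re-running the append above adds a duplicate line each time, and sshd (with its default StrictModes setting) ignores authorized_keys when ~/.ssh or the file is writable by other users. The following shell function is an added example, not SCU's own tooling, that performs the same step idempotently and sets those permissions; the function name authorize_key and its exit codes are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the original page).
# Usage: authorize_key SSH_DIR [PUBKEY_FILE]
# Returns 0 on success, 1 if the public key is missing, 2 if the file
# given is a private key.
authorize_key() {
    ssh_dir=$1
    pub=${2:-$ssh_dir/id_rsa.pub}
    auth=$ssh_dir/authorized_keys

    [ -s "$pub" ] || { echo "no public key at $pub" >&2; return 1; }

    # Guard against a typo (id_rsa instead of id_rsa.pub): a private key
    # must never be copied into authorized_keys.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub is a private key, refusing" >&2
        return 2
    fi

    # Create the file if needed and lock it down before writing to it.
    touch "$auth" && chmod 600 "$auth" || return 1

    # If the existing file does not end in a newline, a plain append would
    # fuse the new key onto the previous entry and break both.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi

    # Append only if this exact line is absent (-x whole line, -F literal).
    key=$(cat "$pub")
    if ! grep -qxF -- "$key" "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi

    # StrictModes: directory and key files must not be writable by others.
    chmod 700 "$ssh_dir"
    if [ -f "${pub%.pub}" ]; then
        chmod 600 "${pub%.pub}"
    fi
    return 0
}
```

On the cluster this would be called as `authorize_key ~/.ssh` after generating the key pair.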
Avoiding Fail2ban and SSH Proxy
Add the following to your SSH client configuration file (~/.ssh/config):
```
# This will allow connecting to the internal HPC network
Host *.pbtech
    # Change to your user name
    User scu_ldap_username
    # Allows automatic proxying to the HPC network; change gateway to aphrodite, pascal, or aristotle
    ProxyCommand ssh -W %h:%p scu_ldap_username@gateway.med.cornell.edu
    ControlMaster auto
    ControlPersist 60
    ServerAliveInterval 120
    # By default ~/.ssh/id_rsa will be tried, though use this if you named it something else
    IdentityFile ~/.ssh/your_private_key

# This will allow connecting to gateway servers
Host *.med.cornell.edu
    # Change to your user name
    User scu_ldap_username
    ControlMaster auto
    ServerAliveInterval 120
    ControlPersist 60
    # By default ~/.ssh/id_rsa will be tried, though use this if you named it something else
    IdentityFile ~/.ssh/your_private_key
```
Then you can just do "ssh aphrodite" and the user name will never be incorrect.