Page Comparison

To effectively use the cluster resources, you will need to ensure that all the compute nodes have the ability to authenticate you, without you ever needing to send your password over the network. This is achieved by setting up an ssh key pair, generated using the RSA algorithm. Running HPC jobs on SCU resources requires passwordless key-based authentication. In this article we explain how to configure key-based authentication as well as setup your SSH client for proxying and avoiding Fail2Ban.

Info
Setting up your ssh keys only needs to be done once.

...

Connect to Gateway Server

Connect Once you have a new SCU account, connect to one of our gateway nodes using the username and password provided to you by the SCU. In In this example, we are using pascal:

Code Block

language	bash

ssh <your-scu-username>@pascal.med.cornell.edu

Create your Key pairPair

First, check to see if you don't already have ssh keys set up:

Code Block

language	bash

ls -ltr ~/.ssh

If the output shows the files id_rsa and id_rsa.pub,you already have keys in place. Skip Skip the following command and continue to authorizing your key.

If the output did does not show those files, then generate them with the following command:

Code Block

language	bash

ssh-keygen -t rsa -b 4096

Follow the instructions on screen. Accept the default location. This will create two new files: id_rsa and id_rsa.pub, which are your private and public keys, respectively.

...

Warning

While your public key in id_rsa.pub can be shared freely, your private key in id_rsa must be kept secret. If another person gains access to this file, they will be able to impersonate you thereby accessing all of your files.

Do not ever copy or move your private key from your ~/.ssh folder or set permissions so that other users can access this file. Permissions on this file should always be "chmod 600," set my ssh-keygen, which means only accessible by the owner. Do not change permissions on the private key.

Authorizing your key

SCU has a shared home directory which will allow key-based authentication across all HPC nodes. For this to work add the public key you generated to your authorized_keys file.

Code Block

language	bash

cd ~/.ssh
cat id_rsa.pub >> authorized_keys

...

After this step you will be able to access SCU infrastructure without a password.

Avoiding Fail2ban and SSH Proxy

Fail2ban will block invalid connection attempts when users attempt multiple logins with wrong username.

...

For example:

Code Block

Host *.pbtech # this will allow connecting to internal HPC network
User scu_ldap_username # change to your user name
ProxyCommand ssh -W %h:%p scu_ldap_username@gateway.med.cornell.edu #allows automatic proxying to HPC network - change to aphrodite, pascal, or aristotle
ControlMaster auto
ControlPersist 60
ServerAliveInterval 120
IdentityFile ~/.ssh/your_private_key # by default ~/.ssh/id_rsa will be tried though use this if you named it something else


Host *.med.cornell.edu # this will allow connecting to gateway servers
User scu_ldap_username # change to your user name
ControlMaster auto
ServerAliveInterval 120
ControlPersist 60
IdentityFile ~/.ssh/your_private_key # by default ~/.ssh/id_rsa will be tried though use this if you named it something else

Place these lines at bottom of your ~/.ssh/config file. Follow and remove the instructions shown after "#."

These settings are applied to any server with "med.cornell.edu" in the hostname. This will also allow proxying through a login node to reach our internal HPC network.

Then you can just do "ssh aphrodite" and the user name will never be incorrect.

Versions Compared

Old Version 6

New Version Current

Key

Authorizing your key

Avoiding Fail2ban and SSH Proxy

Related articles