Warning

While your public key in id_rsa.pub can be shared freely, your private key in id_rsa must be kept secret. If another person gains access to this file, they will be able to impersonate you, thereby accessing all of your files.

Do not ever copy or move your private key from your ~/.ssh folder or set permissions so that other users can access this file. Permissions on this file should always be "chmod 600", as set by ssh-keygen, which means it is only accessible by the owner. Do not change permissions on the private key.

Authorizing your key

SCU has a shared home directory, which allows key-based authentication across all HPC nodes. For this to work, add the public key you generated to your authorized_keys file.

Code Block
cd ~/.ssh
cat id_rsa.pub >> authorized_keys

...

After this step you will be able to access SCU infrastructure without a password.
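
A check for the two requirements above (private key at mode 600 and owned by you, public key appended to authorized_keys), as an added example that is not part of the original page. The function names are hypothetical and the demo runs on constructed files, not real keys.

```bash
#!/usr/bin/env bash
# Added example: audit of the key setup above. File names follow the page
# (id_rsa, id_rsa.pub, authorized_keys); the function names are hypothetical.

# Octal permission bits of a file (GNU stat first, then BSD/macOS stat).
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# The private key must exist, be owned by the caller, and have mode 600.
check_private_key() {
    local f=$1 mode
    [ -f "$f" ] || { echo "FAIL $f: not found"; return 1; }
    [ -O "$f" ] || { echo "FAIL $f: not owned by you"; return 1; }
    mode=$(mode_of "$f")
    [ "$mode" = 600 ] || { echo "FAIL $f: mode $mode, expected 600"; return 1; }
    echo "OK   $f: mode 600"
}

# authorized_keys must hold the public key line and no private key text
# (catches "cat id_rsa >> authorized_keys" typed by mistake).
check_authorized() {
    local dir=$1 key=${2:-id_rsa} pub=
    [ -f "$dir/authorized_keys" ] || { echo "FAIL authorized_keys: not found"; return 1; }
    if grep -q 'PRIVATE KEY-----' "$dir/authorized_keys"; then
        echo "FAIL authorized_keys: contains private key material"; return 1
    fi
    pub=$(head -n 1 "$dir/$key.pub" 2>/dev/null) || true
    [ -n "$pub" ] || { echo "FAIL $key.pub: missing or empty"; return 1; }
    grep -qxF -- "$pub" "$dir/authorized_keys" ||
        { echo "FAIL authorized_keys: $key.pub not listed"; return 1; }
    echo "OK   authorized_keys: $key.pub listed"
}

# Run both checks on a directory; non-zero if either fails.
audit_ssh_dir() {
    local dir=$1 key=${2:-id_rsa} rc=0
    check_private_key "$dir/$key" || rc=1
    check_authorized "$dir" "$key" || rc=1
    return "$rc"
}

# Demo on constructed files (not real keys).
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed' > "$demo/id_rsa"
printf '%s\n' 'ssh-rsa AAAAconstructed user@example' > "$demo/id_rsa.pub"
cat "$demo/id_rsa.pub" >> "$demo/authorized_keys"
chmod 644 "$demo/id_rsa"; audit_ssh_dir "$demo" || echo "audit failed: key too open"
chmod 600 "$demo/id_rsa"; audit_ssh_dir "$demo" && echo "audit passed"
rm -rf "$demo"
```

To check a real account, call `audit_ssh_dir ~/.ssh` with the functions loaded.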

Avoiding Fail2ban and SSH Proxy


Fail2ban will block invalid connection attempts when users attempt multiple logins with the wrong username.

...

For example:


Code Block
Host *.pbtech # this will allow connecting to internal HPC network
User scu_ldap_username # change to your user name
ProxyCommand ssh -W %h:%p scu_ldap_username@gateway.med.cornell.edu #allows automatic proxying to HPC network - change to aphrodite, pascal, or aristotle
ControlMaster auto
ControlPersist 60
ServerAliveInterval 120
IdentityFile ~/.ssh/your_private_key # by default ~/.ssh/id_rsa will be tried though use this if you named it something else


Host *.med.cornell.edu # this will allow connecting to gateway servers
User scu_ldap_username # change to your user name
ControlMaster auto
ServerAliveInterval 120
ControlPersist 60
IdentityFile ~/.ssh/your_private_key # by default ~/.ssh/id_rsa will be tried though use this if you named it something else


Place these lines at the bottom of your ~/.ssh/config file. Follow and remove the instructions shown after "#".
These settings are applied to any server with "med.cornell.edu" in the hostname. This will also allow proxying through a login node to reach our internal HPC network.

Then you can just do "ssh aphrodite" and the user name will never be incorrect.
