Guides_SSH - ACCESS-NRI/accessdev-Trac-archive GitHub Wiki

SSH connections on accessdev

Connections to NCI machines must always be secured so that an unauthorised person is not able to gain access to everything by compromising a single system. We recommend that SSH connections be secured with passphrase-protected keys held in an ssh-agent running on your local machine. An ssh-agent is a mechanism to securely store authentication information so that you don't have to enter a password every time you connect to another machine, which is necessary for some of the UIs to submit jobs to the supercomputer.

Windows

To set up Windows to use SSH, follow the SSH setup instructions. Alternatives to the built-in SSH are Putty and Windows Subsystem for Linux.

In addition to SSH you will need an X11 program, e.g. VcXsrv. This will need to be running for windows on remote computers to show on your desktop.

Creating a SSH Key

The first thing you will need is an SSH key, which is what secures the authentication. There are two parts to the key: a private key, which remains on your own computer, and a public key, which is sent to all the computers you wish to gain access to. Create a key by running:

$ ssh-keygen -t rsa

Use the default key location. You MUST enter a passphrase when prompted, and it shouldn't be the same as your NCI password. If you don't enter a passphrase then the private key is stored completely unprotected, and anyone who obtains a copy of it can use it to access the computers you send the public key to.

Distributing the SSH Key

To enable access to another computer using your key, the public key must first be sent to it. The easiest way to do this is to use ssh-copy-id, but unfortunately it isn't available on all systems. If it is, you can use the following commands to copy your key to accessdev and gadi:

$ ssh-copy-id USER@accessdev.nci.org.au
$ ssh-copy-id USER@gadi.nci.org.au

You will be prompted for your NCI password on each copy.

If it is not available, or fails for any reason, you will have to manually add the public key to the file ~/.ssh/authorized_keys on the remote machine, for example like this:

$ cat ~/.ssh/id_rsa.pub | ssh USER@accessdev.nci.org.au "mkdir -p ~/.ssh/; cat >> ~/.ssh/authorized_keys"
$ cat ~/.ssh/id_rsa.pub | ssh USER@gadi.nci.org.au "mkdir -p ~/.ssh/; cat >> ~/.ssh/authorized_keys"

You could also open both files in a text editor and copy and paste, but you have to be careful to not accidentally add any newline characters while doing so.

If for any reason you want to revoke access using the key, go to this file and delete the corresponding line (each has a comment saying what machine the key originated on).
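
The manual add and revoke steps above, as an added shell example that is not part of the original guide: it installs a public key only once, keeps a missing final newline from gluing two keys onto one line, sets owner-only permissions (700 on the directory, 600 on the file), and removes a key again. The function names are this example's own, and it is meant to be run on the machine that holds the authorized_keys file.

```shell
#!/bin/sh
# Added example, not from the original guide; function names are its own.
# Run it on the machine that holds the authorized_keys file.

# Print the base64 key body of the first key in FILE. Handles .pub files and
# authorized_keys lines that begin with options such as from="...".
key_blob() {
    awk '{ for (i = 1; i < NF; i++)
             if ($i ~ /^(ssh-|ecdsa-|sk-)/ && $(i + 1) ~ /^AAAA/) {
                 print $(i + 1); exit } }' "$1"
}

# Succeed if a line of AUTH_FILE carries exactly the key body BLOB.
has_key() {
    awk -v b="$1" '{ for (i = 1; i <= NF; i++) if ($i == b) found = 1 }
                   END { exit !found }' "$2"
}

# Append the key in PUBKEY_FILE to AUTH_FILE, once, readable by the owner only.
add_key() {
    pub=$1; auth=$2
    blob=$(key_blob "$pub")
    [ -n "$blob" ] || { echo "no public key in $pub" >&2; return 1; }
    dir=$(dirname "$auth")
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    if has_key "$blob" "$auth"; then return 0; fi   # already authorised
    # A last line with no newline would be glued to the new key, breaking both.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then echo >> "$auth"; fi
    awk -v b="$blob" '{ for (i = 1; i <= NF; i++) if ($i == b) { print; exit } }' \
        "$pub" >> "$auth"
}

# Revoke: drop every line of AUTH_FILE that carries the key in PUBKEY_FILE.
revoke_key() {
    pub=$1; auth=$2
    blob=$(key_blob "$pub")
    [ -n "$blob" ] && [ -f "$auth" ] || return 1
    tmp=$(mktemp "$auth.XXXXXX") || return 1
    awk -v b="$blob" '{ for (i = 1; i <= NF; i++) if ($i == b) next; print }' \
        "$auth" > "$tmp"
    chmod 600 "$tmp" && mv "$tmp" "$auth"
}

# Usage: sh keys.sh add|revoke PUBKEY_FILE AUTH_FILE
case "${1:-}" in
    add)    add_key "$2" "$3" ;;
    revoke) revoke_key "$2" "$3" ;;
esac
```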

You should now try connecting to accessdev using ssh:

$ ssh USER@accessdev.nci.org.au

Most popular Linux distributions as well as OS X come with a built-in ssh-agent system that takes care of passphrases. When you first try to log onto one of the NCI systems a window will come up asking for the key's passphrase. Once you've entered it the key will be remembered until you log out of your local computer.

If this isn't handled by your operating system you can manually start up a program called ssh-agent to handle your key by running (on your local computer):

$ eval `ssh-agent`
$ ssh-add

Configuring SSH

It is helpful to set up some options in ssh's config file. This allows you to specify shortcuts to machines you use often, as well as specify the default username and X forwarding. Add the following to the file ~/.ssh/config on your own computer (substitute USER for your NCI username):

Host         access
    HostName     accessdev.nci.org.au
    User         USER
    ForwardX11   true
    ForwardAgent true
Host         gadi
    HostName     gadi.nci.org.au
    User         USER
    ForwardX11   true

This defines two shortcuts, access and gadi, so you can use e.g. 'ssh gadi' instead of 'ssh -X USER@gadi.nci.org.au'.

The access shortcut also forwards the ssh-agent. This means that when you're logged onto accessdev from your local computer you don't need to enter a password to continue along to gadi. This is ideal for when you're submitting jobs from the UIs. However, agent forwarding should be used sparingly as it does come with some risks: while you are connected, anyone with root access on accessdev can use your forwarded agent to authenticate as you on other machines.

Automated Access

Some programs (like Rose & Cylc) need to use ssh from the supercomputer compute nodes. Since you don't directly log onto the compute nodes you can't provide a password, so we use a technique called restricted ssh keys to allow for secure password-free access.

Setting this up is simple - on Accessdev just run the command

$ accessdev-gadi-setup

and all the necessary config settings will be set up for you. If you don't already have an ssh-agent running, you may need to enter your NCI password a couple of times so that the remote computers can be set up.
