= Transparent multi-hop SSH =

== Connecting from outside/home via a proxy server a.k.a. jump host ==

[[TOC()]]

Our servers can only be accessed using a jumphost (a.k.a. proxy) server. This requires port 22 to be open on all machines between your computer and our jumphost server. [[BR]]
The existing {{{lobby.hpc.rug.nl}}} will shortly be replaced by a new machine with the same name. This new machine has no DNS entry yet; the example config below is for the new {{{lobby}}} jumphost and is based on its IP address only.

Note that previously there was also a jumphost named lobby.hpc.rug.nl, but this one has been deprecated. Furthermore, there are many other machines specified in the example config, like {{{flexo}}} and {{{bender}}}. Please remove all entries for these machines from your {{{~/.ssh/config}}} file:
 * The only line that should remain in your ~/.ssh/config for our machines is
 * Additional lines that are required to access our machines are added to a separate {{{~/.ssh/conf.d/calculon}}} file now.

== Users on Linux / Unix / Mac OS X ==

To set up transparent multi-hop SSH:
 * On the machine from which you want to connect
   * Make sure you have a **''~/.ssh''** folder with generated SSH keys linked to your account. See [wiki:RequestAccount] for instructions.
   * Create **''~/.ssh/tmp''** and **''~/.ssh/conf.d''** folders. Open a terminal and type the following commands:
{{{
mkdir -p ~/.ssh/tmp
mkdir -p ~/.ssh/conf.d
}}}
   * Create a **''~/.ssh/config''** file if it does not exist yet.
   * Add to your **''~/.ssh/config''** something like the following:
{{{
#
# Generic stuff: only for MacOS clients.
#
IgnoreUnknown UseKeychain
UseKeychain yes
IgnoreUnknown AddKeysToAgent
AddKeysToAgent yes

#
# Generic stuff: prevent timeouts
#
Host *
    ServerAliveInterval 60
    ServerAliveCountMax 5

    #
    # Generic stuff: share existing connections to reduce lag when logging into the same host in a second shell
    #
    ControlMaster auto
    ControlPath ~/.ssh/tmp/%h_%p_%r

#
##
### RUG HPC v2 hosts in *.hpc.rug.nl domain with DNS.
##
#
Host *peregrine pg-interactive !*.hpc.rug.nl
    HostName %h.hpc.rug.nl
    User prefix-youraccount

#
##
### UMCG Research IT HPC v2 hosts in *.hpc.rug.nl domain.
##
#
# A. With DNS entry.
#
Host foyer lobby *calculon *cher-ami !*.hpc.rug.nl
    HostName %h.hpc.rug.nl
    User prefix-youraccount

#
##
### GCC HPC v2 hosts in *.gcc.rug.nl domain.
##
#
Host *flexo *bender *gattaca* !*.gcc.rug.nl
    HostName %h.gcc.rug.nl
    User prefix-youraccount

#
##
### Proxy settings for multi-hop SSH.
##
#
# The syntax in all the ProxyCommand rules below assumes your private key is in the default location.
# The default location is:
#   ~/.ssh/id_rsa for keys generated with the RSA algorithm.
#   ~/.ssh/id_dsa for keys generated with the DSA algorithm.
# In case your private key file is NOT in the default location you must:
#   1. Specify the path to your private key file on the command line when logging in with SSH.
#      For example:
#      $> ssh -i ~/.ssh/some_other_key.file prefix-youraccount@proxy_server+destination_server
#   2. Add the path to your private key file in the ProxyCommand rules below.
#      For example:
#      Host proxy_server+*
#          PasswordAuthentication No
#          ProxyCommand ssh -X -q -i ~/.ssh/some_other_key.file prefix-youraccount@$(echo %h | sed 's/+[^+]*$//').some.sub.domain -W $(echo %h | sed 's/^[^+]*+//'):%p
#

#
# Universal proxy settings for triple-hop SSH.
#
Host *+*+*
    ProxyCommand ssh -X -q $(echo %h | sed 's/+[^+]*$//') -W $(echo %h | sed 's/^[^+]*+[^+]*+//'):%p

#
# Double-hop proxy settings for HPC V2 & V3 environment servers in *.hpc.rug.nl or *.umcg.nl domain.
#
Host lobby+* foyer+*
    PasswordAuthentication No
    ProxyCommand ssh -X -q prefix-youraccount@$(echo %h | sed 's/+[^+]*$//').hpc.rug.nl -W $(echo %h | sed 's/^[^+]*+//'):%p
Host passage+* gate+*
    PasswordAuthentication No
    ProxyCommand ssh -X -q prefix-youraccount@$(echo %h | sed 's/+[^+]*$//').umcg.nl -W $(echo %h | sed 's/^[^+]*+//'):%p
#
# Sometimes port 22 for the SSH protocol is blocked by firewalls; in that case you can try to use SSH on port 80 as fall-back.
# Do not use port 80 by default for SSH, as it is officially assigned to HTTP traffic and some firewalls will cause problems when trying to route SSH over port 80.
#
Host lobby80+* foyer80+*
    PasswordAuthentication No
    ProxyCommand ssh -X -q prefix-youraccount@$(echo %h | sed 's/+[^+]*$//').hpc.rug.nl -W $(echo %h | sed 's/^[^+]*+//'):%p -p 80

}}}
Replace all occurrences of '''prefix-youraccount''' with:[[BR]]
'''prefix''' = based on your organization. Usually either '''umcg''' or '''lifelines''' [[BR]]
'''youraccount''' = your account on calculon.hpc.rug.nl = your account on umcg.hpc.rug.nl = etc.[[BR]][[BR]]
If you are **not** on a Mac, or on a very old one, you may have to comment out the ''# Generic stuff: only for MacOS clients'' section at the top of the example **''~/.ssh/config''**[[BR]][[BR]]
   * Make sure you are the only one who can access your ~/.ssh folder. Type the following command in a terminal:
{{{
chmod -R go-rwx ~/.ssh
}}}
 * You can now, for example, connect to ''calculon.hpc.rug.nl'' with the account specified by ''User'', via the proxy server ''lobby.hpc.rug.nl'', using the alias lobby+calculon. Type the following command in a terminal:
{{{
ssh lobby+calculon
}}}
In order to override the account name specified in your ''~/.ssh/config'' you can use:
{{{
ssh prefix-youraccount@lobby+calculon
}}}
You can also transfer data with scp (secure copy) to copy files to your home dir on the cluster like this:
{{{
scp some_file lobby+calculon:
}}}
or, even better, use rsync to copy data to your home dir on the cluster like this:
{{{
rsync -av some_directory lobby+calculon:
}}}
Note the colon at the end of the ''scp'' and ''rsync'' commands. Without the colon you would copy to a local file named ''lobby+calculon''.
You can add additional ''proxy+*'' aliases for other User Interface (UI) servers and other proxy servers depending on your computing preferences or authorization. If you also added the {{{Host *+*+*}}} code block you can do triple hops starting with a proxy like this:
{{{
ssh proxy+intermediate_server+destination_server
}}}
In case you are on a network where the default port for SSH (22) is blocked by a firewall you can try to set up SSH over port 80 using an alias like this:
{{{
ssh lobby80+calculon
}}}
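
To see what the sed pipelines in the ProxyCommand rules actually make of an alias, here is an added shell example (not part of the original wiki page and not the HPC team's code); it copies the sed expressions from the config above and never runs ssh itself, and the account name umcg-jdoe is a constructed placeholder:

```shell
#!/bin/sh
# Added example (not from the original wiki page): reproduces, without running
# ssh, how the ProxyCommand rules split a "proxy+target" alias (%h) into the
# hop ssh connects to first and the host name handed to "-W" on that hop.
# The sed expressions are copied verbatim from the ~/.ssh/config example.

# Everything before the last '+': the hop(s) ssh must go through first.
# For "lobby+foyer+calculon" this yields "lobby+foyer", which itself matches
# "Host lobby+*", so ssh walks the rules one hop at a time.
proxy_part() {
    printf '%s' "$1" | sed 's/+[^+]*$//'
}

# Everything after the first '+': the double-hop target. It is passed to -W
# without a domain, so the jumphost, not your client, resolves that name.
target_part() {
    printf '%s' "$1" | sed 's/^[^+]*+//'
}

# The "Host *+*+*" variant: drop the first two hops, keep the final target.
triple_target_part() {
    printf '%s' "$1" | sed 's/^[^+]*+[^+]*+//'
}

# The exact command the "Host lobby+* foyer+*" rule would run for an alias,
# with %h (the alias) and %p (destination port, 22 unless given) substituted.
# $2 stands in for prefix-youraccount.
double_hop_command() {
    printf 'ssh -X -q %s@%s.hpc.rug.nl -W %s:%s' \
        "$2" "$(proxy_part "$1")" "$(target_part "$1")" "${3:-22}"
}

# Same for the "Host *+*+*" rule: the proxy part is itself an alias, and the
# user name is left to whichever rule that alias matches.
triple_hop_command() {
    printf 'ssh -X -q %s -W %s:%s' \
        "$(proxy_part "$1")" "$(triple_target_part "$1")" "${2:-22}"
}

# Demo with a constructed account name (umcg-jdoe is not a real user).
for a in lobby+calculon lobby80+calculon lobby+foyer+calculon; do
    echo "$a -> proxy=$(proxy_part "$a") target=$(target_part "$a")"
done
echo "$(double_hop_command lobby+calculon umcg-jdoe)"
echo "$(triple_hop_command lobby+foyer+calculon)"
```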

Frequently Asked Questions:
 * Q: Why do I get the error {{{muxserver_listen bind(): No such file or directory.}}}? [[BR]]
 A: You may have failed to create the **''~/.ssh/tmp''** folder in the first step, or the permissions on this folder are wrong. [[BR]][[BR]]
 * Q: Why do I get the error {{{ControlPath too long}}}? [[BR]]
 A: The {{{ControlPath ~/.ssh/tmp/%h_%p_%r}}} line in your ''~/.ssh/config'' file expands to a path that is too long. Change the ''!ControlPath'' line in your ''~/.ssh/config'' file to create a shorter path for the automagically created sockets. You can use for example {{{ControlPath /tmp/%h_%p_%r}}} to create sockets in /tmp. [[BR]][[BR]]
 * Q: Why do I get the error {{{nc: getaddrinfo: Name or service not known. ssh_exchange_identification: Connection closed by remote host}}}? [[BR]]
 A: This server does not exist (anymore), or you have a typo in the name of the server you are trying to connect to. Check both the command you typed and your ''~/.ssh/config'' for typos in server names. [[BR]][[BR]]
 * Q: Why do I get the error {{{Permission denied (publickey).}}}? [[BR]]
 A: This error can be caused by various configuration issues: [[BR]]
 either you are using the wrong account name, [[BR]]
 or you are using the wrong private key file, [[BR]]
 or the permissions on the **''~/.ssh/''** dir in your home and/or on its content are wrong, [[BR]]
 or your account is misconfigured on our account server. [[BR]]
 Check your account name, private key and permissions. If that did not resolve the issue, then increase the verbosity to debug connection problems (see below). [[BR]][[BR]]
 * Q: Can I increase the verbosity to debug connection problems? [[BR]]
 A: Yes, try adding ''-vvv'' like this:
 {{{ssh -vvv prefix-youraccount@lobby+calculon}}} [[BR]][[BR]]
 If that does not help to figure out what is wrong, please [wiki:Contact send an email to the HPC helpdesk] and include: [[BR]]
   1. The command you used for your failed login attempt [[BR]]
   2. The output of that failed login attempt with ''-vvv'' debugging enabled [[BR]]
   3. A copy of your ~/.ssh/config file. [[BR]]
 (Never ever send us your private key; it does not help to debug your connection problems, but will render the key useless as it is no longer private.)
| | 177 | |
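A quick way to verify the permission point from the ''Permission denied (publickey)'' answer, as an added shell example (not part of the original page): it lists every entry under an .ssh directory that {{{chmod -R go-rwx ~/.ssh}}} would still change. The default directory {{{$HOME/.ssh}}} and the exit codes are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original wiki page): report every entry under an
# .ssh directory that is still readable, writable or executable by group or
# others, i.e. exactly what "chmod -R go-rwx ~/.ssh" would change. The ssh
# client ignores a private key file that other users can read, which surfaces
# as "Permission denied (publickey)".
# Returns 0 when the tree is clean, 1 when offenders were printed, 2 on error.
ssh_dir_perm_check() {
    dir="${1:-$HOME/.ssh}"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    # Columns 5-10 of the ls mode string are the group and other bits; any
    # r, w or x among them is what go-rwx strips. Symlinks are skipped
    # because ls -ld reports the link's own (always open) mode.
    offenders="$(find "$dir" ! -type l -exec ls -ld {} \; \
        | awk 'substr($1, 5, 6) ~ /[rwx]/ { print $1, $NF }')"
    [ -n "$offenders" ] || return 0
    printf '%s\n' "$offenders"
    return 1
}

# Number of offending entries, for scripts that only need a count.
ssh_dir_perm_offenders() {
    ssh_dir_perm_check "$1" | wc -l | tr -d ' '
}

# Stand-alone use: check the caller's own ~/.ssh (an assumption of this example).
if ssh_dir_perm_check "$HOME/.ssh"; then
    echo "~/.ssh permissions OK"
fi
```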
== Users on Windows ==

 * On the machine from which you want to connect
   1. Make sure you have generated SSH keys linked to your account. See [wiki:RequestAccount RequestAccount] for instructions.
   1. Download and install **''[http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html Putty]''**. Make sure to also download the key manager **''Pageant''**.
   1. Start **''Pageant''**
   1. Load your private key into **''Pageant''**
   1. Start **''Putty''**
   1. Go to **''Connection''** -> **''Ssh''** -> **''Auth''** and select **''Allow agent forwarding''**
   1. Go to **''Connection''** -> **''Data''** and fill in your user name in the **''auto-login username''** option

 * You can now connect to, for example, ''calculon.hpc.rug.nl'' via the proxy server ''lobby.hpc.rug.nl'' using a double hop like this:
   * In **''Putty''** connect to **''lobby.hpc.rug.nl''** (or choose another proxy from the list)
   * Once the connection is established, type the following command in a terminal:
{{{
ssh prefix-youraccount@calculon.hpc.rug.nl
}}}
Change the name of the destination host to connect to other User Interface (UI) servers.
In order to automate this double hop on Windows, please have a look at these instructions: http://mikelococo.com/2008/01/multihop-ssh/