Context Navigation

Changes between Version 1 and Version 2 of TransparentMultiHopSSHNewLobby

Timestamp:: 2021-07-07T14:40:25+02:00 (3 years ago)
Author:: Pieter Neerincx
Comment:: --

Legend:

: Unmodified
: Added
: Removed
: Modified

TransparentMultiHopSSHNewLobby

-                      v1
+                      v2
 The existing {{{lobby.hpc.rug.nl}}} will shortly be replaced by a new machine with the same name. This new machine currently has no DNS entry yet; the example config below is for the new {{{lobby}}} jumphost and is based on its IP address only.
+Note that previously there was also a jumphost named lobby.hpc.rug.nl, but this one has been deprecated. Furthermore there many other machines specified in the example config like {{{flexo}}} and {{{bender}}}. Please remove all entries for these machines from your {{{~/.ssh/config}}} file:
+ * The only line that should remain in your ~/.ssh/config for our machines is
+Note that previously there was also a jumphost named {{{lobby.hpc.rug.nl}}}, but this one has been deprecated. Furthermore there many other machines specified in the example config like {{{flexo}}} and {{{bender}}}. Please remove all entries for these machines from your {{{~/.ssh/config}}} file:
+ * The only line that should remain in your ~/.ssh/config for the UMCG Research HPC machines is:
+   {{{
+   Include conf.d/*
+   }}}
  * Additional lines that are required to access our machines are added to a separate {{{~/.ssh/conf.d/calculon}}} file now.
 …
  * On the machine from which you want to connect
    * Make sure you have a **''~/.ssh''** folder with generated SSH keys linked to your account. See [wiki:RequestAccount] for instructions.
    * Create **''~/.ssh/tmp''** and **''~/.ssh/conf.d''** folders. Open a terminal and type the following command:
+   * Create **''~/.ssh/tmp''** and **''~/.ssh/conf.d''** subfolders and configuration files if they did not already exist and make sure they have the right permissions. Open a terminal and type the following command:
 {{{
+mkdir -p ~/.ssh/tmp
+mkdir -p ~/.ssh/conf.d
+mkdir -p -m 700 "${HOME}/.ssh/"
+mkdir -p -m 700 "${HOME}/.ssh/tmp/"
+mkdir -p -m 700 "${HOME}/.ssh/conf.d/"
+touch "${HOME}/.ssh/config"
+touch "${HOME}/.ssh/conf.d/lobby"
+chmod -R go-rwx "${HOME}/.ssh"
 }}}
+   * Create a **''~/.ssh/config''** file if it does not exist yet.
+   * Add to your **''~/.ssh/config''** something like the following:
+   * Add the following line to your **''~/.ssh/config''**:
+{{{
+Include conf.d/*
+}}}
+     Important: this **''Include''** directive must precede any lines containing **''Host''** or **''Match''** directives, otherwise the **''Include''** will only apply to a specific set of hosts.
 {{{
+#
 …
+#
 # Generic stuff: prevent timeouts
+# Host settings.
+#
+Host *
+        ServerAliveInterval 60
+        ServerAliveCountMax 5
+Host lobby*
+    #
+    # Default account name when not specified explicitly.
+    #
+    User youraccount
+    #
+    # Prevent timeouts
+    #
+    ServerAliveInterval 60
+    ServerAliveCountMax 5
+    #
+    # We use public-private key pairs for authentication.
+    # Optionally: specify the path to your RSA private key it is not in the default location.
+    # Do not use password based authentication as fallback,
+    # which may be confusing and won't work anyway.
+    #
+    #IdentityFile "~/.ssh/id_rsa"
+    PasswordAuthentication No
+    #
+    # Multiplex connections to
+    #   * reduce lag when logging in to the same host in a second terminal
+    #   * reduce the amount of connections that are made to prevent excessive DNS lookups
+    #     and to prevent getting blocked by a firewall, because it thinks we are executing a DoS attack.
+    #
+    # Name/location of sockets for connection multiplexing are configured using the ControlPath directive.
+    # In the ControlPath directive %C expands to a hashed value of %l_%h_%p_%r, where:
+    #    %l = local hostname
+    #    %h = remote hostname
+    #    %p = remote port
+    #    %r = remote username
+    # This makes sure that the ControlPath is
+    #   * a unique socket that is local to machine on which the sessions are created,
+    #     which means it works with home dirs from a shared network file system.
+    #     (as sockets cannot be shared by servers.)
+    #   * not getting to long as the hash has a fixed size not matter how long %l_%h_%p_%r was.
+    #
+    ControlMaster auto
+    ControlPath ~/.ssh/tmp/%C
+    ControlPersist 1m
+#
 # Generic stuff: share existing connections to reduce lag when logging into the same host in a second shell
+# Expand short jumphost names to FQDN or IP address.
+#
+ControlMaster auto
+ControlPath ~/.ssh/tmp/%h_%p_%r
+Host lobby
+    HostName 195.169.22.135
+#
+##
+### RUG HPC v2 hosts in *.hpc.rug.nl domain with DNS.
+##
+#
+Host *peregrine pg-interactive !*.hpc.rug.nl
+        HostName %h.hpc.rug.nl
+        User prefix-youraccount
+#
+##
+### UMCG Research IT HPC v2 hosts in *.hpc.rug.nl domain.
+##
+#
+#  A. With DNS entry.
+#
+Host foyer lobby *calculon *cher-ami !*.hpc.rug.nl
+        HostName %h.hpc.rug.nl
+        User prefix-youraccount
+#
+##
+### GCC HPC v2 hosts in *.gcc.rug.nl domain.
+##
+#
+Host *flexo *bender *gattaca* !*.gcc.rug.nl
+        HostName %h.gcc.rug.nl
+        User prefix-youraccount
+#
+##
+### Proxy settings for multi-hop SSH.
+##
+#
+# The syntax in all the ProxyCommand rules below assumes your private key is in the default location.
+# The default location is:
+#  ~/.ssh/id_rsa for keys generated with the RSA algorithm.
+#  ~/.ssh/id_dsa for keys generated with the DSA algorithm.
+# In case your private key file is NOT in the default location you must:
+#  1. Specify the path to your private key file on the command line when logging in with SSH.
+#     For example:
+#         $> ssh -i ~/.ssh/some_other_key.file prefix-youraccount@proxy_server+destination_server
+#  2. Add the path to your private key file in the ProxyCommand rules below.
+#     For example:
+#         Host proxy_server+*
+#             PasswordAuthentication No
+#             ProxyCommand ssh -X -q -i ~/.ssh/some_other_key.file prefix-youraccount@$(echo %h | sed 's/+[^+]*$//').some.sub.domain -W $(echo %h | sed 's/^[^+]*+//'):%p
+#
+#
+# Universal proxy settings for triple-hop SSH.
+# Universal jumphost settings for triple-hop SSH.
+#
 Host *+*+*
+        ProxyCommand ssh -X -q $(echo %h | sed 's/+[^+]*$//') -W $(echo %h | sed 's/^[^+]*+[^+]*+//'):%p
+    ProxyCommand ssh -x -q $(echo %h | sed 's/+[^+]*$//') -W $(echo %h | sed 's/^[^+]*+[^+]*+//'):%p
+#
 # Double-hop proxy settings for HPC V2 & V3 environment servers in *.hpc.rug.nl or *.umcg.nl domain.
+# Double-hop SSH settings to connect via specific jumphosts.
+#
+Host lobby+* foyer+*
+        PasswordAuthentication No
+        ProxyCommand ssh -X -q prefix-youraccount@$(echo %h | sed 's/+[^+]*$//').hpc.rug.nl -W $(echo %h | sed 's/^[^+]*+//'):%p
+Host passage+* gate+*
+        PasswordAuthentication No
+        ProxyCommand ssh -X -q prefix-youraccount@$(echo %h | sed 's/+[^+]*$//').umcg.nl -W $(echo %h | sed 's/^[^+]*+//'):%p
+Host lobby+*
+    ProxyCommand ssh -x -q $(echo "${JUMPHOST_USER:-%r}")@$(echo %h | sed 's/+[^+]*$//') -W $(echo %h | sed 's/^[^+]*+//'):%p
+#
+# Sometimes port 22 for the SSH protocol is blocked by firewalls; in that case you can try to use SSH on port 80 as fall-back.
+# Do not use port 80 by default for SSH as it officially assigned to HTTP traffic and some firewalls will cause problems when trying to route SSH over port 80.
+# Sometimes port 22 for the SSH protocol is blocked by firewalls; in that case you can try to use SSH on port 443 as fall-back.
+# Do not use port 443 by default for SSH as it is officially assigned to HTTPS traffic
+# and some firewalls will cause problems with SSH traffic over port 443.
+#
+Host lobby80+* foyer80+*
+        PasswordAuthentication No
+        ProxyCommand ssh -X -q prefix-youraccount@$(echo %h | sed 's/+[^+]*$//').hpc.rug.nl -W $(echo %h | sed 's/^[^+]*+//'):%p -p 80
+Host lobby443+*
+    ProxyCommand ssh -x -q $(echo "${JUMPHOST_USER:-%r}")@$(echo %h | sed 's/443+[^+]*$//') -W $(echo %h | sed 's/^[^+]*+//'):%p -p 443
 }}}
+   Replace all occurences of '''prefix-youraccount''' with:[[BR]]
+   '''prefix''' = based on your organization. Usually either '''umcg''' or '''lifelines''' [[BR]]
+   '''youraccount''' = your account on calculon.hpc.rug.nl = your account on umcg.hpc.rug.nl = etc.[[BR]][[BR]]
+   Replace all occurences of '''youraccount''' with the accountname you received from the UMCG HPC helpdesk.[[BR]][[BR]]
    If you are **not** on a Mac or on a very old one you may have to comment the ''# Generic stuff: only for MacOS clients'' section at the top of example **''~/.ssh/config''**[[BR]][[BR]]
+   * Make sure you are the only one who can access your ~/.ssh folder. Type the following command in a terminal:
+{{{
+chmod -R go-rwx ~/.ssh
+}}}
+ * You can now for example connect to ''calculon.hpc.rug.nl'' with the account as specified by ''User'' via for example proxy server ''lobby.hpc.rug.nl'' using the alias lobby+calculon. Type the following command in a terminal:
+ * You can now for example connect to the User Interface of the Calculon cluster named ''calculon'' with the account as specified in the ''User'' directive of your ''~/.ssh/config'' via the ''lobby'' jumphost using the alias ''lobby+calculon''. Type the following command in a terminal:
 {{{
 ssh lobby+calculon
 }}}
    In order to override the accountname specified in your ''~/.ssh/config'' you can use:
+   In order to override the account name specified in your ''~/.ssh/config'' you can use:
 {{{
 ssh prefix-youraccount@lobby+calculon
+ssh youraccount@lobby+calculon
 }}}
    You can also transfer data with scp (secure copy) to copy files to your home dir on the cluster like this:
 …
 ssh proxy+intermediate_server+destination_server
 }}}
    In case you are on a network where the default port for SSH (22) is blocked by a firewall you can try to setup SSH over port 80 using an alias like this:
+   In case you are on a network where the default port for SSH (22) is blocked by a firewall you can try to setup SSH over port 443 using an alias like this:
 {{{
 ssh lobby80+calculon
+ssh lobby443+calculon
 }}}