
Version 14 (modified by ros, 7 months ago)

SSH setup for submission of UM suites/UMUI jobs from PUMA to Archer

1. Set up PUMA environment

If this is the first time you have used your PUMA account, you will need to create a .profile. Copy our standard one:

puma$ cd ~
puma$ cp ~um/um-training/setup/.profile .

(If you already have a .profile, make sure it includes the lines from the standard file.)

2. Generate the authentication key for use with Rose/Cylc suites

Run the following command to generate your archerum ssh key.

puma$ ssh-keygen -t rsa -b 4096 -C "me@somewhere.ac.uk" -f ~/.ssh/id_rsa_archerum

When prompted to "Enter passphrase", choose a fairly complicated and unguessable passphrase. You can use spaces in the passphrase if that helps you to remember it more readily. It is recommended that you don’t use your password as the passphrase, in case it is hacked.

Important:

  • DO NOT use an empty passphrase as this presents a security issue.
  • It will take up to 24 hours for your new key to be installed on ARCHER.

3. Update ssh config file

In your PUMA ~/.ssh/config file add the following section:

Host login7.archer.ac.uk
User <archer_username>
IdentityFile ~/.ssh/id_rsa_archerum
ForwardX11 no
ForwardX11Trusted no

4. Set up ssh-agent

Setting up ssh-agent will allow you to cache your archerum key passphrase for a period of time.

puma$ cp ~um/um-training/setup/ssh-setup ~/.ssh

Log out of PUMA and then back in again.

Add your archerum key to your ssh-agent by running:

puma$ ssh-add ~/.ssh/id_rsa_archerum
Enter passphrase for /home/<puma-username>/.ssh/id_rsa_archerum:
[TYPE_YOUR_PASSPHRASE]

You will be prompted for your passphrase.

The ssh-agent should keep running even when you log out of PUMA; however, it may stop from time to time, for example if PUMA is rebooted.
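
A quick check for the case described above, where the agent has stopped (for example after a PUMA reboot) or no longer holds the archerum key. This is an added example, not part of the original page or of the ~um ssh-setup script; the function name and the SSH_ADD override variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report whether ssh-agent is reachable and holds the archerum key.
# SSH_ADD may be overridden (an assumption of this example, so that the check
# can be exercised against a stub); by default the real ssh-add is used.
SSH_ADD=${SSH_ADD:-ssh-add}

# archerum_agent_state [PUBKEY_FILE]
# Prints one of: no-pubkey, no-agent, agent-empty, key-missing, key-loaded.
# Returns 0 only when the key is loaded in the agent.
archerum_agent_state() {
    pub=${1:-$HOME/.ssh/id_rsa_archerum.pub}
    [ -r "$pub" ] || { echo no-pubkey; return 4; }

    # The base64 key blob is field 2 of the .pub file. Match on it rather
    # than on the comment, which is free text.
    want=$(awk 'NF >= 2 { print $2; exit }' "$pub")
    [ -n "$want" ] || { echo no-pubkey; return 4; }

    # ssh-add -L lists the public keys held by the agent. Exit status:
    # 0 = keys listed, 1 = agent reachable but holds no identities,
    # 2 = agent not reachable (any other failure is treated the same way).
    if loaded=$("$SSH_ADD" -L 2>/dev/null); then rc=0; else rc=$?; fi
    case $rc in
        0) ;;
        1) echo agent-empty; return 1 ;;
        *) echo no-agent; return 2 ;;
    esac

    if printf '%s\n' "$loaded" |
        awk -v w="$want" '$2 == w { found = 1 } END { exit !found }'; then
        echo key-loaded
        return 0
    fi
    echo key-missing
    return 3
}
```

If the function reports agent-empty or key-missing, re-run the ssh-add command above; if it reports no-agent, log out of PUMA and back in first so that ssh-setup can start a new agent.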

5. Verify the setup is correct

Note: Only proceed to this step once your archerum key has been installed on ARCHER.

Try logging into ARCHER with:

puma$ ssh login7.archer.ac.uk

You should not be prompted for your passphrase. The response from ARCHER should be:

--------------------------------------------------------------------------------
This is a private computing facility. Access to this service is limited to those
who have been granted access by the operating service provider on behalf of the
contracting authority and use is restricted to the purposes for which access was
granted. All access and usage are governed by the terms and conditions of access
agreed to by all registered users and are thus subject to the provisions of the
Computer Misuse Act, 1990 under which unauthorised use is a criminal offence.
If you are not authorised to use this service you must disconnect immediately.
--------------------------------------------------------------------------------
PTY allocation request failed on channel 0
Comand rejected by policy. Not in authorised list
Connection to login7.archer.ac.uk closed.

6. Specify login7 as the ARCHER host

As at August 2020 this mechanism only works for login7.archer.ac.uk. This means that all suites must be modified to submit to this login node. Specify login7.archer.ac.uk as the host in the appropriate .rc file (suite.rc or archer.rc). For example: host = login7.archer.ac.uk

You should then be able to submit suites to ARCHER.

The submission mechanism will be rolled out to all ARCHER login nodes in the coming weeks.