SSH Setup on MONSooN

In order to submit UM jobs to MONSooN from the UMUI on PUMA you need to have set up ssh-agent and ssh-forwarding correctly.

This page describes how to set up ssh-agent. The instructions differ depending on your current setup: whether you already have an ssh-agent running on PUMA and, if so, whether it was started on PUMA or forwarded from a localhost. We cannot cover all scenarios and offer this information as advice only.

Determining if you already have an ssh-agent running on PUMA

First we need to determine if you already have an ssh-agent running on PUMA. Log in to PUMA and run the command ssh-add -l

Scenario A:

puma$ ssh-add -l
1024 7e:c9:c1:a6:f5:71:e3:bd:d9:84:23:4c:e4:fc:f7:ea /home/ros/.ssh/id_dsa (DSA)

If the result is similar to the above then you already have an ssh-agent running on PUMA. Please go to the setup instructions entitled Setting up your public key.

Scenario B:

puma$ ssh-add -l
Could not open a connection to your authentication agent.

Output similar to the above indicates that you do not have an ssh-agent running on PUMA. Please follow the instructions entitled Setting up ssh-agent on PUMA.

Setting up ssh-agent on PUMA

Note: The following instructions assume that you don't already have ssh-agent set up on PUMA.

  1. Generate the authentication key on PUMA:
        puma$ ssh-keygen -f ~/.ssh/id_rsa -C "‹userid›@puma.nerc.ac.uk"
        Generating public/private rsa key pair.
        Enter passphrase(empty for no passphrase): [TYPE_YOUR_PASSPHRASE]
        Enter same passphrase again: [TYPE_YOUR_PASSPHRASE]
        Your identification has been saved in ~/.ssh/id_rsa.
        Your public key has been saved in ~/.ssh/id_rsa.pub.
        The key fingerprint is:
        md5 1024 [String of characters] ‹userid›@puma.nerc.ac.uk
    
    [TYPE_YOUR_PASSPHRASE] should be a fairly complicated and unguessable passphrase. You can use spaces in the passphrase if it helps you to remember it more readily. It is recommended that you don't use your password as the passphrase, in case it is compromised.
  1. Add the public key to the ~/.ssh/authorized_keys file on PUMA:
        puma$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
    
  1. Run ssh-agent on PUMA:

    Make the ssh-agent start automatically when your session starts.

    Copy my setup script to $HOME/.ssh/setup, and ensure it has execute permission:

        puma$ chmod u+x $HOME/.ssh/setup

    Call this script from your .kshrc (if you don't have a .kshrc file, call it from your .profile) by adding the following line:

        . $HOME/.ssh/setup
  1. Run the following command and type your passphrase (you may need to do this every time a new ssh-agent is started, i.e. every time you restart your local session):
        puma$ ssh-add
        Enter passphrase for ~/.ssh/id_rsa (‹userid›@puma.nerc.ac.uk): [Type Passphrase]
    
  1. Now complete the section entitled Setting up ssh-forwarding
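
The setup script referred to in step 3 is not reproduced on this page. As an added example (not the author's script), one way to write a $HOME/.ssh/setup that keeps a reachable agent, falls back to one recorded by an earlier login, and only then starts a new one. The SSH_ADD, SSH_AGENT and AGENT_ENV variables and the agent.env file name are assumptions made for this example:

```shell
# Added example of a $HOME/.ssh/setup; not the script this page links to.
# SSH_ADD, SSH_AGENT and AGENT_ENV are assumed names used by this example only.
SSH_ADD=${SSH_ADD:-ssh-add}
SSH_AGENT=${SSH_AGENT:-ssh-agent}
AGENT_ENV=${AGENT_ENV:-$HOME/.ssh/agent.env}

# "ssh-add -l" exits 0 when the agent holds keys, 1 when it holds none,
# and 2 when no agent can be contacted.
agent_state() {
    _rc=0
    "$SSH_ADD" -l >/dev/null 2>&1 || _rc=$?
    case $_rc in
        0) echo keys ;;
        1) echo empty ;;
        *) echo none ;;
    esac
}

agent_setup() {
    # 1. An agent is already reachable (started here or forwarded): keep it.
    [ "$(agent_state)" != none ] && return 0
    # 2. Try the agent recorded by an earlier login; a stale record fails here.
    if [ -r "$AGENT_ENV" ]; then
        . "$AGENT_ENV" >/dev/null
        [ "$(agent_state)" != none ] && return 0
    fi
    # 3. Start a new agent and record its environment, readable by owner only.
    ( umask 077; rm -f "$AGENT_ENV"; "$SSH_AGENT" -s > "$AGENT_ENV" ) || return 1
    . "$AGENT_ENV" >/dev/null
    [ "$(agent_state)" != none ]
}

# Only act in interactive shells, so scripts that source the rc file stay quiet.
case $- in
    *i*)
        if agent_setup && [ "$(agent_state)" = empty ]; then
            echo "ssh-agent is running with no keys loaded; run ssh-add"
        fi ;;
esac
```

Because the file is sourced rather than executed, the SSH_AUTH_SOCK and SSH_AGENT_PID values it exports remain set in the login shell.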

Setting up your public key

The following instructions assume that you already have an ssh-agent running on PUMA.

The purpose of this section is to set up your public keys so that you don't need to supply your PUMA password during the job submission process. You need to copy your public key to the ~/.ssh/authorized_keys file on PUMA, but which key this is depends on how you set up the ssh-agent.

Is the agent running on PUMA or has it been forwarded from a localhost (i.e. the machine you logged into PUMA from)?

The easiest way to determine this is to search the processes you have running on PUMA, by issuing the command below (the [s] in the pattern stops grep from matching its own process):

ps -flu ‹userid› | grep '[s]sh-agent'

If the search is successful, then you are running the agent on PUMA and you need to run the following command to add your PUMA public key to the ~/.ssh/authorized_keys file on PUMA:

puma$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

Otherwise the ssh-agent is being forwarded from another machine. You now need to determine which machine that is (most likely the one you logged into PUMA from) and copy the public key from that machine to the ~/.ssh/authorized_keys file on PUMA. This can be achieved in a secure manner by running the following command on that machine:

localhost$ cat ~/.ssh/id_rsa.pub | ssh ‹userid›@puma.nerc.ac.uk 'mkdir -p .ssh ; cat - >> ~/.ssh/authorized_keys'

Note: Depending on the type of public key you have previously generated, you may find it is in a file called ~/.ssh/id_dsa.pub rather than id_rsa.pub.

Now complete the section entitled Setting up ssh-forwarding.

Setting up ssh-forwarding

On PUMA:

If you already have the file $HOME/.ssh/config, add the following lines to it; otherwise create the file $HOME/.ssh/config first and then add the following lines.

Host monsoon lander.monsoon-metoffice.co.uk
ForwardAgent yes

Host *
ForwardAgent no
ForwardX11 yes
ForwardX11Trusted yes

On lander.monsoon-metoffice.co.uk: (Note: This is on the lander NOT the IBM)

Create the file $HOME/.ssh/config, or append to it, with the following lines.

Host *.*
ForwardAgent no

Host *
ForwardAgent yes
ForwardX11 yes

If all has worked correctly, you should only be required to enter your MONSooN passcode once for each job you submit.
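
ssh uses the first value it obtains for each option, so the order of the Host blocks above decides which hosts receive the forwarded agent. The following added example (a simplified model written for this page, not OpenSSH code and not part of the original instructions) evaluates the two configurations above and a reversed copy of the lander one. The function names and host.example.org are constructed for illustration:

```shell
# Simplified model of ssh_config lookup: Host blocks only, case-sensitive
# keywords, no "!" negation, no Match. Reads a config on stdin.
effective_option() {    # usage: effective_option KEYWORD HOST < config
    _applies=1          # lines before any Host block apply to every host
    while read -r _key _rest; do
        case $_key in
            Host)
                _applies=0
                set -f                   # do not expand patterns as file names
                for _pat in $_rest; do
                    case $2 in $_pat) _applies=1 ;; esac
                done
                set +f ;;
            "$1")
                if [ "$_applies" -eq 1 ]; then echo "$_rest"; return 0; fi ;;
        esac
    done
    return 1
}

# The two configurations from this page, plus the lander one in reverse order.
puma_config() { cat <<'EOF'
Host monsoon lander.monsoon-metoffice.co.uk
ForwardAgent yes

Host *
ForwardAgent no
ForwardX11 yes
ForwardX11Trusted yes
EOF
}
lander_config() { cat <<'EOF'
Host *.*
ForwardAgent no

Host *
ForwardAgent yes
ForwardX11 yes
EOF
}
lander_reversed() { cat <<'EOF'
Host *
ForwardAgent yes

Host *.*
ForwardAgent no
EOF
}

echo "PUMA, lander:              $(puma_config | effective_option ForwardAgent lander.monsoon-metoffice.co.uk)"
echo "lander, host.example.org:  $(lander_config | effective_option ForwardAgent host.example.org)"
echo "reversed lander, same host: $(lander_reversed | effective_option ForwardAgent host.example.org)"
```

With the blocks reversed, the agent would be forwarded to every host reached from the lander, including fully qualified ones. On systems with OpenSSH 6.8 or later, ssh -G ‹host› prints the options ssh itself would apply and is the authoritative check.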

Last modified on 09/02/15 14:13:27