In general, you need to use ssh to access ASC systems. For general information about ssh and how to use it, there is much information available on the internet and in books. We recommend our partner NCI's pages on ssh.
High-performance ssh
High Performance SSH/SCP (HPN-SSH) is a set of patches to openssh that improve the buffering and make encryption of the data stream optional (authentication is still encrypted). It is available on cherax and the NCI, iVEC and TPAC systems, with somewhat different setups. On cherax, an hpn-ssh server runs on port 22000 and only accepts key-based authentication. To use hpn-ssh from cherax, load the module to get the patched ssh/scp/sftp client commands in your path:
cherax> module load hpn-ssh
(You might want to put that into your .login or .profile file to save typing it each session.)
To use hpn-ssh when accessing cherax from other hosts, you need to connect to port 22000 rather than the normal ssh port (22). This can be done with the ssh -p 22000 option or the scp -P 22000 option. You can keep the commands simpler by configuring this in your .ssh/config file, but being explicit has benefits too (for understandability).
You must use key-based (passwordless) access when accessing cherax on port 22000 from other hosts. You will not be prompted for a password.
Passwordless ssh and keys
On some systems your newly-created account will come with an ssh key. This is common for communication within a cluster where the nodes all share a common home file system. To see ssh keys, type:
prompt> ls -l ~/.ssh
If you see something like:
-rw------- 1 lea097 root 1675 2009-05-21 10:14 id_rsa
-rw------- 1 lea097 root  397 2009-05-21 10:14 id_rsa.pub
then you already have a key, otherwise you should create one:
prompt> cd $HOME
prompt> ssh-keygen -t rsa -N ""
prompt> cd .ssh
prompt> ls -l
-rw------- 1 lea097 csssg 1675 2009-06-23 12:22 id_rsa
-rw-r--r-- 1 lea097 csssg  395 2009-06-23 12:22 id_rsa.pub
Note: the -N option makes the private key have an empty passphrase (and be unencrypted on disk). Private keys can be protected by a passphrase, but working with passphrase-protected keys is not described further here.
The id_rsa file is your private key (don't give it to anyone!) and id_rsa.pub is your public key. You should generate a new key pair for each host you want to run ssh from and leave the private key where it was created. The public key can be added to systems that you want to access using the private key. A password is no longer needed for authentication, as the key-pair system ensures that access can only be from a client that has the private key (keep it secure!).
For argument's sake, let's say we are setting up ssh between cherax and burnet. Having ensured we have a public and private key on each, give the public key a meaningful name and start to distribute it to hosts that you want to access using the matching private key:
cherax> cd $HOME/.ssh
cherax> ls -l
-rw------- 1 lea097 csssg 1675 2009-06-23 12:22 id_rsa
-rw-r--r-- 1 lea097 csssg  395 2009-06-23 12:22 id_rsa.pub
cherax> cp id_rsa.pub my_cherax_public_key
cherax> scp ./my_cherax_public_key burnet:.ssh/
(You will need to enter your burnet password.)
Now, on burnet, we add our cherax public key to our authorized_keys file:
burnet> cd .ssh
burnet> cat my_cherax_public_key >> authorized_keys
The ">>" appends the key to your authorized_keys file. Make sure you use ">>" and not ">" as a single arrow would overwrite the file!
If authorized_keys has any permissions other than "-rw-------" it won't work, so you might need to use:
burnet> chmod 600 authorized_keys
Now you should be able to ssh from cherax to burnet without being prompted for a password. You can add more keys from other systems to your authorized_keys file in the same way. (Don't forget: use ">>" and not ">".)
ssh config file
On some systems - most notably those at NCI - your username will be different to your CSIRO NEXUS id. On other systems - again, most notably those at NCI - you may need to use a full domain name or IP address to connect to a specific host. For example, to login to cherax from burnet you can use:
burnet> ssh cherax
but to get from cherax to the Sun constellation at NCI you need:
cherax> ssh -l $my_nci_id vayu.nci.org.au
and to get to cherax from the NCI vayu you need:
vayu> ssh -l $my_nexus_id cherax.hpsc.csiro.au
You can simplify this significantly by setting up an ssh config file detailing the login details of certain computers. For example, assuming your CSIRO/NEXUS username is 'lea097' and your NCI username is 'sjl599' (like mine), you can refer to the computers as 'cherax' and 'vayu' by putting the following into your ~/.ssh/config files on each machine:
lea097@cherax> cat ~/.ssh/config
# vayu login node for interactive sessions
host vayu
    HostName vayu.nci.org.au
    User sjl599
# vayu data mover node for transferring files
host vu-dm
    HostName vu-dm.nci.org.au
    User sjl599

sjl599@vayu> cat ~/.ssh/config
host cherax
    HostName cherax.hpsc.csiro.au
    Port 22000
    User lea097
The "Port 22000" in the cherax entry of the vayu config file is for accessing the hpn-ssh service on cherax for better file transfer speeds. This will simplify using scp, sftp, GridFTP (with sshftp), bbcp and rsync with hpn-ssh. NCI would prefer all transfers to/from vayu to be done via data mover nodes. This can be done using the batch queue 'copyq' if the transfer is controlled from the NCI end, or by connecting to vu-dm.nci.org.au if the transfer is controlled from a CSIRO host. See also: File I/O and transfer.