Logging into MOGON

How to set up SSH on your machine

Background Information #

To establish a secure connection through which we can access MOGON on our local computer, the Secure Shell (SSH) protocol comes into play. The central aspect of SSH is a pair of cryptographically generated keys—a public and a private key.

As the name suggests, you can share your public key without concern—feel free to tell it to your neighbor. On the other hand, you should always keep your private key secret! While the public key can be transferred to MOGON through a potentially unsafe network, the private key will never leave its place. Even during authentication it stays on your local machine.

How do these keys help with authentication? Well, the public key can encrypt a message that only your matching private key can decrypt. So, imagine MOGON sends you a message that has been encrypted using your own public key. You can now prove your identity just by decrypting it! After all, you are the only person in the world that has the matching private key.

You can connect to MOGON without studying cryptography, though. Just follow the steps described below.

Generating SSH Keys on Linux/macOS #

Generating an SSH key pair can be as easy as executing the following command in your terminal:

ssh-keygen -t rsa -b 4096 -C "HPCGATE,HPCLOGIN"

This generates a new key pair of type RSA and 4096 bit key size. The comment "HPCGATE,HPCLOGIN" is mandatory and lets our webtool in a later step know where to put your public key.

Next, ssh-keygen prompts you to enter a name for the key files.

Enter a file in which to save the key (/home/you/.ssh/id_rsa): [Press enter]

You can press enter to confirm the default or provide an alternative. A meaningful name might be /home/<user>/.ssh/id_rsa_mogon_laptop.

After that you have to specify a passphrase—use a passphrase! An empty passphrase is a serious security concern.

Enter passphrase (empty for no passphrase): [Type a passphrase]
Enter same passphrase again: [Type passphrase again]

In case you deviate from the default name, you need to make your ssh-agent aware of it by executing:

ssh-add ~/Path/To/Your/PrivateKey

Modifying existing SSH Keys #

If you already have an SSH key pair, you can change the comment as follows, for example, to add the HPCGATE,HPCLOGIN string if you have forgotten to append it:

ssh-keygen -c -C "HPCGATE,HPCLOGIN" -f ~/Path/To/Your/PrivateKey

Generating SSH Keys on Windows #

Here we provide information on how to create SSH keys on Windows with different tools.

PuTTY

MobaXterm

PowerShell

Prev

1 2 3 4

Next

1. Press the -Key to open the start menu and type PuTTYgen. Then, click on the app to open it. Now, the PuTTY Key Generator window should be displayed.

2. To create a new key pair, first, select the type of the key to generate at the bottom. We recommend the RSA algorithm and 4096 bit key size.
3. Next, click on Generate and start moving the mouse within the window to let PuTTY collect some randomness for the key. Once the progress bar is full, the actual key generation takes place.

4. Once the computation has been completed successfully, your public key will be displayed at the top.
5. Now, you have to specify a Passphrase and add a Comment for your SSH-Key. Make sure you add the HPCGATE,HPCLOGIN string to specify the purpose of your key.
6. Click on the Save private key button to store your private key. You must explicitly save your keys!

7. Copy the key from the topmost window for the next step: uploading the public key.

Prev

1 2

Next

1. Start MobaXterm and click on Tools in the menu. From there, select MobaKeyGen (SSH key generator).

2. A window identical in appearance to that of PuTTYgen will open. Follow the instructions for PuTTY to create an SSH key pair.

1. Launch a new PowerShell, preferably with admin privileges.

2. Check if OpenSSH is installed on your system.

   ssh -v
   

   Follow this guide to install OpenSSH on Windows if it is not installed.

3. Start the ssh-agent if it is not running already:

   Start-Service ssh-agent
   

4. Go to the .ssh directory of your user:

   cd ~\.ssh\
   

5. Generate a new SSH key pair with the ECDSA algorithm:

   ssh-keygen -t ecdsa -b 521 -C "HPCGATE,HPCLOGIN"
   

   For compatibility reasons make sure to use the ECDSA algorithm. The RSA algorithm used by Windows is old compared to the RSA algorithm used on MOGON. This causes conflicts and prevents a connection from being established.

6. Then ssh-keygen asks for a name for the key.

   Enter a file in which to save the key (/home/you/.ssh/id_rsa): [Press enter]
   

7. After that you have to specify a passphrase. Do not use an empty passphrase!

   Enter passphrase (empty for no passphrase): [Type a passphrase]
   Enter same passphrase again: [Type passphrase again]
   

8. Done. You have created an SSH key that will allow you to access MOGON using PowerShell. Upload you public SSH key to your JGU account

Uploading the Public Key #

1. Browse to account.uni-mainz.de and use your JGU credentials for login.
2. Paste the contents of your public SSH key into the SSH public key field.
3. You can add further comments in the Comment or key name field to help you identify this key again at a later point in time.
4. Please select HPCLOGIN as the key usage.
5. Feel free to leave the duplicate HPCLOGIN as is, or delete it from the public key field.
6. At last, please click on Save.
7. The newly added SSH key should be displayed in the SSH key overview.

Connecting on Linux/macOS #

For testing purposes, or if you only need to do this occasionally, you could use this command to connect to the MOGON NHR cluster:

ssh -J <username>@hpcgate.zdv.uni-mainz.de <username>@mogon-nhr-02

or in case you want to access MOGON II:

ssh -J <username>@hpcgate.zdv.uni-mainz.de <username>@mogon

Simply replace <username> with your JGU-username. Instead of mogon, which will distribute users amongst login nodes, you could also supply the MOGON service-node directly, if you want to access a specific login node. An overview of the MOGON service nodes is given here.

You can also explicitly specify the SSH key for the connection:

ssh -i ~/Path/To/Private/Key -J <username>@hpcgate.zdv.uni-mainz.de -i ~/Path/To/Private/Key <username>@mogon

The SSH key for the jump host and the MOGON service node do not necessarily need to be identical. However, the SSH keys must have been added to your JGU account and have the correct properties.

ssh -o ProxyCommand="ssh -W %h:%p <username>@hpcgate.zdv.uni-mainz.de" <username>@mogon

If you connect to a new remote location for the first time, you will be asked to confirm the identity of the server you are communicating with.

The authenticity of host 'hpcgate.zdv.uni-mainz.de (2001:4c80:40:63c:4:86ff:fe5d:b22d)' can't be established.
ECDSA key fingerprint is SHA256:pzKsg8DkGkzAxDw2n8Uggk/jbboSpNYi5w47LcXjTxk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? █

You can check the SSH Fingerprints of our service nodes here. Confirm by typing yes or pasting the relevant fingerprint for an automatic verification.

Creating an SSH Configuration File #

If you need to login from the outside more often, you can configure your SSH client to perform these steps automagically.

For this purpose, edit your local SSH config (~/.ssh/config) to include the following lines, where the setting ForwardX11 yes is optional:

# MOGON jump host
Host hpcgate
    HostName hpcgate.zdv.uni-mainz.de
    User <username>    
    ForwardX11 yes    
    IdentityFile ~/Path/To/Private/Key

# for access to MOGON II:
Host mogon
    HostName mogon
    User <username>
    ProxyJump hpcgate    
    ForwardX11 yes    
    IdentityFile ~/Path/To/Private/Key

# for access to MOGON NHR:
Host mogon-nhr
    HostName mogon-nhr-02
    User <username>
    ProxyJump hpcgate    
    ForwardX11 yes    
    IdentityFile ~/Path/To/Private/Key

ssh mogon

for access to a service node on MOGON II, or:

ssh mogon-nhr

to connect with MOGON NHR.

(More information on the jumphost technique with ProxyCommand here)

# MOGON jump host
Host hpcgate
    HostName hpcgate.zdv.uni-mainz.de
    User <username>
    IdentityFile ~/Path/To/Private/Key

# for access to MOGON:
Host mogon
    HostName mogon
    User <username>
    IdentityFile ~/Path/To/Private/Key
    ProxyCommand ssh -W %h:%p hpcgate

Using X11-forwarding on MacOS #

In order to use the X11-forwarding, an X11-server should be installed on your system.

Successful Connection Attempt #

If your SSH setup is correct and enough time has passed for your uploaded public key to be spread throughout our system, a successful connection attempt is going to end with the prompt for your privacyIDEA password.

ssh mogon
6-digit-Verification-Code: █

You have to complete the next step of the onboarding procedure first before you can proceed (setup of a mobile authenticator).

Connecting on Windows #

Putty

MobaXterm

PowerShell

Prev

1 2 3 4 5 6 7 8

Next

1. Before being able to transparently proxy your connection to MOGON service nodes through the HPCGATE, you need to connect to the host manually once and accept the SSH host key:

   Open PuTTY and enter <username>@hpcgate.zdv.uni-mainz.de in the Host Name field and use Port 22. Click on Open afterwards. When PuTTY prompts you for host key validation, accept it. Then close the window again.

2. Start a new PuTTY Session and enter the HostName of the MOGON service node you want to access. You can find an overview of the MOGON service nodes here. If you have no reason for connecting to a specific node, just enter mogon for MOGON II or mogon-nhr-02 for MOGON NHR.

3. In the menu on the left side, in the category Connection, select the subcategory Data. Fill in your <username> in the field Auto-login username.

4. Within the Proxy subcategory of Connection set Proxy type to local.
5. Fill in hpcgate.zdv.uni-mainz.de for the Proxy hostname and 22 for the Port.
6. Enter your <username> in the field Username.
7. Enter the following as your local proxy command:

   "C:\Program Files\PuTTY\plink.exe" -4 -P %proxyport -l %user %proxyhost -nc %host:%port
   

   Maybe the path to plink.exe is different on your system.

8. Within the Connection category select SSH and then the subcategory Auth. Make sure that Attempt authentication using Peagant is enabled and Allow agent forwarding is disabled.

9. Now go back to the Session category and enter a name for your session in the field under Saved Sessions. Click on Save to save the session profile for further use.

10. You will be asked to confirm the SSH Fingerprint again. Continue by clicking on Accept once you verified that the fingerprint matches.

11. A successful connection attempt is going to end with the prompt for your privacyIDEA password. You have to complete the next step of the onboarding procedure first before you can proceed (setup of a mobile authenticator).

Prev

1 2 3 4 5 6 7

Next

1. Start the application and click on the Session button to start a new session.

2. Choose SSH to start a new SSH session. The session you create is automatically saved.

3. Fill in the fields Remote Host and specify your <username>. Afterwards, go to the Advanced SSH setting tab.

4. Provide the path to your private SSH key. Then, click on the Network settings tab.

5. Click on the SSH gateway (jump host) button.

6. Use hpcgate.zdv.uni-mainz.de as the Gateway host and enter your <username>. Port is 22. Add the same SSH key as before and click on OK.

7. The configuration is now complete and you can click on OK.

Using the MobaXterm SSH agent

Prev

1 2 3 4

Next

1. Start MobaXterm and click on Settings

2. Now go to the SSH tab

3. Deactivate Use external Pageant and add your SSH key (*.ppk) by clicking on the plus sign. Once you are finished, click on OK

4. A window will now open and you will be asked to restart MobaXterm. You will then be asked for the passphrase once every time you start MobaXterm but can use the key in different sessions.

1. Open Windows PowerShell. Press the key, type PowerShell and hit enter.

2. Check if OpenSSH is installed on your system:

   ssh -V
   

3. You should get an output similar to that shown below

   OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.5
   

   This tutorial was created with the OpenSSH version shown above and PowerShell 7.0.2.

4. Verify that the ssh-agent is running:

   Get-Service ssh-agent
   

   If the shh-agent is not running, start it with:

   Start-Service ssh-agent
   

   To have ssh-agent automatically start with windows, you can execute (from elevated prompt):

   Set-Service ssh-agent -StartupType Automatic
   

5. Go to .ssh in your home directory:

   cd ~/.ssh
   

6. Generate a new SSH key pair with the ECDSA algorithm:

   ssh-keygen -t ecdsa -b 521 -C "HPCGATE,HPCLOGIN"
   

   For compatibility reasons make sure to use the ECDSA algorithm. The RSA algorithm used by Windows is old compared to the RSA algorithm used on MOGON. This causes conflicts and prevents a connection from being established.

7. Then ssh-keygen asks for a name for the key.

   Enter a file in which to save the key (/home/you/.ssh/id_rsa): [Press enter]
   

8. After that you have to specify a passphrase - Do not use an empty passphrase!

   Enter passphrase (empty for no passphrase): [Type a passphrase]
   Enter same passphrase again: [Type passphrase again]
   

   Upload your public SSH-Key to account.uni-mainz.de

9. Add your new SSH key to the ssh-agent.

   ssh-add <YourNewPrivateKey>
   

   Be sure to specify the correct path to the SSH key or go to the directory of the key before executing the command.

10. Verify that the ssh-agent utilizes the SSH key

    ssh-add -l
    

11. Create the following file .ssh/config with an editor and add the following lines:

    Host hpcgate
      User <username>
      Hostname hpcgate.zdv.uni-mainz.de
      Port 22
      IdentityFile C:/Users/<username>/.ssh/<YourNewPrivateKey>
    
    Host mogon
      HostName miil03.zdv.uni-mainz.de
      User <username>
      Port 22
      IdentityFile C:/Users/<username>/.ssh/<YourNewPrivateKey>
      ProxyCommand ssh.exe -W %h:%p -q hpcgate
    

    The path to your IdentitiyFile may be different. Please make sure the path is correct before you save the file.

12. Start a new Session to a MOGON service node. For example, you can now simply use:

    ssh mogon
    

13. Done. You should now be able to log in to the various MOGON service nodes. You can add each login node to your ~/.ssh/config file. A list of MOGON Service Nodes can be found here.

SSH Fingerprints #

On establishing a connection for the first time, you will be asked to confirm the identity of the server you are communicating with. Please compare indicated fingerprints to the ones listed below.