This is an old revision of the document!


SSH Access from outside of the university network

From hosts outside of the university network, only a special jump host named mogon-login is accessible via SSH on port 22022.
Be aware that mogon-login is not configured to be inside of the Mogon cluster so you won't have access to the GPFS filesystems and all available tools there.
From this host, the only thing you can and need to do is log in further to the real Mogon login nodes.

Mogon I Login-Nodes

To access MogonI cluster use

  • hostname: mogon

Login is possible via password authentication or RSA authentication.

Mogon II Login-Nodes

There are four different login-nodes to access MogonII cluster.

  • hostname: miil01 - miil04

Login is possible with ssh-key only (RSA authentication)!


If you need to login from the outside more often, you can configure your SSH client to perform these steps automagically - below you find instructions for OpenSSH under Linux and Putty under Windows.

Linux

If you only need to do this occasionally, you can simply run these two commands one after the other:

ssh -A -p 22022 -l <user> mogon-login.zdv.uni-mainz.de
# for Mogon I
ssh mogon
# for Mogon II
ssh miil01 # or miil02 - miil04

If you need to log in from the outside more often, you can configure your SSH client to perform these steps “automagically”:

First edit your local ssh config (~/.ssh/config) and add the following lines:

Host mogon-login mogon-login.zdv.uni-mainz.de
    HostName mogon-login.zdv.uni-mainz.de
    User <your_mogon_username>
    ForwardAgent yes
    ForwardX11 yes
    Port 22022
 
# for access to Mogon I:
Host mogon mogon.zdv.uni-mainz.de
    HostName mogon.zdv.uni-mainz.de
    User <your_mogon_username>
    ForwardAgent yes
    ForwardX11 yes
    ProxyCommand ssh mogon-login -l %r -W %h:%p
    # If connecting fails using the above ProxyCommand, use the one below instead
    #ProxyCommand ssh -l %r -q mogon-login nc -q0 %h %p
 
# for access to Mogon II (miil01 is used here; miil02 - miil04 work the same way):
Host mogonII miil01.zdv.uni-mainz.de
    HostName miil01.zdv.uni-mainz.de
    User <your_mogon_username>
    ForwardAgent yes
    ForwardX11 yes
    ProxyCommand ssh mogon-login -l %r -W %h:%p
    # If connecting fails using the above ProxyCommand, use the one below instead
    #ProxyCommand ssh -l %r -q mogon-login nc -q0 %h %p

(More information on the jumphost technique with ProxyCommand)

In case you don't have a ssh key yet you have to generate one.

ssh-keygen -t rsa -b 4096

This generates a new private/public RSA key pair with 4096 bits. ssh-keygen then asks for a file name for the key (stay with the default if you don't have a good reason to change it).

Enter a file in which to save the key (/home/you/.ssh/id_rsa): [Press enter] 

After that you have to specify a passphrase - Do not use an empty passphrase!

Enter passphrase (empty for no passphrase): [Type a passphrase]
Enter same passphrase again: [Type passphrase again] 

In case you already have a ssh key you can skip the last part and just copy your SSH public key to mogon-login.zdv.uni-mainz.de:

ssh-copy-id mogon-login.zdv.uni-mainz.de

Finally you have to copy your SSH public key to host(s) you want to connect to:

  • for Mogon I this is mogon.zdv.uni-mainz.de, hence:
ssh-copy-id mogon.zdv.uni-mainz.de
  • for Mogon II this becomes miil01.zdv.uni-mainz.de (or miil02 to miil04), hence:
ssh-copy-id miil01.zdv.uni-mainz.de

Now you are able to just use ssh mogon (ssh mogonII) to log in to the real MogonI (MogonII) login-nodes.
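
The same three hosts with ProxyJump (OpenSSH 7.3 or newer) in place of ProxyCommand, as an added example that is not part of the original page. The login to the Mogon node is made by your local client through the tunnel, so your key is never needed on mogon-login and agent forwarding can stay off; a forwarded agent can be used by anyone with root on the jump host for as long as your session is open.

```sshconfig
# Added example, not the original page's configuration.
# Host names, port and aliases are the ones used above.

Host mogon-login mogon-login.zdv.uni-mainz.de
    HostName mogon-login.zdv.uni-mainz.de
    User <your_mogon_username>
    Port 22022
    # The jump host only relays the connection: no agent, no X11 needed here
    ForwardAgent no
    ForwardX11 no

# for access to Mogon I:
Host mogon mogon.zdv.uni-mainz.de
    HostName mogon.zdv.uni-mainz.de
    User <your_mogon_username>
    # Picks up Port 22022 and User from the mogon-login block above
    ProxyJump mogon-login
    ForwardAgent no
    # Keep X11 forwarding only if you start graphical programs on the login node
    ForwardX11 yes

# for access to Mogon II (miil01 here; miil02 - miil04 work the same way):
Host mogonII miil01.zdv.uni-mainz.de
    HostName miil01.zdv.uni-mainz.de
    User <your_mogon_username>
    ProxyJump mogon-login
    ForwardAgent no
    ForwardX11 yes
```

Running `ssh -G mogon` prints the options OpenSSH resolves for the alias without connecting, which lets you confirm that `proxyjump` and `forwardagent` have the values you expect.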

Windows

Download PuTTY (preferably use the MSI installer package1)) and install it on your computer. The following steps will show you how to configure the PuTTY terminal.

Download putty and install

Access to Mogon I - Password Authentication

Before being able to transparently proxy your connection to mogon through the mogon-login host, you need to connect to the host manually once and accept the SSH host key. So first open Putty and enter mogon-login.zdv.uni-mainz.de in the Host Name field and use the Port 22022. When Putty prompts you for host key validation, accept it. Then close the window again.

Accepting the host key for mogon-login
  • Start a new Putty Session. On the left side, select the category “Connection”.
  • Click on “Data” and type in your username.
  • Now choose the category “Proxy” and set the Proxy type to local.
  • Change the Proxy Hostname and Port to mogon-login.zdv.uni-mainz.de and 22022.
  • Type in your Mogon username again and also enter your password2).
  • Enter plink.exe -nc %host:%port -l %user -pw %pass -P %proxyport %proxyhost as the local proxy command.
  • On the “Session” page, select the connection type SSH, enter <username>@mogon.zdv.uni-mainz.de in the Host Name field and use the Port 22.
  • Finally, choose a name for the Session (e.g. mogon.zdv.uni-mainz.de) and save the session profile for further use.

When you now click on “Open”, you connect directly to one of the MogonI login nodes. You might have to accept another host key for them, but that's fine.

Example configuration with the username schlarbm

Access to MogonII - RSA Authentication

Authentication on MogonII is done via an RSA key pair.

If you don't have an RSA key saved in a directory on your computer, double-click puttygen.exe, generate your key and save it in a directory of your choice on your computer.

If you already have an RSA key saved in a directory on your computer, proceed as follows:

First step is to deploy your RSA public key on the mogon-login-host. mogon-login-host is part of the demilitarized zone that allows access to MogonI/MogonII cluster from outside the university network.

  • Before being able to transparently proxy your connection to MogonII through the mogon-login host, you need to connect to the host manually once and accept the SSH host key.
  • Open Putty, enter mogon-login.zdv.uni-mainz.de in the Host Name field, use the Port 22022 and click Open. When Putty prompts you for host key validation, accept it.
  • Authenticate yourself with your <zdv_account> and your password.
  • Deploy your public key on mogon-login host in
    ~/.ssh/authorized_keys
Accepting the host key for mogon-login
Copy your public key from .ppk-file
paste with Shift+Insert

Second step is to deploy your RSA public key on the mogon-host. The mogon-host is a reference to the actual MogonI-login-nodes that allocate resources from the compute-nodes of MogonI.

  • Deploy your public key on MogonI. Because your home directory is the same on the MogonI and MogonII clusters, it is sufficient to deploy your public key on either one of them. Because MogonII only allows access with RSA authentication, access MogonI via password authentication, deploy your public key again in
    ~/.ssh/authorized_keys

    and close the connection again.

Third step is to open the ssh-connection to MogonII with RSA authentication.

  • Start pageant.exe and load your RSA key.
Load RSA key in SSH authentication agent for PuTTY, PSCP, PSFTP, and Plink
  • Start putty.exe and load default settings.
  • Go to Connection→SSH→Auth and choose “Allow agent forwarding”
  • Go to Connection→Proxy and set the Proxy type to local. Change the Proxy Hostname and Port to mogon-login.zdv.uni-mainz.de and 22022. Type in your Mogon username. Enter plink.exe -agent -nc %host:%port -l %user -P %proxyport %proxyhost as the local proxy command.
  • Go to Connection→Data and enter <your_username> again as “Auto-login username”
  • Go to Session, select the connection type SSH, enter <username>@miil01.zdv.uni-mainz.de in the Host Name field and use the Port 22.
  • Finally, choose a name for the Session (e.g. mogon2) and save the session profile for further use.

When you now click on “Open”, you connect directly to one of the MogonII login nodes. You might have to accept another host key for them, but that's fine.

Example configuration

Access to MogonI - RSA Authentication

The only difference in the connection to MogonI via RSA authentication is the hostname. Follow exactly the same steps as for MogonII but instead of miil02, use mogon as hostname (the MogonI login-node) in your configuration.

  • Replace the hostname <zdv_account>@miil02.zdv.uni-mainz.de with <zdv_account>@mogon.zdv.uni-mainz.de.

X11 Forwarding

To enable X11 forwarding click on “X11” in the “SSH” subcategory, and click on the “Enable X11 forwarding” option. Make sure that the remote X11 authentication protocol is set to “MIT-Magic-Cookie-1”.

Be sure to add -X to the local Proxy command line.

X11 forwarding requires either X-Win32 or Xming to be installed on your computer.

Copying files from/to Mogon

The most recommended way to access the filesystem on Mogon is using FTPS, as described on that page.

If you must use WinSCP, configure it according to these screenshots (the Proxy configuration from PuTTY does not seem to work):

Example configuration with the username schlarbm
1)
because in addition to the plain putty.exe you will most definitely need plink.exe for proxy connection, puttygen.exe for key generation and pageant.exe for key-based authentication
2)
You really need to store the password in this dialog. If you are security-aware and are hesitant to store your password, use the key-based authentication method.
ssh_from_outside.1513180502.txt.gz · Last modified: 2017/12/13 16:55 by nietocp1