start:mogon_cluster:access

Differences

This shows you the differences between two versions of the page.

start:mogon_cluster:access [2020/07/10 12:09]
jrutte02 [Access]
start:mogon_cluster:access [2021/03/18 14:14] (current)
jrutte02 [Access]
Line 1: Line 1:
-==== Account ====+====== Accessing MOGON ====== 
  
-<grid> 
-<col lg="9" md="9" sm="9" xs="9"> 
-<alert type="danger" dismiss="true" icon="fa fa-warning">**Warning!** Due to changed settings on MOGON as a result of the security incident, this article may need to be revised. 
-</alert> 
-</col> 
-</grid> 
  
 Essentially only accounts of the Johannes Gutenberg University can get access. Essentially only accounts of the Johannes Gutenberg University can get access.
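Review bot: The alert removed at the top of this hunk was the only place that told readers the access procedure changed after the security incident, and the new ''Accessing MOGON'' heading replaces it without any dated note. Since this revision also drops the old ''mogon-login'' instructions further down, consider keeping a short notice under the heading saying the page has been revised and that previously saved client configurations may no longer apply, so returning users know to re-read it.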
Line 14: Line 9:
 </callout> </callout>
  
-==== Access ====+===== Access =====
  
-Since the MOGON clusters are Linux-based systems, remote access is granted via SSH.+<callout type="tip" title="Remote Access" icon="true"> 
 +Since the MOGON clusters are Linux-based systems, remote access is granted via ''SSH''
 +</callout> 
 +To access MOGON refer to these instructions: 
 +**[[:start:mogon_cluster:access_from_outside_unix|access MOGON using Linux/macOS]] / [[:start:mogon_cluster:access_from_outside_windows|access MOGON using Windows]]**. The latter link contains information for accessing MOGON with ''PuTTY'', ''MobaXterm'' and ''PowerShell''.
  
-The MOGON login nodes are accessible only from the university networkTo access MOGON from the outside (e.gfrom home) you have to use VPN please refer to these instructions: \\ +The login nodes of **MOGON II** are ''miil01.zdv.uni-mainz.de'' to ''miil03.zdv.uni-mainz.de''
-**[[:start:mogon_cluster:access_from_outside_unix|(Outside) access using Unix]] / [[:start:mogon_cluster:access_from_outside_windows|(Outside) access using Windows]]**The latter link also contains information for internal access with Windows.+
  
-Login to the login-nodes is mediated by a jump node: Access is done with direct login (ssh) to "''mogon''". This name implements a 'Round-Robin-DNS' login to both login nodes of MOGON I, mil01.zdv.uni-mainz.de and mil02.zdv.uni-mainz.de. If for some reason you want to login to a specific login node, you can use this names directly. (or if for some other Reason one of the nodes is broken, and the dns always gives you the wrong, broken one to connect to) 
  
-The login nodes of **MOGON II** are ''miil01.zdv.uni-mainz.de'' to ''miil03.zdv.uni-mainz.de''. Projects on MOGON I do not have access to MOGON II automatically. You have to apply for MOGON I and MOGON II separately. Only password-less login is available. You **need to have your ssh-key((A neat overview on ssh-keys and how to generate and copy them can be found [[https://www.ssh.com/ssh/copy-id|here]].))** on MOGON I to be able to log in to MOGON II+<grid> 
 +<col lg="6" md="6" sm="6" xs="12"> 
 +<callout type="danger" title="Login" icon="true"> 
 +Only password-less login is available. 
 +</callout> 
 +</col> 
 +<col lg="6" md="6" sm="6" xs="12"> 
 +<callout type="warning" icon="true" title="SSH-Key"> 
 +You **need to have your SSH-Key** uploaded on [[https://account.uni-mainz.de/sshkey|account.uni-mainz.de/sshkey]] to be able to log in to MOGON((A neat overview on ssh-keys and how to generate and copy them can be found [[https://www.ssh.com/ssh/copy-id|here]]. Or you can follow our [[start:mogon_cluster:access#how_to_set_up_ssh-keys_for_mogon|guideline]])).
  
-The **accelerators (GPUs) of MOGON II reside within MOGON I** infrastructure that is to say you have to login to MOGON I but use your MOGON II account (-A m2_*) to have access to those accelerators. +Your SSH-Key is automatically added to the MOGON clusterWould You Like To Know More? Read this [[start:mogon_cluster:basic_authentication#add_ssh-key_to_mogon|Article]]!
- +
-<callout type="warning" icon="true"> +
-You **need to have your ssh-key** on MOGON I to be able to log in to MOGON II. (RSA authentication) +
- +
-Your home directory is on the same file system on both clusters. In order to access MOGON II, you need to copy your ssh-key once to your home directory on MOGON I (''~/.ssh'').+
 </callout> </callout>
 +</col>
  
 +</grid>
  
-==== SSH Access from outside of the university network ==== 
  
-From hosts **outside of the university network**, **only** a special **[[https://en.wikipedia.org/wiki/Jump_host|jump host]]** named ''mogon-login'' is accessible via SSH on port ''22022''.\\ +=== MOGON Service Nodes Overiew === 
-Be aware that ''mogon-login'' is **not** configured to be //inside// of the MOGON cluster so you won't have access to the GPFS filesystems and all available tools there.\\ +<datatable info="false" paging="false" searching="false"> 
-From this host on, the **only** thing you can and need to do is to futher login to the real MOGON login nodes. +^ Service Node ^ FQDN ^ Description^ Fingerprint ^ 
-<panel type="default" title="MOGON I Login-Nodes" icon="fa fa-server"> +| ''login21'' | ''miil01.zdv.uni-mainz.de'' | Login Node | MD5:''a6:a1:d2:13:df:2b:59:91:2f:e1:a5:50:1c:f1:b0:b4'' \\ SHA256:''eu8N17/EHw0pwvUVT6Htm7yek54t8s8QdRN+A92sjek''   | 
-To access MOGON I cluster use +| ''login22'' | ''miil02.zdv.uni-mainz.de'' | Login Node | MD5:''3d:90:0e:fa:ce:b1:db:6d:22:ff:6c:94:d0:fe:2d:34'' \\ SHA256:''WcJllAYU8qNcm31WLeg892JHbuczesfWVM5bTmtaisA'' | 
-  * hostname: ''mogon''  +''login23'' | ''miil03.zdv.uni-mainz.de'' | Login Node | MD5:''dc:e7:9f:c9:3b:13:cc:3a:65:ce:15:5d:8d:b1:9b:71'' \\ SHA256:''v5wiJI/jBTqpYF/g07VMH7WVesbVaovYTcT/MpgcWhc'' | 
-Login is possible via password authentication or RSA authentication. +| ''hpcgate'' | ''hpcgate.zdv.uni-mainz.de'' | Jump Host | MD5:''63:67:65:76:5f:ad:fb:20:f2:68:92:cf:d5:49:2c:dc'' \\ SHA256:''CNbkj04hEuJ9IwgGkTBXbF1WtE/Nb46kPVSejKUGfRU'' | 
-</panel> +</datatable
- +<callout type="infoicon="truetitle="Service-Node FQDN"> 
-<panel type="defaulttitle="MOGON II Login-Nodesicon="fa fa-server"> +If you access MOGON Service-Nodes through the ''HPCGATE'' you can omit ''zdv.uni-mainz.de'', e.g.: for ''login21'' ''miil01'' is sufficient.
-There are four different login-nodes to access MOGON II cluster. +
-  * hostname: ''miil01'' ''miil04''  +
-<callout type="warning" title="Login to MOGON II" icon="true"> +
- is possible **with ssh-key only** (RSA authentication)!  +
-Your home directory is on the same file system on both clustersIn order to access MOGON II, you need to copy your ssh-key once to your home directory on MOGON I (''~/.ssh'').+
 </callout> </callout>
-</panel> 
  
-----+===== How to set up SSH-Keys for MOGON =====
  
-If you need to login from the outside more often, you can configure your SSH client to perform these steps automagically below you find instructions for [[#linux|OpenSSH under Linux]] and [[#windows|Putty under Windows]].+SSH-Keys for MOGON require certain information in the comment of the SSH-Key that describes the purpose of the Key. The information is catched by a script and ensures that you can access MOGON correctly.
  
-<tabs> +<callout type="tip" icon="true" title="MOGON SSH-Key comment additions"> 
-  * [[#tab-linux|using Linux]] +Make sure you add the following strings to your SSH-Key as part of your comment, to specify the purpose:\\
-  * [[#tab-windows|using Windows]] +
-  +
-<pane id="tab-linux"> +
-===== Linux =====+
  
-If you only need to do this occasionally, you can simply use these two commands after each other: +^ Purpose ^ Comment String related to MOGON Access ^ 
-<code bash> +| Using the jump host ''hpcgate'' | ''HPCGATE'' | 
-ssh -A -p 22022 -l <user> mogon-login.zdv.uni-mainz.de +| Log in to MOGON service nodes | ''HPCLOGIN'' | 
-# for MOGON I +</callout>
-ssh mogon +
-# for MOGON II +
-ssh miil01 # or miil02 - miil04 +
-</code>+
  
-If you need to login from the outside more often, you can configure your SSH client to perform these steps "automagically":+==== Generating a new SSH-Key using Linux or macOS ==== 
 +In case you not yet have an SSH-Key pair on your computer, you can use the following command to create a new pair:
  
-First edit your local ssh config (''~/.ssh/config'') and add the following lines: +<code bash>ssh-keygen -t rsa -b 4096 -C "HPCGATE,HPCLOGIN"</code>
-<code bash> +
-Host mogon-login mogon-login.zdv.uni-mainz.de +
-    HostName mogon-login.zdv.uni-mainz.de +
-    User <your_mogon_username> +
-    ForwardAgent yes +
-    ForwardX11 yes +
-    Port 22022+
  
-# for access to MOGON I: +This generates a new private/public ''RSA'' key pair with ''4096 bit'' key size\\ {{fa>hand-o-right?fw}} Please note: The part ''-C "HPCGATE,HPCLOGIN"'' creates the mandatory commentwhich can be pasted into the web form. {{fa>hand-o-left?fw}} \\ Then ''ssh-keygen'' asks for a name for the key. 
-Host mogon mogon.zdv.uni-mainz.de +
-    HostName mogon.zdv.uni-mainz.de +
-    User <your_mogon_username> +
-    ForwardAgent yes +
-    ForwardX11 yes +
-    ProxyCommand ssh mogon-login -l %r -W %h:%p +
-    # If connecting fails using the above ProxyCommanduse the one below instead +
-    #ProxyCommand ssh -l %r -q mogon-login nc -q0 %h %p+
  
-# for access to MOGON II: 
-Host mogonII miil01.zdv.uni-mainz.de # or another hostname from miil02 - miil04 
-    HostName miil01.zdv.uni-mainz.de 
-    User <your_mogon_username> 
-    ForwardAgent yes 
-    ForwardX11 yes 
-    ProxyCommand ssh mogon-login -l %r -W %h:%p 
-    # If connecting fails using the above ProxyCommand, use the one below instead 
-    #ProxyCommand ssh -l %r -q mogon-login nc -q0 %h %p 
-</code> 
- 
-([[http://en.wikibooks.org/wiki/OpenSSH/Cookbook/Proxies_and_Jump_Hosts#Jump_Hosts_--_Passing_through_a_gateway_or_two|More information on the jumphost technique with ProxyCommand]]) 
- 
-**In case you don't have** a ssh key yet you have to generate one.  
- 
-<code bash>ssh-keygen -t rsa -b 4096</code> 
- 
-This generates a new private/public RSA key pair with 4096 bits. Then ssh-keygen asks for a name for the key (stay with the default if you don't have a good reason) 
 <code>Enter a file in which to save the key (/home/you/.ssh/id_rsa): [Press enter] </code> <code>Enter a file in which to save the key (/home/you/.ssh/id_rsa): [Press enter] </code>
  
-After that you have to specify a passphrase - **Do not** use an empty passphrase!+After that you have to specify a passphrase - {{fa>warning?fw}} **use a passphrase!** {{fa>warning?fw}}. An empty passphrase is a serious security concern. 
  
 <code bash>Enter passphrase (empty for no passphrase): [Type a passphrase] <code bash>Enter passphrase (empty for no passphrase): [Type a passphrase]
 Enter same passphrase again: [Type passphrase again] </code> Enter same passphrase again: [Type passphrase again] </code>
  
-**In case you already have** a ssh key you can skip the last part and just **copy your SSH public key** to **mogon-login**.zdv.uni-mainz.de\\ +In this case you deviate from the default names and you ought make your ''ssh-agent'' aware of it
-<code bash>ssh-copy-id mogon-login.zdv.uni-mainz.de</code>+<code bash> 
 +ssh-add ~/Path/To/Your/PrivateKey 
 +</code>
  
-Finally you have to **copy your SSH public key** to host(s) you want to connect to: +=== Modify existing SSH-Keys === 
-  * for MOGON I this is **mogon**.zdv.uni-mainz.de, hence: \\ +If you already have an SSH-Key pair, you can change the comment as follows, for example to add the ''HPCGATE,HPCLOGIN'' string if you have forgotten to append it:
-<code bash>ssh-copy-id mogon.zdv.uni-mainz.de</code>+
  
-  * for MOGON II this becomes **miil01**.zdv.uni-mainz.de (or ''miil02'' to ''miil04'', hence: \\ +<code bash>  
-<code bash>ssh-copy-id miil01.zdv.uni-mainz.de</code> +ssh-keygen --"HPCGATE,HPCLOGIN" -~/Path/To/Your/PrivateKey 
- +</code>
-Now you are able to just use ''ssh mogon'' (''ssh mogonII'') to log in to the real MOGON I (MOGON II) login-nodes. +
-</pane> +
-  +
-<pane id="tab-windows"> +
-===== Windows ===== +
- +
- +
-Download [[http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html|PuTTY]] (preferrably use the MSI installer package((because in addition to the plain ''putty.exe'' you will most definitely need ''plink.exe'' for proxy connection, ''puttygen.exe'' for  key generation and ''pageant.exe'' for key-based authentication))) and install it on your computer. The following steps will show you how to configure the PuTTY terminal. +
- +
- +
-^ Download putty and install ^ +
-| {{ ::putty_directory.png?direct&512 |}} | +
- +
- +
-==== Access to MOGON I - Password Authentication ==== +
- +
- +
-Before being able to transparently proxy your connection to ''mogon'' through the ''mogon-login'' host, you need to connect to the host manually once and accept the SSH host key. So first open Putty and enter ''mogon-login.zdv.uni-mainz.de'' in the Host Name field and use the Port ''22022''. When Putty prompts you for host key validation, accept it. Then close the window again. +
- +
-^ Accepting the host key for ''mogon-login'' ^^^ +
-| {{ ::putty_login.png?direct&320 |}} | {{ ::putty_login_host_key.png?direct&320|}} | {{ ::putty_login_close.png?direct&320|}} | +
- +
-  * Start a new Putty Session. On the left side, select the category "Connection".  +
-  * Click on "Data" and type in your username. +
-  * Now choose the category "Proxy" and set the Proxy type to local.  +
-  * Change the Proxy Hostname and Port to ''mogon-login.zdv.uni-mainz.de'' and ''22022''+
-  * Type in your MOGON username again and also enter your password((You really need to store the password in this dialog. If you are security-aware and are hesitant to store your passworduse the key-based authentication method.)). +
-  * Enter ''plink.exe -nc %host:%port  -l %user -pw %pass -P %proxyport %proxyhost'' as the local proxy command. +
-  * On the "Session" page, select the connection type SSH, enter ''<username>@mogon.zdv.uni-mainz.de'' in the Host Name field and use the Port ''22''.\\ +
-  * Finally, choose a name for the Session (e.g. ''mogon.zdv.uni-mainz.de'') and save the session profile for further use.\\ +
-When you now click on "Open", you connect directly to one of the MogonI login nodes. You might have to accept another host key for them, but that's fine. +
- +
-^ Example configuration with the username ''schlarbm'' ^^^ +
-| {{ ::putty_data.png?direct&320 |}} | {{ ::putty_proxy.png?direct&320 |}} | {{ ::putty_save_session.png?direct&320 |}} | +
- +
-==== Access to MOGON II - RSA Authentication ==== +
- +
-Authentication on MogonII is done via a RSA key pair. +
- +
-If **you don't have a RSA key** saved in a directory on your computer, doubleclick ''puttygen.exe'', generate your key and save it into your favourite directory on your computer. +
- +
-If **you already have a RSA key** saved in a directory on your computer proceed as follows:  +
- +
-**First step** is to deploy your RSA public key on the ''mogon-login''-host. ''mogon-login''-host is part of the demilitarized zone that allows access to MOGON I/MOGON II cluster from outside the university network. +
-  * Before being able to transparently proxy your connection to ''MogonII'' through the ''mogon-login'' host, you need to connect to the host manually once and accept the SSH host key.  +
-  * Open Putty, enter ''mogon-login.zdv.uni-mainz.de'' in the Host Name field, use the Port ''22022'' and click ''Open''. When Putty prompts you for host key validation, accept it.  +
-  * Authenticate yourself with your <zdv_account> and your password.  +
-  * Deploy your public key on mogon-login host in <code bash>~/.ssh/authorized_keys</code> +
- +
-^ Accepting the host key for ''mogon-login'' ^^ +
-| {{ ::putty_login.png?direct&512 |}} | {{ ::putty_login_host_key.png?direct&512|}} | +
- +
-^ Copy your public key from .ppk-file^^ +
-| {{ ::open_my_private_key.png?direct&512 |}} | {{ ::copy_public_key.png?direct&512 |}} | +
- +
-^ paste with Shift+Insert^^ +
-| {{ ::mogon_login_vim_aut.png?direct&512 |}} | {{ ::mogonII_authorized_keys.png?direct&512 |}} | +
- +
-**Second step** is to deploy your RSA public key on the ''mogon''-host. The ''mogon''-host is a reference to the actual MogonI-login-nodes that allocate resources from the compute-nodes of MOGON I. +
- +
-  * Deploy your public key on MOGON I. Because your home directory is the same on MOGON I and MOGON II clusters, it is sufficient to deploy your public key on either one of them. Because MOGON II only allows access with RSA authentication, you [[#access_to_mogon_i_-_password_authentication | access MOGON I via password authentication]], **deploy your public key again** in <code bash>~/.ssh/authorized_keys</code> and close the connection again.   +
- +
- +
-**Third step** is to open the ssh-connection to MOGON II with RSA authentication. +
-  * Start ''pageant.exe'' and load your RSA key. +
- +
-^ Load RSA key in SSH authentication agent for PuTTY, PSCP, PSFTP, and Plink ^^ +
-| {{ ::pageant_view_keys.png?direct&512 |}} | {{ ::pageant_add_key.png?direct&512 |}} |  +
-| {{ ::pageant_select_private_key.png?direct&512 |}} | {{ ::pageant_enter_pw.png?direct&512 |}} | +
- +
-  * Start ''putty.exe'' and load default settings. +
-  * Go to //Connection->SSH->Auth// and choose //"Allow agent forwarding"// +
-  * Go to //Connection->Proxy// and set the Proxy type to local. Change the Proxy Hostname and Port to ''mogon-login.zdv.uni-mainz.de'' and ''22022''. Type in your MOGON username. Enter ''plink.exe -A -agent -nc %host:%port -l %user -P %proxyport %proxyhost'' as the local proxy command +
-  * Go to //Connection->Data// and enter <your_username> again as //"Auto-login username"// +
-  * Go to //Session//, select the connection type SSH, enter ''<username>@miil01.zdv.uni-mainz.de'' in the Host Name field and use the Port ''22''+
- +
-  * Finally, choose a name for the Session (e.g. ''mogon2'') and save the session profile for further use. +
-When you now click on "Open", you connect directly to one of the MOGON II login nodes. You might have to accept another host key for them, but that's fine. +
- +
-^ Example configuration^^ +
-| {{ ::putty_auth_mII.png?direct&512 |}} | {{ ::putty_data_mII.png?direct&512 |}} | +
-| {{ ::putty_proxy_mII.png?direct&512 |}} | {{ ::putty_session.png?direct&512 |}} | +
- +
- +
-==== Access to MOGON I - RSA Authentication ==== +
- +
-The only difference in the connection to MOGON I via RSA authentication is the hostname. Follow exactly the same steps as for MOGON II but instead of ''miil02'', use ''mogon'' as hostname (the MOGON I Login-Node) in your configuration.  +
-  * Replace the hostname <zdv_account>@miil02.zdv.uni-mainz.de with <zdv_account>@mogon.zdv.uni-mainz.de. +
  
-==== X11 Forwarding ==== 
  
-To enable X11 forwarding click on "X11" in the "SSH" subcategory, and click on the "Enable X11 forwarding" option. Make sure that the remote X11 authentication protocol is set to "MIT-Magic-Cookie-1". 
  
-Be sure to add ''-X'' to the local Proxy command line. 
  
-X11 forwarding requires either X-Win32 or [[http://www.zdv.uni-mainz.de/4534.php|Xming]] to be installed on your computer. 
  
-==== Copying files from/to Mogon ==== 
  
-The most recommended way to access the filesystem on Mogon is using **[[filesystems#ftp|FTPS]]**, as described on that page.+==== Generating a new SSH-Key using Windows ====
  
-If you //must// use WinSCP, configure it according to these screenshots (the Proxy configuration from PuTTY does not seem to work):+<callout type="tip" icon="true" title="Set up SSH-Keys for MOGON using Windows"> We have created an article for you <button type="info" icon="fa fa-key" size="xs">[[start:mogon_cluster:access_from_outside_windows:creating_sshkeys_on_windows|here]]</button> that explains various ways to create new SSH-Keys using Windows, including ''PuTTY'', ''MobaXterm'' and ''PowerShell''. </callout>
  
-^ Example configuration with the username ''schlarbm'' ^^ 
-| {{ ::winscp1.png?direct&512 |}} | {{ ::winscp2.png?direct&512 |}} |  
-| {{ ::winscp3.png?direct&512 |}} | {{ ::winscp4.png?direct&512 |}} | 
  
-</pane> 
-</tabs> 
-~~NOTOC~~ 
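Review bot: The added "MOGON Service Nodes Overiew" table publishes host key fingerprints, but nothing in the new text tells the reader to compare them, while the removed PuTTY steps told users to accept the host key when prompted ("accept it", "that's fine"). Add a sentence after the table asking users to check the fingerprint shown on first connection against the table before accepting it, and state which host key type each fingerprint belongs to, since a server presents a different fingerprint per key type. Two smaller points in the key set-up part: the comment-change command reads ''ssh-keygen --"HPCGATE,HPCLOGIN" -~/Path/To/Your/PrivateKey'', which ''ssh-keygen'' will not accept as shown (changing a comment takes ''-c'', with ''-C'' for the new comment and ''-f'' for the key file), and "In this case you deviate from the default names" has lost its antecedent now that the sentence about keeping the default file name is removed. Typos to fix while here: "Overiew", "catched", "you not yet have".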
  • start/mogon_cluster/access.1594375797.txt.gz
  • Last modified: 2020/07/10 12:09
  • by jrutte02