HOWTOs

LaPalma3 (2): Connecting

Please note that all SIEpedia articles address specific issues or questions raised by IAC users, so they do not attempt to be rigorous or exhaustive, and may or may not be useful or applicable in different or more general contexts.

Connecting to LaPalma

Before Connecting

Before you can connect to LaPalma, you need an account on that machine. Accounts are tied to projects. If you are IAC staff, please contact us by email at res_support@iac.es and we will tell you how to request a project on LaPalma. If you do not belong to the IAC, you should request time by submitting a proposal on the RES website. Accounts are personal and non-transferable. Once a project is created, new accounts can be added by the project leader (by asking res_support@iac.es for IAC users, or through the RES website for other users).

Connecting to LaPalma

You must use Secure Shell (ssh) tools to log in to LaPalma or to transfer files to it. We do not accept incoming connections over protocols such as telnet, ftp, rlogin, rcp or rsh. For security reasons, once you are logged in to LaPalma you cannot make outgoing connections.

For more information about the supported Secure Shell version and how to get ssh for your system (including Windows systems), see the SSH section.

LaPalma does not support authentication based on user name and password; it uses key-based authentication instead. To get access to LaPalma you have to send us your public ssh key by email (res_support@iac.es). See the SSH section for how to generate your own public/private key pair.

Once you have provided your public ssh key, you can log in to LaPalma by connecting to the login node: lapalma1.iac.es.

Here is an example of logging in to LaPalma from a UNIX environment:

   [mymachine]$ ssh -l usertest lapalma1.iac.es
  +----------------------------------------------------------------------+ 
  |                                                                      |
  |        Welcome to LaPalma                                            |
  |                                                                      |
  |                                                                      |
  | * Please contact res_support@iac.es for questions at any time        |
  |                                                                      |
  +----------------------------------------------------------------------+
   usertest@login1:~>$ 

If you are on a Windows system, you need to download and install a Secure Shell client to connect to the machine (see the SSH section for more information).

Most of these applications are graphical and you will have to fill in some of the fields they offer. In the field 'Host name' or 'Remote Host name' you need to enter: lapalma1.iac.es. After this procedure you should be logged in to LaPalma.

The first time you connect to LaPalma, Secure Shell needs to exchange some initial information to establish the communication. This consists of accepting the RSA key of the remote host: you must answer 'yes' or 'no' to confirm whether you accept this key. If you cannot get access to the system after following this procedure, first consult the SSH section for more detailed information about Secure Shell, or contact us.

Login node

Once you are connected to the machine, you will be presented with a UNIX shell prompt and you will normally be in your home ($HOME) directory. If you are new to UNIX, you will have to learn the basics before you can do anything useful.

The machine you will be logged in to is LaPalma (login1). This machine acts as a front end and is typically used for editing, compiling, preparing and submitting batch executions, and as a gateway for copying data into or out of LaPalma.

Running CPU-bound programs on this node is not permitted. If a compilation needs more CPU time than is permitted, it must be done through the batch queue system. It is not possible to connect directly to the compute nodes from the login nodes; all resource allocation is done by the batch queue system.

Graphical applications

You can run graphical applications from the login node. The only way to do so is to tunnel all the graphical traffic through the established Secure Shell connection.

You will need an X server running on your local machine to display the graphical information. Most UNIX flavors have an X server installed by default. In a Windows environment, you will probably need to download and install some type of X server emulator (see the SSH section).

The second step is to enable, in your Secure Shell connection, the forwarding of the graphical information through the secure channel. This is normally done by adding the -X flag to the ssh command you use to connect to LaPalma. Here is an example:

  [mymachine]$ ssh -X usertest@lapalma1.iac.es
  +----------------------------------------------------------------------+ 
  |                                                                      |
  |        Welcome to LaPalma                                            |
  |                                                                      |
  |                                                                      |
  | * Please contact res_support@iac.es for questions at any time        |
  |                                                                      |
  +----------------------------------------------------------------------+
   usertest@login1:~>$

For Windows systems, you will have to enable 'X11 forwarding'. That option is normally found in the 'Tunneling' or 'Connection' menu of the client configuration window (see the SSH section for further details).

SSH

ssh is a program that enables secure logins over an insecure network. It encrypts all the data passing both ways, so that if it is intercepted it cannot be read. It also replaces old and insecure tools such as telnet, rlogin, rcp, ftp, etc. ssh is client-server software: both machines must have ssh installed for it to work.

We have already installed an ssh server on our machines. You must have an ssh client installed on your local machine. ssh is available without charge for almost all versions of Unix. IAC recommends the OpenSSH client, which can be downloaded from http://www.openssh.org, but any client compatible with SSH version 2 can be used.

To log in to LaPalma with ssh you have to provide a public key. If you do not already have one, you can generate a public/private key pair with the following instructions.

Generating a ssh key pair on Linux (also for MacOS)

On your own Linux workstation, run the command ssh-keygen with the following options:

  [mymachine]$ ssh-keygen -b 4096 -t rsa
  Generating public/private rsa key pair.

Accept the default location to store the key (~/.ssh/id_rsa) by pressing Enter (strongly recommended) or enter an alternative location.

  Enter file in which to save the key (/home/myuser/.ssh/id_rsa):
  Created directory '/home/myuser/.ssh'.

Enter a passphrase consisting of 10 to 30 characters. The same rules as for creating safe passwords apply. You are strongly advised not to leave the passphrase empty.

  Enter passphrase (empty for no passphrase):
  Enter same passphrase again:
  Your identification has been saved in /home/myuser/.ssh/id_rsa.
  Your public key has been saved in /home/myuser/.ssh/id_rsa.pub.
  The key fingerprint is:  
  SHA256:9HoaWWfUmiM+uk1l9VrAX5cxR2CKd5YPqGvpOpCu5bY  myuser@mymachine
  The key's randomart image is:
  +---[RSA 4096]----+
  |     o=o         |
  |      . * .=     |
  |    . . X S.o    |
  |   . . + * *o    |
  |   .F = O =      |
  |   o = O . o     |
  |   ...o O .      |
  |   oo .X .       |
  | .oE..+o         |
  +----[SHA256]-----+

You should make absolutely sure that the private key (~/.ssh/id_rsa) is not accessible by anyone other than yourself (always set its permissions to 0600). The private key must never fall into the hands of another person.

To change the passphrase of an existing key pair, use the command:

  [mymachine]$ ssh-keygen -p

Once the public/private key pair is generated, you have to send the public key file ~/.ssh/id_rsa.pub to res_support@iac.es (please make sure you send us only the public key; the private key must be kept safe on your computer).
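The two rules above (the private key is accessible only by you, and only the public key leaves your machine) can be checked before sending the e-mail. This is an added example, not part of the original page: the function names are hypothetical, the directory-mode check is an extra assumption, and the public key check covers the one-line OpenSSH format written by ssh-keygen.

```bash
# Added example (not IAC's code): checks to run before mailing a key to support.
# Function names are hypothetical; all key material below is constructed.

# Print a file's permission bits in octal (GNU stat first, then BSD/macOS stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only if the private key is accessible by its owner alone.
# The directory check is an extra hygiene assumption, not a rule from the page.
check_private_key() {
    local key=$1 mode
    [ -f "$key" ] || { echo "missing: $key" >&2; return 1; }
    mode=$(file_mode "$key")
    case $mode in
        600|400) ;;
        *) echo "$key has mode $mode, expected 600" >&2; return 1 ;;
    esac
    mode=$(file_mode "$(dirname "$key")")
    case $mode in
        700|500) ;;
        *) echo "key directory has mode $mode, expected 700" >&2; return 1 ;;
    esac
}

# Succeed only if the file is an OpenSSH public key line and holds no
# private-key header, i.e. it is the file that may be attached to the e-mail.
check_public_key() {
    local pub=$1
    [ -f "$pub" ] || { echo "missing: $pub" >&2; return 1; }
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub holds a PRIVATE key, do not send it" >&2
        return 1
    fi
    grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-[a-z0-9-]+) [A-Za-z0-9+/=]+( .*)?$' "$pub" ||
        { echo "$pub is not a public key line" >&2; return 1; }
}

# Demo on a constructed key pair in a scratch directory.
demo=$(mktemp -d); chmod 700 "$demo"
echo '-----BEGIN OPENSSH PRIVATE KEY-----' > "$demo/id_rsa"; chmod 600 "$demo/id_rsa"
echo 'ssh-rsa AAAAB3NzaC1yc2Econstructed myuser@mymachine' > "$demo/id_rsa.pub"
check_private_key "$demo/id_rsa" && check_public_key "$demo/id_rsa.pub" &&
    echo "permissions OK, id_rsa.pub is the file to send"
rm -rf "$demo"
```

On your own key pair, run `check_private_key ~/.ssh/id_rsa && check_public_key ~/.ssh/id_rsa.pub`.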

Using the ssh-agent in Linux

When doing lots of secure shell operations it is cumbersome to type the SSH passphrase for each such operation. Therefore, the SSH package provides another tool, ssh-agent, which retains the private keys for the duration of an X or terminal session. All other windows or programs are started as clients to the ssh-agent. By starting the agent, a set of environment variables is set, which will be used by ssh, scp, or sftp to locate the agent for automatic login. See the ssh-agent man page for details.

After the ssh-agent is started, you need to add your keys by using ssh-add. It will prompt for the passphrase. After the passphrase has been provided once, you can use the secure shell commands within the running session without having to authenticate again.

Using the ssh-agent in a Terminal Session

In a terminal session you need to manually start the ssh-agent and then call ssh-add afterward. There are two ways to start the agent. The first example given below starts a new Bash shell on top of your existing shell. The second example starts the agent in the existing shell and modifies the environment as needed.

  [mymachine]$ ssh-agent /bin/bash
  [mymachine]$ eval $(ssh-agent)

After the agent has been started, run ssh-add to provide the agent with your keys.

Using ssh-agent in an X Session

To invoke ssh-add to add your keys to the agent at the beginning of an X session, do the following:

  • Log in as the desired user and check whether the file ~/.xinitrc exists.
  • If it does not exist, use an existing template or copy it from /etc/skel:
   if [ -f ~/.xinitrc.template ]; then mv ~/.xinitrc.template ~/.xinitrc; \
   else cp /etc/skel/.xinitrc.template ~/.xinitrc; fi
  • If you have copied the template, search for the following lines and uncomment them. If ~/.xinitrc already existed, add the following lines (without comment signs).
    # if test -S "$SSH_AUTH_SOCK" -a -x "$SSH_ASKPASS"; then  
    # ssh-add < /dev/null
    # fi
  • When starting a new X session, you will be prompted for your SSH passphrase.

Generating a ssh key pair on Windows

On Windows systems IAC recommends the use of PuTTY. It is a free SSH client that can be downloaded from https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html, but any other client compatible with SSH version 2 can be used. The following lines describe how to install, configure and use an ssh client on Windows systems.

If you are using PuTTY, follow these steps (other clients have similar instructions):

  1. Download PuTTY and follow the instructions on the web to install it (we recommend you install the full package, which includes PuTTY and other useful tools such as PuTTYgen, Pageant, pscp, psftp, etc.)
  2. Launch PuTTYgen in order to generate the ssh key
  3. Select RSA as Type of key, enter 4096 in the number of bits field and click on Generate
  4. Move your mouse randomly, since this is needed to generate strong keys
  5. Click on Save public key to store the public key in a file. Send this file containing the public key to res_support@iac.es
  6. Enter a passphrase consisting of 10 to 30 characters. The same rules as for creating safe passwords apply. You are strongly advised not to leave the passphrase empty
  7. After entering the key passphrase, click on Save private key
  8. Keep the private key file in a safe location and do not share it with anyone

Connecting to LaPalma using your private key

The private/public key pair must be generated only once (as described above), and you then need to specify the very same private key file every time you use PuTTY to connect to LaPalma (lapalma1.iac.es). To do so, go to the PuTTY menu, choose SSH and then click on Auth; there you can specify the file where your private key is stored. You can avoid specifying the private key every time you connect to LaPalma if you use an ssh-agent, as described below.

Using the ssh-agent in Windows

As in the case of Linux, the PuTTY package provides a tool to avoid typing the SSH passphrase for each connection. The name of the tool is Pageant. You can use it by following these steps:

  1. If Pageant is not currently running (when it is running, an icon is displayed in the taskbar), launch it
  2. Double-click on the icon in the taskbar and the list of keys will be shown
  3. Push Add Key and select the private key previously generated
  4. Enter the passphrase
  5. The list is now updated and you can click on Close
  6. Now it is possible to connect to lapalma1.iac.es with PuTTY. Launch the application, specify the remote machine and click on Open (*)
  7. Finally, a new window will appear asking for your username; specify it and you will connect to LaPalma (no password is required)

(*) If it is your first connection to the machine, you will get a warning telling you that the host key of the server is unknown and asking whether you agree to cache the new host key; press Yes. IMPORTANT: If you see this warning again and you have not modified or reinstalled the ssh client, please do not log in, and contact LaPalma support.
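
What the first-connection prompt and the IMPORTANT note above amount to, as an added example that is not part of the original page: the client caches the host key on first use and compares it on every later connection. `host_key_status` is a hypothetical helper, all keys are constructed rather than LaPalma's, and hashed cache entries are skipped.

```bash
# Added example (not IAC's or OpenSSH's code): the first-use / changed-key
# decision a client makes against its host key cache. host_key_status is a
# hypothetical helper and every key below is constructed, not LaPalma's.

# Usage: host_key_status KNOWN_HOSTS_FILE HOST "KEYTYPE BASE64KEY"
# Prints new     : no key of this type cached for HOST (first connection)
#        match   : the offered key equals the cached one
#        CHANGED : a different key is cached, do not log in
host_key_status() {
    awk -v host="$2" -v offered="$3" '
        BEGIN { status = "new"; split(offered, o, " ") }
        /^[#|@]/ || NF < 3 { next }      # comments, hashed names, @markers
        {
            n = split($1, names, ",")    # field 1: comma-separated host names
            for (i = 1; i <= n; i++) {
                if (names[i] != host || $2 != o[1]) continue
                if ($3 == o[2]) { status = "match" } else if (status != "match") { status = "CHANGED" }
            }
        }
        END { print status }
    ' "$1"
}

# Demo on a constructed cache file: prints "match", then "CHANGED".
cache=$(mktemp)
echo 'lapalma1.iac.es ssh-rsa AAAAB3NzaC1yc2EconstructedKEY1' > "$cache"
host_key_status "$cache" lapalma1.iac.es 'ssh-rsa AAAAB3NzaC1yc2EconstructedKEY1'
host_key_status "$cache" lapalma1.iac.es 'ssh-rsa AAAAB3NzaC1yc2EconstructedKEY2'
rm -f "$cache"
```

With the OpenSSH client, `ssh-keygen -F lapalma1.iac.es -l` prints the fingerprint of the cached entry, which you can quote to res_support@iac.es when reporting a changed-key warning.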