Computational Cluster Programs

Setting up an ATS-Hosted Cluster for Passwordless SSH/SCP

Motivation

The standard way to log in to an ATS-Hosted cluster is to use ssh. From a Unix or Linux shell, or from a Mac Terminal window, you can access the cluster using your local ssh client. For example:

ssh -l loginid cluster-loginnode-address

Similarly, you can use the related scp command to transfer files between your machine and the ATS-Hosted cluster.

Normally both the ssh and scp client commands will prompt for your ATS-Hosted Cluster password. If desired, follow the instructions here to ssh and scp without being asked for your password when you are coming from a specific desktop or laptop system that you normally use. For example, you can make it so that you can always log in without a password from your personal workstation.

SSH Configuration Files

The ssh/scp commands use files in the .ssh subdirectory of your home directory for configuration purposes. There are two ways the .ssh subdirectory and the files in it can be created:

  • The ssh/scp commands will create them for you as required.
  • You can create them yourself.

For example, the first time you ssh from an ATS-Hosted cluster login node to an interactive node on the same cluster, the ssh command will create .ssh/known_hosts for you. Note that according to the ATS Security Policy you should NEVER ssh from an ATS-Hosted Cluster to another system (outside of the cluster) because the ATS-Hosted clusters are NOT behind firewalls and could be compromised.

The .ssh/authorized_keys file may contain a list of public keys. By placing the public key for your login id on your personal machine in your authorized_keys file on the ATS-Hosted Cluster, you allow your login id on your personal machine to ssh or scp to your cluster login id on the ATS-Hosted cluster without being asked for your cluster password.

Dangers Inherent in Passwordless Access

As noted in the Security Policy for ATS-Hosted Clusters, UCLA Policy 401 specifies the minimum security standards for all electronic devices connected to the UCLA Campus Network. If you allow passwordless access from your desktop workstation or from your laptop to an ATS-Hosted Cluster and that machine does not meet those minimum standards, you could compromise your login id on the ATS-Hosted cluster. Moreover, you could compromise the entire cluster, not just for you but for everyone else as well.

Steps to take to Enable Passwordless Access from Specific Machines

  1. On the ATS-Hosted Cluster, check to see if you have a .ssh subdirectory in your home directory:
    cd
    ls -a
    If you don't see .ssh in the list, make a subdirectory named .ssh:
    mkdir .ssh
  2. Perform the following on each local machine you will use (i.e., each machine from which passwordless access is to be allowed). We will assume that the local machine is running Unix or Linux, or that you can open a Mac Terminal window.
    • If you do not have a .ssh subdirectory of your home directory, create one and go there:
      mkdir .ssh
      cd .ssh
    • Enter the following command:
      ssh-keygen -t rsa
      Do not enter a passphrase; just press the enter key. This will create the files id_rsa and id_rsa.pub on your local machine in the .ssh directory.
    • Copy the public key to your .ssh subdirectory on the ATS-Hosted Cluster:
      scp id_rsa.pub loginid@cluster-address:.ssh/id_rsa.name.pub
      Replace loginid with your cluster login id, cluster-address with the address of the ATS-Hosted Cluster and name with a name you will use for this local machine.
  3. On the ATS-Hosted Cluster, in the .ssh subdirectory, IF YOU DO NOT ALREADY HAVE AN authorized_keys FILE, make one.
    • To enable passwordless access from a single local machine:
      cp id_rsa.name.pub authorized_keys
    • To enable passwordless access from more than one local machine:
      cat id_rsa.name1.pub id_rsa.name2.pub > authorized_keys
    If you already have an authorized_keys file, concatenate to it as follows:
    mv authorized_keys authorized_keys_orig
    cat authorized_keys_orig id_rsa.name1.pub id_rsa.name2.pub > authorized_keys
  4. Make sure that you as owner have write access to the authorized_keys file, the .ssh subdirectory and your home directory, and that no one else can write to the authorized_keys file, the .ssh subdirectory or your home directory:
    chmod u+w authorized_keys
    chmod go-w authorized_keys
    cd
    chmod u+w .ssh
    chmod go-w .ssh
    chmod go-w .
    If your home directory, .ssh subdirectory or authorized_keys file are writable by other than you as owner, ssh and scp will continue to ask for a password each time you access the cluster. There will not be any error message telling you what the problem is.
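As an added example (not a script from the ATS page), the following POSIX shell functions carry out steps 3 and 4 in one place: add_pubkey installs a copied id_rsa.name.pub into authorized_keys without creating a duplicate entry, fix_perms applies the chmod sequence from step 4, and check_perms reports the exact condition that makes ssh silently fall back to a password prompt (sshd's default StrictModes setting refuses to use a key when the home directory, .ssh subdirectory or authorized_keys file is writable by group or others, or is not writable by the owner). The function names, the HOME_DIR argument and the key line used in the demo are this example's own constructions; the demo key is not a real key.

```shell
#!/bin/sh
# Added example, not part of the ATS page. HOME_DIR is passed in explicitly so
# the functions can be exercised on a scratch directory; on the cluster you
# would pass "$HOME". The function names are this example's own.

# add_pubkey HOME_DIR PUBKEY_FILE
# Appends the single key line in PUBKEY_FILE (as written by ssh-keygen) to
# HOME_DIR/.ssh/authorized_keys unless an identical line is already there.
add_pubkey() {
    auth="$1/.ssh/authorized_keys"
    mkdir -p "$1/.ssh"
    touch "$auth"
    if grep -qxF -f "$2" "$auth"; then
        return 0                      # already installed; nothing to do
    fi
    cat "$2" >> "$auth"
}

# fix_perms HOME_DIR
# The chmod sequence from step 4: owner keeps write access, group and others
# lose it, on the home directory, .ssh and authorized_keys.
fix_perms() {
    chmod u+w,go-w "$1" "$1/.ssh" "$1/.ssh/authorized_keys"
}

# check_perms HOME_DIR
# Prints every path among the three that is missing, not owner-writable, or
# writable by group or others; returns 1 if anything was reported, else 0.
# Reads the ls mode string (e.g. drwxr-xr-x) instead of stat, whose flags
# differ between GNU and BSD.
check_perms() {
    bad=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"
            bad=1
            continue
        fi
        mode=$(ls -ld "$p" | cut -c1-10)
        uw=$(echo "$mode" | cut -c3)      # owner write bit
        gw=$(echo "$mode" | cut -c6)      # group write bit
        ow=$(echo "$mode" | cut -c9)      # other write bit
        if [ "$uw" != "w" ]; then
            echo "not owner-writable: $p ($mode)"
            bad=1
        fi
        if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
            echo "group/other-writable: $p ($mode)"
            bad=1
        fi
    done
    return "$bad"
}

# With no arguments: walk through the failure mode on a scratch directory
# using a constructed, non-functional key line.
demo() {
    scratch=$(mktemp -d)
    key="$scratch/id_rsa.laptop.pub"
    echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedExampleKeyNotReal== user@laptop' > "$key"
    add_pubkey "$scratch" "$key"
    add_pubkey "$scratch" "$key"          # second install is a no-op
    chmod g+w "$scratch/.ssh"             # reproduce the silent-failure condition
    echo "before fix_perms:"; check_perms "$scratch" || true
    fix_perms "$scratch"
    echo "after fix_perms:"; check_perms "$scratch" && echo "ok: permissions accepted"
    rm -rf "$scratch"
}

if [ "$#" -eq 2 ]; then
    add_pubkey "$1" "$2" && fix_perms "$1" && check_perms "$1"
elif [ "$#" -eq 0 ]; then
    demo
else
    echo "usage: $0 [HOME_DIR PUBKEY_FILE]" >&2
    exit 2
fi
```

Run it with no arguments to see check_perms fail on the scratch directory and pass after fix_perms; on the cluster, sh install_key.sh "$HOME" .ssh/id_rsa.name.pub applies the three steps to your own account. It never touches the private key on the local machine.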