
Hi Fritz,

I got this to work on my notebook and desktop. I'll probably get rid of 
the need for "pdac-" addition to the pdac script, but at least this works.


Connecting with Scripts Once

  * End result is you can ssh into any machine in the pdac without
    re-entering passwords

      o ssh pdac (enter passcode etc)
        ssh lsst-bastion (enter password, this is intentionally not
        lsst-bastion01)

      o Open another terminal

      o pdac pdac-qserv-master01
        pdac pdac-qserv-dax01
        pdac pdac-qserv-db[01-30]
        pdac pdac-sui-proxy01
        pdac pdac-sui-tomcat[01-02]

      o Once on pdac, you can ssh around as needed. No need for "pdac-"



To get it to work:

# Add the following to .ssh/config
############# BEGIN ##############
Host pdac
    HostName cerberus1.ncsa.illinois.edu
    User <ncsa username>
    ControlMaster auto
    ControlPath ~/.ssh/cm_socket/%r@%h:%p
    ControlPersist yes
############END##################

# Execute these commands:
mkdir -p ~/.ssh/cm_socket/

If (like me) you're on afs, make ~/.ssh/cm_socket/ a link to a
directory on your computer, not afs.

# Create ~/bin/pdac with this content:
############# BEGIN ##############
#!/bin/bash

# ssh client to run (defaults to the one on $PATH)
SSH=${SSH:-ssh}

# Force a tty on every hop only when no remote command was given
TTY_CMD=
REMOTE_NODE=$1
shift
if [ $# -eq 0 ]
then
    TTY_CMD="-t -t"
fi

# Names starting with "pdac-" go via cerberus1 ("pdac") and then
# lsst-bastion; ${REMOTE_NODE:5} drops the 5-character "pdac-" prefix
case $REMOTE_NODE in
    pdac-*)
        BASTION="pdac"
        REMOTE_CMD="ssh -Y $TTY_CMD lsst-bastion ssh -Y $TTY_CMD -q ${REMOTE_NODE:5} $@"
    ;;
esac

if [ "$REMOTE_CMD" ]
then
    exec $SSH -Y $TTY_CMD $BASTION $REMOTE_CMD
else
    exec $SSH -Y $@ $REMOTE_NODE
fi
############END#################

# SSH to 'pdac'  using 2 factor and add this on that machine:

# Add the following to .ssh/config:
############ BEGIN ###############
Host lsst-bastion
    HostName lsst-bastion01.ncsa.illinois.edu
    User <ncsa username>
    ControlMaster auto
    ControlPath ~/.ssh/cm_socket/%r@%h:%p
    ControlPersist yes
##############END###############


On 10/19/16 14:46, Fritz Mueller wrote:
>
>
>
> -------- Forwarded Message --------
> Subject: RE: Easy SSH for PDAC
> Date: Wed, 21 Sep 2016 19:27:54 +0000
> From: Alt, Jason <[log in to unmask]>
> To: [log in to unmask] <[log in to unmask]>, 
> [log in to unmask] <[log in to unmask]>, 
> [log in to unmask] <[log in to unmask]>, [log in to unmask] 
> <[log in to unmask]>
>
> Your access is slowly coming online. I verified that the easy access 
> works. Here's some cleanup to make your lives simpler:
>
> On your desktop:
>
> # Add the following to .ssh/config
> ############# BEGIN ##############
> Host pdac
>     HostName cerberus1.ncsa.illinois.edu
>     User <ncsa username>
>     ControlMaster auto
>     ControlPath ~/.ssh/cm_socket/%r@%h:%p
>     ControlPersist yes
>
> ############END##################
>
> # Execute these commands:
> mkdir -p ~/.ssh/cm_socket/
> mkdir ~/.ssh/script/
>
> # Create ~/.ssh/script/ssh with this content:
> ############# BEGIN ##############
> #!/bin/bash
>
> # ssh client to run (defaults to the one on $PATH)
> SSH=${SSH:-ssh}
>
> TTY_CMD=
> REMOTE_NODE=$1
> shift
> if [ $# -eq 0 ]
> then
>     TTY_CMD="-t -t"
> fi
>
> case $REMOTE_NODE in
>     pdac-*)
>         BASTION="pdac"
>         REMOTE_CMD="ssh -Y $TTY_CMD lsst-bastion ssh -Y $TTY_CMD -q ${REMOTE_NODE:5} $@"
>     ;;
> esac
>
> if [ "$REMOTE_CMD" ]
> then
>     exec $SSH -Y $TTY_CMD $BASTION $REMOTE_CMD
> else
>     exec $SSH -Y $@ $REMOTE_NODE
> fi
> ############END#################
>
> # SSH to 'pdac'  using 2 factor and add this on that machine:
>
> # Add the following to .ssh/config:
> ############ BEGIN ###############
> Host lsst-bastion
>     HostName lsst-bastion01.ncsa.illinois.edu
>     User <ncsa username>
>     ControlMaster auto
>     ControlPath ~/.ssh/cm_socket/%r@%h:%p
>     ControlPersist yes
> ##############END###############
>
> # Now exit back to your desktop and you should be able to SSH 
> 'directly' to the end nodes; you'll only be asked for the passphrase 
> and kerberos passwords on the first connection
>
> # SSH to any of:
> pdac-qserv-master01
> pdac-qserv-dax01
> pdac-qserv-db[01-30]
> pdac-sui-proxy01
> pdac-sui-tomcat[01-02]
>
> Once connected, you can 'sudo su' and move between nodes (drop the 
> 'pdac-' prefix once you are in the PDAC environment).
>
> Jason
> ________________________________________
> From: Alt, Jason
> Sent: Monday, September 19, 2016 8:50 AM
> To: [log in to unmask]; [log in to unmask]; 
> [log in to unmask]
> Subject: Easy SSH for PDAC
>
> Since the final security tidbits are not in place, I can not supply a 
> working  script yet, but I can give you something to get started. This 
> is taken from: 
> https://wiki.ncsa.illinois.edu/display/BWDOC/Simplifying+SSH+Access+to+Nodes+Behind+the+Bastion+Hosts?src=search 
> (not sure if you can access it or not).
>
> You must use openssh 5.x or newer. 5.x does not support 
> "ControlPersist" so you'll need to remove it from the config below.
>
> On your desktop/laptop:
> mkdir -p ~/.ssh/cm_socket/
>
> Add this to ~/.ssh/config:
>
> ###### BEGIN #######
> Host pdac
>     HostName cerberus1.ncsa.illinois.edu
>    User <username>
>     ControlMaster auto
>     ControlPath ~/.ssh/cm_socket/%r@%h:%p
>     # If using 5.x, remove this next line
>     ControlPersist yes
>     ForwardX11 yes
> ##### END #########
>
> Then just "ssh pdac".
>
> If you use ControlPersist, you can exit ALL SSH connections and 
> reconnect without authenticating because the system maintains a 
> background connection. To kill it, do  "ssh pdac -O exit".
>
> If you forward X11, you must be over the original connection. I'm not 
> sure X11 forwarding is enabled.
>
> You could add a pdac[0-4] pointing to cerberus[0-4]. These are 
> redundant for times of maintenance, etc.
>
> On cerberus you should create the same SSH config:
>
> mkdir -p ~/.ssh/cm_socket/
>
> Add this to ~/.ssh/config:
>
> ###### BEGIN #######
> Host bastion
>     HostName lsst-bastion01.ncsa.illinois.edu
>    User <username>
>     ControlMaster auto
>     ControlPath ~/.ssh/cm_socket/%r@%h:%p
>     # If using 5.x, remove this next line
>     ControlPersist yes
>     ForwardX11 yes
> ##### END #########
>
> Then from your laptop you should be able to (once bastion01 is 
> configured) "ssh -t pdac ssh bastion". This is the essence of the 
> script shown on the wiki page. I can't tune it for this env until the 
> configs are done.
>
> You can chain port forwarding this way. More on that once the security 
> configs are in place.
>
> Jason
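An added example, written by the editor for this thread rather than taken from it, NCSA or the QSERV list: a POSIX sh pre-flight for the ControlMaster socket directory the messages above set up (owned by you, mode 0700, on local disk rather than AFS), together with a version of the `pdac` wrapper that uses OpenSSH's ProxyJump (`-J`, OpenSSH 7.3 or newer) in place of the nested `ssh -Y -t -t ... ssh -Y -t -t` chain. It assumes GNU coreutils `stat`, and that the desktop `~/.ssh/config` carries both the `pdac` stanza and the `lsst-bastion` stanza (the thread puts the latter on cerberus; with `-J` the desktop's own ssh drives every hop, and lsst-bastion01 is still looked up from cerberus). The function names `expand_control_path`, `check_socket_dir`, `pdac_route` and `pdac` are the editor's; the `%r`/`%h`/`%p` expansion mirrors ssh's own ControlPath tokens.

```shell
#!/bin/sh
# Added example for this thread (the editor's code, not NCSA's or the list's).
# Assumptions: GNU coreutils stat; OpenSSH 7.3 or newer for -J (ProxyJump);
# and that the desktop ~/.ssh/config has both the "pdac" stanza and the
# "lsst-bastion" stanza (HostName lsst-bastion01.ncsa.illinois.edu, User,
# ControlMaster/ControlPath/ControlPersist), since with -J the desktop's
# own ssh sets up every hop.

# Expand the %r, %h and %p tokens of a ControlPath the way ssh does, so you
# can see which socket file a given hop will bind to.
# $1 ControlPath template, $2 remote user, $3 host, $4 port (default 22)
expand_control_path() {
    printf '%s\n' "$1" | sed -e "s|%r|$2|g" -e "s|%h|$3|g" -e "s|%p|${4:-22}|g"
}

# A persisted master socket is an already-authenticated channel (2-factor
# included): whoever can open the socket gets a session as you. So the
# directory must exist, be yours, be mode 0700 and sit on a local
# filesystem; on AFS or NFS the socket is exposed to every client of that
# filesystem, which is why the thread recommends a symlink to local disk.
# Prints "ok" and returns 0, or prints the reason and returns 1.
check_socket_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "missing: $dir"; return 1; }
    # -L follows the symlink so the target directory is what gets checked
    owner=$(stat -L -c '%u' "$dir")
    mode=$(stat -L -c '%a' "$dir")
    fstype=$(stat -L -f -c '%T' "$dir")
    [ "$owner" = "$(id -u)" ] || { echo "not owned by uid $(id -u): $dir"; return 1; }
    [ "$mode" = 700 ] || { echo "mode $mode, want 700: $dir"; return 1; }
    case $fstype in
        afs|nfs*|cifs|smb*) echo "network filesystem ($fstype): $dir"; return 1 ;;
    esac
    echo ok
}

# Route a node name the way the thread's wrapper does: "pdac-qserv-db03" is
# node "qserv-db03" reached through pdac and then lsst-bastion; anything
# else is used as-is. Prints "<jump list or -> <node>".
pdac_route() {
    case $1 in
        pdac-*) printf '%s %s\n' pdac,lsst-bastion "${1#pdac-}" ;;
        *)      printf '%s %s\n' - "$1" ;;
    esac
}

# Replacement for the nested "ssh -Y -t -t ... ssh -Y -t -t" chain. With -J
# the two hops only forward TCP: the end node is authenticated and its host
# key checked by your own ssh, and no hop is handed trusted X11 forwarding
# (-Y). Pass -X or -Y explicitly on the rare occasion you need it.
pdac() {
    [ $# -gt 0 ] || { echo "usage: pdac <node> [command ...]" >&2; return 2; }
    route=$(pdac_route "$1"); shift
    jumps=${route%% *}
    node=${route#* }
    if ! msg=$(check_socket_dir "$HOME/.ssh/cm_socket"); then
        echo "warning: $msg" >&2
    fi
    if [ "$jumps" = - ]; then
        exec ssh "$node" "$@"
    else
        exec ssh -J "$jumps" "$node" "$@"
    fi
}

# When run as a script (e.g. saved as ~/bin/pdac) act like the wrapper;
# when sourced with no arguments, just define the functions.
if [ $# -gt 0 ]; then
    pdac "$@"
fi
```

Save it as `~/bin/pdac`, make it executable and run `pdac pdac-qserv-db03` exactly as the thread's wrapper is used; the first run still prompts for the cerberus passcode and the bastion password, after which the persisted masters carry every later connection, and `ssh -O exit pdac` tears the cerberus master down as Jason describes. The warning from `check_socket_dir` is the practical consequence of the AFS remark above: a mode 0755 or network-hosted socket directory makes the persisted, 2-factor-passed session usable by others.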


########################################################################
Use REPLY-ALL to reply to list

To unsubscribe from the QSERV-L list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=QSERV-L&A=1