Hi Fritz,

I got this to work on my notebook and desktop. I'll probably get rid of the need for the "pdac-" addition to the pdac script, but at least this works.

Connecting with Scripts Once

End result is you can ssh into any machine in the pdac without re-entering passwords:

    ssh pdac            (enter passcode etc.)
    ssh lsst-bastion    (enter password; this is intentionally not lsst-bastion01)

Open another terminal:

    pdac pdac-qserv-master01
    pdac pdac-qserv-dax01
    pdac pdac-qserv-db[01-30]
    pdac pdac-sui-proxy01
    pdac pdac-sui-tomcat[01-02]

Once on pdac, you can ssh around as needed. No need for "pdac-".

To get it to work:

# Add the following to .ssh/config
############# BEGIN ##############
Host pdac
    HostName cerberus1.ncsa.illinois.edu
    User <ncsa username>
    ControlMaster auto
    ControlPath ~/.ssh/cm_socket/%r@%h:%p
    ControlPersist yes
############END##################

# Execute these commands:
mkdir -p ~/.ssh/cm_socket/

If (like me) you're on afs, make ~/.ssh/cm_socket/ a link to a directory on your computer, not afs.
# Create ~/bin/pdac with this content:
############# BEGIN ##############
#!/bin/bash
# The real ssh to exec. Use a full path such as /usr/bin/ssh if this script
# is ever installed under the name "ssh" itself, or it will re-exec itself.
SSH=${SSH:-ssh}
TTY_CMD=
REMOTE_NODE=$1
shift
# No remote command given: force a tty so the interactive login survives the hops
if [ $# -eq 0 ]
then
    TTY_CMD="-t -t"
fi
case $REMOTE_NODE in
pdac-*)
    # Strip the "pdac-" prefix; hop pdac (cerberus) -> lsst-bastion -> node
    BASTION="pdac"
    REMOTE_CMD="ssh -Y $TTY_CMD lsst-bastion ssh -Y $TTY_CMD -q ${REMOTE_NODE:5} $@"
    ;;
esac
if [ "$REMOTE_CMD" ]
then
    exec $SSH -Y $TTY_CMD $BASTION $REMOTE_CMD
else
    # Not a pdac-* name: plain ssh, remaining arguments are ssh options
    exec $SSH -Y "$@" $REMOTE_NODE
fi
############END#################

# SSH to 'pdac' using 2 factor and add this on that machine:

# Add the following to .ssh/config:
############ BEGIN ###############
Host lsst-bastion
    HostName lsst-bastion01.ncsa.illinois.edu
    User <ncsa username>
    ControlMaster auto
    ControlPath ~/.ssh/cm_socket/%r@%h:%p
    ControlPersist yes
##############END###############

On 10/19/16 14:46, Fritz Mueller wrote:
>
>
> -------- Forwarded Message --------
> Subject: RE: Easy SSH for PDAC
> Date: Wed, 21 Sep 2016 19:27:54 +0000
> From: Alt, Jason <[log in to unmask]>
> To: [log in to unmask] <[log in to unmask]>, [log in to unmask] <[log in to unmask]>, [log in to unmask] <[log in to unmask]>, [log in to unmask] <[log in to unmask]>
>
> Your access is slowly coming online. I verified that the easy access
> works.
> Here's some cleanup to make your lives simpler:
>
> On your desktop:
>
> # Add the following to .ssh/config
> ############# BEGIN ##############
> Host pdac
> HostName cerberus1.ncsa.illinois.edu
> User <ncsa username>
> ControlMaster auto
> ControlPath ~/.ssh/cm_socket/%r@%h:%p
> ControlPersist yes
>
> ############END##################
>
> # Execute these commands:
> mkdir -p ~/.ssh/cm_socket/
> mkdir ~/.ssh/script/
>
> # Create ~/.ssh/script/ssh with this content:
> ############# BEGIN ##############
> #!/bin/bash
>
> # Full path to the real ssh (this script is itself named ssh); adjust if yours lives elsewhere
> SSH=/usr/bin/ssh
>
> TTY_CMD=
> REMOTE_NODE=$1
> shift
> if [ $# -eq 0 ]
> then
> TTY_CMD="-t -t"
> fi
>
> case $REMOTE_NODE in
> pdac-*)
> BASTION="pdac"
> REMOTE_CMD="ssh -Y $TTY_CMD lsst-bastion ssh -Y $TTY_CMD -q ${REMOTE_NODE:5} $@"
> ;;
> esac
>
> if [ "$REMOTE_CMD" ]
> then
> exec $SSH -Y $TTY_CMD $BASTION $REMOTE_CMD
> else
> exec $SSH -Y "$@" $REMOTE_NODE
> fi
> ############END#################
>
> # SSH to 'pdac' using 2 factor and add this on that machine:
>
> # Add the following to .ssh/config:
> ############ BEGIN ###############
> Host lsst-bastion
> HostName lsst-bastion01.ncsa.illinois.edu
> User <ncsa username>
> ControlMaster auto
> ControlPath ~/.ssh/cm_socket/%r@%h:%p
> ControlPersist yes
> ##############END###############
>
> # Now exit back to your desktop and you should be able to SSH
> 'directly' to the end nodes; you'll only be asked for the passphrase
> and kerberos passwords on the first connection
>
> # SSH to any of:
> pdac-qserv-master01
> pdac-qserv-dax01
> pdac-qserv-db[01-30]
> pdac-sui-proxy01
> pdac-sui-tomcat[01-02]
>
> Once connected, you can 'sudo su' and move between nodes (drop the
> 'pdac-' prefix once you are in the PDAC environment).
>
> Jason
> ________________________________________
> From: Alt, Jason
> Sent: Monday, September 19, 2016 8:50 AM
> To: [log in to unmask]; [log in to unmask]; [log in to unmask]
> Subject: Easy SSH for PDAC
>
> Since the final security tidbits are not in place, I cannot supply a
> working script yet, but I can give you something to get started. This
> is taken from:
> https://wiki.ncsa.illinois.edu/display/BWDOC/Simplifying+SSH+Access+to+Nodes+Behind+the+Bastion+Hosts?src=search
> (not sure if you can access it or not).
>
> You must use openssh 5.x or newer. 5.x does not support
> "ControlPersist" so you'll need to remove it from the config below.
>
> On your desktop/laptop:
> mkdir -p ~/.ssh/cm_socket/
>
> Add this to ~/.ssh/config:
>
> ###### BEGIN #######
> Host pdac
> HostName cerberus1.ncsa.illinois.edu
> User <username>
> ControlMaster auto
> ControlPath ~/.ssh/cm_socket/%r@%h:%p
> # If using 5.x, remove this next line
> ControlPersist yes
> ForwardX11 yes
> ##### END #########
>
> Then just "ssh pdac".
>
> If you use ControlPersist, you can exit ALL SSH connections and
> reconnect without authenticating because the system maintains a
> background connection. To kill it, do "ssh pdac -O exit".
>
> If you forward X11, you must be over the original connection. I'm not
> sure X11 forwarding is enabled.
>
> You could add a pdac[0-4] pointing to cerberus[0-4]. These are
> redundant for times of maintenance, etc.
>
> On cerberus you should create the same SSH config:
>
> mkdir -p ~/.ssh/cm_socket/
>
> Add this to ~/.ssh/config:
>
> ###### BEGIN #######
> Host bastion
> HostName lsst-bastion01.ncsa.illinois.edu
> User <username>
> ControlMaster auto
> ControlPath ~/.ssh/cm_socket/%r@%h:%p
> # If using 5.x, remove this next line
> ControlPersist yes
> ForwardX11 yes
> ##### END #########
>
> Then from your laptop you should be able to (once bastion01 is
> configured) "ssh -t pdac ssh bastion". This is the essence of the
> script shown on the wiki page.
> I can't tune it for this env until the
> configs are done.
>
> You can chain port forwarding this way. More on that once the security
> configs are in place.
>
> Jason

########################################################################
Use REPLY-ALL to reply to list

To unsubscribe from the QSERV-L list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=QSERV-L&A=1
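An added example, not code from the thread or from the NCSA wiki it cites, covering the two things the wrapper script and the ControlMaster setup above depend on. build_hop_cmd shows the command line the wrapper builds for a pdac-* name: the "pdac-" prefix is stripped and the innermost ssh is handed to the bastion as one single-quoted word, so a remote command with spaces survives both intermediate shells (the thread's version relies on word splitting and breaks on such commands). check_cm_dir checks that the ControlPath socket directory is a private local directory: the master connection stays authenticated for as long as ControlPersist keeps it open, and anyone who can open that socket reuses it without being asked for a passphrase or Kerberos password, which is why the socket directory must be owned by you, mode 0700, and not on AFS or another shared filesystem. The host aliases pdac and lsst-bastion and the pdac- prefix are the thread's own; the function names, the /afs prefix heuristic and the trusted X11 flag being left out (add -Y yourself only if you need X11) are this example's choices.

```shell
#!/bin/sh
# Added example: builds the hop command used for pdac-* nodes and checks the
# ControlPath directory. Aliases pdac/lsst-bastion come from the thread;
# function names and the /afs check are assumptions for illustration.

# shquote STRING: wrap in single quotes, turning each embedded ' into '\''
# so the result is exactly one word for the next shell that sees it.
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# build_hop_cmd NODE [REMOTE_CMD...]
# Prints the ssh command line for NODE. For pdac-* names the prefix is
# stripped and the chain is desktop -> pdac -> lsst-bastion -> node; with
# no remote command a tty is forced (-t -t) like the thread's wrapper.
build_hop_cmd() {
    hop_node=$1
    shift
    hop_tty=""
    [ $# -eq 0 ] && hop_tty="-t -t"
    case $hop_node in
        pdac-*)
            hop_target=${hop_node#pdac-}
            # command that lsst-bastion will run; ${1:+ $*} appends any remote command
            hop_inner="ssh ${hop_tty:+$hop_tty }-q $hop_target${1:+ $*}"
            printf '%s\n' "ssh ${hop_tty:+$hop_tty }pdac ssh ${hop_tty:+$hop_tty }lsst-bastion $(shquote "$hop_inner")"
            ;;
        *)
            # not a pdac name: plain ssh, remaining arguments are ssh options
            printf '%s\n' "ssh ${1:+$* }$hop_node"
            ;;
    esac
}

# check_cm_dir DIR
# Returns 0 when DIR is safe to hold ControlMaster sockets: it exists, is
# owned by the caller, is mode 0700, and is not under /afs (assumed mount
# point for AFS, which the thread warns against). Returns 1 otherwise.
check_cm_dir() {
    cm_dir=$1
    case $cm_dir in
        /afs/*) echo "$cm_dir: on AFS; use a local directory" >&2; return 1 ;;
    esac
    [ -d "$cm_dir" ] || { echo "$cm_dir: not a directory" >&2; return 1; }
    [ -O "$cm_dir" ] || { echo "$cm_dir: not owned by you" >&2; return 1; }
    # GNU stat first, BSD/macOS stat as fallback
    cm_mode=$(stat -c '%a' "$cm_dir" 2>/dev/null || stat -f '%Lp' "$cm_dir" 2>/dev/null)
    case $cm_mode in
        700|0700) return 0 ;;
        *) echo "$cm_dir: mode $cm_mode, expected 700 (chmod 700 $cm_dir)" >&2; return 1 ;;
    esac
}

# Usage demo: nothing below connects anywhere, it only prints and checks.
build_hop_cmd pdac-qserv-master01
build_hop_cmd pdac-sui-proxy01 uptime
check_cm_dir "$HOME/.ssh/cm_socket" || echo "fix ~/.ssh/cm_socket before relying on ControlMaster" >&2
```

Once the master is up, "ssh -O check pdac" reports whether the persistent connection is still alive and "ssh -O exit pdac" (as the thread says) tears it down; do the latter before leaving a shared machine, since the socket, not your credentials, is what grants the next login. On OpenSSH 7.3 or later the same two-hop path can be written as a ProxyJump directive in ~/.ssh/config instead of a wrapper script, which only forwards the connection through the intermediate hosts rather than running a shell command on each; the thread does not discuss that option.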