Hi Fritz,
I got this to work on my notebook and desktop. I'll probably get
rid of the need for "pdac-" addition to the pdac script, but at
least this works.
Connecting with Scripts Once
End result is you can ssh into any machine in the pdac without re-entering passwords
ssh pdac
(enter passcode etc)
ssh lsst-bastion (enter password, this is intentionally not lsst-bastion01)
Open another terminal
pdac pdac-qserv-master01
pdac pdac-qserv-dax01
pdac pdac-qserv-db[01-30]
pdac pdac-sui-proxy01
pdac pdac-sui-tomcat[01-02]
Once on pdac, you can ssh around as needed. No need for "pdac-"
To get it to work:
# Add the following to .ssh/config
############# BEGIN ##############
Host pdac
HostName cerberus1.ncsa.illinois.edu
User <ncsa username>
ControlMaster auto
ControlPath ~/.ssh/cm_socket/%r@%h:%p
ControlPersist yes
############END##################
#
Execute these commands:
mkdir -p ~/.ssh/cm_socket/
If (like me) you're on afs, make ~/.ssh/cm_socket/ a link to a directory on your computer, not afs.
#
Create ~/bin/pdac with this content:
############# BEGIN ##############
#!/bin/bash
# Path to the real ssh binary. The posted script used $SSH without ever
# setting it; this default is an assumption added here.
SSH=${SSH:-/usr/bin/ssh}
TTY_CMD=
REMOTE_NODE=$1
shift
# No remaining arguments means an interactive shell is wanted, so force a
# tty through both hops (-t -t).
if [ $# -eq 0 ]
then
    TTY_CMD="-t -t"
fi
case $REMOTE_NODE in
pdac-*)
    # Hop via cerberus ("pdac") and then lsst-bastion. ${REMOTE_NODE:5} strips
    # the 5-character "pdac-" prefix, which the nodes do not carry inside the
    # PDAC environment.
    BASTION="pdac"
    REMOTE_CMD="ssh -Y $TTY_CMD lsst-bastion ssh -Y $TTY_CMD -q ${REMOTE_NODE:5} $@"
    ;;
esac
if [ "$REMOTE_CMD" ]
then
    exec $SSH -Y $TTY_CMD $BASTION $REMOTE_CMD
else
    # Not a pdac node: pass the call straight through to ssh.
    exec $SSH -Y $@ $REMOTE_NODE
fi
############END#################
#
SSH to 'pdac' using 2 factor and add this on that machine:
#
Add the following to .ssh/config:
############ BEGIN ###############
Host lsst-bastion
HostName lsst-bastion01.ncsa.illinois.edu
User <ncsa username>
ControlMaster auto
ControlPath ~/.ssh/cm_socket/%r@%h:%p
ControlPersist yes
##############END###############
-------- Forwarded Message --------
Subject: RE: Easy SSH for PDAC
Date: Wed, 21 Sep 2016 19:27:54 +0000
From: Alt, Jason <[log in to unmask]>
To: [log in to unmask] <[log in to unmask]>, [log in to unmask] <[log in to unmask]>, [log in to unmask] <[log in to unmask]>, [log in to unmask] <[log in to unmask]>
Your access is slowly coming online. I verified that the easy access works. Here's some cleanup to make your lives simpler:
On your desktop:
# Add the following to .ssh/config
############# BEGIN ##############
Host pdac
HostName cerberus1.ncsa.illinois.edu
User <ncsa username>
ControlMaster auto
ControlPath ~/.ssh/cm_socket/%r@%h:%p
ControlPersist yes
############END##################
# Execute these commands:
mkdir -p ~/.ssh/cm_socket/    # must match the directory in ControlPath above
mkdir ~/.ssh/script/
# Create ~/.ssh/script/ssh with this content:
############# BEGIN ##############
#!/bin/bash
# Path to the real ssh binary. This script is itself named "ssh", so exec'ing
# a bare "ssh" would re-run it. The posted script used $SSH without setting
# it; this default is an assumption added here.
SSH=${SSH:-/usr/bin/ssh}
TTY_CMD=
REMOTE_NODE=$1
shift
# No remaining arguments means an interactive shell is wanted, so force a
# tty through both hops (-t -t).
if [ $# -eq 0 ]
then
    TTY_CMD="-t -t"
fi
case $REMOTE_NODE in
pdac-*)
    # Hop via cerberus ("pdac") and then lsst-bastion. ${REMOTE_NODE:5} strips
    # the 5-character "pdac-" prefix, which the nodes do not carry inside the
    # PDAC environment.
    BASTION="pdac"
    REMOTE_CMD="ssh -Y $TTY_CMD lsst-bastion ssh -Y $TTY_CMD -q ${REMOTE_NODE:5} $@"
    ;;
esac
if [ "$REMOTE_CMD" ]
then
    exec $SSH -Y $TTY_CMD $BASTION $REMOTE_CMD
else
    # Not a pdac node: pass the call straight through to ssh.
    exec $SSH -Y $@ $REMOTE_NODE
fi
############END#################
# SSH to 'pdac' using 2 factor and add this on that machine:
# Add the following to .ssh/config:
############ BEGIN ###############
Host lsst-bastion
HostName lsst-bastion01.ncsa.illinois.edu
User <ncsa username>
ControlMaster auto
ControlPath ~/.ssh/cm_socket/%r@%h:%p
ControlPersist yes
##############END###############
# Now exit back to your desktop and you should be able to SSH 'directly' to the end nodes; you'll only be asked for the passphrase and kerberos passwords on the first connection
# SSH to any of:
pdac-qserv-master01
pdac-qserv-dax01
pdac-qserv-db[01-30]
pdac-sui-proxy01
pdac-sui-tomcat[01-02]
Once connected, you can 'sudo su' and move between nodes (drop the 'pdac-' prefix once you are in the PDAC environment).
Jason
________________________________________
From: Alt, Jason
Sent: Monday, September 19, 2016 8:50 AM
To: [log in to unmask]; [log in to unmask]; [log in to unmask]
Subject: Easy SSH for PDAC
Since the final security tidbits are not in place, I cannot supply a working script yet, but I can give you something to get started. This is taken from: https://wiki.ncsa.illinois.edu/display/BWDOC/Simplifying+SSH+Access+to+Nodes+Behind+the+Bastion+Hosts?src=search (not sure if you can access it or not).
You must use openssh 5.x or newer. 5.x does not support "ControlPersist" so you'll need to remove it from the config below.
On your desktop/laptop:
mkdir -p ~/.ssh/cm_socket/    # must match the directory in ControlPath below
Add this to ~/.ssh/config:
###### BEGIN #######
Host pdac
HostName cerberus1.ncsa.illinois.edu
User <username>
ControlMaster auto
ControlPath ~/.ssh/cm_socket/%r@%h:%p
# If using 5.x, remove this next line
ControlPersist yes
ForwardX11 yes
##### END #########
Then just "ssh pdac".
If you use ControlPersist, you can exit ALL SSH connections and reconnect without authenticating because the system maintains a background connection. To kill it, do "ssh pdac -O exit".
If you forward X11, you must be over the original connection. I'm not sure X11 forwarding is enabled.
You could add a pdac[0-4] pointing to cerberus[0-4]. These are redundant for times of maintenance, etc.
On cerberus you should create the same SSH config:
mkdir -p ~/.ssh/cm_socket/    # must match the directory in ControlPath below
Add this to ~/.ssh/config:
###### BEGIN #######
Host bastion
HostName lsst-bastion01.ncsa.illinois.edu
User <username>
ControlMaster auto
ControlPath ~/.ssh/cm_socket/%r@%h:%p
# If using 5.x, remove this next line
ControlPersist yes
ForwardX11 yes
##### END #########
Then from your laptop you should be able to (once bastion01 is configured) "ssh -t pdac ssh bastion". This is the essence of the script shown on the wiki page. I can't tune it for this env until the configs are done.
You can chain port forwarding this way. More on that once the security configs are in place.
Jason
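A check for the ControlPath directory that the mkdir steps in this thread create, added here as an example (it is not from the thread or from the NCSA wiki page). It reads ControlPath out of a Host stanza, creates the directory owner-only if it is missing, and reports whether the mode is 0700. The reason this matters: any local process that can open the multiplexed socket rides the already-authenticated session without the passcode or Kerberos password, so the socket directory must be private and, as noted above for AFS users, on local disk rather than a shared filesystem. The sample stanza used to exercise it is constructed; the host alias `pdac` is the one used in the configs above.

```shell
#!/bin/bash
# Added example, not part of the thread. Verifies the directory that
# ControlPath points at: the ControlMaster socket grants passwordless reuse
# of the session to whoever can open it, so the directory must be mode 0700.
# Written in portable sh syntax.

# Print the directory part of ControlPath from the stanza "Host <alias>".
# Usage: control_dir <config-file> <host-alias>
control_dir() {
    awk -v want="$2" '
        tolower($1) == "host"                   { inblock = ($2 == want) }
        inblock && tolower($1) == "controlpath" { print $2; exit }
    ' "$1" | sed -e 's:/[^/]*$::'
}

# Expand a leading ~, create the directory owner-only if it is missing, and
# return 0 only if its mode is exactly 0700 (an existing 0755 directory fails).
# Usage: ensure_private_dir <dir>
ensure_private_dir() {
    dir=$1
    case $dir in
        "~"/*) dir="$HOME${dir#\~}" ;;
    esac
    mkdir -p -m 0700 "$dir" || return 1
    # GNU stat first, BSD/macOS stat as the fallback.
    mode=$(stat -c %a "$dir" 2>/dev/null || stat -f %Lp "$dir" 2>/dev/null)
    [ "$mode" = "700" ]
}

# When run directly, check the real config for the alias used in the thread.
if [ -f "$HOME/.ssh/config" ]; then
    d=$(control_dir "$HOME/.ssh/config" pdac)
    if [ -n "$d" ]; then
        if ensure_private_dir "$d"; then
            echo "ok: $d is mode 0700"
        else
            echo "WARNING: $d is not mode 0700 (fix with: chmod 700 $d)"
        fi
    fi
fi
```

Run it once after editing ~/.ssh/config; it only inspects the stanza named on the command line, so a `Host *` default would need a second call with `'*'` as the alias.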