Differenze

Queste sono le differenze tra la revisione selezionata e la versione attuale della pagina.

--- oph:cluster:access [2024/06/19 09:27] – carlo.cintolesi@unibo.it
+++ oph:cluster:access [2025/02/20 11:31] (versione attuale) – Rimosso ophfe3 dall'esempio di configurazione di ~/.ssh/config mario.petroli@unibo.it
@@ Linea 30: / Linea 30: @@
 ===== Step 1: Connecting to the cluster =====
-The cluster can be **accessed remotely through a Frontend Login node**, through the ''ssh'' secure connection protocol, using UniBo institutional credentials (i.e. username and password used for all UniBo IT services).
+The cluster can be **accessed remotely through a Frontend Login node via a bastion host**, through the ''ssh'' secure connection protocol, using UniBo institutional credentials (i.e. username and password used for all UniBo IT services).
 There are **multiple independent Frontend Login Nodes:**
-  * ''137.204.50.71'' (ophfe1)
+  * ophfe1 (137.204.165.41)
-  * ''137.204.50.72'' (ophfe2)
+  * ophfe2 (137.204.165.42)
-  * ''137.204.50.73'' (ophfe3)
+  * ophfe3 (137.204.165.43) **reserved -- VM for some special tasks**
-The **connection procedure** requires the use of the [[https://fisica-astronomia.unibo.it/it/dipartimento/servizi-tecnici-e-amministrativi/servizi-tecnici-informatici/servizi-informatici/servizio_bastion|Bastion's SSH host service]], that allows 'mediated' ssh access to resources on the department's network, avoiding direct external exposure of services and drastically improving network security. To connect from the terminal use the following syntax:
+The **connection procedure** requires the use of the bastion, that allows 'mediated' ssh access to resources on the department's network, avoiding direct external exposure of services and drastically improving network security. To connect from the terminal use the following syntax:
   *** STAFF MEMBERS** with e.g. UniBo email address ''donald.duck7@unibo.it'' can connect to the cluster with the command:<code>
-  ssh -J donald.duck7@137.204.50.15 donald.duck7@137.204.50.71
+  ssh -J donald.duck7@bastion-nav.difa.unibo.it donald.duck7@ophfe1
 </code>
   *** STUDENTS** with e.g. UniBo email address ''mickey.mouse4@studio.unibo.it'' can connect to the cluster with the **same command**:<code>
-  ssh -J mickey.mouse4@137.204.50.15 mickey.mouse4@137.204.50.71
+  ssh -J mickey.mouse4@bastion-nav.difa.unibo.it mickey.mouse4@ophfe1
 </code>
 followed by their UniBo institutional password (twice).
-This will do a two-step connection, first to 137.204.50.15 which is the **bastion host**, then to the cluster frontend. To avoid specifying it every time, you can simply add the following lines to ''~/.ssh/config'':
+This will do a two-step connection, first to bastion-nav.difa.unibo.it (137.204.165.34) which is the **bastion host**, then to the specified cluster frontend. To avoid specifying it every time, you can simply add the following lines to ''~/.ssh/config'':
-  Host bastion
+  Host bastion-nav
-    Hostname 137.204.50.15
+    Hostname bastion-nav.difa.unibo.it
     User     your.loginname
-  Host 137.204.50.71 137.204.50.72 137.204.50.73
+  Host ophfe1 ophfe2
     User      your.loginname
-    ProxyJump bastion
+    ProxyJump bastion-nav
-After having added such lines, you can simply use ''ssh 137.204.50.71'' as usual.
+After having added such lines, you can simply use ''ssh ophfe1''.
 <WRAP round important 100%>For some users in PERSONALE their account does not match the mail address (so called "cambio UPN"). It's always possible to use:
-  ssh -l mail.address@unibo.it 137.204.50.71
+  ssh -l mail.address@unibo.it ophfe1
 or even:
-  ssh mail.address@unibo.it@137.204.50.71
+  ssh mail.address@unibo.it@ophfe1
 </WRAP>
 'User' line in ''~/.ssh/config'' also accepts the mail address.
 Graphic windows require a connection with X11 forwarding, which can be established with the ''ssh'' options ''-X'' and/or ''-Y'' (rarely needed, **might expose your client to attacks**:!:). In general, connecting with:
-<WRAP center 40%>''ssh -X albert.einstein9@137.204.50.71''</WRAP>
+<WRAP center 40%>''ssh -X albert.einstein9@ophfe1''</WRAP>
 is enough to use graphical tools.
@@ Linea 79: / Linea 79: @@
   It is also possible that a host key has just been changed.
   The fingerprint for the ECDSA key sent by the remote host is
-  SHA256:aoqtNWk0OvSDuWAMV1y7l3E9ofdI6TKBEJxpGpPoYH4.
+  SHA256:uR0mI0jPbLhSd/1HISczCCpoK9OZLOs+uqQx9b1CDjU.
-it's probably because you connected to the old Str957-cluster (replaced by ophfe1) and server's ssh key have been changed.
+it's probably because you connected to the old Str957-cluster (replaced by ophfe1) and server's ssh key have been changed (or you connected to the old bastion and are now connecting to bastion-nav).
-**CHECK** that the displayed key is one of these:
+**CHECK** that the displayed key **for bastion-nav** is one of these:
-  * **DSA**: mDCpmJK4A3UqYjVRZzjpItpYehaFxSNYTLRYxRywIYw
+  * **ECDSA**: D5hNeP9NbU/OFjPyxlp7nsryHq9Sl9WKC3ef7rUaQg4
-  * **ECDSA**: aoqtNWk0OvSDuWAMV1y7l3E9ofdI6TKBEJxpGpPoYH4
+  * **ED25519**: uR0mI0jPbLhSd/1HISczCCpoK9OZLOs+uqQx9b1CDjU
-  * **ED25519**: J7k3kS0BWspWcPNdq0Dkyuhoj3z1gnrZOCT0r+BWx2Q
+  * **RSA**: NUJz6tcBoz+xxOroOUeQnqQrvH99RpmS5e9io/KwYm4
-  * **RSA**: bgydnQeWV3puQNHJ9hjEKo2ziLriWC/ypVWNTp1C6/k
 then
-  ssh-keygen -R 137.204.50.71
+  ssh-keygen -R bastion-nav.difa.unibo.it
 to remove old fingerprint from your PC.
+Keys for ophfe1 and ophfe2 have not been changed and their hashes are:
+  * ophfe1:
+    * **ECDSA**: aoqtNWk0OvSDuWAMV1y7l3E9ofdI6TKBEJxpGpPoYH4
+    * **ED25519**: J7k3kS0BWspWcPNdq0Dkyuhoj3z1gnrZOCT0r+BWx2Q
+    * **RSA**: bgydnQeWV3puQNHJ9hjEKo2ziLriWC/ypVWNTp1C6/k
+  * ophfe2:
+    * **ECDSA**: aoqtNWk0OvSDuWAMV1y7l3E9ofdI6TKBEJxpGpPoYH4
+    * **ED25519**: J7k3kS0BWspWcPNdq0Dkyuhoj3z1gnrZOCT0r+BWx2Q
+    * **RSA**: bgydnQeWV3puQNHJ9hjEKo2ziLriWC/ypVWNTp1C6/k
 Now you can retry the ssh connection: it will tell you that it can't verify server's identity and show key hash. **Verify (again)** that the key hash is from the list above, and accept it (iif it matches).
 </WRAP>