Commit 48dc2a49 authored by Michael Blaschek

ectrans add ssh-key

parent 798a41b4
......@@ -61,6 +61,8 @@ module load teleport
# Activate the ssh-agent (required to store the key/certificate)
ssh-agentstart
# or
ssh-agentreconnect
# Check if it is running
ssh-add -l
```
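Review bot: The `# or` comment above `ssh-agentreconnect` does not say when to pick it over `ssh-agentstart`. Suggest wording the comment so it states what distinguishes the two (for example, whether reconnect attaches to an agent that is already running), so readers do not end up with a second agent and then wonder why `ssh-add -l` shows no key.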
......@@ -266,8 +268,8 @@ if you encounter a STOP or ERROR, then you can also check the gateway ([boaccess
There are two ways to create these associations:
1. via the web interface:
- [boaccess](https://boaccess.ecmwf.int)
- [imgaccess](https://ecaccess.wolke.img.univie.ac.at)
- using [boaccess](https://boaccess.ecmwf.int)
- using [imgaccess](https://ecaccess.wolke.img.univie.ac.at)
2. via the ecaccess-webtoolkit
After creating **new associations** it takes a while before they actually work (about 10min).
......@@ -285,12 +287,12 @@ Steps:
2. Go to **ECtrans setup**
3. Click **add association** (at bottom)
4. Fill in the association
- `name`
- `hostname` (login.img.univie.ac.at or jet01 or jet02)
- `directory` (`/srvfs/scratch/[USERNAME]` or something else)
- `comment` (giving you a hint where it drops the file sto)
- `login` (this is your imgw server username)
- `password` (this is your imgw server password)
- `name`
- `hostname` (login.img.univie.ac.at or jet01 or jet02)
- `directory` (`/srvfs/scratch/[USERNAME]` or something else)
- `comment` (giving you a hint where it drops the file sto)
- `login` (this is your imgw server username)
- `password` (this is your imgw server password)
5. Click on _Create_
Later you can also change the password for your associations.
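Review bot: The re-indented `comment` item still reads "where it drops the file sto"; since these lines are being touched anyway, fix it to "files to". The `hostname` item would also read more clearly with `jet01` and `jet02` in backticks like the other literal values in this list.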
......@@ -353,9 +355,75 @@ aurora login.img.univie.ac.at active scratch
$ ecaccess-association-list -gateway ecaccess.img.univie.ac.at
jet jet01.img.univie.ac.at active scratch
# send a file to both
```
### using ssh-keys
There is another way to overcome the need to continuously changing the password in the association. It is possible to add a ssh-key to the ectrans association.
Steps:
1. Create a compatible ssh-key
2. Add ssh public key (e.g. `ecmwf.pub`) to [IPA](../SSH-VPN-VNC/IPA.md#add-ssh-key)
3. Modify the association
```sh title="Create an ectrans ssh-key"
# generate a ssh-key using the PEM format
ssh-keygen -t rsa -m PEM -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): ecmwf
Enter passphrase for "test" (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in test
Your public key has been saved in test.pub
The key fingerprint is:
SHA256:2FIvXhZASKo/b565cUiWQsImKV63YZhhnx0ySb3Rak8 user@notebook
The key's randomart image is:
+---[RSA 4096]----+
| o.=+++ |
| o. =o*o.o |
|+ ++o* .= . |
|oo.+o oO E . |
| .. ..B S + |
| . + + = |
| o o o |
| o.= |
| o*. |
+----[SHA256]-----+
#
```
Add the public key to the IPA. It might take up to 10 min, before the new key is registered by the system. You can check on aurora by running: `sss_ssh_authorizedkeys $USER`
Now you can modify the association by adding your generated **private key**:
``` title="Modified association"
...
sftp.port = "22"
sftp.prefix = ""
sftp.privateKey = "
-----BEGIN RSA PRIVATE KEY-----
eJaBR2f80p2qlgapAku1z+PsnY2gjdL7y6iqxnrR19L8/CnM+A2OdU+lSnBv1PS7
VU2/nY4Al6xSJTJOrZ+k9dkyWjbixF1FCpVeNOxqJdqjtcFw/2nX8Mtp+5BOrCxg
rTkoW31foJQL+FNf/VelOPO1xf+YSfKIUmZ7OU3LHrzDm07p0pd/Aclj7Qqf89mp
pjqDXe7/00OuRuda6gu2Sbd4Oro+5ha9jkvfDQpV8Xj5QsLbjnxjp5+J9yUDoujq
...
vlN5kEeFbyB22H5QCkCF4RWVOUfudCTcPNC2DMeR7gtFwlWmxzizZuaVi5v48vP3
8/zt0udPyCyPP2B0NOyJzrDejcvfVQ76SmLGgArjQN3jJDF7p7UausliO2R1SD/p
jJNEf9KEDEeO3COLZrT0tcfTmAEd7OVSURdZKJTXQCPai2LTevTBYJxXHgFFly4Z
-----END RSA PRIVATE KEY-----
"
sftp.sessionTimeOut = "60000"
sftp.suffix = ".tmp"
sftp.usetmp = "yes"
sftp.wmoLikeFormat = "no"
###### END-OF-PROPERTIES ######
';
```
to either the association file or via the web interface. Then you can remove the password, but leave the `login=[USERNAME]`.
More information on these details can be found [here](https://confluence.ecmwf.int/display/ECAC/Unattended+file+transfer+-+ectrans)
## ECaccess Gateway
The department is running a member state ecaccess gateway service. **The purpose of an individual access server is to bridge ECMWF's network with IMGW's network.** Hence, protecting these networks. For example, you can access the JET cluster from the department ecaccess server, but not from boaccess server, but from boaccess you can accesss aurora.
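Review bot: In the "Modified association" block, `sftp.privateKey` is filled with what look like real base64 key lines, and the surrounding text does not tell the reader that this places the private key itself in the association (file or web interface). Suggest replacing the key body with an obvious placeholder such as `[CONTENTS OF THE PRIVATE KEY FILE ecmwf]`, and adding a sentence that the key should be a dedicated one created only for ectrans and not reused for interactive logins, since the transcript allows an empty passphrase. The `ssh-keygen` transcript is also inconsistent: the file prompt is answered with `ecmwf`, but the following lines say `passphrase for "test"`, `saved in test` and `test.pub`, while step 2 refers to `ecmwf.pub`; use one name throughout. The trailing `';` after `###### END-OF-PROPERTIES ######` looks like a leftover from the exported association file and should be explained or dropped.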