Commit 48dc2a49 authored by Michael Blaschek

ectrans add ssh-key

parent 798a41b4
...@@ -61,6 +61,8 @@ module load teleport ...@@ -61,6 +61,8 @@ module load teleport
# Activate the ssh-agent (required to store the key/certificate) # Activate the ssh-agent (required to store the key/certificate)
ssh-agentstart ssh-agentstart
# or
ssh-agentreconnect
# Check if it is running # Check if it is running
ssh-add -l ssh-add -l
``` ```
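Review bot: the added `# or` above `ssh-agentreconnect` does not say when to use it instead of `ssh-agentstart`, so a reader cannot tell whether to run one or both. Suggest spelling out the condition in the comment (for example, which command applies when an agent from an earlier session already exists) and keeping `ssh-add -l` as the check for both paths.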
...@@ -266,8 +268,8 @@ if you encounter a STOP or ERROR, then you can also check the gateway ([boaccess ...@@ -266,8 +268,8 @@ if you encounter a STOP or ERROR, then you can also check the gateway ([boaccess
There are two ways to create these associations: There are two ways to create these associations:
1. via the web interface: 1. via the web interface:
- [boaccess](https://boaccess.ecmwf.int) - using [boaccess](https://boaccess.ecmwf.int)
- [imgaccess](https://ecaccess.wolke.img.univie.ac.at) - using [imgaccess](https://ecaccess.wolke.img.univie.ac.at)
2. via the ecaccess-webtoolkit 2. via the ecaccess-webtoolkit
After creating **new associations** it takes a while before they actually work (about 10min). After creating **new associations** it takes a while before they actually work (about 10min).
...@@ -285,12 +287,12 @@ Steps: ...@@ -285,12 +287,12 @@ Steps:
2. Go to **ECtrans setup** 2. Go to **ECtrans setup**
3. Click **add association** (at bottom) 3. Click **add association** (at bottom)
4. Fill in the association 4. Fill in the association
- `name` - `name`
- `hostname` (login.img.univie.ac.at or jet01 or jet02) - `hostname` (login.img.univie.ac.at or jet01 or jet02)
- `directory` (`/srvfs/scratch/[USERNAME]` or something else) - `directory` (`/srvfs/scratch/[USERNAME]` or something else)
- `comment` (giving you a hint where it drops the file sto) - `comment` (giving you a hint where it drops the file sto)
- `login` (this is your imgw server username) - `login` (this is your imgw server username)
- `password` (this is your imgw server password) - `password` (this is your imgw server password)
5. Click on _Create_ 5. Click on _Create_
Later you can also change the password for your associations. Later you can also change the password for your associations.
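Review bot: the `comment` item in step 4 still reads "where it drops the file sto"; since these lines are being re-indented anyway, fix it to "files to". The `hostname` item also lists `jet01 or jet02` without a domain while the listing further down shows `jet01.img.univie.ac.at`; using the full name here would avoid an association that only resolves from inside the department network.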
...@@ -353,9 +355,75 @@ aurora login.img.univie.ac.at active scratch ...@@ -353,9 +355,75 @@ aurora login.img.univie.ac.at active scratch
$ ecaccess-association-list -gateway ecaccess.img.univie.ac.at $ ecaccess-association-list -gateway ecaccess.img.univie.ac.at
jet jet01.img.univie.ac.at active scratch jet jet01.img.univie.ac.at active scratch
# send a file to both # send a file to both
```
### using ssh-keys
There is another way to overcome the need to continuously changing the password in the association. It is possible to add a ssh-key to the ectrans association.
Steps:
1. Create a compatible ssh-key
2. Add ssh public key (e.g. `ecmwf.pub`) to [IPA](../SSH-VPN-VNC/IPA.md#add-ssh-key)
3. Modify the association
```sh title="Create an ectrans ssh-key"
# generate a ssh-key using the PEM format
ssh-keygen -t rsa -m PEM -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): ecmwf
Enter passphrase for "test" (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in test
Your public key has been saved in test.pub
The key fingerprint is:
SHA256:2FIvXhZASKo/b565cUiWQsImKV63YZhhnx0ySb3Rak8 user@notebook
The key's randomart image is:
+---[RSA 4096]----+
| o.=+++ |
| o. =o*o.o |
|+ ++o* .= . |
|oo.+o oO E . |
| .. ..B S + |
| . + + = |
| o o o |
| o.= |
| o*. |
+----[SHA256]-----+
#
``` ```
Add the public key to the IPA. It might take up to 10 min, before the new key is registered by the system. You can check on aurora by running: `sss_ssh_authorizedkeys $USER`
Now you can modify the association by adding your generated **private key**:
``` title="Modified association"
...
sftp.port = "22"
sftp.prefix = ""
sftp.privateKey = "
-----BEGIN RSA PRIVATE KEY-----
eJaBR2f80p2qlgapAku1z+PsnY2gjdL7y6iqxnrR19L8/CnM+A2OdU+lSnBv1PS7
VU2/nY4Al6xSJTJOrZ+k9dkyWjbixF1FCpVeNOxqJdqjtcFw/2nX8Mtp+5BOrCxg
rTkoW31foJQL+FNf/VelOPO1xf+YSfKIUmZ7OU3LHrzDm07p0pd/Aclj7Qqf89mp
pjqDXe7/00OuRuda6gu2Sbd4Oro+5ha9jkvfDQpV8Xj5QsLbjnxjp5+J9yUDoujq
...
vlN5kEeFbyB22H5QCkCF4RWVOUfudCTcPNC2DMeR7gtFwlWmxzizZuaVi5v48vP3
8/zt0udPyCyPP2B0NOyJzrDejcvfVQ76SmLGgArjQN3jJDF7p7UausliO2R1SD/p
jJNEf9KEDEeO3COLZrT0tcfTmAEd7OVSURdZKJTXQCPai2LTevTBYJxXHgFFly4Z
-----END RSA PRIVATE KEY-----
"
sftp.sessionTimeOut = "60000"
sftp.suffix = ".tmp"
sftp.usetmp = "yes"
sftp.wmoLikeFormat = "no"
###### END-OF-PROPERTIES ######
';
```
to either the association file or via the web interface. Then you can remove the password, but leave the `login=[USERNAME]`.
More information on these details can be found [here](https://confluence.ecmwf.int/display/ECAC/Unattended+file+transfer+-+ectrans)
## ECaccess Gateway ## ECaccess Gateway
The department is running a member state ecaccess gateway service. **The purpose of an individual access server is to bridge ECMWF's network with IMGW's network.** Hence, protecting these networks. For example, you can access the JET cluster from the department ecaccess server, but not from boaccess server, but from boaccess you can accesss aurora. The department is running a member state ecaccess gateway service. **The purpose of an individual access server is to bridge ECMWF's network with IMGW's network.** Hence, protecting these networks. For example, you can access the JET cluster from the department ecaccess server, but not from boaccess server, but from boaccess you can accesss aurora.
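Review bot: the "Modified association" block shows several lines of key body inside `sftp.privateKey`, and the keygen transcript prints a full fingerprint; documentation should carry an obvious placeholder such as `<contents of the private key file>` between the BEGIN/END lines, and if any of this came from a real key that key should be retired. The transcript is also inconsistent: the file name entered is `ecmwf`, but the following lines say `"test"`, `test` and `test.pub`, while step 2 refers to `ecmwf.pub`. Because the private key is pasted into the association, the steps should say to generate a key used only for ectrans and state whether the passphrase is expected to be empty. Minor: the stray `#` before the closing fence and the `';` after `END-OF-PROPERTIES` look like leftovers, and "continuously changing" in the intro should read "continuously change".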