As of September 25, 2024, logging in to Marvin requires setting up a public/private key pair, as login with username + password alone is no longer possible.
There are two reasons for this change. First, using keys is generally considered more secure than using passwords, and second, there is a SLURM bug where users can access resources beyond their job allocation when SSHing to a compute node. We were therefore faced with a choice between the approach described above or disabling SSH to the compute nodes altogether, which we know many users rely on.
To set up password-less login on Marvin, you need to do at least two things:
Once the public key has been uploaded, SSH needs to be able to use the corresponding private key to log in. If you follow the guides on this page, you likely will not need to do anything additional, but a more complex setup might require further actions, such as telling SSH which key to use. Refer to the section on SSH in our Linux tutorial on how to do that.
You can generate a key pair using only tools that come with your SSH implementation. The console command ssh-keygen can be used for this.
The key should be generated on your PC, not on the cluster.
The following things are recommended when generating a key pair in this way:
You should use the option -t ed25519. This uses a key generation algorithm which is nowadays recommended over the default (RSA).
You should give the key a passphrase. This will ensure that the private keyfile itself will be encrypted.
You should put the keyfile in the directory /home/<your username>/.ssh. This will likely be the default suggested by the key generator anyway. This applies analogously on Windows, where keys should go in C:/Users/<your username>/.ssh.
On most operating systems, SSH will complain if the file permissions for the .ssh directory are too lenient. On Linux and macOS, you might have to use chmod in this case to remove all permissions for everyone except the owning user. See our Linux tutorial on Linux permissions.
On Windows, the situation is more complex, and we cannot give any general advice. The permissions can be controlled from the file/folder properties (right-click -> "Properties"). The "Security" tab contains the permissions.
Once you are done, the .ssh directory inside your home directory on your PC should contain a file with the name that you chose for your key and another file with the same name and the ending .pub. These are the private and public keys, respectively. They are regular text files and can be opened with any text editor, although the private key will be encrypted and unreadable.
You will need to open the public key file to copy the key. In most text editors, simply hit Ctrl+A to highlight everything, then Ctrl+C to copy.
On Windows, the method described above works essentially the same way. Alternatively, you can generate a key pair using the key generation GUI that comes with PuTTY or MobaXTerm. This is possible, but you need to be careful, as the key format differs from the one described above.
You still need to generate the key and then copy it, to later paste it into FreeIPA. However, if you are using the PuTTY/MobaXTerm key generator, the procedure is slightly different:
Select "EdDSA" at the bottom and make sure the dropdown menu says "Ed25519 (255 bits)". This ensures that the recommended key generation algorithm is used.
Click "Generate", then move the mouse around to create randomness, as instructed.
You will now see the generated public key in the correct format. Copy the public key from the generator window. This is what you will need to paste into FreeIPA later.
Click Save public key and save the key to the .ssh folder in your home directory. If the folder is not there, simply create it.
Enter a passphrase for the private key, enter it again to confirm, then click Save private key.
If you need to get the key in the format used by FreeIPA again in the future, you can use the Load button in the key generator window.
You can upload a key to FreeIPA via the following steps:
You may get a certificate warning the first time you open that page. We realize that is suboptimal, but unfortunately we cannot fix that without reinstalling FreeIPA from scratch. The security impact should not be too large, as the page is only reachable from within the Uni Bonn VPN. Simply add an exception (in most browsers: click "Advanced", then "Continue").
Log in. The login data are the same as for connecting to Marvin.
Once logged in, click on your name in the top right, then on "Profile".
You will get to your user settings page. On the right hand side of that page, there is a section "Public SSH Keys". Click on Add key. (If you come back later, this will be labeled Show/Set key instead).
A text field will open. Paste your public SSH key here. Make sure it is the public one. You can only have one key in this field. Then click Set.
Click Save in the top left bar. If you get a "Validation Error", there is something wrong with the text you pasted. The key needs to be a single line of text with three elements, separated by spaces: the algorithm (ssh-ed25519 if you followed the guide above), the actual key and optionally a comment.
From this point on, you should be able to log in with the key provided.
We have discovered that FreeIPA sometimes takes a few minutes to synchronize the new key to the Marvin nodes. If you cannot log in after uploading the key, wait 15 minutes and try again.
You can upload multiple keys in the FreeIPA web portal, as long as you put each one in a separate entry. Note the Add button in the SSH keys section.
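The format rule from the "Validation Error" step can be checked locally before pasting. The following is an added example, not part of the original guide and not FreeIPA's own validation: check_public_key is a hypothetical helper, the sample key is constructed, and the file markers it rejects are those written by OpenSSH and PuTTY.

```python
import base64
import struct

def wire_fields(blob):
    """Split a key blob into its length-prefixed fields; None if malformed."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            return None
        (length,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        if pos + length > len(blob):
            return None
        fields.append(blob[pos:pos + length])
        pos += length
    return fields

def check_public_key(text):
    """Return (ok, reason) for text about to be pasted as a public SSH key."""
    text = text.strip()
    if "PRIVATE KEY" in text or text.startswith("PuTTY-User-Key-File"):
        return False, "this is a private key, never upload it"
    if text.startswith("---- BEGIN SSH2 PUBLIC KEY"):
        return False, "multi-line public key file, not the one-line format"
    if len(text.splitlines()) != 1:
        return False, "key must be a single line"
    parts = text.split(None, 2)  # algorithm, key, optional comment
    if len(parts) < 2:
        return False, "expected: algorithm, key, optional comment"
    algorithm, key_b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(key_b64, validate=True)
    except ValueError:  # also covers binascii.Error
        return False, "key field is not valid base64"
    fields = wire_fields(blob)
    if not fields or len(fields) < 2:
        return False, "key data is truncated or malformed"
    # The key data names its own algorithm; it must agree with the first field.
    if fields[0] != algorithm.encode():
        return False, "algorithm field does not match the key data"
    return True, "ok"

# Constructed sample, not a real key: 32 placeholder bytes as the Ed25519 value.
_name = b"ssh-ed25519"
SAMPLE_BLOB = struct.pack(">I", len(_name)) + _name + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " user@laptop"

if __name__ == "__main__":
    print(check_public_key(SAMPLE_LINE))
```

A key that was cut off while copying, or wrapped onto a second line by the editor, fails here with a specific reason instead of the generic error in the web portal.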
Here are the host key fingerprints for Marvin. They are the same for all login nodes.
3072 SHA256:rsHfwuyzFTOTnZjwjrg5JSiy7C6sZTz8gyNrtphHVhU localhost (RSA)
256 SHA256:9OuqgxfgnbqT4tOUcd5e0NGNvbYKZ4bj4TnLTUUK4Dg localhost (ECDSA)
256 SHA256:3rhTMOUpIcLo3tuKTeDsv46m836QlG4G9xu2ojzC8WM localhost (ED25519)
You can use these to verify that you are indeed connecting to Marvin. See this explanation on SSH fingerprinting.
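How a fingerprint in the list above is derived from a host key and compared against it, as an added example that is not part of the original page. check_host_keys is a hypothetical helper that reads lines in the "host algorithm key" layout of a known_hosts file; the host name and key in SAMPLE_LISTING are constructed placeholders.

```python
import base64
import hashlib
import struct

# Host key fingerprints published on this page for the Marvin login nodes.
MARVIN_FINGERPRINTS = {
    "SHA256:rsHfwuyzFTOTnZjwjrg5JSiy7C6sZTz8gyNrtphHVhU",  # RSA
    "SHA256:9OuqgxfgnbqT4tOUcd5e0NGNvbYKZ4bj4TnLTUUK4Dg",  # ECDSA
    "SHA256:3rhTMOUpIcLo3tuKTeDsv46m836QlG4G9xu2ojzC8WM",  # ED25519
}

def fingerprint(key_b64):
    """SHA256 fingerprint in OpenSSH notation: unpadded base64 of the digest."""
    digest = hashlib.sha256(base64.b64decode(key_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_host_keys(listing, published=MARVIN_FINGERPRINTS):
    """Map each algorithm in 'host algorithm key' lines to (fingerprint, trusted)."""
    results = {}
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 3 or line.lstrip().startswith("#"):
            continue  # blank line, comment, or not a host key entry
        algorithm, key_b64 = parts[1], parts[2]
        try:
            fp = fingerprint(key_b64)
        except ValueError:
            results[algorithm] = (None, False)  # undecodable key is never trusted
            continue
        results[algorithm] = (fp, fp in published)
    return results

# Constructed sample: placeholder host name and a placeholder (not real) key.
_name = b"ssh-ed25519"
_blob = struct.pack(">I", len(_name)) + _name + struct.pack(">I", 32) + bytes(range(32, 64))
SAMPLE_LISTING = (
    "# constructed sample listing\n"
    "login.example.invalid ssh-ed25519 " + base64.b64encode(_blob).decode() + "\n"
)

if __name__ == "__main__":
    for algorithm, (fp, trusted) in check_host_keys(SAMPLE_LISTING).items():
        print(algorithm, fp, "matches" if trusted else "DOES NOT MATCH")
```

The constructed key does not match any published fingerprint, which is the case where the host key prompt should be declined rather than accepted.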