Skip to main content

SSH Access and Shells

Machine Access

Jean Zay (login nodes)

The connection to the Jean Zay login node is made via ssh from a machine registered at IDRIS:

ssh my_idris_login@jean-zay.idris.fr

then enter your password, if you have not configured an SSH key.

The jean-zay login node offers the following functionalities:

  • interactive connection,
  • compilation for the other nodes of the cluster,
  • preparation, submission and monitoring of jobs.

Jobs requiring computing resources must be executed on the other nodes via the Slurm batch manager (batch submission from the login node).

Fingerprints of the public keys of jean-zay.idris.fr

When you connect to jean-zay.idris.fr, if the fingerprint of the public key displayed by your SSH client is not listed here, we kindly ask you not to confirm the connection and to notify IDRIS support.

Please note that if you are using a proxy machine, this may be the fingerprint of that machine's public key. Be sure to check it.

KeyMD5 FingerprintSHA256 Fingerprint
ECDSA73:15:d8:37:b1:d5:68:66:46:04:cb:6d:5e:e5:cd:7a9iT4Gq/m+YpRWXITfJkCXhhVKJRIpXH1Fn3MkQFm5Ts
RSA9d:7d:85:d3:d2:23:db:35:51:2d:6e:23:ff:4f:fb:32WvwNGuGDjPJOno4ZV4gRovtPPxmZ0bzXsymjazaonmM
ed2551980:0d:ee:f7:15:26:48:55:1e:58:8b:6f:84:96:22:59pIDgjbJzQdOvnKD+63mykz11aS0n7uvJiJjaqY7H6ms

Jean Zay (pre and post-processing)

The interactive connection to the pre and post-processing login node is made via ssh from a machine registered at IDRIS:

ssh my_idris_login@jean-zay-pp.idris.fr

then enter your password, if you have not configured an SSH key.

The pre/post-processing nodes installed at IDRIS are four HPE machines each equipped with 3 TB of memory, dual Intel Cascade Lake 6132 12-core processors and an NVIDIA V100 GPU.

The jean-zay-pp login node offers the following functionalities:

  • interactive connection,
  • compilation,
  • preparation, submission and monitoring of jobs with the Slurm batch manager.

To use the pre and post-processing nodes in batch, you just need to specify the prepost partition in your Slurm submission file, whether it is submitted from the jean-zay or jean-zay-pp login node.

Fingerprints of the public keys of jean-zay-pp.idris.fr

When you connect to jean-zay-pp.idris.fr, if the fingerprint of the public key displayed by your SSH client is not listed here, we kindly ask you not to confirm the connection and to notify IDRIS support.

Please note that if you are using a proxy machine, this may be the fingerprint of that machine's public key. Be sure to check it.

KeyMD5 FingerprintSHA256 Fingerprint
ECDSAdc:eb:0f:05:c3:f7:45:e0:03:b0:93:8f:8f:18:86:f5MHHu1+VX+n0jdM3dM2po1KGnQxeyZHDJR6L/fkt4oY8
RSA54:83:a5:ae:ad:a8:e8:2d:5a:37:c9:f7:1b:16:a8:82Wn8Lonh4iKIM3J5u/GKIbQvGW1ut9QkwhN8nkcQ0308
ed255197b:93:b0:7f:fe:bf:9f:72:97:bb:01:a8:3e:e9:6e:765Buosoh5BNrt3Ovk0Iip889vhny+5WCBJOzXXmLaXok

Jean Zay (compute node)

Only from jean-zay and jean-zay-pp, you can SSH to the compute nodes allocated to one of your jobs to monitor the execution of your computations with tools such as top, htop or nvidia-smi for example.

When one of your jobs is running, the compute nodes allocated to it are visible with the command squeue -j <jobid> or squeue --me:

squeue --meJOBID    PARTITION         NAME       USER  ST     TIME  NODES  NODELIST(REASON)2042259     cpu_p1       my_job   my_login   R    01:42     10   node[1337-1346]

In this example, job n° 2042259 is running on 10 compute nodes named respectively node1337, node1338, ..., node1345 and node1346. You can then connect via ssh to one of the nodes in this list (for example node1337) with the following command:

ssh node1337
note

You will be automatically disconnected from the node when your job ends.

If you try to connect to a node on which none of your jobs are running, you will get the following error:

ssh node1400Access denied by pam_slurm_adopt: you have no active jobs on this node

SSH Key Connection

SSH connections using an SSH key pair (private key / public key) are possible on Jean Zay.

SSH CERTIFICATE

We are considering strengthening our security policy regarding access to the Jean Zay machine. Therefore, we ask you to test, from now on, the use of certificates for your SSH connections instead of the usual SSH key pairs (private key / public key) by following the detailed procedures below.

This change will not affect password connections which will always be possible. During the test phase, connections via classic SSH keys remain possible. The date of the end of support for classic SSH keys will be announced later once all blocking issues are resolved.

Please report any problems you encounter with the use of certificates that are not mentioned in the list of known issues available below.

note

The Jean Zay pre/post-processing nodes do not currently allow authentication via SSH certificates.

SSH Key Connection with Certificate

We detail here the procedures to follow to define your SSH certificates via the IDRIS tool idr_keygen, and how to use them.

known issues

There are known issues that we are trying to resolve:

  • Versions of OpenSSH prior to version 7.8 (released in August 2018) do not support the SSH certificates produced by idr_keygen.
  • Our certificates do not seem to work under macOS.
  • Under Windows, SSH certificates are only supported from version 0.78 of Putty (released in October 2022) and from version 6.1 of WinSCP (released in May 2023).
  • Some diacritical characters (such as é, è, à, ç, ...) cause problems:
    • if your passphrase contains a character of this type, your certificate will not work
    • if your Jean Zay password contains a character of this type, idr_keygen might reject it even if it is correct.

You can define two types of certificates:

  • an "interactive" type certificate (valid for 1 year) allowing all types of connections (interactive or not, in particular via the command ssh) which must be protected by a passphrase,
  • a "transfert-only" type certificate (valid for 7 days) allowing only file transfers (commands scp, sftp, bbcp, bbftp and rsync) but not requiring a passphrase.

The IDRIS command idr_keygen available on Jean Zay, allows you to generate the two types of certificates using the options -t interactive or -t transfert-only (or their long format equivalents --type ...).

The option -o OUTPUT (or the long format --output OUTPUT) allows you to specify a filename (zip format) that will contain the private and public components of the generated certificate.

The syntax of the command is provided by one of the options -h or --help:

idr_keygen --helpusage: idr_keygen [-h] [-t {interactive,transfert-only}] [-o OUTPUT] [-v]
Generates authentication keys for SSH that are signed by a CertificationAuthority. The type of key to be generated is specified with the -t option. Ifinvoked without any arguments, idr_keygen will generate an RSA key for use inSSH protocol 2 interactive connections.
optional arguments: -h, --help show this help message and exit -t {interactive,transfert-only}, --type {interactive,transfert-only} selects SSH certificate type: interactive : for login sessions (ssh) transfert-only : for data transferts (scp, sftp, bbcp, bbftp and rsync) (default: interactive) -o OUTPUT, --output OUTPUT ZIP Downloaded filename and location (default: /path/to/your/home/sshkey.zip) -v, --verbose Increase verbosity output (default: False)

"Interactive" Type Certificate

For your connections via the command ssh, you must generate on Jean Zay, an "interactive" type certificate that you must protect with a passphrase. This certificate has a validity period of 365 days and will therefore need to be renewed once a year. It also authorises non-interactive connections.

For example, to generate an "interactive" type certificate and save it in the file interactive_certif.zip (here in the $HOME of Jean Zay), the command to use is:

idr_keygen -t interactive -o ~/interactive_certif.zipGenerating SSH signed key (type interactive will be used ; use help option -h to know more)
Please enter the certificate s passphrase: Confirm the certificate s passphrase:
Request server to get your SSH certificate Please enter login_idris s password: Success. /path/to/your/home/interactive_certif.zip was successfully downloaded.

This command asks you to enter:

  • a passphrase to protect the certificate
  • and your password on Jean Zay to ensure that it is indeed you performing this operation.

The passphrase will be asked a second time to confirm the first entry.

passphrase definition rules

The passphrase must follow the following rules:

  • It must be at least 20 characters long (no restriction on the type of characters to use).
  • And it must not be composed of words from dictionaries, nor trivial combinations (1234, azerty, ...).

To test an SSH connection from your local machine to Jean Zay via this certificate, you must:

  1. Copy to your local machine (the one from which you want to reach Jean Zay) the certificate in zip format previously generated on Jean Zay:
scp login_idris@jean-zay.idris.fr:~/interactive_certif.zip ./. login_idris@jean-zay.idris.fr s password:interactive_certif.zip                                100% ...
  1. Then unzip it to obtain the private and public components of the certificate which must then be saved in the ~/.ssh folder of your local machine:
unzip ~/interactive_certif.zip -d ~/.sshArchive: /path/to/your/home/interactive_certif.zipinflating: /path/to/your/home/.ssh/id_ecc_ptyinflating: /path/to/your/home/.ssh/id_ecc_pty.pub

Note that, unlike classic SSH keys, it is not necessary to add the public part of the certificate (.pub file) to the ~/.ssh/authorized_keys file of Jean Zay.

disable support for usual SSH keys

If you were already using SSH keys, to ensure that you are really testing an SSH connection to Jean Zay via the generated certificate, you must rename on Jean Zay, the file ~/.ssh/authorized_keys to ~/.ssh/authorized_keys.bk (for example) to disable support for usual SSH keys:

mv ~/.ssh/authorized_keys ~/.ssh/authorized_keys.bk
  1. You can then establish an SSH connection to Jean Zay from your local machine, using the identity corresponding to this certificate (~/.ssh/id_ecc_pty for this example) via the -i option of ssh:
ssh -i ~/.ssh/id_ecc_pty login_idris@jean-zay.idris.frEnter passphrase for key /path/to/your/home/.ssh/id_ecc_pty:...
Remarks
  • With this certificate, you can enable X11 display forwarding (-X option of ssh):
    ssh -X -i ~/.ssh/id_ecc_pty login_idris@jean-zay.idris.frEnter passphrase for key /path/to/your/home/.ssh/id_ecc_pty:...
  • You can add the passphrase protecting the certificate to your ssh-agent on your local machine so that you do not need to provide it every time you use this certificate:
    ssh-add ~/.ssh/id_ecc_ptyEnter passphrase for ~/.ssh/id_ecc_pty:Identity added: ~/.ssh/id_ecc_pty (~/.ssh/id_ecc_pty)
  • It is possible to indicate the certificate to use in your SSH configuration file (~/.ssh/config file on the machine used for the connection):
    Host jean-zay    HostName jean-zay.idris.fr    User login_idris    CertificateFile /path/to/private/part/id_ecc_pty

"Transfert-only" Type Certificate

For your data transfers, you can generate on Jean Zay, a "transfert-only" type certificate. This certificate does not require a passphrase to facilitate non-interactive use. In return, it has a validity period limited to 7 days.

For example, to generate a "transfert-only" type certificate and save it in the file transfert_certif.zip (here in the $HOME of Jean Zay), the command to use is:

idr_keygen -t transfert-only -o ~/transfert_certif.zipGenerating SSH signed key (type transfert-only will be used ; use help option -h to know more)
Request server to get your SSH certificatePlease enter login_idris s password: Success! /path/to/your/home/transfert_certif.zip was successfully downloaded.

This command does not ask you to enter a passphrase since the "transfert-only" type certificate does not require protection. But your password on Jean Zay is requested to ensure that it is indeed you performing this operation.

To make transfers between your local machine and Jean Zay via this certificate, you must:

  1. Copy to your local machine (the one from which you want to reach Jean Zay) the certificate in zip format previously generated on Jean Zay:
scp login_idris@jean-zay.idris.fr:~/transfert_certif.zip .login_idris@jean-zay.idris.fr s password:transfert_certif.zip                                  100% ...
  1. Then unzip it to obtain the private and public components of the certificate which must then be saved in the ~/.ssh folder of your local machine:
unzip ~/transfert_certif.zip -d ~/.sshArchive: /path/to/your/home/transfert_certif.zipinflating: /path/to/your/home/.ssh/id_ecc_rsyncinflating: /path/to/your/home/.ssh/id_ecc_rsync.pub

Note that, unlike classic SSH keys, it is not necessary to add the public part of the certificate (.pub file) to the ~/.ssh/authorized_keys file of Jean Zay.

disable support for usual SSH keys

If you were already using SSH keys, to ensure that you are really testing an SSH connection to Jean Zay via the generated certificate, you must rename on Jean Zay, your file ~/.ssh/authorized_keys to ~/.ssh/authorized_keys.bk to disable support for usual SSH keys:

mv ~/.ssh/authorized_keys ~/.ssh/authorized_keys.bk
  1. You can then perform data exchanges between your local machine and Jean Zay using the identity corresponding to this certificate (~/.ssh/id_ecc_rsync for this example) via the -i option of scp. For example, the following command, executed on your local machine, transfers the file local_data from your local machine to the /path/to/. directory on Jean Zay:
scp -i ~/.ssh/id_ecc_rsync local_data login_idris@jean-zay.idris.fr:/path/to/.local_data                              100% ...

Conversely, the following command, executed on your local machine, transfers the file jean-zay_data from the /path/to directory of Jean Zay to the current directory of your local machine:

scp -i ~/.ssh/id_ecc_rsync login_idris@jean-zay.idris.fr:/path/to/jean-zay_data ./.jean-zay_data                            100% ...

As this type of certificate is not protected by a passphrase, no password is requested during transfers.

Certificate Expiration

Currently, no notification is sent to indicate the expiration of SSH certificates. To find out the expiration date of your certificate, you can run the following command:

# example for the "interactive" type certificate ~/.ssh/id_ecc_pty.pubssh-keygen -Lf ~/.ssh/id_ecc_pty.pub

This will return information in the following format, where you will find the certificate's validity date in the Valid:... line:

id_ecc_pty.pub:        Type:         Public key:         Signing CA:         Key ID:         Serial:         Valid:  from 2023-05-31T10:12:10 to 2024-05-30T10:12:40        Principals:         Critical Options: (none)        Extensions: 

Managing Your Environment

Your $HOME is common to all Jean Zay login nodes. Therefore, each modification of your personal environment files automatically applies to all machines.

What shells are available on IDRIS machines?

The Bourne Again shell (bash) is the only command interpreter supported as a login shell on IDRIS machines: IDRIS does not guarantee that the default user environment is correctly defined with other shells. The bash is a major evolution of the Bourne shell (old sh) with advanced features. However, other interpreters (ksh, tcsh, csh) are also installed on the machines to allow the execution of scripts using these shells.

What are the environment files invoked when launching a bash login session?

The .bash_profile file, if it exists in your $HOME, is executed at login only once during a session. Otherwise, the .profile file is executed, if it exists. This is where you place the environment variables, the programs to be launched at connection.

It is preferable to use only one environment file: the .bash_profile or .profile.

The definition of aliases, personal functions and the loading of modules should be placed in the .bashrc file, which is executed at the launch of each sub-shell.

stay on the right path

Overwriting the PATH variable always leads to catastrophes, which is why it is always advisable to keep the PATH provided by the machine. If you wish to add a search directory for the execution of local commands in all your future sessions, you must add the following line to your .bash_profile or .profile:

export PATH=$PATH:directory_to_add

How to have a user-friendly environment in bash?

Depending on the type of editor you prefer, the bash offers two editing modes using the set command:

set -o emacs # to be in emacs modeset -o vi    # to be in vi mode