⚠ INFORMATION
This page was translated by an AI (LLM) with a cursory human check and is awaiting full review.

SSH Access and Shells

Machine Access

Jean Zay (login nodes)

The connection to the Jean Zay login node is made via ssh from a machine registered at IDRIS:

ssh my_idris_login@jean-zay.idris.fr

then enter your password, if you have not configured an SSH key.

The jean-zay login node offers the following functionalities:

  • interactive connection,
  • compilation for the other nodes of the cluster,
  • preparation, submission and monitoring of jobs.

Jobs requiring computing resources must be executed on the other nodes via the Slurm batch manager (batch submission from the login node).

Fingerprints of the public keys of the jean-zay.idris.fr login node

Important

When you connect to an IDRIS server, if the fingerprint of the public key displayed by your SSH client is not listed here, we kindly ask you not to confirm the connection and to notify IDRIS support at gestutil@idris.fr.

Key      MD5 Fingerprint                                  SHA256 Fingerprint
ECDSA    f8:27:e1:eb:94:ef:bc:ec:5d:aa:93:a8:fe:83:38:31  vJ+SJBxXvPqnPd3/clChlrHI59a06vZxsxUHrA2jZ+k
RSA      93:9a:ca:9b:bc:fe:45:4d:43:b7:43:7d:82:17:0e:2a  6O6XttLDI8IUJvQpKHnnqHah8K+KX37RZfblwnixD90
ed25519  15:f6:d5:68:9d:de:76:de:65:5a:4f:17:a6:2a:ee:25  wzxZCto8/HTeYXVmBEQech4gbLcQLNMflJ/BR6+rNuU
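
One way to make the comparison described above mechanical before a first connection, as an added example that is not IDRIS tooling. The function name and the sample lines are constructed for illustration; the SHA256 values are the ones published above for jean-zay.idris.fr.

```bash
#!/usr/bin/env bash
# SHA256 fingerprints published on this page for jean-zay.idris.fr
# (jean-zay-pp.idris.fr has its own list and is not covered here).
PUBLISHED_FPS='
SHA256:vJ+SJBxXvPqnPd3/clChlrHI59a06vZxsxUHrA2jZ+k
SHA256:6O6XttLDI8IUJvQpKHnnqHah8K+KX37RZfblwnixD90
SHA256:wzxZCto8/HTeYXVmBEQech4gbLcQLNMflJ/BR6+rNuU
'

# check_host_fingerprints (hypothetical helper name)
# Reads `ssh-keygen -lf` output on stdin: "<bits> SHA256:<fp> <host> (<type>)".
# Returns 0 only if at least one key was read and every key is in the list,
# so an empty or filtered scan fails closed instead of passing silently.
check_host_fingerprints() {
    local bits fp rest seen bad
    seen=0
    bad=0
    while read -r bits fp rest; do
        [ -n "$fp" ] || continue
        seen=$((seen + 1))
        if printf '%s\n' "$PUBLISHED_FPS" | grep -Fxq -- "$fp"; then
            echo "OK       $fp $rest"
        else
            echo "UNLISTED $fp $rest" >&2
            bad=$((bad + 1))
        fi
    done
    [ "$seen" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Real use (needs network). The scan result is unauthenticated on its own;
# the comparison with the published list is what gives it value:
#   ssh-keyscan jean-zay.idris.fr 2>/dev/null | ssh-keygen -lf - | check_host_fingerprints

# Constructed sample input in `ssh-keygen -l` format. The bit sizes and the
# all-"A" fingerprint are made up for the demonstration.
SAMPLE_GOOD='256 SHA256:vJ+SJBxXvPqnPd3/clChlrHI59a06vZxsxUHrA2jZ+k jean-zay.idris.fr (ECDSA)
256 SHA256:wzxZCto8/HTeYXVmBEQech4gbLcQLNMflJ/BR6+rNuU jean-zay.idris.fr (ED25519)'
SAMPLE_BAD='256 SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA jean-zay.idris.fr (ED25519)'
```

A non-zero return means the connection should not be confirmed and IDRIS support should be notified, as requested above.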

Jean Zay (pre and post-processing)

The interactive connection to the pre and post-processing login node is made via ssh from a machine registered at IDRIS:

ssh my_idris_login@jean-zay-pp.idris.fr

then enter your password, if you have not configured an SSH key.

The pre/post-processing platform at IDRIS consists of four HPE machines, each equipped with 3 TB of memory, dual Intel Cascade Lake 6132 12-core processors and an Nvidia V100 GPU.

The jean-zay-pp login node offers the following functionalities:

  • interactive connection,
  • compilation,
  • preparation, submission and monitoring of jobs with the Slurm batch manager.

To use the pre and post-processing nodes in batch mode, specify the prepost partition in your Slurm submission file, whether you submit from jean-zay or jean-zay-pp.

Fingerprints of the public keys of the jean-zay-pp.idris.fr login node

Important

When you connect to an IDRIS server, if the fingerprint of the public key displayed by your SSH client is not listed here, we kindly ask you not to confirm the connection and to notify IDRIS support at gestutil@idris.fr.

Key      MD5 Fingerprint                                  SHA256 Fingerprint
ECDSA    e7:db:94:b2:cd:6c:11:88:b4:b6:5f:11:e0:aa:8b:31  QwXaS3z24cG2F1G0wxM62WrZgggBixyZGWmEu6mU/us
RSA      ae:4b:1b:fc:ca:1c:92:e3:44:cc:3e:25:09:78:6b:6f  ELupfP1g7EyAUEGr4shULwu2VxZrzdgcmEZbyWu/P5k
ed25519  dc:d8:01:1c:cd:4b:0c:1a:9d:80:23:51:02:a0:c1:c7  SyFLswODdPz7w2AOaIiYZwdmlUePEFA9Sx73K/fls5c

Jean Zay (compute node)

You can SSH to the compute nodes allocated to one of your jobs, but only from jean-zay and jean-zay-pp, to monitor the execution of your computations with tools such as top, htop or nvidia-smi.

When one of your jobs is running, the compute nodes allocated to it are visible with the command squeue -j <job_number> or squeue -u $USER:

squeue -u $USER
  JOBID  PARTITION    NAME      USER  ST   TIME  NODES  NODELIST(REASON)
2042259     cpu_p1  my_job  my_login   R  01:42     10  node[1337-1346]

In this example, job no. 2042259 is running on 10 compute nodes named node1337, node1338, ..., node1345 and node1346. You can then connect via ssh to one of the nodes in this list (for example node1337) with the following command:

ssh node1337

note

You will be automatically disconnected from the node when your job ends.

If you try to connect to a node on which none of your jobs are running, you will get the following error:

ssh node1400
Access denied by pam_slurm_adopt: you have no active jobs on this node

SSH key connection

SSH connections using an SSH key pair (private key / public key) are possible on Jean Zay.

caution

We are considering strengthening our security policy regarding access to the Jean Zay machine. Therefore, we ask you to test, from now on, the use of certificates for your SSH connections instead of the usual SSH key pairs (private key / public key) by following the detailed procedures below.

SSH key connection with certificate

In order to strengthen the security of access to Jean Zay, we ask you to test the use of certificates for your SSH connections instead of the usual SSH key pairs (private key / public key).

This change will not affect password connections, which will always be possible. During the test phase, connections via classic SSH keys remain possible. The end-of-support date for classic SSH keys will be announced later, once all blocking issues are resolved.

Please report any problems you encounter with the use of certificates that are not mentioned in the list of known issues available below.

note

The Jean Zay pre/post-processing nodes do not currently allow authentication via SSH certificates.

The procedures below describe how to generate your certificates with the IDRIS tool idr_keygen and how to set them up for use.

Note that you can define two types of certificates:

  • one (valid for 1 year) allowing all types of connections (interactive or not, in particular via the command ssh) which must be protected by a passphrase,
  • the other (valid for 7 days) allowing only file transfers (commands scp, sftp, bbcp, bbftp and rsync) but not requiring a passphrase.

caution

There are known issues that we are trying to resolve:

  • Versions of OpenSSH prior to version 7.8 (released in August 2018) do not support the SSH certificates produced by idr_keygen.
  • Our certificates do not seem to work under macOS.
  • Under Windows, SSH certificates are only supported from version 0.78 of PuTTY (released in October 2022) and will only be supported from version 6 of WinSCP (not yet released).
  • Some diacritical characters (such as é, è, à, ç, ...) cause problems:
    • if your passphrase contains a character of this type, your certificate will not work;
    • if your Jean Zay password contains a character of this type, idr_keygen might reject it even if it is correct.

The idr_keygen tool

The IDRIS command idr_keygen, available on Jean Zay, generates the two types of certificates with the options -t interactive or -t transfert-only (or their long-format equivalents --type ...), depending on the desired certificate type. The option -o OUTPUT (or the long format --output OUTPUT) specifies the name of the file (zip format) that will contain the private and public components of the generated certificate. The syntax of the command is displayed with either of the options -h or --help:

idr_keygen --help
usage: idr_keygen [-h] [-t {interactive,transfert-only}] [-o OUTPUT] [-v]

Generates authentication keys for SSH that are signed by a Certification
Authority. The type of key to be generated is specified with the -t option. If
invoked without any arguments, idr_keygen will generate an RSA key for use in
SSH protocol 2 interactive connections.

optional arguments:
  -h, --help            show this help message and exit
  -t {interactive,transfert-only}, --type {interactive,transfert-only}
                        selects SSH certificate type:
                        interactive : for login sessions (ssh)
                        transfert-only : for data transferts (scp, sftp, bbcp, bbftp and rsync)
                        (default: interactive)
  -o OUTPUT, --output OUTPUT
                        ZIP Downloaded filename and location
                        (default: /path/to/your/home/sshkey.zip)
  -v, --verbose         Increase verbosity output (default: False)

"Interactive" type certificate

For your connections via the ssh command, you must generate an interactive type certificate on Jean Zay and protect it with a passphrase. This certificate has a validity period of 365 days and will therefore need to be renewed once a year. It also authorises non-interactive connections.

For example, to generate an interactive type certificate and save it in the file interactive_certif.zip (here in the $HOME of Jean Zay), the command to use is:

idr_keygen -t interactive -o ~/interactive_certif.zip
Generating SSH signed key (type interactive will be used ; use help option -h to know more)

Please enter the certificate's passphrase:
Confirm the certificate's passphrase:

Request server to get your SSH certificate
Please enter login_idris's password:
Success. /path/to/your/home/interactive_certif.zip was successfully downloaded.

note

This command asks you to enter:

  • a passphrase to protect the certificate
  • and your password on Jean Zay to ensure that it is indeed you performing this operation.

warning

The passphrase must be entered a second time to confirm the first entry and must comply with the following rules:

  • It must be at least 20 characters long (no restriction on the type of characters to use).
  • And it must not be composed of words from dictionaries, nor trivial combinations (1234, azerty, ...).

To test an SSH connection from your local machine to Jean Zay via this certificate, you must:

  1. Copy to your local machine (the one from which you want to reach Jean Zay) the certificate in zip format previously generated on Jean Zay:

    scp login_idris@jean-zay.idris.fr:~/interactive_certif.zip ./.
    login_idris@jean-zay.idris.fr's password:
    interactive_certif.zip                                100% ...

  2. Then unzip it to obtain the private and public components of the certificate, which must then be saved in the ~/.ssh directory of your local machine:

    unzip ~/interactive_certif.zip -d ~/.ssh
    Archive: /path/to/your/home/interactive_certif.zip
    inflating: /path/to/your/home/.ssh/id_ecc_pty
    inflating: /path/to/your/home/.ssh/id_ecc_pty.pub

Note that, unlike classic SSH keys, it is not necessary to add the public part of the certificate (.pub file) to the ~/.ssh/authorized_keys file of Jean Zay.

Important

If you were already using SSH keys, to ensure that you are really testing an SSH connection to Jean Zay via the generated certificate, you must rename your ~/.ssh/authorized_keys file on Jean Zay to ~/.ssh/authorized_keys.bk (for example) to disable support for classic SSH keys:

mv ~/.ssh/authorized_keys ~/.ssh/authorized_keys.bk

  3. From your local machine, you can then establish an ssh connection to Jean Zay using the identity corresponding to this certificate (~/.ssh/id_ecc_pty in this example) via the -i option of ssh:

    ssh -i ~/.ssh/id_ecc_pty login_idris@jean-zay.idris.fr
    Enter passphrase for key /path/to/your/home/.ssh/id_ecc_pty:
    ...

Remarks

  • With this certificate, you can enable X11 display forwarding (-X option of ssh):

    ssh -X -i ~/.ssh/id_ecc_pty login_idris@jean-zay.idris.fr
    Enter passphrase for key /path/to/your/home/.ssh/id_ecc_pty:
    ...

  • If you do not use the ssh-agent on your local machine, the passphrase protecting the certificate is requested. You can add the certificate to the ssh-agent on your local machine so that you do not need to provide the passphrase every time you use it:

    ssh-add ~/.ssh/id_ecc_pty
    Enter passphrase for ~/.ssh/id_ecc_pty:
    Identity added: ~/.ssh/id_ecc_pty (~/.ssh/id_ecc_pty)

  • It is possible to indicate the certificate to use in your SSH configuration file (~/.ssh/config file on the machine used for the connection):

    Host jean-zay
        HostName jean-zay.idris.fr
        User login_idris
        CertificateFile /path/to/private/part/id_ecc_pty

"Transfert-only" type certificate

For your data transfers, you can generate a transfert-only type certificate on Jean Zay. To facilitate non-interactive use, this certificate does not require a passphrase. In return, its validity period is limited to 7 days.

For example, to generate a transfert-only type certificate and save it in the file transfert_certif.zip (here in the $HOME of Jean Zay), the command to use is:

idr_keygen -t transfert-only -o ~/transfert_certif.zip
Generating SSH signed key (type transfert-only will be used ; use help option -h to know more)

Request server to get your SSH certificate
Please enter login_idris's password:
Success! /path/to/your/home/transfert_certif.zip was successfully downloaded.

note

This command does not ask you to enter a passphrase since the transfert-only type certificate does not require protection. But your password on Jean Zay is requested to ensure that it is indeed you performing this operation.

To make transfers between your local machine and Jean Zay via this certificate, you must:

  1. Copy to your local machine (the one from which you want to reach Jean Zay) the certificate in zip format previously generated on Jean Zay:

    scp login_idris@jean-zay.idris.fr:~/transfert_certif.zip .
    login_idris@jean-zay.idris.fr's password:
    transfert_certif.zip                                  100% ...

  2. Then unzip it to obtain the private and public components of the certificate, which must then be saved in the ~/.ssh directory of your local machine:

    unzip ~/transfert_certif.zip -d ~/.ssh
    Archive: /path/to/your/home/transfert_certif.zip
    inflating: /path/to/your/home/.ssh/id_ecc_rsync
    inflating: /path/to/your/home/.ssh/id_ecc_rsync.pub

Note that, unlike classic SSH keys, it is not necessary to add the public part of the certificate (.pub file) to the ~/.ssh/authorized_keys file of Jean Zay.

Important

If you were already using SSH keys, to ensure that you are really testing an SSH connection to Jean Zay via the generated certificate, you must rename your ~/.ssh/authorized_keys file on Jean Zay to ~/.ssh/authorized_keys.bk to disable support for classic SSH keys:

mv ~/.ssh/authorized_keys ~/.ssh/authorized_keys.bk

  3. You can then exchange data between your local machine and Jean Zay using the identity corresponding to this certificate (~/.ssh/id_ecc_rsync in this example) via the -i option of scp. For example, the following command, executed on your local machine, transfers the file local_data from your local machine to the /path/to directory on Jean Zay:

    scp -i ~/.ssh/id_ecc_rsync local_data login_idris@jean-zay.idris.fr:/path/to/.
    local_data                              100% ...

Conversely, the following command, executed on your local machine, transfers the file idris_data from the /path/to directory of Jean Zay to the current directory of your local machine:

    scp -i ~/.ssh/id_ecc_rsync login_idris@jean-zay.idris.fr:/path/to/idris_data ./.
    idris_data                              100% ...

As this type of certificate is not protected by a passphrase, no password is requested during transfers.

Certificate expiration

Currently, no notification is sent to indicate the expiration of SSH certificates. To find out the expiration date of your certificate, you can run the following command:

# example for the "interactive" type certificate ~/.ssh/id_ecc_pty.pub
ssh-keygen -Lf ~/.ssh/id_ecc_pty.pub

This returns information in the following format, where the certificate's validity period is given in the Valid: line:

id_ecc_pty.pub:
        Type:
        Public key:
        Signing CA:
        Key ID:
        Serial:
        Valid:  from 2023-05-31T10:12:10 to 2024-05-30T10:12:40
        Principals:
        Critical Options: (none)
        Extensions:
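
Since no expiration notice is sent and the transfert-only certificate lasts only 7 days, the Valid: line can be checked from a script. This is an added example, not part of idr_keygen or IDRIS tooling; the function names and the sample listing are constructed, and it assumes a `date` that accepts `-d` (GNU date).

```bash
#!/usr/bin/env bash
# cert_seconds_left LISTING [NOW]   (hypothetical helper names)
#   LISTING: text printed by `ssh-keygen -Lf <certificate>.pub`
#   NOW:     "YYYY-MM-DD HH:MM:SS", defaults to the current local time
# Prints the seconds until the "to" timestamp of the Valid: line (negative once
# expired). Returns 2 when there is no "Valid: from ... to ..." line, for
# example "Valid: forever". ssh-keygen prints local time and `date -d` parses
# local time, so both sides of the subtraction use the same clock.
cert_seconds_left() {
    local end end_s now now_s
    end=$(printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Valid:[[:space:]]*from [^ ]* to \([^ ]*\).*/\1/p' |
        head -n 1)
    [ -n "$end" ] || return 2
    now=${2:-$(date '+%Y-%m-%d %H:%M:%S')}
    end_s=$(date -d "$(printf '%s' "$end" | tr T ' ')" +%s) || return 2
    now_s=$(date -d "$now" +%s) || return 2
    echo $((end_s - now_s))
}

# cert_status LISTING WARN_DAYS [NOW]
# Prints "OK (N days left)" and returns 0, or prints "RENEW SOON (N days left)"
# or "EXPIRED" and returns 1, or prints "UNKNOWN" and returns 2.
cert_status() {
    local secs
    secs=$(cert_seconds_left "$1" "$3") || { echo "UNKNOWN"; return 2; }
    if [ "$secs" -le 0 ]; then
        echo "EXPIRED"
        return 1
    elif [ "$secs" -lt $(($2 * 86400)) ]; then
        echo "RENEW SOON ($((secs / 86400)) days left)"
        return 1
    fi
    echo "OK ($((secs / 86400)) days left)"
}

# Real use, e.g. from cron, warning 2 days ahead for the 7-day certificate:
#   cert_status "$(ssh-keygen -Lf ~/.ssh/id_ecc_rsync.pub)" 2

# Constructed sample listing using the validity dates shown above.
SAMPLE_LISTING='id_ecc_pty.pub:
        Serial:
        Valid: from 2023-05-31T10:12:10 to 2024-05-30T10:12:40
        Critical Options: (none)'
```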

Managing Your Environment

Your $HOME is common to all Jean Zay login nodes. Therefore, each modification of your personal environment files automatically applies to all machines.

What shells are available on IDRIS machines?

The Bourne Again shell (bash) is the only command interpreter supported as a login shell on IDRIS machines: IDRIS does not guarantee that the default user environment is correctly defined with other shells. Bash is a major evolution of the Bourne shell (the old sh) with advanced features. However, other interpreters (ksh, tcsh, csh) are also installed on the machines to allow the execution of scripts using these shells.

What are the environment files invoked when launching a bash login session?

The .bash_profile file, if it exists in your $HOME, is executed only once per session, at login. Otherwise, the .profile file is executed, if it exists. This is where you place environment variables and the programs to be launched at login.

The definition of aliases, personal functions and the loading of modules should be placed in the .bashrc file, which is executed at the launch of each sub-shell.

It is preferable to use only one environment file: the .bash_profile or .profile.

Attention

Overwriting the PATH variable always leads to disaster, which is why it is always advisable to keep the PATH provided by the machine. If you wish to add a search directory for the execution of local commands in all your future sessions, add the following line to your .bash_profile or .profile:

export PATH=$PATH:directory_to_add

How to have a user-friendly environment in bash?

Depending on the editor you prefer, bash offers two editing modes, selected with the set command:

set -o emacs # to be in emacs mode
set -o vi    # to be in vi mode
