If you set up working environments to run the Salish Sea NEMO model on salish or on a Westgrid cluster, or need to access model results files from a Westgrid cluster, you should set up ssh-agent forwarding to minimize the need to repeatedly type your ssh key pass phrase and to minimize the number of machines on which your private key is stored.
ssh keys work as a pair: a public key that is stored on the remote machines, and a private key that is stored on the local machine you log into first. Your private key is usually protected by a long passphrase that you only have to enter once per login session on the local machine. After that, an ssh-agent program on the local machine uses the private key to exchange encrypted authentication information with the remote machines.
The public key needs to be stored on every machine that you want to ssh into. Because your home directory is shared across all of the Waterhole machines (and salish, and skookum) you only need to put your public key on any one of those machines. On WestGrid and ComputeCanada you need to put your public key on each machine that you use (cedar, graham, orcinus, etc.). The sections below include instructions for how to store your public key on various machines.
ssh-agent Forwarding for salish
To set up agent forwarding for salish, create a $HOME/.ssh/config file on your Waterhole machine containing the following (or append the following if $HOME/.ssh/config already exists):
    Host salish
        Hostname salish.eos.ubc.ca
        User userid
        ForwardAgent yes
where userid is your EOAS user id.
The first two lines establish salish as a short alias for salish.eos.ubc.ca so that you can just type ssh salish.
The third line sets the user id to use on the remote system, which is convenient if it differs from your EOAS user id.
The last line enables agent forwarding so that authentication requests received on the remote system are passed back to your Waterhole machine for handling. That means that connections to Bitbucket (for instance) in your session on salish will be authenticated by your Waterhole machine. So, after you type your ssh key pass phrase into your Waterhole machine once, you should not have to type it again until you log off and log in again.
The other thing that is required for agent forwarding to work is that your ssh public key be stored in the $HOME/.ssh/authorized_keys file on the remote system.
Thanks to shared storage between the Waterhole machines and salish that is really easy to do:
    cd $HOME/.ssh
    cat id_rsa.pub >> authorized_keys
ssh-agent Forwarding for Westgrid and ComputeCanada Clusters
To set up agent forwarding for a Westgrid or ComputeCanada machine, append the appropriate block below to the $HOME/.ssh/config file on your Waterhole machine:
    Host cedar
        Hostname cedar.computecanada.ca
        User userid
        ForwardAgent yes

    Host graham
        Hostname graham.computecanada.ca
        User userid
        ForwardAgent yes

    Host orcinus
        Hostname orcinus.westgrid.ca
        User userid
        ForwardAgent yes
where userid is your Westgrid or ComputeCanada user id.
If you do not have a Westgrid or ComputeCanada account follow the instructions here to make one: Create a WestGrid Account.
Install your ssh public key on the remote machine; cedar, for example:
ssh-copy-id -i $HOME/.ssh/id_rsa cedar
You will be prompted for your Westgrid or ComputeCanada password. After the key has been installed you should be able to use ssh, scp, and sftp to connect to the remote machine without having to type your password. Likewise, Mercurial commands on the remote machine should not require you to type your ssh key pass phrase.
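Because ForwardAgent yes lets a remote session pass authentication requests back to your local agent, it is worth confirming that forwarding is enabled only for the named hosts configured above. The following is an added example, not part of the original instructions: a shell function that lists the host patterns in an ssh client config that enable agent forwarding and marks wildcard patterns. The function names and the sample config (including the backup and *.example.org entries) are constructed for illustration.

```shell
# Added example: print "<pattern> ok" or "<pattern> wildcard" for every Host
# pattern in an ssh client config ($1) whose block sets ForwardAgent yes.
forward_agent_hosts() {
    awk '
    function flush(   i) {
        if (fa == "yes")
            for (i = 1; i <= n; i++)
                print pat[i], (pat[i] ~ /[*?]/ ? "wildcard" : "ok")
        n = 0; fa = ""
    }
    # Options before the first Host line apply to every host, so report as "*".
    BEGIN { pat[1] = "*"; n = 1 }
    /^[ \t]*#/ { next }                       # comment line
    /^[ \t]*$/ { next }                       # blank line
    {
        line = $0
        sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
        sub(/[ \t]*=[ \t]*/, " ", line)       # accept "Key=value" form
        k = split(line, f, /[ \t]+/)
        key = tolower(f[1])                   # keywords are case-insensitive
        if (key == "host" || key == "match") {
            flush()                           # Match blocks are skipped, not evaluated
            if (key == "host") for (j = 2; j <= k; j++) pat[++n] = f[j]
        } else if (key == "forwardagent" && fa == "") {
            fa = tolower(f[2])                # first value wins within a block
        }
    }
    END { flush() }
    ' "$1"
}
# Constructed sample config: two blocks in the style shown above plus two
# hypothetical entries (backup, *.example.org).
write_sample_config() {
    cat <<'EOF'
Host salish
    Hostname salish.eos.ubc.ca
    User userid
    ForwardAgent yes
Host cedar graham
    forwardagent=yes
Host backup
    ForwardAgent no
Host *.example.org
    ForwardAgent yes
EOF
}
cfg=$(mktemp) && write_sample_config > "$cfg"
forward_agent_hosts "$cfg"; rm -f "$cfg"
```

To audit your own setup, run forward_agent_hosts "$HOME/.ssh/config" and check that every reported pattern is a machine you intend to forward your agent to.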