FAQ

How do I configure password-less access to the Online cluster (Linux)

First login to machine from which you want to have password-less access. There create a ssh public/private key pair if you do not already have one. On lxplus for example

lxplus218> /afs/cern.ch/user/n/neufeld > ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/afs/cern.ch/user/n/neufeld/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /afs/cern.ch/user/n/neufeld/.ssh/id_rsa.
Your public key has been saved in /afs/cern.ch/user/n/neufeld/.ssh/id_rsa.pub.
The key fingerprint is:
8d:c9:7e:ad:0a:2e:22:97:2f:70:d3:41:5e:1c:70:46 neufeld@lxplus218.cern.ch
Copy the public key (~/.ssh/id_rsa.pub) to your Online home directory

lxplus218> scp ~/.ssh/id_rsa.pub USERNAME@lbgw.cern.ch:~
Add the PUBLIC key you copied in in your ~/.ssh/authorized_keys file with the following command (after having logged into lbgw):

gw02>cat ~/id_rsa.pub >> ~/.ssh/authorized_keys

Check access permissions to ~/.ssh and $HOME, they shouldn't be more "open" that drwxr-xr-x:

gw02>chmod og-w $HOME .ssh .ssh/*

In case of Online cluster your ssh client should connect to remote machine using ssh protocol v2:

   ssh -2 username@lbgw
If you have access to /etc/ssh/ssh_config, you can set attribute "Protocol" to "2,1". In this case you should'n use -2 flag in command line.

How do I run a X application through sudo

Sometimes, you want to run a X application in which a root priviledge is needed. Normally, you will be refused, and get something like :

[xxx] /home/xxxxx > sudo ethereal
ssh(27183) X11 connection rejected because of wrong authentication.
The application 'ethereal' lost its connection to the display localhost:10.0;
most likely the X server was shut down or you killed/destroyed
the application.
This is because the original X-forward tunnel is authenticated for user, and not root. In order to pick up the existing X11 connections, we've installed the gksu package so to sudo an Xwindow application, you now need to do something like this:
[xxx] /home/xxxxx > gksudo ethereal

I receive a 'WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED'
error message when I try to ssh to some host

The complete error message is something like that :

[hlte08] /home/online/pvss_projects > ssh online@hlte0801
ssh(13769) @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
ssh(13769) @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
ssh(13769) @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
ssh(13769) IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
ssh(13769) Someone could be eavesdropping on you right now (man-in-the-middle attack)!
ssh(13769) It is also possible that the RSA1 host key has just been changed.
ssh(13769) The fingerprint for the RSA1 key sent by the remote host is
59:34:89:e3:e7:49:31:c0:cc:69:d7:fd:5d:d9:cf:3f.
ssh(13769) Please contact your system administrator.
ssh(13769) Add correct host key in /home/online/.ssh/known_hosts to get rid of this message.
ssh(13769) Offending key in /home/online/.ssh/known_hosts:21
ssh(13769) RSA1 host key for hlte0801 has changed and you have requested strict checking.
ssh(13769) Host key verification failed.

It mostly says that the ssh keys for that host changed. When you connect to a computer, ssh asks the computer its host key. If your actual ~/.ssh/known_hosts file has no key for that host, ssh will ask you if you want the host key to be added to the file. If there is already a key for that host, ssh will compare that key with the one it gets from the host and complain if they're different.
The most frequent reason for that is a computer reinstallation as new keys are generated then.

The solution

The easyest solution when you receive that message is to stop the ssh command, run the command ssh-keygen -R , one time with the hostname as parameter, and a second time with the IP address as parameter, then run again the ssh command. For the previous example, it is :

[hlte08] /home/online/pvss_projects > ssh-keygen -R hlte0801
[hlte08] /home/online/pvss_projects > ssh-keygen -R 10.130.152.1

Enjoy it:)

-- NikoNeufeld - 18 May 2007 -- SashaMazurov - 24 May 2007 (new lines about ssh v2 protocol and -2 flag)

Edit | Attach | Watch | Print version | History: r6 < r5 < r4 < r3 < r2 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r6 - 2007-08-01 - LoicBrarda
 
    • Cern Search Icon Cern Search
    • TWiki Search Icon TWiki Search
    • Google Search Icon Google Search

    LHCb All webs login

This site is powered by the TWiki collaboration platform Powered by PerlCopyright & 2008-2019 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback