Access

Prerequisites

Access to JUDAC is granted automatically to members of any compute time project or data project. New projects are created by going through an application process that depends on the targeted system, or you can join existing projects through JuDoor.

SSH Login

This section describes the login procedure using the Secure Shell Protocal (SSH). Alternative methods are available and documented elsewhere, see Alternative Login Methods.

SSH is an open protocol, that allows users to log in to a remote server system from a local client system. There are free programs for the most common operating systems that implement the SSH protocol. Details are discussed for both OpenSSH (GNU/Linux, macOS, etc.) and PuTTY (Microsoft Windows).

Restrictions

Due to security concerns, several restrictions have been placed on what SSH login credentials are allowed and which set of features can be used:

  • You cannot log in using username/password credentials. Instead, password free login based on public key cryptography is required.

  • Your private key has to be stored in a file that is encrypted using a secure passphrase.

  • When uploading a public key to our systems, you also have to declare a set of hosts or subnets which you want to log in from.

  • Modifications to the list of authorized keys may only be performed via JuDoor. Please note that suspicious accounts will be suspended.

  • Your home directory on JUDAC cannot be open to write access for other users or groups, otherwise SSH access will be blocked.

  • Too many accesses within a short amount of time will be interpreted as an intrusion and will lead to automatically disabling the originating system at the FZJ firewall.

  • As of May 2020, storage of any private keys on the storage resources at JSC are prohibited, with limited exceptions. Please contact the support team at sc@fz-juelich.de concerning the use of codes requiring system-internal SSH access.

  • Agent-forwarding is turned off server-side on all systems at JSC.

  • See the dedicated section on using Git under these restrictions

OpenSSH

OpenSSH is a popular and freely available SSH client (and server) for UNIX-like operating systems such as GNU/Linux and macOS.

Installation

OpenSSH comes pre-installed on macOS. It is also contained in the package repository of many GNU/Linux distributions, e.g. openssh-client on Debian, Ubuntu, etc. or openssh-clients on Fedora, Centos, etc. As a last resort, the OpenSSH source code can be downloaded from the OpenSSH web site.

Key Generation

At JSC, we do not allow logging into our systems solely with a password; rather, we require key-based authentication.

It is important to generate secure key pairs. The current best key type is called Ed25519. Generate a key of this type with the following line

$ ssh-keygen -a 100 -t ed25519 -f ~/.ssh/id_ed25519

The options specify the type of the key (-t), the number of key derivation function rounds (-a), and the location to place the key (-f), which is selected to be the default. Optionally, one can give a comment to the key with -C to help distinguish multiple keys.

Note

If the file ~/.ssh/id_ed25519 already exists, ssh-keygen will ask before overwriting it. You probably do not want to overwrite the file as you might already be using it as credentials for another system. Instead, use a different file name, e.g. ~/.ssh/id_ed25519_jsc and remember to use the same file name on all subsequent command lines in this document.

Afterwards, ssh-keygen will ask for a passphrase. It is imperative to provide a strong passphrase at this point, i.e. one that cannot easily be guessed or found by brute force. It needs to be entered in the future to unlock your private key. You might want to use a password manager to save your key and ease the use of complicated passphrases.

Note

It is not allowed to store private keys which you use to log in to systems at JSC without protecting them by a passphrase!

Keep the private part (i.e., ~/.ssh/id_ed25519) of the key-pair safe, confidential, and on your local host only. The generated public key (in the example above ~/.ssh/id_ed25519.pub) needs to be uploaded to the HPC systems via JuDoor.

Key Upload, Key Restriction

Public keys are uploaded to Jülich HPC systems via the user portal JuDoor (https://judoor.fz-juelich.de/) for each system separately. Once uploaded, the key will be available on the system within 15 minutes.

Uploaded public keys need to be additionally restricted to allow access only from certain connection sources. This is an additional security measure to prevent access from unknown computers. Restriction is solved via the from clause in SSH.

The from clause is added before the public key during upload in the format

from="127.0.0.1" ssh-ed25519 AAAAC3N….

In this case, the SSH daemon on JUDAC would only allow connections to the system using the key in question if the connection originates from 127.0.0.1. Please note that 127.0.0.1 is solely provided as an example and will never be a useful from clause.

The content of the from clause, the 127.0.0.1 in the example above, is a comma-separated list of IPs or hostnames, which can also include partial patterns. If one of the patterns match, access to the system is granted. The following options for patterns are possible:

  • A literal IP address, like 134.94.7.247 (note: the HPC systems can only be reached via IPv4)

  • A literal hostname, like host.example.com

  • An IP or hostname with wildcard operators, like *.example.com

  • An IP range in CIDR notation, like 134.94.0.0/16

An example of a combination of the patterns:

from="127.0.0.1,134.94.0.0/16,*.fz-juelich.de" ssh-ed25519 AAAAC3N…

It would allow a specific IP address (127.0.0.1, the local host), would allow the whole FZJ subnet (134.94.0.0 to 134.94.255.255), and additionally allow connections from hostnames ending on .fz-juelich.de.

Warning

Patterns with the wildcard operator * in the last position (such as hostname.* or 134.94.*.*) are not recommended. By allowing an arbitrary suffix, patterns of this form make it easy for an attacker to create a reverse DNS entry that matches (e.g. hostname.attacker.com or 134.94.attacker.com).

Please restrict your from clause as much as possible. It strongly increases the security of your account and with that the security of the whole system. Here are some hints and thoughts about choosing a good set of from patterns:

  • Add the subnet of your academic institution! Even if you are not on-site and might work from somewhere else, you probably have a VPN which can connect you into the network of the institution. You can then use that to connect to our system.

  • Do you have a static IP address at home? Add it as well!

  • If you do not have access to a narrow set of static IP addresses, either at your place of work or at home, as a last resort you can add temporarily a pattern for the IP address range of your internet provider: 1) Get your IP, it is printed during the SSH key upload in JuDoor – or search online for “what is my IP”; 2) Look up the hostname associated to your IP address; call nslookup <your IP> in a shell or search online for “display my hostname”; 3) Try to understand the hostname generation scheme of your internet provider and place a wildcard (*), defining a pattern as coarsely as needed and a tightly as possible. For example, if your IP resolves to 2909a2-ip.nrw.provider.net, placing *.nrw.provider.net could be a good bet. Don’t be too gracious with the wildcards here! It has the potential to allow unwanted access!

JSC is currently reviewing the access policy and may enforce additional measures in the near future. Please try to limit the range of source systems as much as possible so that less modifications are required later.

More on the from clause and further clauses which can improve the security of your account can be found in the sshd(8) (man sshd on a system, or the online version of sshd(8)) and ssh_config(5) (man ssh_config on a system, or the online version of ssh_config(5)) man pages.

Technical Note: SSH expects public keys and clauses to them in the authorized_keys file in the .ssh directory of your home directory. In Jülich, JuDoor manages this file for you. You never edit authorized_keys directly but always through JuDoor.

Logging in to JUDAC

To login to JUDAC, please use

$ ssh -i ~/.ssh/id_ed25519 <yourid>@judac.fz-juelich.de

where <yourid> is your user id at JSC (e.g. mustermann1). You will be prompted for the passphrase of the ssh key which is the one you entered when you generated the key (see above). With your first connection to the HPC system, you will also be asked to check the host key fingerprint of the system you log in to. This fingerprint is displayed in JuDoor next to the form you use to upload your public key. Please compare the host key fingerprint from JuDoor to the one printed during your first login! Only if both are identical, proceed to connect to the system. If they don’t match, please inform JSC via sc@fz-juelich.de

Note

Recent versions of OpenSSH (starting with version 8.0 from April 2019) instead of forcing you to do the comparison manually and answer yes/no will also allow you to copy and paste the key fingerprint as found in JuDoor. The ssh client will then perform the comparison for you and abort if there is a mismatch.

If the Ed25519 algorithm is not available to you (e.g. if you are using an older version of OpenSSH), you may choose RSA as a backup. We only allow keys with a length of at least 2048 bit! A more future proof 4096 bit RSA key can be generated with ssh-keygen -a 100 -t rsa -b 4096 -f ~/.ssh/id_rsa.

In general, it makes sense to have one key-pair per source system from which you connect to the HPC systems, e.g. your laptop and your desktop computers. In addition, you might want to generate individual keys for specific use-cases. Use a non-standard key during your SSH connection with ssh -i path/to/nonstandard/key or by adding it to your key agent or providing an entry in your SSH configuration (see Key Agent and Persistent Configuration).

Key Agent

If you chose a strong passphrase for your brand-new Ed25519 key, you might be annoyed by having to enter it for every connection. You don’t need to be. An SSH agent can be used to remember the passphrase for you.

An SSH agent (or similar service, possibly provided by a password manager or your desktop) is probably started on your system automatically, check if ssh-add -l returns an error. If an agent is running, you can add any SSH key you have generated via

$ ssh-add ~/.ssh/id_ed25519

assuming you have used the path and key stated above. Without arguments, ssh-add will look for keys of all supported types in their default locations. SSH keys can also be added automatically as soon as you start using them via an option in SSH configuration (see Persistent Configuration), then no extra command is necessary.

Check keys stored in your agent with ssh-add -l or their public keys with ssh-add -L. Both commands will include the comment you have provided during key generation.

You can limit the life-time of keys stored in the agent by supplying -t <seconds> as an option. This provides more control and ensures keys are not stored indefinitely (i.e. until the agent is restarted). Agents might also interplay with the keychain of your operating system.

Persistent Configuration

The user-side SSH configuration can be used to create shortcuts to targets / hosts and configure connections. These shortcuts and options also influence the behaviour of any program that uses SSH underneath, such as git, scp, and rsync.

An overview of all the available options can be seen via man ssh_config. That’s probably overwhelming, so here are a few options and configurations highlighted.

The entries go into ~/.ssh/config.

To configure settings for connections to JUDAC, follow the shortcut entry by a configuration entry like this:

Host judac
  HostName judac.fz-juelich.de
  User mustermann1
  IdentityFile ~/.ssh/id_ed25519_jsc

Afterwards, connecting to JUDAC is as easy as typing ssh judac (instead of the equivalent but bulky ssh -i ~/.ssh/id_ed25519_jsc mustermann1@judac.fz-juelich.de). Added benefit: Copying a file from JUDAC with scp can also make use of the alias: scp judac:~/file.txt ~/.

Wildcards are supported as well. An example which sets your username for all Jülich systems:

Match Host *.fz-juelich.de
  User some1

Further interesting options are highlighted in the following example entry

Match Host showoptions
  ForwardX11 Yes              # Be aware of security implications!
                              # Always together with "ForwardX11Trusted No"! See note!
  ForwardX11Trusted No        # Be aware of security implications! Never use "Yes"! See note below!
  ForwardAgent No             # Agent forwarding is not allowed on our systems
  AddKeysToAgent Confirm      # Add key used for this host to SSH agent, and confirm on every use
  LogLevel Verbose            # For finding out what's going wrong
  Port 2222                   # If connecting to an SSH server on a non-default port (=22)
X Forwarding

Launching GUI applications on remote systems can involve forwarding the X window to your source system – this is usually called X forwarding or X11 forwarding.

Using X forwarding with ssh -X (or ForwardX11 Yes in the SSH configuration) is considered secure, but some applications do not work with this option. SSH provides a less secure alternative, ssh -Y (or ForwardX11Trusted Yes), which does indeed often work with forwarded applications. But this connection is not secure; the target system is trusted blindly! An attacker with root privileges on the target system has the ability to listen to every keystroke in your local X window environment. Don’t use X forwarding with -Y! If you can not use -X with the application of your choice, rather fall back to launching a VNC server on the target machine and connect to it via SSH port forwarding. Read more about this on a dedicated website.

Troubleshooting

If you have trouble connecting to one of our systems, please run the SSH client with verbose output:

$ ssh -vvv <yourid>@judac.fz-juelich.de

Send the resulting output to the support team at sc@fz-juelich.de with a description of your problem.

Further Reading

PuTTY

PuTTY is a popular and freely available SSH client for Microsoft Windows. The following guide will give an overview about the stand alone usage of PuTTY, not the integration into larger client tools such as MobaXTerm.

Installation

The latest version of PuTTY can be downloaded at https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html which is the official website of the PuTTY developer. When downloading new versions of PuTTY, always verify the URL and the HTTPS connection (typically visualized by your browser). Do not use PuTTY executables out of untrusted sources! PuTTY can be fully installed on your system or just be downloaded as an individual binary file which can be placed anywhere within your folders and needs no installation permissions for execution. When downloading the individual binaries make sure to download putty.exe, puttygen.exe, and pageant.exe.

Key Generation

Key handling within PuTTY is done with the tool called puttygen.exe. It allows you to create new keys, open existing keys or convert keys between different formats.

To create a new key, open the tool. Select Ed25519 for the key type (you need a current version of puttygen.exe to select this key type). If the Ed25519 algorithm is not available to you (e.g. if you are using an older version of puttygen), you may choose RSA only as a backup. For RSA you have to specify the key length. We only allow keys with a length of at least 2048 bit! 4096 is recommended.

Afterwards click on Generate to start generating the key. You have to move your mouse until the full key is generated, this creates some randomness within the key pattern.

Afterwards set a Key comment. Here it is recommended to add your username and the system name where you generated the key.

Finally you have to select a Key passphrase. The passphrase is used to protect your key file on your local system. The passphrase will never be transferred to an external system. It is imperative to provide a strong passphrase at this point, i.e. one that cannot easily be guessed or found by brute force. It needs to be entered in the future to unlock your private key.

Note

It is not allowed to store private keys which you use to log in to systems at JSC without protecting them by a passphrase!

Using Save private key creates an encrypted .ppk private key file. Keep this file confidential, and on your local host only. Never send it to us or any other person! You can always use puttygen.exe and the Load button together with your passphrase to reopen a .ppk file.

The public part of your key is directly displayed in the PuTTY Key Generator window itself: Public key for pasting into OpenSSH authorized_keys file The generated public key text (in the example below ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAVbTcHgGDpiLJ+Sn8DgeRzIRlzTESOMMGcr9jUwZjLO user@systemname) needs to be uploaded to the HPC systems via JuDoor.

Warning

During upload with JuDoor, certain additional restrictions need to be applied; please see the paragraph above relating to Key Upload and Restriction.

_images/putty_key_generator.png

Persistent Configuration

Start putty.exe to configure your SSH connection. PuTTY allows to store all settings in a so called Session. You can create a new Session by setting a Session name and hitting the Save button. Keep in mind to always use the Save button after you changed the current selected Session. You can use Load to load the configuration of an existing Session.

The first important configuration option is the Host Name of the system you want to access.

_images/putty_session_configuration.png

To select your generated SSH key, you have to browse to the Connection ‣ SSH ‣ Auth page of the PuTTY configuration window. Here you can select your private key .ppk file. You should also allow agent forwarding. By selecting this option authentication requests from other machines (e.g. if you want to access another system via SSH behind your first access) will then be forwarded back onto the first originating machine, e.g. your local host.

_images/putty_auth_configuration.png

If you access a system for the first time, PuTTY will show an alert message. The message will point you to the fingerprint of the target system. You can compare the shown fingerprint to the system specific host fingerprints which are provided within the key upload page in JuDoor. Please compare the host key fingerprint from JuDoor to the one printed during your first login! Only if both are identical, proceed to connect to the system. If they don’t match, please inform JSC via sc@fz-juelich.de

_images/putty_security_alert.png

Other useful configuration options are located in:

  • Connection ‣ Data : Here you can store your personal username, which avoids entering this name during every login.

  • Connection ‣ SSH ‣ X11 : Allows to enable X11 forwarding. In parallel you need a running XServer for Windows (e.g. XMing) on your local system.

Login Nodes

The JUDAC system is accessible via ssh through 4 login nodes:

Generic Name:

judac

Specific Names:

Currently not configured

Domain:

fz-juelich.de

Users outside the FZ campus have to use fully qualified names including the domain name. When using the generic name, a connection is established to one of the login nodes in the JUDAC pool. Initiating two logins in sequence may lead to sessions on different nodes. In order to force the session to be started on the same nodes use the specific node names instead.

Example

$ ssh <yourid>@judac.fz-juelich.de

Alternative Login Methods

Apart from login via SSH, JSC also offers login via UNICORE and Jupyter.