(Open)SSH configuration for Farm and QCD clusters


A security mandate now requires that you first SSH to a log-in gateway before logging in to an ifarm or qcdi host, whether or not you are starting on the on-site network (this satisfies the two-factor authentication requirement without requiring it on ifarm/qcdi themselves). You can automate that step, so that you can "directly" ssh (and also ssh -X, scp, sftp, and rsync-over-SSH) to those hosts, by configuring ~/.ssh/config (creating the file, if necessary) on the host you are SSHing from (typically your laptop or desktop) with a ProxyJump, e.g.

 

Re-using connections

To reduce the number of times you need to enter your password or perform two-factor authentication, you can add ControlMaster configuration. If you already have a Match host *.jlab.org. stanza, you can append the Control... lines to it, or just have multiple Match host *.jlab.org. stanzas.

See man page ssh_config(5) (ideally on the host you're SSHing from, but also available online) for more information about these directives.
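
The ProxyJump and connection-sharing setup described above, as an added sketch that is not the configuration from the original page. GATEWAY.example.org and USERNAME are placeholders, and the `gateway` alias, the Host patterns and the 10-minute timeout are assumptions to adapt.

```sshconfig
# Added example for ~/.ssh/config; not the original page's configuration.
# GATEWAY.example.org and USERNAME are placeholders, not real values.

# The log-in gateway, where password / two-factor authentication happens.
Host gateway
    HostName GATEWAY.example.org
    User USERNAME
    # Let later sessions share the first authenticated connection.
    ControlMaster auto
    # Keep the socket inside ~/.ssh (readable only by you). Anyone who can
    # use this socket gets a session without authenticating again.
    ControlPath ~/.ssh/cm-%C
    # Keep the shared connection open this long after the last session ends;
    # a short timeout limits how long that socket remains usable.
    ControlPersist 10m

# Cluster hosts (patterns are assumptions): always go through the gateway.
# The patterns deliberately do not match the gateway itself, so the jump
# cannot loop back onto its own entry.
Host ifarm* qcdi*
    User USERNAME
    ProxyJump gateway
```

`ssh -O check gateway` reports whether a shared connection is running, and `ssh -O exit gateway` closes it so that the next connection starts fresh.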

Restarting a shared connection

You can run into problems, for example with X-forwarding, if you need different options for a connection but are re-using an old one.

Microsoft Windows

I have also written up instructions for PuTTY.  For Windows-native OpenSSH, the configuration file is placed under %userprofile% instead of ~ (e.g. C:/Users/lsh/.ssh/config -- create the .ssh directory if it doesn't already exist), and you will need to omit:

  • both exec checks (which, unlike the rest of the line before them, do not apply on Windows), as well as
  • the connection-reuse/sharing (ControlMaster) configuration (which is unsupported)

Visual Studio (VS) Code (using Microsoft's "Remote - SSH" extension)

As a prerequisite, make sure the OpenSSH configuration is working from the command prompt (whether that's Windows' cmd.exe, Linux/macOS' /bin/sh, or some other shell) as shown above.  Enable Remote.SSH: Remote Server Listen On Socket in your VSCode User Settings.  When you select Remote-SSH: Connect to Host... from the Command Palette, you should see the hosts configured in your .ssh/config already listed.