131 | | === I am trying to login to the hosts and I am prompted for a password === |
132 | | When you trying to login to GENI hosts you should only be prompted for your ssh passphrase. If you are prompted for a password then there is |
133 | | something wrong. Things you can try: |
134 | | * '''change the permissions of your private key''' . If while trying to login you get a warning that says : |
| 132 | === I am trying to login to the hosts and I am prompted for a password. === |
| 133 | When you are trying to login to GENI hosts you should only be prompted for your ssh passphrase. If you are prompted for a password then there is |
| 134 | something wrong. Things that might be wrong: |
| 135 | * '''the permissions of your private key''' . If while trying to login you get a warning that says : |
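Review bot: The new bullet at line 135 leaves a stray space between the closing bold markup and the period ("'''the permissions of your private key''' ."), and the heading and first sentence still use "login" as a verb; suggest "log in" and closing the bold directly against the punctuation. Since the lead-in changes from "Things you can try" to "Things that might be wrong", check that the text following the warning still tells the reader what to do about the key permissions, not only that they may be the cause.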
| 150 | === My GENI host is behind a firewall. === |
| 151 | Some hosts in GENI are behind a firewall. In most cases where nodes are behind a firewall, there is one or more machines that are accessible from the public internet that can be used as "stepping stones" to access these machines, i.e. you should login to them first and then login to the hosts that are behind the firewall. Currently in GENI the two most common cases of nodes that are behind a firewall are: |
| 152 | * '''Wide Area ProtoGENI hosts in Internet 2 !PoPs''' : Any node in Utah can be used as a "stepping stone". If your slice doesn't already have a host in Utah, then you should add a VM in Utah that you will use for this purpose. |
| 153 | * '''Mesoscale hosts in some campuses''': If you are using nodes in [wiki:TangoGENI Mesoscale] that are behind a firewall, you can use ops.pgeni.gpolab.bbn.com as a "stepping stone". You can login to ops.pgeni.gpolab.bbn.com using the your pgeni credentials file as your private key. |
| 154 | Once you have determined which host you will use as your stepping stone (pub_host from now on) to get to the host behind the firewall(priv_host from now on), you have several options: |
| 155 | 1. '''Recommended''' Use the `-A` ssh option to enable forwarding of the authentication agent. So try : |
| 156 | {{{ |
| 157 | ssh -A <username>@<pub_host> |
| 158 | }}} |
| 159 | Then from <pub_host> you can ssh to the private host without the need to upload your private key to <pub_host>. |
| 160 | {{{ |
| 161 | user@<pub_host>$> ssh <username>@<priva_host> |
| 162 | }}} |
| 163 | 2. If the above option does not work then you can try using [https://help.ubuntu.com/community/SSH/OpenSSH/PortForwarding ssh port forwarding] to get to your host. The main idea is that you will forward a local port on the client to go through the connection to <pub_host> and from there to ssh to <priv_host>. If you want to do this in command line then first login to the public host: |
| 164 | {{{ |
| 165 | ssh -L <local port>:<priv_host>:22 <username>@<pub_host> |
| 166 | }}} |
| 167 | |
| 168 | Then on a different terminal, try logging to the private host through the local port : |
| 169 | {{{ |
| 170 | ssh -i <private key> <username>@localhost -p <local port> |
| 171 | }}} |
| 172 | |
| 173 | You can also modify the ssh configuration file to that effect. This way it is easier to port-forward multiple firewalled hosts by adding the following lines in the file : |
| 174 | {{{ |
| 175 | Host <pub_host_alias> |
| 176 | Hostname <pub_host> |
| 177 | LocalForward <local port1> <priv_host_1>:22 |
| 178 | LocalForward <local port2> <priv_host_2>:22 |
| 179 | user <username> |
| 180 | |
| 181 | Host <priv_host_alias_1> |
| 182 | Hostname localhost |
| 183 | port <local port1> |
| 184 | user <username> |
| 185 | |
| 186 | Host <priv_host_alias_2> |
| 187 | Hostname localhost |
| 188 | port <local port2> |
| 189 | user <username> |
| 190 | }}} |
| 191 | Then on one terminal do : |
| 192 | {{{ |
| 193 | ssh <pub_host_alias> |
| 194 | }}} |
| 195 | |
| 196 | And on another terminal: |
| 197 | {{{ |
| 198 | ssh <priv_host_alias_1> |
| 199 | }}} |
| 200 | |
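Review bot: Option 1 (new lines 155-162) is marked Recommended but does not say what `ssh -A` exposes: while the session is open, anyone with root on <pub_host> can use the forwarded agent socket to authenticate as the user to other hosts. Suggest adding that caveat next to the recommendation, or offering a form such as "ProxyCommand ssh -W %h:%p <pub_host_alias>" under each private Host entry, which needs neither agent forwarding nor the two-terminal LocalForward setup. The moved text also still carries "<priva_host>" at line 161 and "using the your pgeni credentials" at line 153; both are worth fixing while the section is being touched.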
158 | | <li> <b> Mac OS </b> If you are on OSX Leopard or later, ssh-agent runs automatically for you. It will also integrate with the <a href='http://en.wikipedia.org/wiki/Keychain_(Mac_OS)'> Keychain</a> that is a program for managing identities, passwords, etc. The first time that you use your private key to login to a machine, a keychain window will pop-up offering to store your passphrase, if you want to avoid the hustle of typing in your passphrase every time you want to login you should click on that option. </li> |
| 210 | <li> <b> Mac OS </b> If you are on OSX Leopard or later, ssh-agent runs automatically for you. It also integrates `ssh-agent` with the <a href='http://en.wikipedia.org/wiki/Keychain_(Mac_OS)'> Keychain</a> that is a program for managing identities, passwords, etc. The first time that you use your private key to login to a machine, a keychain window will pop-up offering to store your passphrase, if you want to avoid the hustle of typing in your passphrase every time you want to login you should click on that option. </li> |
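Review bot: The backticks added around ssh-agent at line 210 are wiki markup inside a line that is otherwise raw HTML (<li>, <b>, <a href>), so they are likely to render as literal backticks; use <code>ssh-agent</code> here, and apply it to the first mention in the same sentence as well for consistency. The rewritten sentence also reads as "ssh-agent ... integrates ssh-agent with the Keychain", so name the subject (OS X) explicitly, and "hustle" should be "hassle".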
186 | | |
187 | | === Logging in to host behind firewalls === |
188 | | Some hosts in GENI are behind a firewall. In most cases where nodes are behind a firewall, there is one or more machines that are accessible from the public internet that can be used as "stepping stones" to access these machines, i.e. you should login to them first and then login to the hosts that are behind the firewall. Currently in GENI the two most common cases of nodes that are behind a firewall are: |
189 | | * '''Wide Area ProtoGENI hosts in Internet 2 PoPs''' : Any node in Utah can be used as a "stepping stone". If you slice doesn't have a host in Utah, then you should add a VM in Utah that you will use for this purpose. |
190 | | * '''Mesoscale hosts in some campuses''': If you are using nodes in [wiki:TangoGeni Mesoscale] that are behind a firewall, you can use ops.pgeni.gpolab.bbn.com as a "stepping stone". You can login to ops.pgeni.gpolab.bbn.com using the your pgeni credentials file as your private key. |
191 | | Once you have determined with host you will use as your stepping stone (pub_host from now on) to get to the host behind the firewall(priv_host from now on), you have several options: |
192 | | 1. '''Recommended''' Use the `-A` ssh option to enable forwarding of the authentication agent. So try : |
193 | | {{{ |
194 | | ssh -A <username>@<pub_host> |
195 | | }}} |
196 | | Then from <pub_host> you can ssh to the private host without the need to upload your private key to <pub_host>. |
197 | | {{{ |
198 | | user@<pub_host>$> ssh <username>@<priva_host> |
199 | | }}} |
200 | | 2. If the above option does not work then you can try using [https://help.ubuntu.com/community/SSH/OpenSSH/PortForwarding ssh port forwarding] to get to your host. The main idea is that you will forward a local port on the client to go through the connection to <pub_host> and from there to ssh to <priv_host>. If you want to do this in command line then first login to the public host: |
201 | | {{{ |
202 | | ssh -L <local port>:<priv_host>:22 <username>@<pub_host> |
203 | | }}} |
204 | | |
205 | | Then on a different terminal, try logging to the private host through the local port : |
206 | | {{{ |
207 | | ssh -i <private key> <username>@localhost -p <local port> |
208 | | }}} |
209 | | |
210 | | You can also modify the ssh configuration file to that effect. This way it is easier to port-forward multiple firewalled hosts by adding the following lines in the file : |
211 | | {{{ |
212 | | Host <pub_host_alias> |
213 | | Hostname <pub_host> |
214 | | LocalForward <local port1> <priv_host_1>:22 |
215 | | LocalForward <local port2> <priv_host_2>:22 |
216 | | user <username> |
217 | | |
218 | | Host <priv_host_alias_1> |
219 | | Hostname localhost |
220 | | port <local port1> |
221 | | user <username> |
222 | | |
223 | | Host <priv_host_alias_2> |
224 | | Hostname localhost |
225 | | port <local port2> |
226 | | user <username> |
227 | | }}} |
228 | | Then on one terminal do : |
229 | | {{{ |
230 | | ssh <pub_host_alias> |
231 | | }}} |
232 | | |
233 | | And on another terminal: |
234 | | {{{ |
235 | | ssh <priv_host_alias_1> |
236 | | }}} |
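Review bot: This section is moved rather than rewritten, and its heading changes from "Logging in to host behind firewalls" to "My GENI host is behind a firewall.", so any link that targets the old heading's anchor will stop resolving. Suggest searching the wiki for references to the old heading, or giving the new heading an explicit anchor so existing links can be pointed at a stable id.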