How does privatekey ssh work?

My cluster uses privatekey authentication for SSH.
When I try to open the terminal in OOD I get pubkey denied as expected.
How are we intended to use this? Is this outside the scope of OOD?

Hi Simon.

Thanks for the post.

I’ll have to check the code, but I believe we only support public keys. I’ll need to verify though.

Thanks,
-gerald

I said privatekey authentication but I think the correct term is publickey authentication. Either way, the user needs the private and the remote host needs the public.

How does the typical cluster support the OOD terminal?

Hi Simon.

Sorry for the delay. You need to set it all up just like you would regular passwordless ssh by adding the user’s public key from host 1 into the user’s authorized_keys on host 2.

Hope this helps.

Please let me know if you need additional assistance.

Thanks,
-gerald

Simon:

I’m somewhat reading between the lines here as to what you are asking, so I apologize in advance if this is a bit off base. One fundamental ‘requirement’ of OnDemand is that the front-end host you are running it on should be configured / treated like a login node on your system, with all the corresponding security and trusts in place. As such, a typical configuration has inherent trust relationships between login/compute nodes and doesn’t require SSH keys or passwords if you are bouncing directly between the systems.

I.e., is your system currently configured such that if someone ssh’s into a login node, they can directly ssh into another of your system’s login/compute nodes without having to enter their password or have ssh keys?

We have more details about architecture and context flows for the shell app on page 63 of this document that might help: TrustedCI Open Ondemand 2021 Audit

Thanks, that’s what I needed to know.

Our users need agent forwarding in order to ssh from a login node to a compute node.

OSC uses host based authentication. So the hosts themselves have ssh keys and trust between one another. That’s how it’s seamless for us, but it requires a certain amount of automation to keep all the keys in sync.
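
A sketch of the key-sync check that host-based authentication implies, as an added example that is not part of the thread, of Open OnDemand or of OSC's tooling: it lists hosts trusted in `shosts.equiv` that have no usable key in `ssh_known_hosts`, and checks `sshd -T` output for `HostbasedAuthentication`. The file names follow OpenSSH defaults; the function names, host names and key strings are constructed, and hashed or wildcard known-hosts entries are assumed absent.

```shell
# Audit host-based SSH trust on a server node (added example, constructed data).

# Print each host listed in shosts.equiv that has no plain host key in the
# known-hosts file. Assumption: hashed and wildcard entries are not handled.
missing_host_keys() {   # usage: missing_host_keys EQUIV_FILE KNOWN_HOSTS_FILE
  awk '
    FILENAME == ARGV[1] {                      # first file: known_hosts
      # Skip blanks, comments and marker lines (@cert-authority, @revoked).
      if ($0 !~ /^[ \t]*(#|$)/ && $1 !~ /^@/) {
        n = split($1, h, ",")                  # "name1,name2 keytype key"
        for (i = 1; i <= n; i++) known[h[i]] = 1
      }
      next
    }
    /^[ \t]*(#|$)/ { next }                    # second file: shosts.equiv
    $1 ~ /^[-+@]/  { next }                    # negated/netgroup entries skipped
    !($1 in known) { print $1 }
  ' "$2" "$1"
}

# Succeed if the effective server config (piped from `sshd -T`) enables
# host-based authentication.
hostbased_enabled() {   # usage: sshd -T | hostbased_enabled
  grep -qix 'hostbasedauthentication yes'
}

# Constructed sample: three trusted nodes, one of which only has a revoked key.
sample=$(mktemp -d)
printf '%s\n' '# login and compute nodes' \
  login01.example.org cn001.example.org cn002.example.org \
  > "$sample/shosts.equiv"
printf '%s\n' \
  'login01.example.org,10.0.0.5 ssh-ed25519 AAAA-constructed-key-1' \
  'cn001.example.org ssh-ed25519 AAAA-constructed-key-2' \
  '@revoked cn002.example.org ssh-ed25519 AAAA-constructed-key-3' \
  > "$sample/ssh_known_hosts"

echo "Trusted hosts with no usable host key:"
missing_host_keys "$sample/shosts.equiv" "$sample/ssh_known_hosts"
```

On a real node the inputs would be `/etc/ssh/shosts.equiv` and `/etc/ssh/ssh_known_hosts`, with the second function fed from `sshd -T` run as root.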