We would like for OOD to be the primary method to access our HPC resources (rather than SSH). The terminal in OOD, of course, prompts for a password, which our users do not have. We have configured OOD to use CILogon, which means users need neither a password nor an SSH key by default.
How can I permit users to access the default terminal app without requiring a password? I have been told it would involve configuring/enabling host-based authentication, but can someone please provide additional guidance as to the necessary steps?
In sum, I am trying to permit users who may have neither an SSH key nor a password to launch the default OOD terminal app. Users can already launch Jupyter through OOD and open a terminal that way, which doesnât require a password (but that requires several extraneous and needless steps and resources just to open a terminal). It would be nice if the default terminal worked in a similar way. Users can likewise start a virtual desktop session, but yet again itâs extra steps and way more resources than necessary.
I can really only google for you, so hereâs an Oracle document that seems to have a lot to it.
You may already be familiar with ssh keys and how to use them personally. You have one, and youâve added it to your ~/.ssh/authorized_keys.
Well HostBasedAuthentication is essentially the same thing, only itâs for a machine and not for a user.
So in /etc/ssh on a given host, there are files for itâs key (the public and private keys for that machine) as well as /etc/ssh/known_hosts which has the public key for all hosts.
Beyond that you may have better luck on https://ask.cyberinfrastructure.org/ as weâre Web developers and this is really a system administration question.
Well, all I can say is that Chase Eyster strongly encouraged me to post here and was reasonably certain that the OOD developers would have a helpful response. I wasnât asking you to âGoogle for me,â but then, Iâve never really received useful feedback here, so par for the course I guessâŚ
Sorry about that. To elaborate a bit: the initial statement you made âThe terminal in OOD, of course, prompts for a passwordâŚâ is a bit confusing. The vast majority of the OOD production deployments Iâm aware of donât act like this. Rather, the terminal app opens up directly into a shell, without needing a password.
My limited understanding of this is because itâs a system level setup of host based keys, which is what Jeff was trying to explain. For many centers, this is completely independent of any OOD configuration and entirely dependent on your underlying system architecture (and already something configured / supported at the center by default even without OOD being installed.)
At the risk of stating the obvious, hereâs a more specific example example: here at OSC, we have multiple clusters, each with their own traditional login nodes. If we take OOD out of the equation and just talk about traditional SSH, a client can use a SSH client to SSH into say the owens.osc.edu login node. They will need to authenticate into that node. Once they are in that shell, they can then ssh to the pitzer.osc.edu login node without needing to authenticate again. This is because we have setup a trust relationship between the login nodes via host based SSH keys at a system level (i.e. it just works for all clients, no personal keys needed).
Bringing OOD into the equation, the same thing is true for our OOD âloginâ web node. The underlying system is configured with host based SSH keys, so that once someone has authenticated into OOD (say via CI Login) they can effectively SSH to any other login node without authenticating (which is whatâs happening when you open a terminal app window).
Without knowing the specifics of the underlying host system that you have installed OOD on, we canât really be more specific than to point you to generic info on host-based authentication. The Oracle hosted document that Jeff pointed to is part of the Oracle Solaris OS documentation, but seems to be generic enough to apply to most any Linux operating system. There likely are more specific instructions available for your specific OS if needed.
Happy to try to help out however we can, but as Jeff tried to indicate, some of this is getting into more system administration knowledge sets than OOD web-based knowledge.
Ouch! I think everyone from the OSC OOD staff to the OOD community of users is quite responsive and supportive on this platform. We all have similar set ups but none are exactly the same so it is often difficult to have a single answer to a question in these contexts. As Alan and Jeff said, this is independent of OOD. The way we have our login nodes configured does not allow for password logins and only uses SSH keys. Not all of our users want to setup SSH keys so they use OnDemand instead. Within OnDemand we allow the terminal app to connect to our login node. Because of our security restriction of requiring SSH keys this wonât work for OnDemand users - like yours is prompting for a password. We have a few things in place to allow these connections though, using pam.d and SSH keys in usersâ home directories. Finally, using SSHD configs we override the SSH key requirement for any connections coming from our OnDemand servers. Hope that helps!