To run a Rose/Cylc suite on ARE VDI, passwordless SSH has to be set up to allow

  • Rose to install the suite
  • Cylc to launch, and then communicate with, the Cylc server, and
  • Cylc to submit and monitor the status of jobs on Gadi.

Automatic Setup

The gadi-cylc-setup script facilitates the SSH configuration by handling various scenarios.

  • For users with no ~/.ssh directory or an empty ~/.ssh directory, it creates a restricted SSH key in ~/.ssh to set up passwordless SSH from certain hosts.
  • For users with an existing ~/.ssh directory, the script
    • backs up the ~/.ssh directory to ~/.gadi-cylc-setup
    • tests passwordless SSH to Gadi
    • makes necessary revisions to files in ~/.ssh to set up passwordless SSH to Gadi

Restricted SSH Key

We encourage users to use a restricted SSH key to reduce the attack surface. The automatic setup restricts SSH keys so that they can only be used from certain hosts.

If your workflow allows, please also restrict the key to a limited set of commands. Limiting the commands that can be executed over SSH helps to prevent unintended or malicious commands from being accidentally executed on Gadi.

An example of a restricted SSH key file is shown below.

~/.ssh/hr22.pub
from="*.nci.org.au,host3",command="command",no-agent-forwarding,no-port-forwarding ssh-rsa <public-key-data> abc123@gadi-login-01.gadi.nci.org.au
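
To check existing keys against the restrictions described above, the following added example (not part of gadi-cylc-setup or the original page) parses the options field of key lines in this format and reports which of from=, command=, no-agent-forwarding and no-port-forwarding are absent. The function names and sample lines are constructed for illustration; OpenSSH's restrict option is treated as covering both forwarding restrictions.

```python
# Added example: audit key lines for the restrictions discussed on this page.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # a line starting with these has no options

def _store(opts, token):
    if token:
        name, _, value = token.partition("=")
        opts[name.lower()] = value

def split_options(line):
    """Return (options dict, rest of line); quoted values may hold commas/spaces."""
    line = line.strip()
    if line.startswith(KEY_TYPE_PREFIXES):
        return {}, line
    opts, token, quoted, i = {}, "", False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and quoted and line[i + 1:i + 2] == '"':
            token += '"'          # escaped quote inside a quoted value
            i += 2
            continue
        if ch == '"':
            quoted = not quoted   # quotes delimit the value and are dropped
        elif not quoted and ch in ", \t":
            _store(opts, token)
            token = ""
            if ch != ",":         # unquoted whitespace ends the options field
                break
        else:
            token += ch
        i += 1
    _store(opts, token)           # malformed line with no key part
    return opts, line[i:].strip()

def missing_restrictions(line):
    """List the restrictions from this page that the key line lacks."""
    opts, _ = split_options(line)
    missing = [name for name in ("from", "command") if name not in opts]
    for fwd in ("agent-forwarding", "port-forwarding"):
        blocked = "no-" + fwd in opts or ("restrict" in opts and fwd not in opts)
        if not blocked:
            missing.append("no-" + fwd)
    return missing

# Constructed sample lines; KEYDATA stands in for the base64 key material.
SAMPLE_LINES = [
    'from="*.nci.org.au,host3",command="command",no-agent-forwarding,'
    'no-port-forwarding ssh-rsa KEYDATA abc123@gadi-login-01.gadi.nci.org.au',
    'ssh-ed25519 KEYDATA user@laptop',
    'restrict,from="*.nci.org.au" ssh-ed25519 KEYDATA user@vdi',
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(missing_restrictions(sample) or "fully restricted", "<-", sample[:40])
```
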

Test

A quick way to check that the SSH setup of your ARE VDI session is correct is to run the following commands. Example output is shown.

MATE Terminal
$ ssh gadi 'echo hello from $(hostname)'
hello from gadi-cpu-bdw-0001.gadi.nci.org.au
$ ssh gadi.nci.org.au 'echo hello from $(hostname)'
hello from gadi-cpu-bdw-0001.gadi.nci.org.au