[mpich-discuss] I do not succeed to correctly setup password-less ssh

William Scullin wscullin at alcf.anl.gov
Fri Oct 9 05:04:20 CDT 2015 

Hi Moshe,

Your question may be a bit off-topic for this list, but others can
correct me either way.

I think the tutorial you found is missing a couple of steps and needs
correction. SSH relies on public key cryptography for authentication.
The id_rsa file is a user's private key. The id_rsa.pub file is the
corresponding public key. The authorized_keys file is a listing of
public user keys which are trusted to access an account and should be
readable by the account. The known_hosts file is a listing of hosts'
public keys that allow ssh clients to authenticate server identity.

My short instructions for setting up user public key authentication
might read like:

1. On node00, create passphraseless ssh keys that you won't use
outside of this cluster, the -f option allows you to specify the name
of the keys:

$ cd ~/.ssh/
$ ssh-keygen -f cluster_only_key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in cluster.
Your public key has been saved in cluster.pub.
The key fingerprint is:
f1:a4:56:b7:31:ae:e9:22:53:47:70:28:b1:d0:40:55 wscullin at alcfwl197.alcf.anl.gov
The key's randomart image is:
+--[ RSA 2048]----+
|   .++ooE.       |
|     .o.o .      |
|      ...oo +    |
|         *.o +   |
|        S.. o    |
|       .. .o     |
|       . .o      |
|      o ..       |
|       o ..      |
+-----------------+


2. Still on node00 in the ~/.ssh directory set up your ssh_config and
authorized_keys files, for more information about the .ssh/config file
look at the ssh_config man page:

$ echo "IdentityFile ~/.ssh/cluster_only_key" >> config
$ cat cluster_only_key >> authorized_keys
$ chmod 600 config authorized_keys


3. Test functionality by sshing to the current host:

$ ssh -o StrictHostKeyChecking=no localhost node00 date

if it fails, adding the -v option more or one times will provide
debugging output. The option:

-o StrictHostKeyChecking=no localhost

will automatically add the host's public key to your known_hosts file
without querying you. Use this only when you are sure about the
security and identity of hosts. If you're lucky whoever setup the
cluster already put all the nodes in the system-wide known_hosts file.


4. Propagate your authorized_keys, cluster_only_key,
cluster_only_key.pub, and config file to every node in the cluster.

IMPORTANT NOTE: Most clusters have home directories mounted on all
nodes over the network via NFS or some parallel file system which
makes this automatic. If you do not have home directories and other
shared storage mounted globally over the network to all nodes, this
will make running MPI applications very difficult later as as binaries
and files needed to run will need to be staged on all nodes. If you
don't have shared storage, ask your systems administrator to rectify
this post-haste.

For the manually minded:

$ cd ~/.ssh
$ scp -rp ~/.ssh/* node01:~/.ssh/
$ scp -rp ~/.ssh/* node02:~/.ssh/
...

5. Once all nodes have been ssh'ed into, propagate your known_hosts to
all nodes in the cluster.

6. Test all to all:

for i in miralac{1..4}; \
do \
ssh $i 'echo "testing from $(hostname)"; \
  for k in miralac{1..4}; \
    do\
      ssh $k "echo \$(hostname) connected";\
    done'; \
done

I hope this helps,
William

On Fri, Oct 9, 2015 at 2:57 AM, Moshe Goldstein <goldmosh at g.jct.ac.il> wrote:
>
> Hi!
>
> I am new with MPI.
> First I tried an MPI program in a multicore Linux computer, and it worked
> OK.
> My current step is to try to run the same program in a "cluster" composed by
> two multicore Linux computers, when my final goal is to have a cluster
> composed by 16 computers (actually, a 64-cores cluster).
> I learned that in order to run such a program I need to prevent ssh password
> requirement when nodes send and/or receive messages among each other. I
> found the "How to set up SSH Keys" tutorial and setup the two-computer
> "cluster" according to what is explained in the tutorial.
>
> The result of the 4-steps tutorial procedure is as follows:
>
> the .ssh directory of the first computer has the following files: id_rsa,
> id_rsa.sub, and known_hosts
> the .ssh directory of the second computer has the following files:
> authorized_keys, and known_hosts
> If I do by-hand ssh from the first computer to the second, the second
> computer does not require password.
> If I do by-hand ssh from the second computer to the first, the first
> computer requires password.
>
> Because of this, I guess, when I run the MPI program, it gets stuck when an
> ssh connection is tried between the second computer to the first one. Right?
>
> Thus, I request your help to correctly setup password-less ssh capability in
> the first computer, in order to allow password-less ssh among all the nodes
> in the cluster (currently, among only two computers). Actually, the question
> is how I allow password-less ssh connection to the first computer.
>
> I thank you all of you in advance for your help.
> Sincerely,
> -- Moshe Goldstein
>
>
> _______________________________________________
> discuss mailing list     discuss at mpich.org
> To manage subscription options or unsubscribe:
> https://lists.mpich.org/mailman/listinfo/discuss
_______________________________________________
discuss mailing list     discuss at mpich.org
To manage subscription options or unsubscribe:
https://lists.mpich.org/mailman/listinfo/discuss

More information about the discuss mailing list