ATLAS Level 1 Calorimeter Trigger Software

L1Calo Software Tips for setting up ssh


Introduction

The ATLAS DAQ system is a distributed system and requires that processes can be started on remote nodes. Normally this is done by a PMG agent, but when the DAQ is started it must first ensure that a PMG agent is running on each node, which it does via an ssh command. For this to work, you must be able to ssh into all the remote nodes used by the DAQ without being prompted for a password (or for verification of the remote node's identity, which ssh asks for the first time you ssh into a given node).

There are a number of ways of setting up ssh to allow you to login to a defined set of nodes without giving your password again. In this web page, we describe one of them, using the ssh-agent to forward keys. This is not necessarily the simplest way, but can be convenient.

There are two aspects to setting this up. Firstly you need to create and distribute keys, secondly you need to start the ssh-agent. These are discussed in the sections below.

Creating and distributing keys

You create your own private keys with the ssh-keygen command. There are three types of key: RSA1, RSA and DSA. The first is used by older versions (1.x) of ssh, the last two are also available in more recent versions (2.x). For compatibility with all possible systems, I usually create all three types of key:
  ssh-keygen -t rsa1
  ssh-keygen -t rsa
  ssh-keygen -t dsa
The private and public keys are stored in your $HOME/.ssh directory. The public key files are identity.pub, id_rsa.pub, id_dsa.pub respectively. These are the ones you need to copy to remote systems. The private keys lack the .pub extension and should remain on your system, readable only by you.

Depending on how widely you expect to distribute your keys and your personal paranoia level, you may choose to give the keys a different (and longer) pass phrase than your normal login password.

You then need to copy the public key file(s) to the remote system(s) and append them to the files of your authorized keys. There are different files for the different ssh protocol versions:

  cat identity.pub >> $HOME/.ssh/authorized_keys
  cat id_rsa.pub   >> $HOME/.ssh/authorized_keys2
  cat id_dsa.pub   >> $HOME/.ssh/authorized_keys2
NB if you create keys on more than one group of systems, be careful not to overwrite the local *.pub files when copying across those from another system!
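The copy-and-append step above is easy to get subtly wrong: the .ssh directory and the authorized keys file must be readable only by you (sshd ignores them otherwise), appending the same key twice leaves duplicates, and it is possible to append a private key by mistake. The following script is an added example, not part of the original page; it assumes the OpenSSH file layout described above (on current OpenSSH releases protocol 1 and rsa1 keys no longer exist, so only the protocol 2 lines apply), and the key lines it uses are constructed, not real keys.

```shell
#!/bin/sh
# Added example: install a public key into an authorized keys file the way a
# careful user would do it by hand. Assumes OpenSSH's layout: $HOME/.ssh must
# be mode 0700 and the authorized keys file mode 0600. Not the page's own code.

# install_pubkey PUBFILE AUTHFILE
# Refuses anything that is not a *.pub file (so a private key is never
# appended by mistake), creates the .ssh directory owner-only, appends the
# key only if it is not already present, and keeps the file owner-readable.
install_pubkey() {
    pubfile=$1
    authfile=$2
    case "$pubfile" in
        *.pub) ;;
        *) echo "refusing $pubfile: not a .pub file" >&2; return 1 ;;
    esac
    if [ ! -s "$pubfile" ]; then
        echo "$pubfile is missing or empty" >&2
        return 1
    fi
    authdir=$(dirname "$authfile")
    mkdir -p "$authdir" && chmod 700 "$authdir"
    touch "$authfile" && chmod 600 "$authfile"
    # -x: whole-line match, -F: the key is a fixed string, not a regex
    if grep -qxF -- "$(cat "$pubfile")" "$authfile"; then
        echo "already present: $pubfile"
        return 0
    fi
    cat "$pubfile" >> "$authfile"
}

# count_keys AUTHFILE: number of key lines (ignores blank and comment lines)
count_keys() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -cv '^[[:space:]]*\(#\|$\)' "$1" || true
}

# Demonstration in a scratch directory with constructed (not real) key lines.
demo() {
    tmp=$(mktemp -d)
    printf 'ssh-rsa AAAAB3NzaC1yc2EFAKEKEYDATA user@laptop\n' > "$tmp/id_rsa.pub"
    printf 'ssh-dss AAAAB3NzaC1kc3MFAKEKEYDATA user@laptop\n' > "$tmp/id_dsa.pub"
    install_pubkey "$tmp/id_rsa.pub" "$tmp/ssh/authorized_keys2"
    install_pubkey "$tmp/id_dsa.pub" "$tmp/ssh/authorized_keys2"
    install_pubkey "$tmp/id_rsa.pub" "$tmp/ssh/authorized_keys2"   # second time: no duplicate
    echo "keys installed: $(count_keys "$tmp/ssh/authorized_keys2")"  # 2
    ls -ld "$tmp/ssh" "$tmp/ssh/authorized_keys2"                    # drwx------ / -rw-------
    rm -rf "$tmp"
}
demo
```

To use it for real, run `install_pubkey id_rsa.pub $HOME/.ssh/authorized_keys2` on the remote node after copying only the .pub file there; the whole-line check is what keeps the file tidy when you repeat the step from several systems.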

Starting the ssh-agent

You can start the ssh-agent by hand. However, you need to set appropriate environment variables in your process, which involves evaluating the output of the command that starts the agent. You then need to add your keys to the agent (this step prompts you for your pass phrase):
  eval `ssh-agent`
  ssh-add
If you set up a little script to do that, you would have to source the script (rather than run it), so that the variables are set in your current shell.
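A sourceable script of that kind is shown below as an added example (not code from the original page). It assumes OpenSSH's ssh-agent and ssh-add; the state file $HOME/.ssh/agent.env is my choice of name. The point it adds to the two commands above is reuse: one agent per login, found again from later terminal windows instead of a fresh agent (and a fresh pass phrase prompt) in each, plus a liveness check so that a stale socket left over from a reboot is not trusted.

```shell
#!/bin/sh
# Added example: start one ssh-agent per login and reuse it from later
# shells. Source this file and call start_agent:  . ~/.ssh/agent.sh && start_agent
# Assumes OpenSSH ssh-agent/ssh-add; AGENT_ENV is an assumed path, not a standard.
AGENT_ENV=${AGENT_ENV:-$HOME/.ssh/agent.env}

# agent_is_usable: true if SSH_AUTH_SOCK names a live agent socket.
agent_is_usable() {
    [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ] || return 1
    # If ssh-add is available, ask the agent itself: exit status 2 means
    # "could not contact the agent" (0 = keys listed, 1 = agent but no keys).
    if command -v ssh-add > /dev/null 2>&1; then
        ssh-add -l > /dev/null 2>&1
        [ $? -ne 2 ]
    fi
}

# load_agent_env FILE: import SSH_AUTH_SOCK/SSH_AGENT_PID saved by an
# earlier start_agent, succeeding only if that agent still answers.
load_agent_env() {
    [ -r "$1" ] || return 1
    . "$1" > /dev/null
    agent_is_usable
}

# start_agent: reuse the current or saved agent if it is alive, otherwise
# start a new one, record its environment (owner-readable only) and add
# the keys. ssh-add prompts for the pass phrase, as in the page's example.
start_agent() {
    if agent_is_usable || load_agent_env "$AGENT_ENV"; then
        return 0
    fi
    command -v ssh-agent > /dev/null 2>&1 || { echo "ssh-agent not installed" >&2; return 1; }
    mkdir -p "$(dirname "$AGENT_ENV")"
    # -s forces Bourne-shell syntax; the subshell keeps umask local to us
    (umask 077; ssh-agent -s > "$AGENT_ENV") || return 1
    . "$AGENT_ENV" > /dev/null
    ssh-add
}
```

Because the file is sourced, the exported SSH_AUTH_SOCK and SSH_AGENT_PID land in the calling shell; running it as a command would set them in a child process and lose them, which is exactly the problem the text describes.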

A more convenient alternative - if you run your X session on a Unix system (rather than just using terminal windows) - is to start the agent as part of your X startup. Then all your X terminal windows and other processes inherit the connection to the ssh-agent.

You will need your own $HOME/.xinitrc or $HOME/.Xclients file. The last line of such a file would normally be an exec command to start your favourite window manager, e.g. for the basic fvwm2:

  exec /usr/X11R6/bin/fvwm2
Instead of this, you need to exec the ssh-agent and get it to start the window manager:
  exec /usr/bin/ssh-agent /usr/X11R6/bin/fvwm2
For other window managers, various Unixes, Linux variants, etc the details may vary.

Apart from starting your window manager, you also need to add your keys to the agent. This can usually be done by customising the startup of the window manager so that it invokes the ssh-add command. Typically this will try to throw up a small window prompting for your pass phrase.

Forwarding your keys

For all this to work for more than a single ssh hop, you also need to ensure that your connection to your ssh-agent is forwarded to the remote nodes. This is determined by a configuration option in either the system ssh configuration file (/etc/ssh/ssh_config) or else in your own personal ssh configuration file ($HOME/.ssh/config). You should ensure that for all (*) or a set of remote nodes, the agent connection is forwarded. E.g.:
  Host *
    ForwardAgent yes
    ForwardX11 yes
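Forwarding the agent to a node means that anyone with root on that node can use your agent to authenticate as you for as long as you are connected (they cannot read the keys, but they can use them), so `Host *` is the widest possible setting. The script below is an added example, not from the original page: it lists which Host stanzas of a client configuration turn on agent forwarding, and flags a configuration that forwards to every host. It assumes plain OpenSSH ssh_config syntax (keyword and value separated by whitespace, `Host` blocks, `#` comments; `Keyword=value` and `Match` blocks are not handled), and the two sample configurations are constructed. The narrower one forwards only to the DAQ nodes, written with a placeholder name pattern.

```shell
#!/bin/sh
# Added example: audit an ssh client configuration for agent forwarding.
# Assumes OpenSSH ssh_config syntax: "keyword value", Host stanzas, '#' comments.
# (Keyword=value spelling and Match blocks are not handled.) Not the page's code.

# forwarding_hosts FILE: print the Host pattern of each stanza that sets
# ForwardAgent yes. Keywords are matched case-insensitively, as ssh reads
# them. A ForwardAgent before any Host line is reported as "(global)".
forwarding_hosts() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "host" {
            host = $2
            for (i = 3; i <= NF; i++) host = host " " $i
            next
        }
        tolower($1) == "forwardagent" && tolower($2) == "yes" {
            print (host == "" ? "(global)" : host)
        }
    ' "$1"
}

# forwards_to_all FILE: succeed if the agent would be offered to every host.
forwards_to_all() {
    forwarding_hosts "$1" | grep -qxF -e '*' -e '(global)'
}

# Demonstration on two constructed configurations.
demo() {
    tmp=$(mktemp -d)
    # The page's setting: every host you ssh to may use your agent.
    printf 'Host *\n  ForwardAgent yes\n  ForwardX11 yes\n' > "$tmp/wide"
    # Narrower: only the DAQ nodes (placeholder pattern) get the agent.
    printf 'Host daqnode*.example.invalid\n  ForwardAgent yes\nHost *\n  ForwardAgent no\n  ForwardX11 yes\n' > "$tmp/narrow"
    for f in wide narrow; do
        echo "$f forwards the agent to: $(forwarding_hosts "$tmp/$f")"
        if forwards_to_all "$tmp/$f"; then
            echo "  -> forwarded to every host"
        else
            echo "  -> limited to the listed hosts"
        fi
    done
    rm -rf "$tmp"
}
demo
```

Run it as `forwarding_hosts $HOME/.ssh/config` (or on /etc/ssh/ssh_config) to see what a given file grants; because ssh uses the first matching value for each keyword, a specific `Host` stanza must come before `Host *` for the narrower form to take effect, which is why the constructed sample is ordered that way. On a system where a confirmation dialog is acceptable, `ssh-add -c` loads a key so that each use through a forwarded agent has to be confirmed.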


Last updated on 15-Jan-2003 by Murrough Landon