...

Below you find some tips from me:


Enroll & manage Multifactor Authentication

You can enroll your Alliance account in multifactor authentication, and manage it afterwards, by logging in to the following CCDB web site:
    Multifactor Authentication Management

...

The Alliance strongly recommends that you generate bypass codes as a backup for when your registered devices are not available. You will also need a bypass code to access your account if you lose all of your second factors. To generate them, go to the web page above (Multifactor Authentication Management) and click on the button "Generate 10 codes, each valid for one use" (in French: "Générer 10 codes, chacun valide pour une seule utilisation") at the bottom left of the page.

Connecting with multifactor authentication

Once multifactor authentication is activated for your account, you will see the following message when connecting to one of the clusters of The Alliance:

...

  • open the Duo Mobile app, generate a new code, type it in the terminal and then press 'Enter', or
  • type '1' and then press 'Enter'. You will then get a message in your Duo Mobile app asking you to confirm that it is really you who wants to connect.
  • enter a bypass code if the options above do not work

Configuration to authenticate only once

By default you have to authenticate yourself every time you connect to one of the clusters of The Alliance. You can, however, configure the computer from which you connect so that you only have to authenticate your first connection. Any following connections (from and to the same machine) will not ask you to authenticate again for as long as your first connection exists, and even up to n minutes afterwards.

Linux (UQAM servers) and Mac

When connecting from a Linux machine (like our UQAM servers) or from a Mac you can edit your file ~/.ssh/config. For example, if you want to connect to Narval you can add something like the following to your ~/.ssh/config:

...

Combinations are also possible, for example: 1h30m → 1 hour 30 minutes (90 minutes)
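
A long persist time means the authenticated master connection, and the socket through which new sessions skip the MFA prompt, stays open that long. As an added example (not part of the original page), the script below converts such time values to seconds and lists the entries of an ssh config that exceed a limit you choose. It assumes the setting in question is OpenSSH's ControlPersist; the hosts "batch" and "legacy" in the sample are made up.

```shell
# persist_seconds SPEC: print an OpenSSH time value (see TIME FORMATS in
# sshd_config(5)) in seconds; return 1 if SPEC is malformed.
persist_seconds() {
    spec=$1 total=0
    case $spec in ''|*[!0-9smhdwSMHDW]*) return 1 ;; esac
    while [ -n "$spec" ]; do
        num=${spec%%[!0-9]*}                 # leading digits
        [ -n "$num" ] || return 1            # a unit with no number before it
        spec=${spec#"$num"}
        while [ "${num#0}" != "$num" ] && [ "${#num}" -gt 1 ]; do num=${num#0}; done
        unit=${spec%"${spec#?}"}             # next character: the unit, if any
        spec=${spec#?}
        case $unit in
            m|M) mult=60 ;; h|H) mult=3600 ;; d|D) mult=86400 ;;
            w|W) mult=604800 ;; *) mult=1 ;;   # s, S or no unit: seconds
        esac
        total=$((total + num * mult))
    done
    echo "$total"
}

# audit_persist MAX: read an ssh config on stdin and print each ControlPersist
# that keeps the authenticated master connection longer than MAX seconds.
audit_persist() {
    max=$1 host='(global)'
    while read -r key val rest; do
        case $(printf '%s' "$key" | tr 'A-Z' 'a-z') in
            host) host=$val ;;
            controlpersist)
                case $val in
                    no) continue ;;
                    yes|0) echo "$host $val unbounded"; continue ;;
                esac
                secs=$(persist_seconds "$val") || { echo "$host $val invalid"; continue; }
                if [ "$secs" -gt "$max" ]; then echo "$host $val ${secs}s"; fi ;;
        esac
    done
}
sample_config() {   # constructed input; "batch" and "legacy" are made-up hosts
    cat <<'EOF'
Host narval
    ControlPersist 1h30m
Host batch
    ControlPersist 600w
Host legacy
    ControlPersist yes
EOF
}
sample_config | audit_persist 7200
```

To audit your own settings, run `audit_persist 7200 < ~/.ssh/config`; an open master connection can be closed early with `ssh -O exit <host>`.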

Windows users

Check out the wiki of The Alliance: Multifactor authentication

GEM runners

When submitting anything on clusters of The Alliance with "soumet" you will get asked to authenticate. Until I find out why this is the case, I suggest you add the following lines to your ~/.ssh/config on Narval:

...

With this addition to your ~/.ssh/config you will get asked once every 19 years on each machine (narval1, narval2, ...) to authenticate when submitting a job with soumet.

Automated workflows

This refers to connections to clusters of The Alliance for which you are not around to authenticate yourself. For example, automated nightly data transfers or job checks with crontabs.
Have a look at the official wiki page of The Alliance:

...

And here are some tips from me:

Contact The Alliance

First you need to contact The Alliance (support@tech.alliancecan.ca) and ask them to "add your username to the group which is allowed to use the robot nodes" and tell them which commands you want to execute (for example 'rsync' or 'squeue' etc.) and what tools or libraries you will be using to manage the automation. They should get back to you with more information - or questions.

Once you have the okay from The Alliance to proceed you need to manage your SSH keys.

Manage your SSH keys

For this you can either use an SSH key you already have or create a new one.

Create a new SSH key

The specific process to generate an SSH key pair depends on the operating system you use. For the Windows PuTTY or MobaXterm clients, see Generating SSH keys in Windows. For a Unix-like environment (Linux, Mac, WSL or Cygwin), see Using SSH keys in Linux.

Create a new SSH key for Linux (UQAM servers)

On any of our internal UQAM servers go into your ~/.ssh directory:

...

id_ed25519_transfer            # private key - never share!!!
id_ed25519_transfer.pub   # public key

Upload your public SSH key to the CCDB

Log in on the following CCDB web site:
    https://ccdb.alliancecan.ca/ssh_authorized_keys

...

Then give or change the "Description" (optional but recommended) and click on "Add Key".
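
A key used for unattended access is only as limited as the options placed in front of it. As an added example (not from the original page or from The Alliance), the function below reports which constraints are missing from a public key line before you paste it into the form. It assumes the constraints are the OpenSSH authorized_keys options restrict, from= and command=; the key material, address pattern and script path in the samples are placeholders, and backslash-escaped quotes inside a value are not handled.

```shell
# missing_constraints LINE: print which of the options restrict, from= and
# command= are absent from an authorized_keys-style public key line.
missing_constraints() {
    rest=$1 skel='' inq=0 missing=''
    # Copy the options field (text before the first unquoted space) into skel,
    # dropping quoted values so commas or spaces inside them cannot mislead us.
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}; rest=${rest#?}
        case $c in
            '"') inq=$((1 - inq)); continue ;;
            ' ') if [ "$inq" -eq 0 ]; then break; fi ;;
        esac
        if [ "$inq" -eq 0 ]; then skel=$skel$c; fi
    done
    # A first field that is already a key type means there are no options.
    case $skel in ssh-*|ecdsa-*|sk-*) skel='' ;; esac
    for opt in restrict from= command=; do
        case ",$skel," in *",$opt,"*) ;; *) missing="$missing $opt" ;; esac
    done
    echo "${missing# }"
}

# Constructed samples: key material, address pattern and script path are
# placeholders, not values from the Alliance.
GOOD='restrict,from="192.0.2.*",command="/path/to/allowed_commands.sh" ssh-ed25519 AAAA_PLACEHOLDER robot'
BARE='ssh-ed25519 AAAA_PLACEHOLDER me@uqam'
for k in "$GOOD" "$BARE"; do
    m=$(missing_constraints "$k")
    echo "${m:-ok: all three constraints present}"
done
```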

Issue commands without being asked for authentication

Once you have done all of the above correctly, you can issue the commands you specified in the SSH key above without being asked for authentication. For example, you can now copy data from Narval to UQAM (issued from an internal UQAM server) with:

...

Again, for more information have a look at their wiki: Automation in the context of multifactor authentication, under "Using the right key".

Create host to simplify commands

You can create a "host" which includes the name of your private SSH key to avoid having to put it in every command. For example, add the following lines to your ~/.ssh/config file (on our UQAM servers), so they get picked up by any ssh client invocation:

...