...
The Alliance strongly recommends that you generate bypass codes as a backup for when your registered devices are not available. You will also need a bypass code to access your account if you lose all of your second factors. To do that you just have to go onto their web page above: Multifactor Authentication Management
and click in the button "Generate 10 codes, each valid for one use" resp. "Générer 10 codes, chacun valide pour une seule utilisation" (on the bottom left of the page).
Connecting with multifactor authentication
...
By default you have to authenticate yourself every time you connect to one of the clusters of The Alliance. But you can configure the computer from which you want to connect to one of the clusters of The Alliance in a way so you will only have to authenticate your first connection but will not get asked to authenticate again for any following connections (from and to the same machine) for as long as your first connection exists and even up to 10 n minutes afterwards.
Linux (UQAM servers) and Mac
...
| Volet |
|---|
| Host narval Hostname narval.computecanada.ca User username ControlPath ~/.ssh/cm-%r@%h:%p ControlMaster auto ControlPersist 10m |
Replace 'username' with your username on Narval. The 'narval' above is just a name given to this "host". You can put here any name you like that does not already exist in your ~/.ssh/config. The '10m' means that you will be able to log in without authentication up to 10 minutes after you closed your last connection to Narval from the same machine. Possible time units for ControlPersist are:
none: seconds, s | S : seconds, m | M: minutes, h | H: hours, d | D: days, w | W: weeks
Combinations are also possible, for example: 1h30m → 1 hour 30 minutes (90 minutes)
Windows users
Check out the wiki of The Alliance: Multifactor authentication
GEM runners
When submitting anything on clusters of The Alliance with "soumet" you will get asked to authenticate. Until I find why this is the case I suggest you add the following lines to your ~/.ssh/config on Narval:
| Volet |
|---|
| Host localhost ControlPath ~/.ssh/cm-%r@%h:%p ControlMaster auto ControlPersist 10000000m |
Like written above. There is nothing you have to replace this time. And keep the:
Host narval
Hostname localhost
you probably already have as well as everything else you might have in the file.
With this addition to your ~/.ssh/config you will get ask once every 19 years on each machine (narval1, narval2, ...) to authenticate when submitting a job with soumet.
Automated workflows
This refers to connections to clusters of The Alliance for which you are not around to authenticate yourself. For example, automated nightly data transfers or job checks with crontabs.
Have a look at the official wiki page of The Alliance:
...
First you need to contact The Alliance (support@tech.alliancecan.ca) and ask them to "add your username to the group which is allowed to use the robot nodes" and tell them what which commands you want to execute (for example 'rsync' or 'squeue' etc.) and what tools or libraries you will be using to manage the automation. They should get back to you with more information - or questions.
...
When prompted with the question "Enter file in which to save the key (/home/username/.ssh/id_ed25519):" you can either just press enter or change the name to, for example:
/home/username/.ssh/ id_ed25519_transfer)
When asked for a passphrase and to repeat it you can just press enter. After this you should have the following two new files:
...
Log in on the following CCDB web site:
https://ccdb.alliancecan.ca/ssh_authorized_keys
Paste In the box in which you are supposed to copy your public SSH key (the content of the file ending on *.pub) in the field indicated. Then precede what you just pasted by"Your key will typically start with ..." resp. "Le début de la clé est habituellement ...") first enter the following:
| Volet |
|---|
| restrict,from="IP_address",command="command" |
Where "IP_address" is the IP address from which you want to connect and "command" is the command you would like to execute. The Alliance already provides a number of wrapper scripts which allow common actions. Have a look at their wiki: Automation in the context of multifactor authentication under "Convenience wrapper scripts to use for command=".
Just after the above, only separated by a space, copy-paste the content of your public SSH key (the content of the file ending on *.pub).
For example, if you want to do automated transfers from Narval to UQAM or vice versa, you should put something like:
| Volet |
|---|
restrict,from="132.208.147.*,132.208.132.239",command="/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/transfer_commands.sh" full_content_of_public_SSH_key |
...