Connecting to LaPalma
Before Connecting
Before you can connect to LaPalma, you need to have an account on that machine. Accounts are tied to projects. If you are IAC staff, please contact us by email at res_support@iac.es and we will tell you how to request a project on LaPalma. If you do not belong to IAC, you should apply for time by submitting a proposal on the RES website. Accounts are personal and non-transferable. Once a project is created, new accounts can be added by the project leader (by requesting them from res_support@iac.es for IAC users, or through the RES website for other users).
Connecting to LaPalma
You must use Secure Shell (ssh) tools to log in to LaPalma or to transfer files into it. We do not accept incoming connections from protocols such as telnet, ftp, rlogin, rcp, or rsh. Once you are logged into LaPalma you cannot make outgoing connections, for security reasons. For more information about the supported secure shell version and how to get ssh for your system (including Windows systems), see the SSH section.
LaPalma does not support authentication based on user and password; it uses a key-based authentication mechanism instead. To get access to LaPalma you have to provide us with your public ssh key via email (res_support@iac.es). See the SSH section for how to generate your own public/private key pair.
Once you have provided your public ssh key you can get into the LaPalma system by connecting to the login node: lapalma1.iac.es.
Here is an example of logging into LaPalma from a UNIX environment:
[mymachine]$ ssh -l usertest lapalma1.iac.es
+----------------------------------------------------------------------+
| |
| Welcome to LaPalma |
| |
| |
| * Please contact res_support@iac.es for questions at any time |
| |
+----------------------------------------------------------------------+
usertest@login1:~>$
If you are on a Windows system, you need to download and install a Secure Shell client to connect to the machine (see the SSH section for more information). Most of these applications are graphical and you will have to fill in some of the fields offered. In the field 'Host name' or 'Remote Host name' you will need to enter: lapalma1.iac.es.
After this procedure you should be logged into LaPalma.
The first time you connect to the LaPalma system, secure shell needs to exchange some initial information to establish the communication. This consists of accepting the RSA key of the remote host: you must answer 'yes' or 'no' to confirm whether you accept this key. If you cannot get access to the system after following this procedure, first consult the SSH section for more detailed information about Secure Shell, or contact us.
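One way to base that yes/no answer on evidence, as an added example that is not part of the original page: compare the key the server offers with a fingerprint obtained out of band. It assumes GNU coreutils on the client and that you have been given the expected fingerprint (EXPECTED_FP is a placeholder); the function names are hypothetical.

```shell
# Added example, not part of the original page. Function names are hypothetical.
# Input line format is what ssh-keyscan prints: "<host> <keytype> <base64-blob>".

# SHA-256 of the decoded key blob, as lowercase hex.
hostkey_sha256_hex() {
    printf '%s\n' "$1" | awk '{print $3}' | base64 -d | sha256sum | cut -d' ' -f1
}

# Convert OpenSSH's "SHA256:<unpadded base64>" form to lowercase hex.
fingerprint_to_hex() {
    b64=${1#SHA256:}
    # OpenSSH strips '=' padding; restore it so base64 -d accepts the value.
    case $(( ${#b64} % 4 )) in
        2) b64="$b64==" ;;
        3) b64="$b64=" ;;
    esac
    # -v stops od from collapsing repeated lines into '*'.
    printf '%s' "$b64" | base64 -d | od -An -v -tx1 | tr -d ' \n'
}

# Returns 0 only when the offered key hashes to the expected fingerprint.
verify_host_key() {
    offered=$(hostkey_sha256_hex "$1")
    expected=$(fingerprint_to_hex "$2")
    if [ -n "$offered" ] && [ "$offered" = "$expected" ]; then
        echo "host key matches the expected fingerprint: answer 'yes'"
        return 0
    fi
    echo "host key does NOT match: answer 'no' and contact support" >&2
    return 1
}

# Usage (needs network). ssh-keyscan output is itself unauthenticated; the
# trust comes from EXPECTED_FP, which must reach you by another channel:
#   verify_host_key "$(ssh-keyscan -t rsa lapalma1.iac.es 2>/dev/null)" "$EXPECTED_FP"
```

The value compared here is the same SHA256 fingerprint that ssh displays in its first-connection prompt.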
Login node
Once you are connected to the machine, you will be presented with a UNIX shell prompt and you will normally be in your home ($HOME) directory. If you are new to UNIX, you will have to learn the basics before you can do anything useful.
The machine you will be logged into is LaPalma (login1). This machine acts as the front end and is typically used for editing, compiling, preparing and submitting batch executions, and as a gateway for copying data into or out of LaPalma.
Caution
Running cpu-bound programs on this node is not permitted. If a compilation needs more cputime than is permitted, it must be done through the batch queue system. It is not possible to connect directly to the compute nodes from the login nodes; all resource allocation is done by the batch queue system.
Graphical applications
You can execute graphical applications from the login node. The only way to do so is to tunnel all the graphical traffic through the established Secure Shell connection.
You will need to have an X server running on your local machine to be able to display the graphical information. Most UNIX flavors have an X server installed by default. In a Windows environment, you will probably need to download and install some type of X server emulator (see the SSH section).
The second step in order to be able to execute graphical applications is to enable, in your secure shell connection, the forwarding of the graphical information through the secure channel created. This is normally done by adding the -X flag to the ssh command you normally use to connect to LaPalma. Here is an example:
[mymachine]$ ssh -X usertest@lapalma1.iac.es
+----------------------------------------------------------------------+
| |
| Welcome to LaPalma |
| |
| |
| * Please contact res_support@iac.es for questions at any time |
| |
+----------------------------------------------------------------------+
usertest@login1:~>$
For Windows systems, you will have to enable the 'X11 forwarding' option, which normally resides in the 'Tunneling' or 'Connection' menu of the client configuration window (see the SSH section for further details).
SSH
ssh is a program that enables secure logins over an insecure network. It encrypts all the data passing both ways, so that if it is intercepted it cannot be read. It also replaces old and insecure tools like telnet, rlogin, rcp, ftp, etc. ssh is client-server software. Both machines must have ssh installed for it to work.
We have already installed an ssh server on our machines. You must have an ssh client installed on your local machine. ssh is available without charge for almost all versions of Unix. IAC recommends the use of the OpenSSH client, which can be downloaded from http://www.openssh.org, but any client compatible with SSH version 2 can be used.
To log in to LaPalma with ssh you have to provide a public key. If you do not already have one, you can generate a public/private key pair with the following instructions.
Generating an ssh key pair on Linux (also for MacOS)
On your own Linux workstation, execute the command ssh-keygen with the following options:
[mymachine]$ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Accept the default location to store the key (~/.ssh/id_ed25519) by pressing Enter (strongly recommended) or enter an alternative location.
Enter file in which to save the key (/home/myuser/.ssh/id_ed25519):
Created directory '/home/myuser/.ssh'.
Enter a passphrase consisting of 10 to 30 characters. The same rules as for creating safe passwords apply. It is strongly advised to refrain from specifying no passphrase.
Enter passphrase (empty for no passphrase):******************************
Enter same passphrase again:******************************
Your identification has been saved in /home/myuser/.ssh/id_ed25519.
Your public key has been saved in /home/myuser/.ssh/id_ed25519.pub.
The key fingerprint is:
SHA256:1fHELFajEIi4FpLB1zL50SmM6BUGn7wmViXK6j8FPXk myuser@mymachine
The key's randomart image is:
+--[ED25519 256]--+
| o=o |
| . * .= |
| = = X S.o |
| . . + * *o |
| .F = O = |
| o + O . o |
|++ ...o O . |
| oo .X . |
| .oE..+o |
+----[SHA256]-----+
You should make absolutely sure that the private key (~/.ssh/id_ed25519) is not accessible by anyone other than yourself (always set its permissions to 0600). The private key must never fall into the hands of another person.
To change the passphrase of an existing key pair, use the command:
[mymachine]$ ssh-keygen -p
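An added example (not from the original page) that checks a key file for the two properties asked for above: owner-only permissions and a passphrase. It assumes the OpenSSH private key format that ssh-keygen -t ed25519 writes; the function names are hypothetical.

```shell
# Added example, not part of the original page. Function names are hypothetical.
# Assumes the OpenSSH private key format written by `ssh-keygen -t ed25519`.

# Octal permission bits: GNU stat first, BSD/macOS stat as fallback.
key_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Decoded key body. It starts with "openssh-key-v1\0", then a 4-byte
# big-endian length, then the cipher name ("none" means no passphrase).
key_bytes() {
    sed '/^-----/d' "$1" | base64 -d 2>/dev/null
}

# Prints none, encrypted, or unknown. Only the first 23 bytes are inspected.
key_protection() {
    magic=$(key_bytes "$1" | head -c 14)
    len=$(key_bytes "$1" | head -c 19 | tail -c 1 | od -An -v -tu1 | tr -d ' \n')
    name=$(key_bytes "$1" | tail -c +20 | head -c 4)
    if [ "$magic" != "openssh-key-v1" ]; then
        echo unknown
    elif [ "$len" = 4 ] && [ "$name" = none ]; then
        echo none
    else
        echo encrypted
    fi
}

# Returns 0 only if no group/other permission bits are set and the key
# is passphrase-protected; prints the fix for each finding otherwise.
audit_private_key() {
    rc=0
    mode=$(key_mode "$1")
    case $mode in
        [0-7]00) ;;
        *) echo "$1: mode $mode is too open, run: chmod 0600 $1"; rc=1 ;;
    esac
    case $(key_protection "$1") in
        encrypted) ;;
        none) echo "$1: no passphrase, run: ssh-keygen -p -f $1"; rc=1 ;;
        *) echo "$1: not an OpenSSH-format private key"; rc=1 ;;
    esac
    return $rc
}
```

Run it as `audit_private_key ~/.ssh/id_ed25519`; a zero exit status means both checks passed.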
Once the public/private key pair is generated, you have to send the public key file ~/.ssh/id_ed25519.pub to res_support@iac.es (please make sure you send us only the public key, while the private key must be kept safe on your computer).
Using the ssh-agent in Linux
When doing lots of secure shell operations it is cumbersome to type the SSH passphrase for each operation. Therefore, the SSH package provides another tool, ssh-agent, which retains the private keys for the duration of an X or terminal session. All other windows or programs are started as clients of the ssh-agent. Starting the agent sets a number of environment variables, which ssh, scp, or sftp use to locate the agent for automatic login. See the ssh-agent man page for details.
After the ssh-agent is started, you need to add your keys by using ssh-add. It will prompt for the passphrase. After the passphrase has been provided once, you can use the secure shell commands within the running session without having to authenticate again.
Using the ssh-agent in a Terminal Session
In a terminal session you need to manually start the ssh-agent and then call ssh-add afterward. There are two ways to start the agent. The first example given below starts a new Bash shell on top of your existing shell. The second example starts the agent in the existing shell and modifies the environment as needed.
[mymachine]$ ssh-agent -s /bin/bash
[mymachine]$ eval $(ssh-agent)
After the agent has been started, run ssh-add to provide the agent with your keys.
Using ssh-agent in an X Session
To invoke ssh-add to add your keys to the agent at the beginning of an X session, do the following:
1. Log in as the desired user and check whether the file ~/.xinitrc exists.
2. If it does not exist, use an existing template or copy it from /etc/skel:
if [ -f ~/.xinitrc.template ]; then mv ~/.xinitrc.template ~/.xinitrc; \
else cp /etc/skel/.xinitrc.template ~/.xinitrc; fi
3. If you have copied the template, search for the following lines and uncomment them. If ~/.xinitrc already existed, add the following lines (without comment signs).
# if test -S "$SSH_AUTH_SOCK" -a -x "$SSH_ASKPASS"; then
#       ssh-add < /dev/null
# fi
4. When starting a new X session, you will be prompted for your SSH passphrase.
Using keychain in MacOS
If you want to load the keys automatically and store the passphrases in the Keychain, you need to modify your ~/.ssh/config file:
Host *
  AddKeysToAgent yes
  UseKeychain yes
  IdentityFile ~/.ssh/id_ed25519
Add the private key to the SSH agent after updating the ssh config file:
[mymachine]$ ssh-add -K ~/.ssh/id_ed25519
Generating an ssh key pair on Windows
On Windows systems IAC recommends the use of putty. It is a free SSH client that can be downloaded from https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html, but any other client compatible with SSH version 2 could be used. The following lines describe how to install, configure and use an ssh client under Windows systems.
Follow these steps if you are using putty (other clients have similar instructions):
1. Download putty and follow the instructions on the web to install it (we recommend installing the full package, which includes putty and other useful tools like puttygen, pageant, pscp, psftp, etc.)
2. Launch PuTTYgen in order to generate the ssh key
3. Select Ed25519 as Type of key and click on Generate
4. Move your mouse randomly, since this is needed to generate strong keys
5. Click on Save public key to store the public key in a file. Send this file containing the public key to res_support@iac.es
6. Enter a passphrase consisting of 10 to 30 characters. The same rules as for creating safe passwords apply. It is strongly advised to refrain from specifying no passphrase
7. After entering the key passphrase, click on Save private key
8. Keep the private key file in a safe location and do not share it with anyone.
Connecting to LaPalma using your private key
The private/public key pair must be generated only once (as described above), and then you will need to specify the very same private key file every time you use putty to connect to LaPalma (lapalma1.iac.es). To do so, go to the putty menu, choose SSH and then click on Auth; there you will find the place where you can specify the file in which your private key is stored. You can avoid specifying the private key every time you want to connect to LaPalma if you use an ssh-agent, as described below.
Using the ssh-agent in Windows
As in the case of Linux, the Putty package provides a tool to avoid typing the SSH passphrase for each connection. The name of the tool is Pageant. You can use it by following these steps:
1. If Pageant is not currently running (when it is running, an icon is displayed in the taskbar), launch it
2. Double-click on the icon in the taskbar and the list of keys will be shown
3. Push Add Key and select the private key previously generated
4. Enter the passphrase
5. The list is now updated and you can click on Close
6. Now it is possible to connect to lapalma1.iac.es with Putty. Launch the application, specify the remote machine and click on Open
7. Finally, a new window will appear asking for your username; specify it and you will connect to LaPalma (no password is required)
Warning
If it is your first connection to the machine, you will get a warning telling you that the host key from the server is unknown, and it will ask whether you agree to cache the new host key; press Yes.
Important
If you see this warning another time and you haven't modified or reinstalled the ssh client, please do not log in, and contact LaPalma support.