... | ... | @@ -39,6 +39,8 @@ Host login*.cineca.it |
|
|
ProxyCommand ssh -W %h:%p jump.hpc.cineca.it
|
|
|
```
|
|
|
|
|
|
*That's all*: from now on, all connections to Cineca login nodes are going to be mediated by our *bastion host*.
|
|
|
|
|
|
<p>
|
|
|
<details>
|
|
|
<summary>Linux/macOS</summary>
|
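Review bot: The `<p>` wrapped around `<details>` at the end of this hunk is invalid nesting, since `<p>` only accepts phrasing content and an HTML parser closes it implicitly as soon as it reaches `<details>`, leaving an empty paragraph and a stray `</p>` further down. Drop the `<p>` wrapper and keep `<details>` and `<summary>Linux/macOS</summary>` on their own. Separately, the `ProxyCommand ssh -W %h:%p jump.hpc.cineca.it` line shown as context could be written as `ProxyJump jump.hpc.cineca.it` on OpenSSH 7.3 or later, which is shorter and harder to mistype.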
... | ... | @@ -82,7 +84,7 @@ Host login*.cineca.it |
|
|
ControlPath ~/.ssh/sockets/ssh_mux_%h_%p_%r
|
|
|
```
|
|
|
|
|
|
Please note that this mode, based on the [`ControlMaster`](https://linux.die.net/man/5/ssh_config) feature, keeps alive the connection socket as long as it is phisically possible, so if your internet connection is flaky or your laptop goes to sleep, the 2FA code would be required again.
|
|
|
Please note that this mode, based on the SSH [`ControlMaster`](https://linux.die.net/man/5/ssh_config) feature, keeps the connection socket alive as long as it is physically possible, so if your internet connection is wonky or your laptop goes to sleep, the 2FA code would be required again.
|
|
|
|
|
|
<p>
|
|
|
<details>
|
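Review bot: The rewritten `ControlMaster` sentence still says the socket is kept alive "as long as it is physically possible", which does not tell the reader what actually ends the session. State directly that the 2FA prompt returns whenever the master connection drops (network loss, laptop sleep), and use "will be required" rather than "would be required". "wonky" is also more colloquial than the "flaky" it replaces. Since `ControlPath ~/.ssh/sockets/ssh_mux_%h_%p_%r` holds a socket that lets later sessions skip the 2FA prompt, it is worth adding one line telling users to create `~/.ssh/sockets` with mode 700, if the text above this hunk does not already say so.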
... | ... | @@ -95,22 +97,34 @@ This option is not supported on Windows, unless you're using SSH inside WSL. |
|
|
|
|
|
## Enter 2FA code once per client machine
|
|
|
|
|
|
### Linux
|
|
|
<p>
|
|
|
<details>
|
|
|
<summary>Linux</summary>
|
|
|
|
|
|
*TODO*
|
|
|
|
|
|
### Windows
|
|
|
</details>
|
|
|
</p>
|
|
|
|
|
|
<p>
|
|
|
<details>
|
|
|
<summary>Windows</summary>
|
|
|
|
|
|
*TODO*
|
|
|
|
|
|
### macOS
|
|
|
</details>
|
|
|
</p>
|
|
|
|
|
|
The Kerberos implementation shipped by macOS isn't suitable due to its lack of armored token cache, so the instructions provided here rely on [Homebrew](https://brew.sh) to install the correctly functioning version of Kerberos needed to make this procedure work.
|
|
|
<p>
|
|
|
<details>
|
|
|
<summary>macOS</summary>
|
|
|
|
|
|
Unfortunately, the Kerberos implementation shipped by macOS isn't suitable due to its lack of armored token cache, so the instructions provided here rely on [Homebrew](https://brew.sh) to install the correctly functioning version of Kerberos needed to make this procedure work.
|
|
|
|
|
|
1. Install the MIT flavor of Kerberos: `brew install krb5`
|
|
|
2. Donwload the provided Kerberos configuration file `<URL to Cineca config file here>`
|
|
|
3. Tell Kerberos to use the downloaded configuration file: `export KRB5_CONFIG=<config file location>`
|
|
|
4. Run the following script ti obtain the Kerberos ticket. Please note that after `<duration of the ticket lease>` you should run this again to obtain a new ticket:
|
|
|
4. Run the following script to obtain the Kerberos ticket. Please note that after `<duration of the ticket lease>` you should run this again to obtain a new ticket:
|
|
|
```bash
|
|
|
/usr/local/opt/krb5/bin/kinit -n
|
|
|
ARMOR_CCACHE=$(/usr/local/opt/krb5/bin/klist|grep cache:|cut -d' ' -f3-)
|
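Review bot: The script in step 4 hard-codes `/usr/local/opt/krb5/bin/kinit` and `/usr/local/opt/krb5/bin/klist`, which is only the Homebrew prefix on Intel Macs; on Apple Silicon, Homebrew installs under `/opt/homebrew`, so the commands fail there or fall back to the system Kerberos the paragraph warns against. Resolve the path with `$(brew --prefix krb5)/bin/` instead. Step 2 still reads "Donwload", and the `<URL to Cineca config file here>` and `<duration of the ticket lease>` placeholders, together with the `*TODO*` bodies for Linux and Windows, should be filled in or tracked in an issue before this is published as user documentation.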
... | ... | @@ -123,8 +137,8 @@ Host *.cineca |
|
|
GSSAPIDelegateCredentials yes
|
|
|
PreferredAuthentications gssapi-with-mic
|
|
|
```
|
|
|
6. Connect without passwords or 2FA for the duration of the lease:
|
|
|
```bash
|
|
|
$ ssh m100.cineca
|
|
|
```
|
|
|
6. Connect without passwords or 2FA for the duration of the lease.
|
|
|
|
|
|
</details>
|
|
|
</p>
|
|
|
|
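Review bot: `GSSAPIDelegateCredentials yes` at the top of this hunk forwards the user's Kerberos ticket to every host matching `Host *.cineca`, so a usable credential ends up on the login node; the text around step 6 does not say why delegation is needed. Either explain what depends on it (for example onward hops from the login node) or drop the option so the ticket stays on the client. With `PreferredAuthentications gssapi-with-mic` as the only method, an expired ticket results in a failed connection rather than a password or 2FA prompt, so step 6 should point back to step 4 for renewing the ticket. The step is also numbered 6 in both versions of the line; check that the list numbering is still continuous after the edit.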