Setting up your account for easier access
Pre-requisite:
- By now, you have probably received an account information packet from the Teragrid help desk (through snail mail).
If you don't have a Teragrid account or have not applied for one yet, then visit our Request a Teragrid Account webpage for details.
If you are ready to proceed:
- Next, you need to set up your account to enable SSH-key and Certificate based authentication.
Click on one of the following links.
Also recommended:
- We also recommend you take a look at the "Access to the Teragrid (SSH/GSI-SSH)" section of the Teragrid UserInfo documentation website.
SSH key based authentication:
Following are the steps to set up SSH keys.
Note: Optional steps are shown in gray color.
Important point to note: You'll create an SSH key-pair only once on your workstation or laptop; you'll be transferring (or copying and pasting) the public key part of that key-pair into the various resources you might use.
Unix workstation (and MacOS X) users:
- SSH key-pair generation:
Note: Skip this step if you wish to use your existing key-pair and move to the "Getting your SSH public key into the authorized_keys file at various sites" step.
Check if there is an existing .ssh directory and move it out of the way unless you wish to use your old key-pair.
    [agopu@aglaptop agopu]$ ls -latrd .ssh
    drwx------ 2 agopu agopu 4096 Oct 09 12:00 .ssh
    [agopu@aglaptop agopu]$ mv ~/.ssh ~/.ssh_old
Create a new key-pair; it will ask for a passphrase, so enter a secure, hard-to-guess passphrase.
    [agopu@aglaptop agopu]$ ssh-keygen -t dsa
    Generating public/private dsa key pair.
    Enter file in which to save the key (/home/agopu/.ssh/id_dsa):
    Created directory '/home/agopu/.ssh'.
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/agopu/.ssh/id_dsa.
    Your public key has been saved in /home/agopu/.ssh/id_dsa.pub.
    The key fingerprint is:
    . . .
- Check if a public key (id_dsa.pub) and a private key (id_dsa) are present in the .ssh directory. Also make sure the private key is readable only to yourself.
    [agopu@aglaptop agopu]$ ls -latrd .ssh
    drwx------ 2 agopu agopu 4096 Oct 19 14:58 .ssh
    [agopu@aglaptop agopu]$ ls -latr .ssh
    -rw-r--r-- 1 agopu agopu 622 Oct 19 14:58 id_dsa.pub
    -rw------- 1 agopu agopu 736 Oct 19 14:58 id_dsa
- Getting your SSH public key into the authorized_keys file at various sites
Depending on whether or not a site allows password based logins [see below], there are two ways to get your SSH public key into a TG-system's authorized_keys file.
- Site allows password based login? Avoid hassle, do it yourself: For sites
that allow password based logins [NCSA, SDSC], go ahead and login to their
system. Then edit your ~/.ssh/authorized_keys file to add your new SSH
public key. The example below shows how you can set up your SSH public key at NCSA.
- Add your SSH public key to the remote site's ~/.ssh/authorized_keys file.
    [ag@aglaptop ag]$ cat .ssh/id_dsa.pub | \
        ssh tg-login.ncsa.teragrid.org "cat >> ~/.ssh/authorized_keys"
Note: Though highly unlikely, if you happen to get an error saying Directory ~/.ssh does not exist, then you'll need to login to the remote site first and create a ~/.ssh directory:
[ag@aglaptop ag]$ ssh tg-login.ncsa.teragrid.org "mkdir ~/.ssh"
- No Password based login? If a site does not allow password based logins, then follow the instructions given in the No Password based login section.
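The append step above, as an added shell example (not from the original page): it creates the .ssh directory with owner-only modes when it is missing, rejects a private key or a multi-line Ssh.com-format file, and skips a key that is already listed. The function name install_pubkey, its arguments and the sample key line are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original page. install_pubkey and its
# arguments are names chosen here; the demo key is constructed.

# install_pubkey PUBKEY_FILE [SSH_DIR]: append the key to
# SSH_DIR/authorized_keys exactly once, creating SSH_DIR if missing.
install_pubkey() {
    pub=$1
    dir=${2:-$HOME/.ssh}
    auth=$dir/authorized_keys

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # Never let a private key reach the server by mistake.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub looks like a private key" >&2; return 1
    fi

    # OpenSSH public keys are one line: "<type> <base64> [comment]".
    # ssh-dss is listed because this page uses DSA; OpenSSH has disabled it by default since 7.0.
    [ "$(grep -c . "$pub")" -eq 1 ] || { echo "expected one key line" >&2; return 1; }
    line=$(grep . "$pub")
    case $line in
        ssh-dss\ AAAA*|ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-*\ AAAA*) ;;
        *) echo "not an OpenSSH public key line" >&2; return 1 ;;
    esac

    # Covers the "Directory ~/.ssh does not exist" case and sets the
    # owner-only modes: 700 on the directory, 600 on the file.
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Compare key type and blob only, so the same key with a different
    # comment is not appended twice.
    key=$(printf '%s\n' "$line" | awk '{ print $1 " " $2 }')
    if awk -v k="$key" '($1 " " $2) == k { hit = 1 } END { exit !hit }' "$auth"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$auth"
}

# Demo in a scratch directory, using a constructed key line.
demo=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructedEXAMPLEkey agopu@aglaptop\n' > "$demo/id.pub"
install_pubkey "$demo/id.pub" "$demo/.ssh"
install_pubkey "$demo/id.pub" "$demo/.ssh"   # second run adds nothing
grep -c . "$demo/.ssh/authorized_keys"        # prints 1
```
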
You might find useful information about setting up SSH authentication on Windows/Macs on the Caltech "Account Setup" page.
If you use SSH.COM's Secure Shell software:
Important: This method only works for sites that accept password based logins [NCSA, SDSC]. For all other sites, we are still investigating how we could let you login with your Windows based SSH.com type key. Please contact us at hpc [at] indiana.edu if you have any questions.
Note: This should be relevant to most Windows users at Indiana University. Skip steps 1, 2, 3 if you already have a Ssh.com type key on your Windows PC.
- Open Windows SSH software; under menu options, choose:
Edit -> Settings
- On the "Settings" window, click your way through "Global Settings => User Authentication => Keys"
- Click on the "Generate New..." button
- Then click "Next", choose key type (recommended: DSA) and key length (recommended: 1024 or more) and then click "Next" again.
- The software will generate a public key - private key pair, this might take a few seconds. Then click "Next" and enter a file name (we prefer id_dsa_sshcom or id_rsa_sshcom depending on your key type)
- You'll also have to enter a passphrase - select a safe passphrase which is not easy to guess and then click "Next".
- Now that your Ssh.com type keys are created, you will have to upload them to any site where you want passphrase access. To do this, follow these steps or just ftp the public key (file ending with .pub extension) over to the server side under the .ssh directory:
- Connect the site as you would normally do, using your password.
- Then, again, go to "Edit => Settings" on the menu and back to "Global Settings => User Authentication => Keys" on the Settings window (same as illustrated in steps 1 and 2)
- Select the key you just created under the list of keys shown, then click "Upload..."; Type ".ssh" in the "Destination Folder" text box and click on "Upload". This should load up your id_dsa_sshcom.pub file into the ~/.ssh/ directory on the Teragrid site; i.e. you should be able to see it by doing an ls.
    ncsa/agopu> ls -latr ~/.ssh/id_dsa_sshcom1024.pub
    -rw-r--r-- 1 agopu hpc 715 2004-10-28 17:11 .ssh/id_dsa_sshcom1024.pub
- Then use ssh-keygen to convert the Ssh.com type key to OpenSSH type key as follows:
    ncsa/agopu> ssh-keygen -i -f \
        ~/.ssh/id_dsa_sshcom1024.pub > ~/.ssh/id_dsa_openssh1024.pub
    ncsa/agopu> cat ~/.ssh/id_dsa_openssh1024.pub >> ~/.ssh/authorized_keys
    ncsa/agopu> rm ~/.ssh/authorization ~/.ssh/id_dsa_sshcom1024.pub
- The cat line shown above will concatenate your public key to the authorized_keys file. Also, it's a good idea to delete the Ssh.com key and its own authorization file.
The next time you try to login to the same server, the SSH software should ask you for your passphrase instead of the password. Shown below is a screenshot of what you could possibly see - depending on the version of SSH software you use, etc. If you are interested in looking at screenshots of the entire process above, then check out the Using SSH for More Secure Connections page.
If you use PUTTY software for SSH access:
- Download Putty: To download Putty and its key generation software, PuttyGen, go to the Putty download page; you will need both putty.exe as well as puttygen.exe.
- Generate key-pair:
- Once you have puttygen.exe on your local workstation, double click on it.
- Choose the key type (SSH2 DSA or SSH2 RSA only...recommended: SSH2 DSA) and key length (1024 or 2048).
- Then click on "Generate". You will be asked to move your mouse over the blank area on the upper part of the window; please do so till key generation is finished :-)
- Once the key generation is finished (you'll know, since the window will change and a key will appear on the top of it), you will have to do three things:
- Enter a passphrase that's not easy to guess and then save your keys using the "Save public key" and "Save private key" buttons.
(Important: You _should_ save both keys for this to work. Give some meaningful names based on the encryption algorithm, etc.; e.g.: id_dsa_openssh2048)
- Getting your SSH public key into the authorized_keys file at various sites
Depending on whether or not a site allows password based logins [see below], there are two ways to get your SSH public key into a TG-system's authorized_keys file.
- Password based login? Avoid hassle, do it yourself: For sites that allow password based logins [NCSA, SDSC], go ahead and login to their system. Then edit your ~/.ssh/authorized_keys file to add your new SSH public key. For example, let us say you want to install your public key to NCSA's tg-login node, then you could copy and paste it to a file on the server and then cat it to the authorized_keys file as shown below:
- Select the entire public key under the "Public key for pasting into OpenSSH authorized_keys file:" heading and then copy it (right-click => copy). Then login to your server and add the contents you copied to the ~/.ssh/authorized_keys file.
    ncsa/agopu> cat > ~/.ssh/id_dsa_openssh2048.pub
    ssh-dss AAAAB3NzaC1kc3MAAAEASEPTcxrwXgrZ8dU3arM+XvyBu6 . . . . . .
    [Press Ctrl + D to save and quit]
    ncsa/agopu> cat ~/.ssh/id_dsa_openssh2048.pub >> \
        ~/.ssh/authorized_keys
- Next, close the puttygen program and open the putty program by double-clicking on putty.exe.
- Create a new profile for the server you want to connect to i.e. enter hostname in the textbox, make sure SSH is selected, enter a name for the profile and then click on "Save".
- Then, under "Category:", go to "Connection => SSH => Auth" and click on "Browse". This will enable you to select the private key file you saved a few mins ago (it's the file with extension .ppk).
- Now you should be all set. Just click on "Open" and then enter username. Enter Passphrase when prompted. Also, the next time you want to login to the same server, open putty and then click on the saved profile (from the list shown) and then click "Load".
- If a site does not allow password based logins, then follow the instructions given in the No Password based login section.
- No Password based login? Email help [at] teragrid.org: For sites that do not allow password based logins [IU, PSC, Caltech, UC/ANL], you'll need to send an e-mail, with the public key attached, to help [at] teragrid.org. See the list below for recommended email-subject lines; this is not mandatory, but we have found it expedites the process! Individual tickets will be assigned for each site for this purpose and someone from each site will contact you in this regard. (Important: Please do not copy and paste the public key to the email body. Send it to help [at] teragrid.org as an attachment).
Recommended subject for use in email to help [at] teragrid.org especially for sites that do not allow password based logins.
- Caltech: "Attn: Caltech Account Management"
- ANL: "Attn: UC/ANL Account Management"
- IU: "Attn: Indiana University Account Management"
GSI-SSH key based authentication (Globus certs):
Following are the steps to set up your certificate at each site; this will enable you to access TG resources using gsi-ssh authentication.
Assumption:
It is assumed you already have a Globus certificate recognized by Teragrid. If you do not have a cert. yet then you could get one by visiting the Creating a cert. section of the Teragrid UserInfo documentation website and following instructions on the page. For example, the NCSA CA link clearly explains how you could get a NCSA cert.
Note: Optional steps are shown in gray color.
- Check if there is an existing .globus directory and move it out of the way if you wish to create/use a new certificate.
    [agopu@aglaptop agopu]$ ls -latrd .globus
    drwx------ 2 agopu agopu 4096 Oct 09 13:00 .globus
    [agopu@aglaptop agopu]$ mv ~/.globus ~/.globus_old
- Copy certificate files to .globus directory:
After making sure there are no existing certs, which you might over-write, copy your certificate files into the .globus directory. For example, if you have an NCSA cert that sits on ~/.globus/ directory on tg-login.ncsa.teragrid.org, and you want to do gsissh to IU's tg-login1, then you could use scp to copy the certs over.
    ncsa/agopu> ls -latr ~/.globus/
    total 20
    -rw------- 1 agopu agg 1743 2004-10-06 16:26 userkey.pem
    -rw------- 1 agopu agg 4946 2004-10-06 16:26 usercert.pem
    -rw------- 1 agopu agg 2830 2004-10-06 16:26 usercert.p12
    ncsa/agopu> scp -rd ~/.globus agopu@tg-login1.iu.teragrid.org:.
- Create a proxy at originating site
Using grid-proxy-init, create a proxy at the originating site (Eg: NCSA used below).
    ncsa/agopu> grid-proxy-init
    Your identity: /C=US/O=National Center for Supercomputing Applications/CN=. . .
    Enter GRID pass phrase for this identity:
    Creating proxy .................................. Done
    Your proxy is valid until: Thu Oct 21 05:03:30 2004
- Use gsissh to login to remote system
    ncsa/agopu> gsissh agopu@tg-login1.iu.teragrid.org
- Misc:
Getting information about your proxy:
    ncsa/agopu> grid-proxy-info
    subject : /C=US/O=National Center for . . . /CN=. . ./CN=proxy
    ...
Destroying proxy:
    ncsa/agopu> grid-proxy-destroy




