...

  • using package manager scoop on PowerShell
  • using Windows Subsystem for Linux (WSL) with a Linux distribution installed from Microsoft Store

Warning: The Putty shell does not support the 2FA system provided by Cineca.

Windows PowerShell

Open PowerShell; the window shown below appears.

...


scoop bucket add smallstep https://github.com/smallstep/scoop-bucket.git

scoop install smallstep/step

  • Verify smallstep
step

...


step ssh login <your-email> --provisioner cineca-hpc

Enter your HPC credentials in the web interface window/tab that opened.

...


step ssh list --raw <user_email> | step ssh inspect


Now you can log in to the cluster.

...


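# Reuse the agent environment saved by a previous shell, if any
if [ -f ~/.bash_agent ]; then
    . ~/.bash_agent
fi

# Non-empty only when the agent holds a certificate whose inspection prints a "Valid" line
steptest=$(step ssh list --raw '<user-email>' | step ssh inspect | grep "Valid")

if [ -z "$steptest" ]; then
    # No certificate found: start a new agent, save its environment, and log in
    eval "$(ssh-agent)"
    echo "export SSH_AUTH_SOCK=$SSH_AUTH_SOCK" > ~/.bash_agent
    echo "export SSH_AGENT_PID=$SSH_AGENT_PID" >> ~/.bash_agent
    step ssh login '<user-email>' --provisioner cineca-hpc
fi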
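The snippet above only tests that a "Valid" line exists. The following added example (not part of the original user guide) reads the end of the validity window so that a login can be triggered shortly before the certificate expires. It assumes `step ssh inspect` prints a line of the form `Valid: from <start> to <end>` with local-time timestamps; the function names and the sample text are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: `step ssh inspect` prints, in local time,
#   Valid: from 2024-01-15T08:00:00 to 2024-01-15T20:00:00
# Adjust the sed pattern if your step version prints the line differently.

# cert_seconds_left INSPECT_TEXT NOW_EPOCH
# Prints the seconds left on the longest-lived certificate in the text,
# or 0 when no parsable "Valid" line is present.
cert_seconds_left() {
    inspect_text=$1
    now=$2
    best=0
    # The agent may hold several certificates: take every "to" timestamp.
    for ts in $(printf '%s\n' "$inspect_text" |
        sed -n 's/^[[:space:]]*Valid: from [^ ]* to \([0-9T:-]*\).*$/\1/p'); do
        # "YYYY-MM-DD hh:mm:ss" is accepted by both GNU and BusyBox date.
        end=$(date -d "$(printf '%s' "$ts" | tr 'T' ' ')" +%s 2>/dev/null) || continue
        left=$((end - now))
        if [ "$left" -gt "$best" ]; then
            best=$left
        fi
    done
    echo "$best"
}

# needs_login INSPECT_TEXT NOW_EPOCH MARGIN_SECONDS
# Succeeds when no certificate outlives NOW by more than the margin.
needs_login() {
    [ "$(cert_seconds_left "$1" "$2")" -le "$3" ]
}

# Constructed sample text, not captured from a real session.
SAMPLE_INSPECT='-:
        Type: ecdsa-sha2-nistp256-cert-v01@openssh.com user certificate
        Key ID: "user@example.org"
        Valid: from 2024-01-15T08:00:00 to 2024-01-15T20:00:00
        Principals:
                user'

# Usage in a profile, renewing when less than 10 minutes remain:
#   out=$(step ssh list --raw '<user-email>' | step ssh inspect 2>/dev/null)
#   if needs_login "$out" "$(date +%s)" 600; then
#       step ssh login '<user-email>' --provisioner cineca-hpc
#   fi
```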


Windows SSH/SFTP Clients

There are many SSH or SFTP clients for Windows that are in common use but are not automatically configured to work with the new 2FA system. It is nevertheless possible to log in with them by using OpenSSH agent forwarding, which can be set up with another tool installable from PowerShell: WinSSH-Pageant.

The procedure is as follows:

- Follow the setup of the Two-factor authentication for PowerShell as documented in our Userguide, up to and including the paragraph “Activation of the ssh-agent”;

- Download WinSSH-Pageant by executing the following command in Powershell: 

winget install winssh-pageant

- You should find a new executable at this path:
C:\Users\$Env:UserName\AppData\Local\Programs\WinSSH-Pageant\winssh-pageant.exe
The only part that differs is $Env:UserName, which is specific to your workstation.
In principle this command has to be launched with its full path, but you may want to set up an easier way to access it. The simplest way is to create an alias:

New-Alias winssh-pageant C:\Users\$Env:UserName\AppData\Local\Programs\WinSSH-Pageant\winssh-pageant.exe 

Keep in mind, though, that PowerShell keeps an alias alive only until the shell is closed. An easy permanent solution is to copy the program winssh-pageant.exe to another folder, for example C:\Users\$Env:UserName\scoop\shims, which was already added permanently to the PATH variable by the previous installation of step and is therefore recognized by PowerShell without having to specify the full path.

- From Powershell, launch the WinSSH-pageant with this command: 

winssh-pageant --sshpipe  

(assuming that you have established a shortcut; otherwise use the full path as mentioned previously)

It is possible to check if the previous command worked and a WinSSH-pageant process is active, with the command:

Get-Process | Select-String pageant 

The expected output is as in this screenshot:


Now, every time you need to create a new certificate, you can use the usual step command from PowerShell:


step ssh login <your-email> --provisioner cineca-hpc 

At this point you can connect with an SSH/SFTP client by opening a session with a specific configuration, which can usually be saved for subsequent use.

The method has been tested with the following clients:

Putty: 
In the login window, check the category “Connection --> SSH --> Auth” and be sure that the boxes “Attempt authentication using Pageant” and “Allow agent forwarding” are ticked. 



WinSCP: 
In the login window, from the Advanced settings go to “SSH --> Authentication” and tick the boxes “Attempt authentication using Pageant” and “Allow agent forwarding”. Be sure that the file protocol is set to “SCP”.


Note: If you try to edit an already saved site, the ssh-agent may not be recognized. If this is the case, we recommend creating a new site from scratch and configuring it accordingly. The new site can then be saved and will keep working.
Note: In certain cases, we noted that the procedure may not work on the first try, and you will get an error at login even if everything is in order. In most cases, a simple reboot of your workstation solves the problem and the issue will not occur again.


Filezilla: 
In your site configuration, be sure that the Protocol is set to “SFTP - SSH File Transfer Protocol” and the Logon type is set to “Normal”. 



MobaXTerm:

In the upper menu bar with the general options, make sure that in "Settings" → "Configuration" → "SSH" the box "Use external Pageant" is ticked (it should be by default).


After that, opening a simple ssh session should do.




Other SSH/SFTP clients don’t seem to work with this method and are currently not supported by CINECA (for example BitviseSSH), or haven’t been tested yet. We will keep updating the Userguide as other clients are proven compatible.