Windows Native SSH client

This short tutorial describes how to connect to a CÉCI cluster from a Windows PowerShell using the native Windows SSH client. It has been tested on Windows 11 but should be valid for an up-to-date Windows 10 installation.

Clusters

All CÉCI users can connect to any of the following clusters:

  • Lyra: lyra.ulb.be
  • Lemaitre4: lemaitre4.cism.ucl.ac.be
  • Nic5: nic5.uliege.be
  • Hercules2: hercules.ptci.unamur.be
  • Dragon2: dragon2.umons.ac.be
  • Dragon1: dragon1.umons.ac.be

To decide which cluster is better suited for your kind of jobs, please check the details about them in the CÉCI clusters page.

Gateways

As the clusters are not accessible from outside the university networks, you will need to use an SSH gateway and, in some cases, the university VPN. Going through an SSH gateway can be entirely transparent provided your client is correctly configured. The CÉCI does not offer a centralized gateway service, so you will have to use the one provided by the university you belong to:

  • UCL: Use gwceci.cism.ucl.ac.be as SSH gateway with your CÉCI account. See the CISM documentation.
  • ULB: Use gwceci.ulb.ac.be as SSH gateway with your CÉCI account. You will also need to use a VPN if you are outside Belgium.
  • UMons: Contact the local support team to learn how to set up the VPN, then use dragon2.umons.ac.be as gateway.
  • UNamur: Use gwceci.unamur.be with your UNamur identity (eID).
  • ULiège: Use gwceci.uliege.be with your CÉCI account AND use the ULiège VPN.

1. Get the private CÉCI key

To get the private key, you need to create or renew your CÉCI account.

Note

Please note that after you receive the email with your key confirming that your account is active, you might need to wait up to ~20 minutes maximum until access is enabled on all the clusters.

For some universities, the CÉCI public key needs to be set in the gateway, and this can take some hours.

To follow this tutorial, you need to start a PowerShell terminal: press the Windows + R keys together, type powershell in the dialog box and press Enter.

  1. Once you have received your private key by email, store it in a safe location. The most rational place to store it is in your .ssh folder in your home directory. The first step is to create this folder and hide it so that it does not appear in the file explorer. To do so, run the following commands:

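    # -Force makes these commands safe to re-run if .ssh already exists or is already hidden
    New-Item -Path "$env:USERPROFILE\.ssh" -ItemType Directory -Force
    $sshDir = Get-Item "$env:USERPROFILE\.ssh" -Force
    $sshDir.Attributes = $sshDir.Attributes -bor [System.IO.FileAttributes]::Hidden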
    
  2. The next step is to copy your SSH key to the newly created .ssh folder with the command:

    Copy-Item "C:\Path\To\id_rsa.ceci" -Destination "$env:USERPROFILE\.ssh"
    

    In the above command, you need to replace C:\Path\To\id_rsa.ceci with the actual location of the key you received via email. To get this path, from the File Explorer, right-click on the key file, select Copy as path and paste the path in your terminal.
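The Windows OpenSSH client refuses to use a private key file that other user accounts can access, so it is worth checking the file's permissions once it is in place. The following is an added example, not part of the original tutorial; it assumes the key sits at the location used in step 2 and relies on the well-known SIDs for SYSTEM and Administrators.

```powershell
# Added example: check who can access the private key and tighten the ACL if needed.
$key = Join-Path $env:USERPROFILE '.ssh\id_rsa.ceci'   # location used in step 2

# Compare SIDs rather than account names so the check also works on
# non-English Windows installations.
$me      = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$allowed = @(
    $me,
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544'    # BUILTIN\Administrators
)

# Read every access rule (explicit and inherited) with identities expressed as SIDs.
$sidType = [System.Security.Principal.SecurityIdentifier]
$rules   = (Get-Acl -Path $key).GetAccessRules($true, $true, $sidType)
$extra   = @($rules | Where-Object { $allowed -notcontains $_.IdentityReference.Value })

if ($extra.Count -eq 0) {
    Write-Host "OK: only you, SYSTEM and Administrators can access $key"
} else {
    Write-Warning "Other accounts can access ${key}:"
    $extra | Format-Table IdentityReference, FileSystemRights, IsInherited

    # Drop inherited entries and the extra accounts, then grant yourself read access.
    icacls.exe $key /inheritance:r | Out-Null
    foreach ($sid in ($extra.IdentityReference.Value | Select-Object -Unique)) {
        icacls.exe $key /remove "*$sid" | Out-Null
    }
    icacls.exe $key /grant:r "*${me}:(R)" | Out-Null

    # Show the resulting ACL.
    icacls.exe $key
}
```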

2. Connect to a cluster

Even if you are used to using ssh.exe on the command line, having to go through a gateway makes the connection command too cumbersome to type every time. We will therefore show you how to create an ssh_config file to simplify this.

  1. Go to our ssh config wizard, which will help you create the configuration for your university.

  2. Select your university and provide the required information.

  3. Use the Notepad application to create and edit the configuration file .ssh\config e.g.:

    New-Item -Path "$env:USERPROFILE\.ssh\config" -ItemType File
    notepad.exe "$env:USERPROFILE\.ssh\config"
    

    If the file doesn't exist, click Yes to create it, then copy-paste the contents provided by the wizard and save the file.

  4. Now everything is set, you can do your first connection using the command:

    ssh.exe cecicluster
    

where cecicluster should be replaced by one of the Host aliases for the CÉCI clusters: lemaitre4, lyra, hercules, dragon1, dragon2 or nic5.

Note

If it is the first time you use the private key and/or your agent is not running, you will be asked for the key passphrase twice: once for the gateway connection and once for the cluster connection.

If everything worked properly, you should be greeted by a message similar to:

Welcome to
     __    __ ______  ______  _______
    |  \  |  \      \/      \|       \
    | ▓▓\ | ▓▓\▓▓▓▓▓▓  ▓▓▓▓▓▓\ ▓▓▓▓▓▓▓
    | ▓▓▓\| ▓▓ | ▓▓ | ▓▓   \▓▓ ▓▓____
    | ▓▓▓▓\ ▓▓ | ▓▓ | ▓▓     | ▓▓    \
    | ▓▓\▓▓ ▓▓ | ▓▓ | ▓▓   __ \▓▓▓▓▓▓▓\
    | ▓▓ \▓▓▓▓_| ▓▓_| ▓▓__/  \  \__| ▓▓
    | ▓▓  \▓▓▓   ▓▓ \\▓▓    ▓▓\▓▓    ▓▓
     \▓▓   \▓▓\▓▓▓▓▓▓ \▓▓▓▓▓▓  \▓▓▓▓▓▓

the new (January 2021) ULiege/CECI cluster, featuring:
70 nodes with two 32 cores AMD EPYC Rome 7542 cpus at 2.9 GHz and 250 GB of RAM, 3 nodes with 1 TB of RAM,
520 TB of fast BeeGFS $GLOBALSCRATCH and a 100 Gbps Infiniband HDR interconnect (blocking factor 1,2:1),
for a total of 4672 cores. Max walltime is 2 days. See also https://www.campus.uliege.be/nic5

 Contact, support: https://support.ceci-hpc.be/cecihelp/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

CÉCI clusters: Dragon1 - Dragon2 - Hercules2 - NIC5 - Lemaitre4

    Don't know where to start?
        --> http://www.ceci-hpc.be/install_software.html
        --> http://www.ceci-hpc.be/slurm_tutorial.html

<yourUserId>@nic5-login1 ~ $

Note

Upon your very first connection to each CÉCI cluster, you will be greeted by a warning such as:

The authenticity of host 'my-ceci-cluster.example.com (XXX.XXX.XX.XX)' can't be established.
RSA key fingerprint is SHA256:aqUPC4C8gkBjgCUMpHt3kzpciSkQcKR2gNOahnbZN3c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ceci-cluster.ac.be,XXX.XXX.XX.XX' (RSA) to the list of known hosts.

This warning is normal: the SSH program is telling you that it is the first time it sees this computer. To make sure you are actually connecting to the right machine, compare the RSA key fingerprint shown in the message with the fingerprint announced in the Access section of the CÉCI cluster page. The fingerprint can be based on the MD5 or SHA-256 hash function.

If they match, it is safe to proceed and enter yes. The host key will be stored and used on every subsequent SSH connection to check that the server is still the same.
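If you want to re-check a host key after it has been stored, the fingerprint can be read back from your known_hosts file with ssh-keygen.exe and compared with the published one. The following is an added example, not part of the original tutorial; the function name is hypothetical and the published fingerprint in the usage line is a placeholder to be replaced with the value from the CÉCI cluster page.

```powershell
# Added example: compare the host key stored in known_hosts with a published fingerprint.
function Test-KnownHostFingerprint {
    param(
        [Parameter(Mandatory)] [string] $HostName,   # e.g. nic5.uliege.be
        [Parameter(Mandatory)] [string] $Published   # copied from the CÉCI cluster page
    )
    $Published = $Published.Trim()

    # MD5 fingerprints are 16 colon-separated hex pairs; anything else is treated as SHA-256.
    if ($Published -match '^(MD5:)?(?<hex>([0-9a-fA-F]{2}:){15}[0-9a-fA-F]{2})$') {
        $alg  = 'md5'
        $want = 'MD5:' + $Matches['hex'].ToLower()
    } else {
        $alg  = 'sha256'
        $want = 'SHA256:' + ($Published -replace '^SHA256:', '')
    }

    # -F looks the host up in known_hosts, -l prints fingerprints, -E selects the hash.
    $stored = @(ssh-keygen.exe -l -E $alg -F $HostName 2>$null |
                Where-Object { $_ -notmatch '^#' })
    if ($stored.Count -eq 0) {
        Write-Warning "No known_hosts entry for $HostName yet."
        return $false
    }

    # The fingerprint is one whitespace-separated field of each line (case-sensitive match).
    $hits = @($stored | Where-Object { ($_ -split '\s+') -ccontains $want })
    if ($hits.Count -gt 0) {
        Write-Host "Match: $($hits[0])"
        return $true
    }

    Write-Warning "Published fingerprint does not match any stored key for ${HostName}:"
    $stored | ForEach-Object { Write-Warning "  $_" }
    Write-Warning "If the entry is wrong, remove it with: ssh-keygen.exe -R $HostName"
    return $false
}

# Usage (placeholder fingerprint):
# Test-KnownHostFingerprint -HostName 'nic5.uliege.be' -Published 'SHA256:<fingerprint from the CÉCI cluster page>'
```

A host may have keys of several types stored, so a mismatch can also mean that the page publishes the fingerprint of a different key type than the one your client accepted.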

3. Using an SSH agent to avoid typing the passphrase at each login

You can further ease the process by using an SSH agent which will remember the passphrase so you do not have to type it each time you issue the SSH command.

The first step is to enable automatic startup of the agent so that you don't need to start it every time you reboot your computer. You need administrative privileges to perform this action. If you don't have administrative privileges, you need to restart your agent after each reboot as described below. To start a PowerShell with elevated privileges, run the command

Start-Process Powershell -Verb runAs

and use the following command in the new PowerShell window. Once it's done, you can close the window.

Set-Service ssh-agent -StartupType Automatic

Next, make sure that the SSH agent is running with the command

ssh-add.exe -l

If the output is The agent has no identities or something looking like this

2048 SHA256:lA7mvQ9Pqbyfj1Nb2rrO3718paA0pjalCipuuHYW7hw C:\Users\auser\.ssh\id_rsa.ceci (RSA)

your agent is running and you don't need to start it. However, if you get the output Error connecting to agent: No such file or directory, the ssh-agent is not running. Start it with the command

Start-Service ssh-agent

With the agent running, load the CÉCI key with the command:

ssh-add.exe "$env:USERPROFILE\.ssh\id_rsa.ceci"

You'll be prompted once for your passphrase. From now on, in the current terminal, all ssh commands will be handled by the agent and you won't have to type your passphrase again.

With the agent running, you can use the -A option of ssh.exe to forward your agent from one computer to another (you don't need this if you are using the ForwardAgent option in a .ssh\config as explained in the section above). This allows you to connect, or copy files, from one cluster to another effortlessly.