[Swift-devel] ssh, intrepid, etc.

Mihael Hategan hategan at mcs.anl.gov
Thu Nov 12 23:53:50 CST 2009


Folk requested the ability to use the BG/Ps remotely.

Right now, the only path into intrepid is ssh with a cryptocard.

The ssh provider did not support keyboard-interactive authentication, so
the authentication stuff had to be cleaned a little.

In most cases, you won't see many differences. However, some exist:

- if nothing is specified in auth.defaults, the client will prompt for a
username and then try all authentication methods supported by the server
and the client (pubkey, pwd, kbd-interactive)
- if some type of authentication is specified in auth.defaults, the
client will only try that method. 
- it is not necessary to specify all parameters (such as username, key
path, etc.). If you don't, you will be prompted for them. If you do, the
prompt will be pre-populated with the info.
- the graphical prompts have gone up a notch in usability. I think.


Running swift through this pretty much means you have to run with
coasters (unless you want to keep typing tokens from the crypto card). 

Here are some details on how to run this on intrepid:

1. Make sure you set GLOBUS_HOSTNAME to the external IP of your submit
machine.
2. Hack around the following sample sites.xml:
<pool handle="intrepid">
    <filesystem provider="coaster" url="ssh://login6.intrepid.alcf.anl.gov"/>
    <execution provider="coaster" url="login6.intrepid.alcf.anl.gov" jobManager="ssh:cobalt"/>
    <workdirectory>/home/hategan/work</workdirectory>
    <scratch>/scratch</scratch>
    <profile namespace="globus"  key="project">HTCScienceApps</profile>
    <profile namespace="globus"  key="queue">prod-devel</profile>
    <profile namespace="globus"  key="kernelprofile">zeptoos</profile>
    <profile namespace="globus"  key="alcfbgpnat">true</profile>
    <profile namespace="karajan" key="initialScore">10000</profile>
    <profile namespace="globus"  key="workersPerNode">4</profile>
    <profile namespace="globus"  key="slots">8</profile>
    <profile namespace="globus"  key="maxTime">3000</profile>
    <profile namespace="globus"  key="nodeGranularity">64</profile>
    <profile namespace="globus"  key="maxNodes">64</profile>
    <!-- important -->
    <profile namespace="globus"  key="internalHostname">172.17.5.144</profile>
</pool>

3. Unfortunately coasters need GSI credentials for security reasons. You
need a proxy on the submit side. Since SSH doesn't support GSI
delegation, you also need a valid proxy on intrepid. I'm thinking of
ways of solving this issue, but until then this is needed.

What will happen is that you will see a prompt once for the username and
one for the password. You can put the username in auth.defaults and the
auth type to "interactive", and then you'll only get one prompt for the
password.

I have only tried this in an environment where Swing graphical apps can
run. The prompts should also work in text-mode, but it needs testing.



