[tutorial] ssh tunneling and socks proxy

(baobab)-[alberta@login1 ~]$ salloc -n1 -c4 --partition=shared-cpu --time=12:00:00 --mem=32G
salloc: Pending job allocation 17996383
salloc: job 17996383 queued and waiting for resources
salloc: job 17996383 has been allocated resources
salloc: Granted job allocation 17996383
salloc: Waiting for resource configuration
salloc: Nodes cpu321 are ready for job
(baobab)-[alberta@cpu321 ~]$

It’s working for me:

[root@localhost ~]# ssh -L 20000:localhost:20000 alberta@cpu321.baobab -J alberta@login1.baobab.hpc.unige.ch

Last login: Fri Apr  4 10:53:37 2025
Installed: Thu Feb 20 15:21:55 CET 2025
(baobab)-[alberta@cpu321 ~]$ cd .ssh
(baobab)-[alberta@cpu321 .ssh]$ ll
total 22
-rw------- 1 alberta hpc_users  986 Oct 24  2023 authorized_keys
-rw------- 1 alberta hpc_users   52 Jan 23  2024 config
-rw------- 1 alberta hpc_users 2610 Jan 23  2024 id_rsa_github
-rw-r--r-- 1 alberta hpc_users  575 Jan 23  2024 id_rsa_github.pub
-rw------- 1 root    root      1766 Oct 15  2021 id_rsa_luniplcom2
-rw-r--r-- 1 root    root       408 Oct 15  2021 id_rsa_luniplcom2.pub
-rw-r--r-- 1 alberta hpc_users  575 Sep  1  2023 id_rsa.pub.orig
-rw------- 1 alberta hpc_users 6263 Apr 17 14:10 known_hosts
-rw-r--r-- 1 alberta hpc_users 5607 Dec  9 20:01 known_hosts.old
drwxr-xr-x 2 alberta hpc_users    2 Oct 23  2023 old
(baobab)-[alberta@cpu321 .ssh]$

I think you have an ssh key used by default defined in ~/.ssh/

Could you try to rename or back up id_ed25519 and id_ed25519.pub and try again?
You must not have a default key in .ssh.

(baobab)-[chataint@login1 ~]$ cd .ssh
(baobab)-[chataint@login1 .ssh]$ ls
id_ed25519  id_ed25519.pub  known_hosts  known_hosts.old

Issue related to: [Authentication] modification sshPublicKey managment - #16 by Yann.Sagon

Hi,

So I backed up the SSH key on Baobab:

(baobab)-[chataint@gpu011 .ssh]$ ll
total 3.0K
-rw------- 1 chataint hpc_users 419 Jun 18 2024 bu_id_ed25519
-rw-r--r-- 1 chataint hpc_users 107 Jun 18 2024 bu_id_ed25519.pub
-rw------- 1 chataint hpc_users 1.1K May 12 16:55 known_hosts
-rw-r--r-- 1 chataint hpc_users 349 Nov 28 11:00 known_hosts.old

I don’t even have a config file for SSH on Baobab.
Locally, I did the same, putting a suffix in front of all SSH keys, but nothing changed.

Our processes do not seem to be identical. I’m asked to provide a password for the bastion and then another for the node:

PS C:\Users\chataint\Documents> ssh -L 20000:localhost:20000 chataint@gpu011.baobab -J chataint@login1.baobab.hpc.unige.ch
(chataint@login1.baobab.hpc.unige.ch) Password:
chataint@gpu011.baobab's password:
Permission denied, please try again.
chataint@gpu011.baobab's password:

Looking at the log from ssh with the -vvv argument, ssh tries to log in with the SSH key but fails because it does not find any match, so it falls back to the second method: password.

Thanks for the help.

Oops, forgot to say:

You need to put the SSHPublicKey you registered in your account in the AuthorizedKeys file: hpc:faq [eResearch Doc]

ssh-copy-id -i <key.pub> chataint@login1.baobab.hpc.unige.ch

Reference to this procedure: ProxyJump ssh not working on Baobab - #15 by Adrien.Albert

# remove authorized key file:
(baobab)-[alberta@gpu014 ~]$ cd .ssh/
(baobab)-[alberta@gpu014 .ssh]$ ls
authorized_keys  authorized_keys.old  config  id_rsa_github  id_rsa_github.pub  id_rsa_luniplcom2  id_rsa_luniplcom2.pub  id_rsa.pub.orig  known_hosts  known_hosts.old  old
(baobab)-[alberta@gpu014 .ssh]$ rm authorized_keys
(baobab)-[alberta@gpu014 .ssh]$ 
logout
debug1: client_input_channel_req: channel 1 rtype exit-status reply 0
debug1: client_input_channel_req: channel 1 rtype eow@openssh.com reply 0
debug1: channel 1: free: client-session, nchannels 2
debug1: channel 0: free: port listener, nchannels 1
Connection to gpu014.baobab closed.
Transferred: sent 3976, received 4520 bytes, in 16.5 seconds
Bytes per second: sent 240.4, received 273.3
debug1: Exit status 0
debug1: channel 0: free: direct-tcpip: listening port 0 for gpu014.baobab port 22, connect from 127.0.0.1 port 65535 to UNKNOWN port 65536, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
debug1: fd 1 clearing O_NONBLOCK
Killed by signal 1.

# Try again it fails = your situation
[root@localhost .ssh]# ssh  -L 20000:localhost:20000 alberta@gpu014.baobab -J alberta@login1.baobab.hpc.unige.ch
alberta@gpu014.baobab's password: 
Permission denied, please try again.
alberta@gpu014.baobab's password: 
Killed by signal 2.

#Copy the key (same registered in your Unige account)
[root@localhost .ssh]# ssh-copy-id -f -i id_rsa_alberta alberta@login1.baobab.hpc.unige.ch
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_rsa_alberta.pub"

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'alberta@login1.baobab.hpc.unige.ch'"
and check to make sure that only the key(s) you wanted were added.

#And try again, it should work:
[root@localhost .ssh]# ssh  -L 20000:localhost:20000 alberta@gpu014.baobab -J alberta@login1.baobab.hpc.unige.ch
Last login: Tue May 13 14:46:43 2025 from login1.baobab
Installed: Thu Feb 20 16:03:08 CET 2025
(baobab)-[alberta@gpu014 ~]$

For more explanation about the “issue”:
https://unix.stackexchange.com/questions/755371/ssh-proxyjump-hostbased-authentication

You can also easily connect with the following and avoid everything I said before about the SSHAuthorizedKey:

(baobab)-[alberta@gpu014 ~]$ 
logout
Connection to gpu014 closed.
Connection to login1.baobab.hpc.unige.ch closed.

[root@localhost .ssh]# ssh -t  alberta@login1.baobab.hpc.unige.ch "ssh gpu014"
Last login: Tue May 13 15:25:23 2025 from login1.baobab
Installed: Thu Feb 20 16:03:08 CET 2025
(baobab)-[alberta@gpu014 ~]$
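
A way to verify the condition the post above demonstrates (the key offered through `-J` must be listed in `~/.ssh/authorized_keys` on the cluster), as an added example that is not part of the original thread. The function names and the sample key blobs are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that a public key is listed in an authorized_keys file.

# Print the base64 blob of every key line in file $1. A line is
# "[options] keytype blob [comment]", so take the field after the key type.
key_blobs() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }     # skip comments and blank lines
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-|ecdsa-sha2-|sk-)/) { print $(i + 1); break }
        }' "$1"
}

# 0: key in $1 is listed in $2; 1: not listed (or $2 missing); 2: bad key file.
pubkey_authorized() {
    [ -r "$1" ] || return 2
    want=$(key_blobs "$1" | head -n 1)
    [ -n "$want" ] || return 2
    [ -r "$2" ] || return 1
    key_blobs "$2" | grep -qxF -- "$want"
}

# Constructed sample data: placeholder blobs, not real keys.
demo() {
    d=$(mktemp -d) || return 2
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEONLY0001 laptop' > "$d/id.pub"
    {
        echo '# keys for the cluster'
        echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABEXAMPLEONLY0002 other'
        echo 'no-pty,from="10.0.0.0/8" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEONLY0001 x'
    } > "$d/authorized_keys"
    pubkey_authorized "$d/id.pub" "$d/authorized_keys" && listed=0 || listed=$?
    pubkey_authorized "$d/id.pub" "$d/missing" && nofile=0 || nofile=$?
    rm -rf "$d"
    echo "listed=$listed missing_file=$nofile"
}
demo
```

Run on the cluster as `pubkey_authorized key.pub ~/.ssh/authorized_keys`; a return of 1 corresponds to the password prompt on the compute node shown above.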

It is working !
Thank you !
