[Authentication] modification sshPublicKey management

Dear users,

As part of our ongoing efforts to enhance the HPC clusters at the University of Geneva (Unige), we would like to inform you about upcoming changes regarding the authentication methods for accessing the HPC frontend.

The objective of this operation is to transition to a “full” LDAP authentication system, which directly and dynamically relies on Unige’s IT directory, thereby improving the security of our clusters.

Here are the key changes to be aware of:

Starting on 2023-09-10T22:00:00Z, authentication via SSH key registered in your home directory on the clusters (path: $HOME/.ssh/authorized_keys) will no longer be effective.

To continue connecting via SSH key, you will need to add your SSH public key to Unige’s LDAP directory by following the instructions available at my-account.unige.ch, under the “My SSH public key” section (and follow the provided instructions, which typically involve copying your XXXX.pub key).

We encourage you to make these changes as soon as possible to minimize any disruptions to your access to the clusters.

However, the ISIS password authentication remains available and unchanged. (==> No action required)

For any questions, please comment on this topic.

Questions summary:

1. Where can I update my sshPublicKey?

For users (students / collaborators / external) having an ISIS account: my-account.unige.ch
For outsiders: applicant.unige.ch/main/outsider-info/update

2. Is there any possibility to keep our accounts accessible from more than one ssh key?

It’s possible to have multiple sshPublicKeys registered on the LDAP server. However, my-account.unige.ch doesn’t allow this at the moment (work in progress). In the meantime, you can send us your request or contact the LDAP team directly: mailto:dl-distic-windows-team@unige.ch

:warning: After requesting an additional sshPublicKey, if you update it via my-account, all previous references will be overwritten.

3. When I try to update my SSH public key, I get an error message:

“Le format ou la valeur n’est pas correct / The format or value is not correct”.
It seems it’s not working on Safari; try Firefox or Chrome.


Best Regards,

HPC Team
Adrien. A Gaël. R Yann. S

The page https://my-account.unige.ch/main/home rejects my key with the message “Le format ou la valeur n’est pas correct”. To be sure, I generated a new key with ssh-keygen on macOS 10.14.6. The new key works for logging into baobab but is still rejected. Any hint?
Best
Christophe B.

PS: The format of my key is
ssh-rsa AAAAB …(372 characters in total)… MXDpX christophe@MacBook-Pro-de-Christophe.local

Hi,
The Unige LDAP page seems to only allow one single public ssh key to be added. For historical (and safety) reasons, I have been using different ssh key-pairs on different machines. Is there any possibility to keep our accounts accessible from more than one ssh key?
All the best, Paul

Dear All,

These questions have been escalated to the Active Directory (= LDAP) team. I will keep you informed about it as soon as I have the answer.

The decision to bind the sshPublicKey from LDAP is intended to enhance security and keep a dynamic authentication process.

@Christophe.Berthod Are you sure you’ve copied the right (xxx.pub) public key? (without a space at the end, for example.) Could you give me the command you use to generate your key?

Thank you. I just found that it may be a browser issue. It didn’t work in Safari, but it worked in Firefox (?).

Hi,
What will be the new best practice for large file transfers between baobab and yggdrasil?
For the moment I am using a separate ssh key for file transfers. I would feel slightly uncomfortable uploading the private “master” key anywhere. Is there another, more secure way of doing this?

Cheers,
Michael

This can be a nice solution:

Another variant is to upload your ssh private key to Baobab protected by a strong passphrase. Of course your private key must be protected the same way when stored on your laptop, as we are talking about best practices. :thinking:

ref: [An Illustrated Guide to SSH Agent Forwarding]

@Paul.Coppin

I have some update. Let me know if something is not clear. :slight_smile:

Best Regards

Ok, thanks for the information!
I will send an email to the LDAP team.

Dear Users,

The change has been applied, and the SSH authentication method ‘authorizedKeys’ is no longer available.

We remain available for any questions and needs.

Best Regards,

EDIT
Had to update my WSL ssh config as well and now it works, sorry about the false alarm!

Hi
I have added my public key to the Unige LDAP server per the instructions.
My ssh config points to the same key as well, but I can’t seem to login to baobab.
Am I missing something?

Host jettagging~*
    RemoteCommand apptainer shell --nv -B /srv,/home /home/users/s/senguptd/UniGe/Anomaly/jettagging/container/jettag_image.sif && cd home/users/s/senguptd/UniGe/Anomaly/jettagging/
    RequestTTY yes

Host baobab
    HostName baobab2.hpc.unige.ch
    User senguptd
    IdentityFile c:/Users/admin/.ssh/id_baobab_new
    RequestTTY yes

Host nodebaobab jettagging~nodebaobab
    HostName cpu277
    User senguptd
    ProxyJump baobab
    IdentityFile c:/Users/admin/.ssh/id_baobab_new
    RequestTTY yes

There is a “slight” delay between the key upload and its propagation. You can check which is your active key like this:

(baobab)-[senguptd@login2 ~]$ /usr/bin/sss_ssh_authorizedkeys $USER
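A small helper, added here and not part of the HPC team's post, that checks a pasted `.pub` line for the formatting problems raised in this thread (trailing whitespace, a blob that does not match its declared type) and then compares it with what `sss_ssh_authorizedkeys` serves on a login node. The sample keys are constructed and are not real keys.

```shell
# Added example (not from the HPC team): check an OpenSSH public key line the
# way a user might paste it, then compare it with what sssd serves from LDAP.
# The key prefixes below are the fixed base64 of the key-type string that starts
# every OpenSSH key blob, so a mismatched type is caught without decoding.
set -f  # word-split pasted lines without glob-expanding the comment field

# Return 0 if LINE is "<type> <base64> [comment]" with no trailing whitespace
# (a frequent copy-paste error) and a blob that matches its declared type.
validate_pubkey_line() {
    line=$1
    if printf '%s' "$line" | grep -q '[[:space:]]$'; then
        echo "trailing whitespace after the key" >&2; return 1
    fi
    set -- $line
    [ $# -ge 2 ] || { echo "expected '<type> <base64> [comment]'" >&2; return 1; }
    case "$1:$2" in
        ssh-ed25519:AAAAC3NzaC1lZDI1NTE5*) ;;
        ssh-rsa:AAAAB3NzaC1yc2E*) ;;
        ecdsa-sha2-nistp256:AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY*) ;;
        *) echo "unknown key type, or blob does not match type" >&2; return 1 ;;
    esac
    printf '%s' "$2" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' ||
        { echo "key blob is not base64" >&2; return 1; }
}

# Return 0 if the type+blob of LOCAL_LINE appears in SERVED (one key per line,
# as printed by /usr/bin/sss_ssh_authorizedkeys). Comments are ignored because
# the copy stored in LDAP may carry a different comment, or none.
key_is_served() {
    served=$2
    set -- $1
    printf '%s\n' "$served" |
        awk -v want="$1 $2" '($1 " " $2) == want { found = 1 } END { exit !found }'
}

# On a login node: validate ~/.ssh/<key>.pub and report whether LDAP has
# propagated it to this node yet.  Usage: check_my_key ~/.ssh/id_ed25519.pub
check_my_key() {
    line=$(head -n 1 "$1") || return 1
    validate_pubkey_line "$line" || return 1
    served=$(/usr/bin/sss_ssh_authorizedkeys "$USER") || return 1
    if key_is_served "$line" "$served"; then
        echo "this key is active for $USER on $(hostname)"
    else
        echo "key not served yet: wait for propagation or re-check the upload" >&2
        return 2
    fi
}
```

Run `check_my_key` on the login node after uploading; a non-zero exit with the "not served yet" message means the upload is fine but sssd has not picked it up yet.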

Hi,
Did you think about these specific users which in fact are not users (applicative users, as you named them, if I’m not mistaken)?
I use one for running Euclid jobs on yggdrasil. But I do not have an ISIS account for this user, so I cannot add my SSH public key to Unige’s LDAP directory! How should I proceed?
As of now I cannot ssh to login1.yggdrasil anymore.
Thanks.
Nicolas.

Dear @Nicolas.Morisset

Please send an email to mailto:dl-distic-windows-team@unige.ch and attach your public key.

Best

Hi, I am having a similar issue on yggdrasil. I have uploaded my key, but I can’t seem to log in. I am still required to type in my password to enter.

Hi, I’ve just checked: your public key is uploaded and in sync with Yggdrasil. Please show us the details:

  • location of your private key ?
  • are you using an ssh-agent ? If yes, is your key loaded?
  • ssh client ?
  • output of ssh -vvv <your_isis_username>@login1.yggdrasil.hpc.unige.ch

Thanks