One-hop logins and file transfers using ssh tunneling
The only way to access Blue Gene computing resources remotely
(outside the Blue Gene network enclave) is through the Blue Gene ssh
gateways. Even users connecting from inside the BNL campus network need
to go through the gateways.
ssh tunneling allows one-hop access (logins and file transfers)
to the Front-End nodes and the Visualization cluster.
Linux/Mac OS X
- Generate an ssh key pair on your remote desktop using ssh-keygen.
The generated public key will need to be copied to the Blue Gene Front-End Node (FEN)
and appended to the user's .ssh/authorized_keys file.
Key generation needs to be done once only, not every time the tunnel is created.
stratos@salonica:~$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/stratos/.ssh/id_dsa):
/home/stratos/.ssh/id_dsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase): (enter passphrase)
Enter same passphrase again: (enter passphrase)
Your identification has been saved in /home/stratos/.ssh/id_dsa.
Your public key has been saved in /home/stratos/.ssh/id_dsa.pub.
The key fingerprint is:
The above ssh-keygen command generates the default private key (id_dsa) and
public key (id_dsa.pub) in the local user's directory ~/.ssh/.
The generated public key must now be transferred and appended to the .ssh/authorized_keys
file on the Blue Gene Front-End host.
OpenSSH 7.0 and later disable DSA (ssh-dss) keys by default, so check which key
types the gateway and the Front-End Node accept before relying on this key type.
- On the remote desktop, start the ssh-agent and load the private key:
stratos@salonica:~$ eval `ssh-agent`
Agent pid 22677
stratos@salonica:~$ ssh-add
Enter passphrase for /home/stratos/.ssh/id_dsa: (enter passphrase)
Identity added: /home/stratos/.ssh/id_dsa (/home/stratos/.ssh/id_dsa)
stratos@salonica:~$ ssh-add -l
1024 34:71:e5:71:70:c4:32:7d:12:7d:bd:53:66:0c:16:c7 /home/stratos/.ssh/id_dsa (DSA)
- Open an ssh tunnel from the remote desktop to the Front-End Node of our Blue Gene/L machine:
(all in one line)
argonaut:~ stratos$ ssh -N -f -L 2134:fen.bluegene.bnl.gov:22 email@example.com
The user will be prompted. Enter the PIN number for your RSA SecurID immediately followed by the tokencode, as described in Accessing the Blue Gene SSH Gateways. (If you have forgotten your RSA SecurID PIN number, please contact the ITD help desk at 631-344-5522.)
In the above, 2134 is a port number on your desktop that will be used for the tunneling.
You can choose any large number for the port number.
The last entry in the above command is the hostname of the Blue Gene ssh gateway.
The exact hostname depends on whether the user connects from inside or outside the
- ssh ssh.bluegene.bnl.gov
(outside the BNL network)
- ssh ssh.bluegene.bnl.local
(inside the BNL network)
- Use the tunnel to:
- one-hop login:
stratos@salonica:~$ ssh -p 2134 stratos@localhost
- login with X-forwarding:
stratos@salonica:~$ ssh -X -p 2134 stratos@localhost
- one-hop transfer data from your desktop to the Front-End Node:
stratos@salonica:~$ scp -P 2134 ccsoft.dat stratos@localhost:.
ccsoft.dat 100% 27 0.0KB/s 00:00
- one-hop transfer data from the Front-End Node to your local desktop:
stratos@salonica:~$ scp -P 2134 stratos@localhost:ccsoft.dat .
ccsoft.dat 100% 27 0.0KB/s 00:00
Note: If you are prompted for a password in any of the above commands, most likely
the locally generated public key has NOT been correctly deployed on the Front-End Node.
- Cleaning up
Remove the tunnel the same day, as soon as you are done with it, and kill the ssh-agent.
To remove the tunnel, simply find the corresponding ssh process and kill it using
kill -9 PID.
To kill the ssh-agent:
stratos@salonica:~$ ssh-agent -k
echo Agent pid 22677 killed;
It may be a good idea to put the above ssh-agent -k command in the user's .logout
file on the remote desktop.
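One way to deploy the public key on the Front-End Node and to check the deployment when a tunnel command still asks for a password (an added example, not part of the original page). The function names are hypothetical, and the permission check assumes sshd runs with its default StrictModes setting.

```sh
#!/bin/sh
# Added example, not from the original page. Run on the Front-End Node after
# copying id_dsa.pub there. Function names are hypothetical.

# Octal permission bits: GNU stat (Linux) first, BSD stat (Mac OS X) fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Key type and base64 body of the first key in a .pub file (comment dropped).
key_body() {
    awk 'NF >= 2 { print $1 " " $2; exit }' "$1"
}

# Append the key to authorized_keys exactly once, with owner-only permissions.
deploy_pubkey() {
    pub=$1; dir=${2:-$HOME/.ssh}; auth=$dir/authorized_keys
    key=$(key_body "$pub")
    [ -n "$key" ] || { echo "no key found in $pub" >&2; return 1; }
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    grep -qF -- "$key" "$auth" && return 0        # already deployed
    # Do not glue the new key onto a last line that lacks a newline.
    [ -z "$(tail -c 1 "$auth")" ] || echo >> "$auth"
    cat "$pub" >> "$auth"
}

# Report why sshd would fall back to a password prompt; returns 0 if all is well.
check_key_deployed() {
    pub=$1; dir=${2:-$HOME/.ssh}; auth=$dir/authorized_keys; rc=0
    key=$(key_body "$pub")
    if [ -z "$key" ] || ! grep -qF -- "$key" "$auth" 2>/dev/null; then
        echo "FAIL: key from $pub is not in $auth"; rc=1
    fi
    # Assumption: sshd uses its default StrictModes, which rejects keys when the
    # home directory, .ssh or authorized_keys is group- or world-writable.
    for p in "$(dirname "$dir")" "$dir" "$auth"; do
        [ -e "$p" ] || continue
        m=$(mode_of "$p")
        if [ $(( 0$m & 022 )) -ne 0 ]; then
            echo "FAIL: $p has mode $m (group/world writable)"; rc=1
        fi
    done
    return $rc
}
```

Call deploy_pubkey with the path of the copied id_dsa.pub, then check_key_deployed with the same path; both default to ~/.ssh when no directory is given.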
ssh clients on Windows (such as PuTTY)
support agent forwarding and tunneling.
Please see: One-hop logins and File Transfers in Windows to fen using Putty and SSH Tunneling
Last Modified: Wednesday, March 28, 2012