[euler-users] Upcoming SSH Login Changes
50 views
Skip to first unread message
Colin Vanden Heuvel
Jan 26, 2024, 6:35:14 PM1/26/24
to 'Colin Vanden Heuvel' via euler-users
Hello Euler Users,
Over the next few weeks, we will be implementing some changes that will affect the way that
ALL USERS connect to Euler.
Background:
The current DNS load balancer that translates euler.engr.wisc.edu into the address of one of the login nodes when you connect via SSH is no longer maintained and CAE will be decommissioning it very soon. In order to preserve the load balancing functionality
and keep users spread out between login nodes, a new connection forwarding service will be used as a middle-ground between users and Euler's login nodes.
How you're affected:
There should be very little interruption of service when the cutover happens (if any), but as with any major change, there are likely to be some less-than-subtle differences that you will notice when you connect.
-
SSH connections from legacy IPv4 addresses will NOT require the use of the College of Engineering or UW VPN.
-
The load balancer is able to take IPv4 connections and forward them on to Euler's native IPv6 interfaces.
- Idle connections may be closed more frequently.
-
The new load balancer is able to determine when connections have been idle and will disconnect those that have had no traffic for some amount of time.
-
This behavior will almost certainly require tuning, so if you regularly rely on long-lived shell sessions when working on Euler, PLEASE PARTICIPATE IN BETA TESTING (see below).
- Connecting to a specific login node WILL require the use of the College of Engineering or UW VPN.
-
The load balancer will handle all of the connections coming from outside of the UW network.
-
For added security, the login nodes will not accept direct connections from the public internet after this change has been implemented.
-
You might see a warning that "The authenticity of host '....' can't be established."
-
This is just your SSH client telling you that something has changed. In most cases, it will be accompanied by some other text that will identify that the machine is known by other names or addresses. Those names should include the ones you're used to for Euler.
-
If you are worried that something is wrong, you can verify that Euler's host key fingerprint hasn't changed. Euler's ED25519 host key fingerprint is
SHA256:KZ6Qjew+ZNGiu9ob0pnd70ncfE2am35q8Ww3eELoAXE, and you can reproduce this information on your own by runningssh-keyscan euler.engr.wisc.edu | ssh-keygen -l -f-
When will this happen?
[euler.engr.wisc.edu] will begin pointing to the new load balancer on Monday, February 12th.
How can you test things ahead of time?
There will be two testing phases leading up to the service cutover on February 12th.
-
Beta test week (Jan 26th - Feb 5th)
-
Users who wish to ensure that their preferred configuration works before the changes are implemented can connect to Euler using the testing address [euler-ha-dev.engr.wisc.edu] to route their connection through load balancer before it is deployed. This testing address may see breaking changes at any time.
- Pre-production checks (Feb 5th - Feb 12th)
- The load balancer will be deployed to our production servers one week ahead of time as [euler-ha.engr.wisc.edu]. The production service will only receive changes that have been tested ahead of time on the -dev server, so it is expected to be stable for users who wish to begin using the new system in earnest.
NOTE: The addresses beginning with euler-ha and euler-ha-dev are for meant for internal
use and are used to stage changes which will be deployed to the load balancer. As always, [euler.engr.wisc.edu] is the preferred and stable way to connect to Euler.
What should you do if you have a problem connecting to Euler?
Reach out to euler-...@engr.wisc.edu as soon as possible. Issues with the load balancer
which are uncovered during beta testing and pre-production can only be fixed once we are aware of them. Solutions to known client-side issues will be shared on the Euler Q&A site at
https://euler-answers.cae.wisc.edu.
Regards,
Colin Vanden Heuvel
Colin Vanden Heuvel
Feb 12, 2024, 3:41:30 PM2/12/24
to 'Colin Vanden Heuvel' via euler-users
These changes have been implemented. Thanks to those of you who provided feedback during the testing periods.
Regards,
Colin
From: 'Colin Vanden Heuvel' via euler-users <euler...@g-groups.wisc.edu>
Sent: Friday, January 26, 2024 17:35
To: 'Colin Vanden Heuvel' via euler-users <euler...@g-groups.wisc.edu>
Subject: [euler-users] Upcoming SSH Login Changes
Sent: Friday, January 26, 2024 17:35
To: 'Colin Vanden Heuvel' via euler-users <euler...@g-groups.wisc.edu>
Subject: [euler-users] Upcoming SSH Login Changes
--
You received this message because you are subscribed to the Google Groups "euler-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to euler-users...@g-groups.wisc.edu.
To view this discussion on the web visit https://groups.google.com/a/g-groups.wisc.edu/d/msgid/euler-users/CY4PR0601MB36049C89EE07671E51525B99F6792%40CY4PR0601MB3604.namprd06.prod.outlook.com.
You received this message because you are subscribed to the Google Groups "euler-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to euler-users...@g-groups.wisc.edu.
To view this discussion on the web visit https://groups.google.com/a/g-groups.wisc.edu/d/msgid/euler-users/CY4PR0601MB36049C89EE07671E51525B99F6792%40CY4PR0601MB3604.namprd06.prod.outlook.com.
Reply all
Reply to author
Forward
0 new messages