Hi Michael,
So what type of authentication does your cluster use? For a normal session from your shell, do you need the public key, or a password (OTP) or both?
From your detailed tests you showed that using the password is not a problem, but using the private key does not work. AiiDA’s stock SshTransport only supports the PublicKey authentication method.
I think you are on the right track doing the tests with paramiko. Unfortunately I am not an expert, but in some cases I found myself extending its classes to implement the authentication sequence for a specific computer. Once you figure out how to do it, you can make a transport plugin with a specialised version of the transport (probably as a subclass of SshTransport), and then tell AiiDA to use it instead when setting up the computer.
Best wishes,
Bonan
--
AiiDA is supported by the NCCR MARVEL (http://nccr-marvel.ch/),
funded by the Swiss National Science Foundation, and by the European H2020 MaX Centre of Excellence (http://www.max-centre.eu/).
Before posting your first question, please see the posting guidelines at
http://www.aiida.net/?page_id=356 .
---
You received this message because you are subscribed to the Google Groups "aiidausers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
aiidausers+...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/aiidausers/a9a7cef9-c94f-4676-8f93-fb99a068071cn%40googlegroups.com.
Hi Bonan,
thanks for the quick answer!
Usually I log in via PublicKey. If I use the correct port (27), this works very well. For each fresh login from a new machine an OTP is sent to my phone, and additionally the connection has to be made from a university domain (today I am connecting from my office though, so that is a given; when at home, I use a VPN). After entering the OTP, all subsequent logins from that machine are then completed without another OTP for 24 hours. I just checked, and restarting the machine does not reset this. I was still able to log in with ssh VSC4, using the ssh config file presented previously and not needing another OTP. So I do not think that it is an issue with the OTP, although that could be a problem when actually running high-throughput production code around the clock. For this it would probably be better to run AiiDA on one of the login nodes of the cluster itself in a conda environment, but it is too early to worry about that.
I am not sure if I want to tweak the authentication sequence, especially as I am not sure what is even needed to succeed. I guess I will do some more testing with paramiko.Transport and try to find out what is the matter with this "Oops, unhandled type 3 ('unimplemented')" error that I get in my test script. That only makes sense, however, when I know what AiiDA is actually trying to do. I guess the best way would be to look into aiida/transports/plugins/ssh.py and go from there?
Thanks again for the quick response, maybe someone else has some ideas as well, and if I find out anything about this, I will post it of course.
Cheers, Michael
Hello Michael,
I am by no means an expert with this portion but I have successfully installed AiiDA on our supercomputer at LLNL. What this entailed though was installing AiiDA on a server behind our firewall which is then able to ssh without a password between the other servers. Essentially, I have to login to this specific server to work with AiiDA which has been working well for me. Additionally, the Postgres database and RabbitMQ service is hosted somewhere else and I have to provide the information to connect. If you were to attempt this setup you would need to get your university to host a database and RabbitMQ server. Not sure if that’s something they would be willing to do.
I also briefly used AiiDA back at Penn State which has 2FA that could be approved through an application. I had AiiDA installed on my workstation and could simply leave it running to check on the simulations while periodically receiving the 2FA push. This would need to be done once a day as you have mentioned. I didn’t get as much experience from that as I graduated soon after.
I hope that was helpful and let me know if you have any other questions.
Nathan
-----------------------------------------------------------------------------------
Nathan Keilbart, PhD
Postdoctoral Research Scientist, Quantum Simulations Group
Lawrence Livermore National Laboratory
-----------------------------------------------------------------------------------
import paramiko
from time import sleep


def transport_test_password(ip, port, user, password, command):
    # Low-level test: drive paramiko.Transport directly with password auth.
    transport = paramiko.Transport((ip, port))
    try:
        transport.start_client()
        print('transport client started')
    except Exception as e:
        print(e)
    try:
        transport.auth_password(username=user, password=password)
        print('transport authentication did not fail')
        print('is transport authenticated: {}'.format(transport.is_authenticated()))
    except Exception as e:
        print(e)
    if transport.is_authenticated():
        print(transport.getpeername())
        channel = transport.open_session()
        channel.exec_command(command)
        response = channel.recv(1024)
        print('Command %r(%r)-->%s' % (command, user, response))
    transport.close()


def transport_test_keyfile(ip, port, user, keyfile, command):
    # Low-level test: drive paramiko.Transport directly with public-key auth.
    transport = paramiko.Transport((ip, port))
    try:
        transport.start_client()
        print('transport client started')
    except Exception as e:
        print(e)
    try:
        k = paramiko.RSAKey.from_private_key_file(keyfile)
        # auth_publickey() raises only on outright failure. If the server accepts
        # the key but requires a further method, it returns the list of remaining
        # methods, so "did not fail" is printed while is_authenticated() is False.
        transport.auth_publickey(username=user, key=k)
        sleep(1)
        print('transport authentication did not fail')
        print('is transport authenticated: {}'.format(transport.is_authenticated()))
    except Exception as e:
        print(e)
    if transport.is_authenticated():
        print(type(transport.is_authenticated()))
        print(transport.getpeername())
        channel = transport.open_session()
        channel.exec_command(command)
        response = channel.recv(1024)
        print('Command %r(%r)-->%s' % (command, user, response))
    transport.close()


host = "vsc4.vsc.ac.at"
user = "mwo3"
keyfile = "/fs/home/wolloch/.ssh/id_rsa"
passwd = "<password>"  # placeholder, the real password is not shown
command = 'pwd'
paramiko.util.log_to_file("VSC4_test.log", level="DEBUG")
transport_test_password(ip=host, port=22, user=user, command=command, password=passwd)
transport_test_keyfile(ip=host, port=27, user=user, command=command, keyfile=keyfile)

And here is the output:
(aiida) hodor:aiida> python paramiko_test.py
transport client started
transport authentication did not fail
is transport authenticated: True
('193.170.79.54', 22)
Command 'pwd'('mwo3')-->b'/home/fs71411/mwo3\n'
transport client started
transport authentication did not fail
is transport authenticated: False
Hi all,
I figured this thing out! In fact I spent a lot of time debugging an issue that was not even there. My example code did not authenticate correctly because I did not use the paramiko.SSHClient.connect() method and then open a transport channel, which is what is done by AiiDA. Instead I was using paramiko.Transport.auth_publickey() and that runs into problems, turns out because of the OTP, even if there is no need to enter it at that given time. It can be fixed using the auth_interactive_dumb() method afterwards, but this is handled anyhow in an elegant way by the connect() method of SSHClient! The real problem was that my cluster limits the MaxSessions in the sshd_config to 1, a problem that Giovanni pointed out already some days ago. I cannot access sshd_config on the cluster myself and had to wait for support to answer me, which I got today. I asked them if they can increase this to 10 (would that be enough?). But I have not heard back from them yet and I am a little doubtful that they will make the change just for one user.
Here is some code that works and closely mimics what AiiDA does, but if I add another channel at the end (by uncommenting the two lines), I get the exact error I see when running verdi computer test VSC4, as expected with only one session allowed per client.
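
import paramiko

host = "vsc4.vsc.ac.at"
user = "mwo3"
keyfile = "/fs/home/wolloch/.ssh/id_rsa"
command = 'pwd'
k = paramiko.RSAKey.from_private_key_file(keyfile)
paramiko.util.log_to_file("min_test.log", level="DEBUG")
client = paramiko.SSHClient()
# AutoAddPolicy accepts and stores an unknown host key without verifying it
client.set_missing_host_key_policy(paramiko.client.AutoAddPolicy())
# connect() handles the authentication sequence itself
client.connect(hostname=host, username=user, port=27, pkey=k)
# first session channel on this connection
channel = client.get_transport().open_session()
channel.close()
# a second session channel on the same connection
#channel2 = client.get_transport().open_session()
#channel2.close()
client.close()
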
I guess the lesson for me (other than knowing a lot more about paramiko and ssh connections) is that one should really try to follow the traceback closely, find out what really is going on, and not immediately start with simplified versions of the problem!
Thanks for all the help anyhow, I am very happy that this mailing list is so active and supportive,
Michael
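
The two failure modes discussed in this thread (public-key login that stops at partial authentication, and a refused extra session channel) can be told apart from the DEBUG log that paramiko.util.log_to_file() writes. The following is an added example, not code from the thread or from AiiDA: the log lines are constructed, the message wording is assumed to match what paramiko logs, and triage() and verdict() are hypothetical helper names.

```python
import re

# Constructed sample in the line format written by paramiko.util.log_to_file();
# timestamps, thread ids and the channel failure text are invented for illustration.
SAMPLE_LOG = """\
DEB [20210217-10:15:01.102] thr=1   paramiko.transport: starting thread (client mode): 0x1a2b3c4d
INF [20210217-10:15:01.480] thr=1   paramiko.transport: Authentication continues...
DEB [20210217-10:15:01.481] thr=1   paramiko.transport: Methods: ['keyboard-interactive']
WAR [20210217-10:15:02.490] thr=1   paramiko.transport: Oops, unhandled type 3 ('unimplemented')
INF [20210217-10:16:40.310] thr=2   paramiko.transport: Authentication (keyboard-interactive) successful!
DEB [20210217-10:16:40.395] thr=2   paramiko.transport: [chan 0] Max packet in: 32768 bytes
ERR [20210217-10:16:40.512] thr=2   paramiko.transport: Secsh channel 1 open FAILED: open failed: Connect failed
"""

LINE = re.compile(r"^\w{3} \[[^\]]+\] thr=(?P<thr>\d+)\s+[\w.]+: (?P<msg>.*)$")
AUTH_OK = re.compile(r"Authentication \([\w-]+\) successful!")
CHAN_FAIL = re.compile(r"Secsh channel (\d+) open FAILED")


def triage(log_text):
    """Map each Transport thread id to the ordered findings seen in its log lines."""
    findings, partial = {}, set()
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation lines, tracebacks, other formats
        thr, msg = int(m["thr"]), m["msg"]
        seen = findings.setdefault(thr, [])
        if msg == "Authentication continues...":
            partial.add(thr)  # server accepted this step but wants another one
        elif msg.startswith("Methods: ") and thr in partial:
            seen.append("partial-auth:" + ",".join(re.findall(r"'([^']+)'", msg)))
        elif AUTH_OK.match(msg):
            seen.append("authenticated")
        elif CHAN_FAIL.match(msg):
            seen.append("channel-refused:" + CHAN_FAIL.match(msg).group(1))
    return findings


def verdict(found):
    """Summarise one thread's findings as the likely cause."""
    if "authenticated" in found and any(f.startswith("channel-refused") for f in found):
        return "login ok, extra channel refused: check the server's per-connection session limit"
    if any(f.startswith("partial-auth") for f in found) and "authenticated" not in found:
        return "key accepted but a further method is required: authentication incomplete"
    return "authenticated" if "authenticated" in found else "no conclusion"


if __name__ == "__main__":
    for thr, found in sorted(triage(SAMPLE_LOG).items()):
        print(thr, found, "->", verdict(found))
```

To use it on a real run, pass the contents of the log file (for example min_test.log from the script above) to triage() instead of SAMPLE_LOG.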