Access
This page describes how to access ML Cloud resources; you will need an ML Cloud account and an ssh login key (described below).
Prerequisites
In order to gain access to the ML Cloud, you have to be given access to the system. To that, your group PI or Group Manager need to request one to be created for you through the User Management System. All ML-Cloud services share the same identity backend. The account/credentials can therefore be used to log into all all of them. These accounts are exclusive to the ML-Cloud.
Your username is generated by the ML Cloud; you should receive a Nextcloud password reset link to enable you to set your password (if you didn't, follow that link). This username and password is separate from those provided by other university services, and is specific to the ML Cloud systems.
The account will grant you access to:
- Compute Clusters
- Openstack
- ML Cloud Gitlab
- Nextcloud as flexible cloud-storage.
- ML Cloud User Management System
Login
At the ML Cloud, we do not allow logging into our systems solely with a password; rather, we require key-based authentication:
- You cannot log in to SLURM using username/password credentials. Instead, password free login based on public key cryptography is required.
- Your private key has to be stored in a file that is encrypted using a secure passphrase.
Once you have received an account on the ML Cloud, you have to deploy your ssh public key within 2 days of account creation (the system administrators temporarily whitelist you for password based login) to the compute systems. If you miss this window, you will not be able to access the system.
Generate your key
OpenSSH is a popular and freely available SSH client (and server) for UNIX-like operating systems such as GNU/Linux and macOS. OpenSSH comes pre-installed on macOS. It is also contained in the package repository of many GNU/Linux distributions, e.g. openssh-client on Debian, Ubuntu, etc. or openssh-clients on Fedora, Centos, etc. As a last resort, the OpenSSH source code can be downloaded from the OpenSSH web site.
It is important to generate secure key pairs. The current best key type is called Ed25519. Generate a key of this type with the following line
ssh-keygen -a 100 -t ed25519 -f ~/.ssh/id_ed25519
The options specify the type of the key (-t), the number of key derivation function rounds (-a), and the location to place the key (-f), which is selected to be the default. Optionally, one can give a comment to the key with -C to help distinguish multiple keys.
If you still want (or have to) use RSA please make sure to use a bit length of 4096 by the following command:
ssh-keygen -t rsa -b 4096 -o -a 100
Note
If the file ~/.ssh/id_ed25519 already exists, you probably don't want to override it as you might already be using it as credentials for another system. Instead, use a different file name, e.g. ~/.ssh/id_ed25519_mlcloud and remember to use the same file name on all subsequent command lines in this document.
Afterwards, ssh-keygen will ask for a passphrase. This passphrase is purely private and has a priori nothing to do with your University or ML Cloud credentials. It is imperative to provide a strong passphrase at this point, i.e. one that cannot easily be guessed or found by brute force. It needs to be entered in the future to unlock your private key. You might want to use a password manager to save your key and ease the use of complicated passphrases.
A pair of keys, one public and the other private, will be generated. The public key authentication is the most secure and flexible approach to ensure a multi-purpose transparent connection to a remote server. This approach is enforced on the ML Cloud Platforms and assumes that the public key is known by the system in order to perform an authentication based on a challenge/response protocol instead of the classical password-based protocol.
The generated keys for ed25519 are stored in the following files:
| Key | Explanation |
|---|---|
~/.ssh/id_ed25519 |
Contains private key that should be stored only on your machine. NEVER EVER TRANSMIT THIS FILE |
~/.ssh/id_ed25519.pub |
This file is the ONLY one SAFE to distribute |
and for rsa4096 are stored:
| Key | Explanation |
|---|---|
~/.ssh/id_rsa |
contains the private key. NEVER EVER TRANSMIT THIS FILE |
~/.ssh/id_rsa.pub |
This file is the ONLY one SAFE to distribute |
Keep the private part (i.e., ~/.ssh/id_ed25519) of the key-pair safe, confidential, and on your local host only.
Only the generated public key (in the example above ~/.ssh/id_ed25519.pub) needs to be uploaded to the ML Cloud.
Deploying your SSH Key to the System
Once you have your ssh key generated, your public key needs to be deployed on the ML Cloud. The easiest way to do that is to use the following command:
ssh-copy-id -i ~/.ssh/id_ed25519.pub ml-cloud-user-id@IP_OF_LOGIN_NODE
The command ssh-copy-id copies your public key into ~/.ssh/authorized_keys on the cluster's login node.
In the event that you don’t have permission to write to ~/.ssh/authorized_keys, you have to grant yourself that permission with chmod 600 ~/.ssh/authorized_keys.
Once your key is on the cluster you may have to change its permission:
ssh USERNAME@IP_OF_LOGIN_NODE
chmod 600 ~/.ssh/authorized_keys
After you have deployed your key you will be able to ssh into the cluster from your device without entering a password. The authentication is performed via your key.
Setting up Persistent Configuration
The "ssh" command (SSH protocol) is the standard way to connect to the ML Cloud. SSH also includes support for the file transfer utilities scp and sftp. Wikipedia is a good source of information on SSH. SSH is available within Linux and from the terminal app in the Mac OS. If you are using Windows, you will need an SSH client that supports the SSH-2 protocol: e.g. Bitvise, OpenSSH, PuTTY, or SecureCRT.
The user-side SSH configuration can be used to create shortcuts to targets/hosts and configure connections. The following entry creates a shortcut that allows you to refer to login nodes via short names by adding your short names to your ~/.ssh/config:
Host slurm
Hostname IP_OF_LOGIN_NODE
User ml-cloud-user-id
ForwardAgent=yes
Then you can simply ssh by:
ssh slurm
Troubleshooting
If you have trouble connecting to one of our systems, please run the SSH client with verbose output:
ssh -vvv -i .ssh/id_ed25519 ml-cloud-user-id@IP_OF_LOGIN_NODE
Send the resulting output to the support team at support@mlcloud.uni-tuebingen.de with a description of your problem and we will try to fix the issue for you.
Linux Shell
The default login shell for your user account is Bash. To determine your current login shell, execute:
$ echo $SHELL
If you'd like to change your login shell to tcsh, sh, or zsh, submit a ticket through the support system.
When you start a shell on the ML Cloud, system-level startup files initialize your account-level environment and aliases before the system sources your own user-level startup scripts. You can use these startup scripts to customize your shell by defining your own environment variables, aliases, and functions. These scripts (e.g. .profile and .bashrc) are generally hidden files: so-called dotfiles that begin with a period, visible when you execute: ls -a.