Euler: Connecting via SSH

First steps and best practices for getting connected to Euler

Connecting to Euler via SSH

Overview

This document provides information on how to connect to Euler for various purposes, and suggests some best practices which may help users in their Euler workflow.

How to Connect

Prerequisites

You will need:

  • Your CAE username and password
  • Your MFA device (beginning Summer 2024)
  • An SSH client

Basic SSH sessions

The main way in which users connect to Euler is using SSH. The standard SSH command to log Euler looks like this:

ssh bengineer@euler.engr.wisc.edu

Where bengineer is the username for your CAE account.

Euler-specific Considerations

The SSH Load Balancer

The network architecture that connects you to Euler isn't as simple as it might appear on the surface.When you connect to euler.engr.wisc.edu via SSH, your system doesn't actually contact Euler. Instead, it reaches out to a load balancer that automatically determines which of Euler's login nodes is least busy and redirects your connection to that node. This serves both to isolate Euler from potentially malicious actors on the public internet and to redirect users to a working machine if one of the login nodes were to crash. Working through a load balancer has its drawbacks, however.

Problem 1: There's no way to tell the load balancer which login node it should use.

If you need to connect to a specific login node — for example, because you have sessions running in the background, or because you have data in a temporary folder that isn't shared between systems — you can still reach the individual login nodes from within the College of Engineering's network. In other words, ifyou are using a workstation with a wired internet connection to a college-owned building, one of the CAE lab computers, or the Engineering VPN, you can ssh directly to the login node you need to return to.

Problem 2: The load balancer makes it difficult to diagnose slow or inconsistent connections.

Sometimes systems get busy. On one hand, the load balancer can introduce extra overhead when the college's network is congested or when certain types of computationally-intensive tasks are in progress. On theother hand, Euler gets busy too. The load balancer will sometimes disconnect idle users to help free up bandwidth and processing power, but that can only go so far. The best ways to mitigate these problems are things that you, as a user, can do.

  • Use SSH compression. At the time of thiswriting, CPUs are fast enough that the time it takes to compress and decompress data from typical usage is less significant than the performance impact of network congestion.
  • Use Globus to transfer files or folderscontaining more than a few MB of data. Globus bypasses both the load balancer and the login nodes, allowing it to write data directly to Euler's storage and can support nearly 10× as much traffic as Euler can over SSH.

Other Best Practices

Here are a few other suggestions made by Euler's maintainers at CAE which you may find useful depending on your workflow.

Use an SSH config file

SSH configs allow you to set automatic flags that will be applied to every connection (Compression is a great example) or to create aliases for frequently used commands.

Example

The entry below automatically uses your username, enables compression, and allows you to omit the fully-qualified domain name when connecting to Euler.

Host euler
    User bengineer
    Compression yes
    HostName euler.engr.wisc.edu

With the above settings, the simple command:

ssh euler

behaves as if you had entered:

ssh -C bengineer@euler.engr.wisc.edu

Use your SSH keys securely

Should you decide to use SSH keys as an alternative form of authentication when logging in, it's important to treat the key as carefully as you would a password. Just like there are recommended practices for password security, there are recommended practices for the security of encryption keys:

  • SSH private keys should always stay private; NEVER share them with someone else!
  • Protect your private key with a passphrase! Because keys are stored as text files on your computer, an unprotected key can easily be exploited if it gets stolen. Adding a passphrase effectively adds a secondauthentication factor in order to use your key.
  • Use different keys for different systems! Just like you wouldn't use the same password for everything, don't use the same SSH key for everything. You can use the IdentityFile config option to set up which key should be used for which host so you don't need to keep track of them yourself.
  • Update your keys from time to time. Cryptography is an ever-changing field, and sometimes what was considered secure at one time is superseded by a better or more comprehensive option at a later time. For example, NIST no longer recommends the use of 1024-bit RSA keys and instead recommends a minimum of 2048-bitkeys.
  • Revoke old keys when you aren't using them anymore! For many systems, once you've authorized an SSH key, the key remains valid indefinitely. A key stored on an old laptop or device that you no longer use could be found and used by someone else.

On most Linux systems, you can revoke a key by connecting to that system and removing the offending key from the file ~/.ssh/authorized_keys. Other services such as GitHub and GitLab may require you to use a specific web page to manage your keys.

The following SSH client(s) are known to work with Euler and are considered relatively easy to obtain and use.

OpenSSH

Supported on Windows, Mac, Linux

OpenSSH is the most ubiquitous SSH implementation, and it can be used with most major operating systems including Linux, macOS, and Windows (10 and newer).

How to get it

Most systems come with this SSH client by default and users can access it by simply opening their Terminal app (or PowerShell, on Windows) and typing an ssh command.

NOTE: SSH versions provided with your system are typically updated alongside your system. Be sure to keep your system up to date with the latest security updates.



Keywordseuler, ssh, key, hpc, intro   Doc ID138004
OwnerColinGroupCAE
Created2024-06-20 11:19:26Updated2024-06-20 11:26:30
SitesComputer-Aided Engineering
Feedback  0   0