After a recent update of hpc-login ecs-login and other aliases, their host key has changed. You may get the following error when connecting:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: POSSIBLE DNS SPOOFING DETECTED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ The ECDSA host key for hpc-login has changed, and the key for the corresponding IP address 10.100.192.100 is unknown. This could either mean that DNS SPOOFING is happening or the IP address for the host and its host key have changed at the same time. @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that a host key has just been changed. The fingerprint for the ECDSA key sent by the remote host is SHA256:QdNPyN2jAR5m7ngLbtIUjc2JgzknvFP2flMOGbd1i5k. Please contact your system administrator. Add correct host key in /home/user/.ssh/known_hosts to get rid of this message. Offending ECDSA key in /home/user/.ssh/known_hosts:4 ECDSA host key for hpc-login has changed and you have requested strict checking. Host key verification failed.
It is safe to accept the new key. We are working on a permanent solution to avoid this problem in the future, but you will need to remove the corresponding entry for hpc-login or ecs-login on your ~/ssh/known_hosts file. For example, you may use the following command to remove the entries for hpc-login:
ssh-keygen -R hpc-login
A similar command may be run for other hostnames with the same problem. After that, a new connection should prompt you to accept the new key.
You can connect for the first time via SSH from another ECMWF platform. If you do so from ECGATE or the Cray HPCF you will not need a password to log in.
$> ssh hpc-login # or for users with no formal access to HPC service: $> ssh ecs-login
From outside ECMWF, you may use Teleport through our gateway in Bologna, jump.ecmwf.int.
$> tsh login --proxy=jump.ecmwf.int $> ssh -J user@jump.ecmwf.int user@hpc-login # or for users with no formal access to HPC service: $> ssh -J user@jump.ecmwf.int user@ecs-login
For all the details of this connection method please see the Teleport documentation, where you will find how to best configure your SSH settings.
Note that direct access through ECACCESS service is not available.
See also HPC2020: Persistent interactive job with ecinteractive if you wish to customise the resource limits of your interactive session.
Upon logging in, please take a look at the message of the day displayed on the login nodes (or review /etc/motd).
Password access
If you have not changed your password since 18 January 2021, password access may not work.
List of main entry points
You can use the hpc-* or hpc2020-* names in the table below if you just need to use the default HPCF complex, or the specific names for each of the complexes. For ECS, you may use the ecs-* names. Your usual interface to connect would be the *-login names, and for remote submission of jobs we would recommend using the *-batch names as they are dedicated login nodes for job submissions. If you need to set up a cronjob, then the *-cron names are to be used.
Generic names | Per-complex | |
---|---|---|
HPCF Interactive Login | hpc-login hpc2020-login | aa-login ab-login ac-login ad-login |
ECS Interactive Login | ecs-login | ecs-login |
HPCF Remote batch job submission | hpc-batch hpc2020-batch | aa-batch ab-batch ac-batch ad-batch ecs-batch |
ECS Remote batch job submission | ecs-batch | ecs-batch |
HPCF Cron jobs | hpc-cron hpc2020-cron | - |
ECS Cron jobs | ecs-cron | - |
Password-less access from / to other platforms
If connecting from a different platform at ECMWF and to enable password-less connections and transfers between different platforms, you will need to enable ssh key authentication.
Check if you have an existing ssh key pair on other ECMWF platforms:
$> ls ~/.ssh/id_* ~/.ssh/id_rsa ~/.ssh/id_rsa.pub
If you don't, you may generate them like so:
$> ssh-keygen # press 'enter' 3 more times
Make sure it is added into the different platforms to be used
If the key was already present in the
~/.ssh/authorized_keys
file, it will be duplicated.$> ssh-copy-id -i ~/.ssh/id_rsa.pub ecgate # also gives access to lxc and linux workstation $> ssh-copy-id -i ~/.ssh/id_rsa.pub cca $> ssh-copy-id -i ~/.ssh/id_rsa.pub hpc-login # or for users with no formal access to HPC service: $> ssh-copy-id -i ~/.ssh/id_rsa.pub ecs-login
Copy your key pair onto those platforms so you can make the connections in both directions:
$> rsync -av ~/.ssh/id_rsa* cca:.ssh/ $> rsync -av ~/.ssh/id_rsa* hpc-login:.ssh/ # or for users with no formal access to HPC service: $> rsync -av ~/.ssh/id_rsa* ecs-login:.ssh/