Creating Password-less ssh keys

 

An important step to creating a high performance compute cluster is to enable the head node to be able to login into all of the compute nodes without the use of a password.

 

In order for a cluster to be able to run MPI jobs, the head node must be able to ssh into all the machines without the need to authenticate with a passwords. This is accomplished with password-less ssh login for all the nodes. Security concerns aside, you'll only need to create the key on one machine and copy it to the other nodes.

 

User Accounts

Before you create the login keys for the cluster, you will also need to make sure that all of nodes have the exact same user account name.

 

Getting Started

If you want to start fresh (if you want, you can skip this step) with each machine, delete the ".ssh" directory that resides in the home directory for each machine. "cd" to the home directory and remove the ssh directory

 

cd /user_account/

rm -r .ssh

 

To create the key, go to the ssh directory and enter the following at the terminal:

 

ssh-keygen -t dsa

 

Important: Don't enter a passphrase, just press the enter key. This will generate a password-less key file under the ".ssh" directory. You should get two files: id_dsa and id_dsa.pub

 

Once the key is generated, you can copy the file id_dsa.pub to authorized_keys2

 

cp id_dsa.pub authorized_keys2

 

Copy this file "authorized_keys2" to each of the nodes under the ".ssh" directory (essentially replacing the original "authorized_keys2" file if one exists). Below is an example of copying the key to other machines IF you were using root as your common directory:

 

scp /var/root/.ssh/authorized_keys2 node1:/var/root/.ssh/authorized_keys2

 

Note: When copying keys to the other machines, if you did not start out by deleting your old ".ssh" directory and are appending keys to your existing "authorized_keys2" file, be sure that there is only one key per line. If you copy and paste the key from terminal, remove the end of the lines. The keys will otherwise not work properly.

 

Testing Password-less ssh

The nodes are now set up for password-less login from each other. Now lets test the password-less login before we run the MPI stuff. To do this:

 

ssh to every machine on in the cluster (including itself) and then log off. Because all of the user accounts are the same for all the nodes, you don not have to use the username to login. It would look something like:

 

ssh 192.168.0.1     

 

Answer, "yes" to add the RSA key fingerprint for each machine. This should not ask you for a password (it will only ask you if you want to add the RSA key fingerprint). If the machines still ask you to type in the password, then we messed up somehow and password-less ssh is not setup correctly.

 

If you have a lot of machines and donÕt want to log into everyone individually, you can edit the /etc/ssh_config file.

 

sudo vi /etc/ssh_config

 

You will want to uncomment and change the following line of the ssh_config file:

 

#   StrictHostKeyChecking ask

 

to

 

StrictHostKeyChecking no

 

If everything worked right with your password-less ssh login, you will now be set to install MPI to run parallel jobs on your compute cluster!