
Optimized setup for Duo MFA using Control Channels

These instructions assume you are starting from scratch.  If your existing configuration already covers these points, you are good to go.

Following these steps will allow you to authenticate an SSH session to GCE once and let subsequent connections reuse that session for as long as it is active.  This avoids having to complete an MFA action for each new connection.

  1. Create a directory to store your control channel information. If you skip this step, everything else will fail.
    mkdir -p ~/.ssh/.control_channels
  2. Ensure you have the following in your ~/.ssh/config file. Putting it at the top of the file is a good idea. The first line tells your SSH client to forward your SSH agent, which holds your SSH keys, through any connection (more on this below). The second line helps prevent inadvertent disconnections caused by some residential internet routers killing idle connections.
    ForwardAgent yes
    ServerAliveInterval 60
  3. Add the following block for the CELS GCE login nodes. If you already have a block for the login nodes, make sure any missing directives are added to it.
    Host login-gce
      Hostname logins.cels.anl.gov
      ControlPath ~/.ssh/.control_channels/%h:%p:%r
      ControlMaster auto
      ControlPersist 0
  4. Add your SSH key to your SSH agent if your OS doesn't do this for you.  ssh-add with no arguments will do this, or you can specify the path to a key if what you are adding does not have a standard key name.  It will ask for the encryption passphrase for any keys before adding them to the agent.

The above is the minimal requirement.  If you have the configuration above, you would then access a GCE home node like this:

ssh -J login-gce homes.cels.anl.gov

(If your laptop/desktop username is different from your Argonne username, use username@login-gce and username@homes.cels.anl.gov in the above example.)

You will be asked to authenticate against Duo MFA during this first connection, but any subsequent connections from you using “login-gce” would go over that same connection and not require a new Duo MFA login.  For example:

ssh -J login-gce compute-02.cels.anl.gov

would connect you through without a Duo prompt.

If your logins are hanging, your control channel may need to be reset.  To clear the control channel, either remove the offending file from “.ssh/.control_channels” or run ssh -O exit HOSTNAME, where HOSTNAME is the fully qualified name of the host.  In the example above, that would be logins.cels.anl.gov.

You can fine-tune your .ssh/config file to use other short names and remove the need for the “-J login-gce” step by following the instructions on the Configuration Examples page.
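Since a missing control directory or an incomplete Host block is the usual reason the setup above fails or hangs, the following POSIX sh checker verifies steps 1 and 3 before the first Duo login. It is an added example, not part of the CELS page; the function names and the sample config it builds are constructed for the demo.

```shell
# Added example, not from the CELS page: sanity-check an ssh_config for the
# control-channel directives described above before the first Duo login.
# Function names and the sample config below are constructed for this demo.

# host_block CONFIG HOST: print the directives of the "Host HOST" block
# (up to the next Host line; comments and blank lines dropped).
host_block() {
  awk -v want="$2" '
    /^[[:space:]]*#/ || NF == 0 { next }
    tolower($1) == "host" { inblock = ($2 == want); next }
    inblock { print }
  ' "$1"
}

# check_control_setup CONFIG HOST: return 0 when the block carries ControlPath,
# ControlMaster and ControlPersist and the ControlPath directory exists (the
# page warns that a missing directory breaks everything); else report and return 1.
check_control_setup() {
  block=$(host_block "$1" "$2"); status=0
  for key in ControlPath ControlMaster ControlPersist; do
    printf '%s\n' "$block" | grep -iq "^[[:space:]]*$key[[:space:]]" ||
      { echo "missing $key in Host $2"; status=1; }
  done
  path=$(printf '%s\n' "$block" | awk 'tolower($1) == "controlpath" { print $2 }')
  if [ -n "$path" ]; then
    case $path in "~/"*) path=$HOME/${path#"~/"} ;; esac   # ssh expands ~ itself
    dir=$(dirname "$path")
    [ -d "$dir" ] || { echo "control directory $dir missing: run mkdir -p '$dir'"; status=1; }
  fi
  return "$status"
}

# Demo on a constructed config under a throwaway HOME (subshell, so HOME is untouched).
demo() (
  HOME=$(mktemp -d); mkdir -p "$HOME/.ssh/.control_channels"
  cat > "$HOME/.ssh/config" <<'EOF'
ForwardAgent yes
ServerAliveInterval 60
Host login-gce
  Hostname logins.cels.anl.gov
  ControlPath ~/.ssh/.control_channels/%h:%p:%r
  ControlMaster auto
  ControlPersist 0
EOF
  check_control_setup "$HOME/.ssh/config" login-gce && echo "login-gce: OK"
  rmdir "$HOME/.ssh/.control_channels"      # simulate skipping step 1
  check_control_setup "$HOME/.ssh/config" login-gce || echo "login-gce: fix the above"
)
demo
```

Point it at your real file with check_control_setup ~/.ssh/config login-gce; a clean run prints nothing and returns 0.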
