Lab Ethernet Network

Connect via SSH to auth@130.136.201.254:

  • Enter your @studio.unibo.it email
  • Enter your unibo password
  • Check that your MAC address matches the one proposed
  • Enter the number of hours you want to be connected

N.B. If you are disconnected for more than 10 minutes, the authentication is lost.

Cluster

The bastion saragozza and all Proxmox nodes pve{n} allow access via the internal LDAP system, either with a password or with SSH keys. The root user on all these machines has the SSH keys available for all users.

The Proxmox machines are not reachable in any way other than through the bastion. As a result, you always need an SSH jump through saragozza to connect to a node. We can give the machines aliases in the SSH config, so that we can connect through the jump host using a symbolic name (e.g. pve1). The config also specifies a set of LocalForward directives for the ports of the services running on saragozza and the various pve{n}.

This is an example of a recommended SSH config.

Host adm-saragozza
	HostName saragozza.students.cs.unibo.it
	User mario

Host adm-pve1
	ProxyJump adm-saragozza
	HostName pve1.students.cs.unibo.it
	User mario
	LocalForward 8006 localhost:8006

Host adm-pve2
	ProxyJump adm-saragozza
	HostName pve2.students.cs.unibo.it
	User mario
	LocalForward 8006 localhost:8006

Host adm-pve3
	ProxyJump adm-saragozza
	HostName pve3.students.cs.unibo.it
	User mario
	LocalForward 8006 localhost:8006

Host adm-pve4
	ProxyJump adm-saragozza
	HostName pve4.students.cs.unibo.it
	User mario
	LocalForward 8006 localhost:8006

Host adm-pve5
	ProxyJump adm-saragozza
	HostName pve5.students.cs.unibo.it
	User mario
	LocalForward 8006 localhost:8006

Host adm-salvatore
	ProxyJump adm-saragozza
	HostName salvatore.students.cs.unibo.it
	User mario
	LocalForward 8007 localhost:8007

Remember to replace every occurrence of the user with your own LDAP username.

For example, if my username is not mario but luca, I need to use:

$ sed -i 's/mario/luca/g' ~/.ssh/config
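
An alternative to the sed substitution, as an added example that is not part of the original page: the function below generates the same Host blocks for a given LDAP username instead of rewriting every `mario` string in ~/.ssh/config, which would also change unrelated entries. The set of allowed username characters and the config.d/cluster file name are assumptions.

```shell
#!/bin/sh
# Added example: generate the cluster Host blocks for one LDAP username.
# Host names and ports are the ones from the config above.

# Emit one Host block: $1 alias, $2 FQDN, $3 user, $4 forwarded port (optional)
host_block() {
    printf 'Host %s\n' "$1"
    # Every machine except the bastion itself is reached through the bastion.
    [ "$1" = "adm-saragozza" ] || printf '\tProxyJump adm-saragozza\n'
    printf '\tHostName %s\n\tUser %s\n' "$2" "$3"
    [ -z "${4:-}" ] || printf '\tLocalForward %s localhost:%s\n' "$4" "$4"
    printf '\n'
}

gen_cluster_config() {
    user=$1
    # Accept only plain account names (assumed character set), so a value
    # with spaces or newlines cannot add extra directives to the file.
    case $user in
        ''|*[!a-z0-9._-]*) echo "invalid username" >&2; return 1 ;;
    esac
    domain=students.cs.unibo.it
    host_block adm-saragozza "saragozza.$domain" "$user"
    for n in 1 2 3 4 5; do
        host_block "adm-pve$n" "pve$n.$domain" "$user" 8006
    done
    host_block adm-salvatore "salvatore.$domain" "$user" 8007
}

# Usage (the file name is an assumption):
#   gen_cluster_config luca > ~/.ssh/config.d/cluster
#   then put "Include config.d/cluster" at the top of ~/.ssh/config
```

Since every pve{n} alias forwards the same local port 8006, only the first session opened can bind it; later ones connect but report that the forwarding could not be set up.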

The cluster authentication

When someone tries to log in with SSH, the SSH daemon tries to fetch the user's SSH key from the LDAP server. If a key is present and matches the public key used for the login, the user is allowed to log in; otherwise the connection is refused. For more technical details, read the base/tasks/pam.yaml Ansible file.

In order to log in to Proxmox, the LDAP server must be added as a realm. This can only be done by root, and it is done in the web UI. Please refer to the Proxmox guide.

LDAP certificate

To install the LDAP certificate:

curl -f https://ldap.students.cs.unibo.it/ipa/config/ca.crt > /usr/local/share/ca-certificates/ipa.crt && update-ca-certificates