How to Automate Leonardo Access with SSH Configuration

Overview

This guide shows you how to set up automated SSH access to the Leonardo supercomputer at CINECA, eliminating the need to manually run authentication commands each time you want to connect.

Prerequisites

  • A valid CINECA account with Leonardo access
  • Linux or macOS system
  • Basic familiarity with SSH and terminal commands

Step 1: Install the SmallStep Client

First, install the SmallStep CLI tool following the official guide:

Install SmallStep Client

Step 2: Bootstrap the Certificate Authority

Set up the SmallStep client to trust Leonardo's certificate authority:

step ca bootstrap --ca-url=https://sshproxy.hpc.cineca.it \
  --fingerprint 2ae1543202304d3f434bdc1a2c92eff2cd2b02110206ef06317e70c1c1735ecd

This command configures your local SmallStep client to communicate with Leonardo's authentication infrastructure.

Step 3: Test Manual Authentication

Before setting up automation, verify that manual authentication works:

step ssh login "<YOUR_EMAIL>" --provisioner cineca-hpc
ssh -o StrictHostKeyChecking=no <USERNAME>@login.leonardo.cineca.it

Replace <YOUR_EMAIL> with your CINECA email address and <USERNAME> with your Leonardo username.

If this works successfully, you're ready to set up automation.

Step 4: Configure SSH for Automation

Edit your SSH configuration file to enable automated login:

nano ~/.ssh/config

Add the following configuration block:

Host leonardo
  HostName login.leonardo.cineca.it
  User <USERNAME>
  CertificateFile ~/.step/ssh/<EMAIL>-cert.pub
  IdentityFile ~/.step/ssh/<EMAIL>
  ProxyCommand bash -c 'step ssh login "<EMAIL>" --provisioner cineca-hpc >/dev/null 2>&1; nc %h %p'
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null

Configuration Explanation

  • Host leonardo: Creates an alias "leonardo" for the connection
  • HostName: The actual Leonardo login node address
  • User: Your Leonardo username
  • CertificateFile: Path to your SSH certificate (automatically generated by SmallStep)
  • IdentityFile: Path to your SSH private key
  • ProxyCommand: Automatically runs the authentication command before connecting
  • StrictHostKeyChecking no: Skips host key verification, so SSH connects without confirming the server's identity (common in HPC environments)
  • UserKnownHostsFile /dev/null: Prevents storing host keys, so a changed host key is never detected

Important: Replace Placeholders

Make sure to replace:

  • <USERNAME> with your actual Leonardo username
  • <EMAIL> with your CINECA email address (appears twice in the config)

Step 5: Test Automated Connection

Now you can connect to Leonardo with a simple command:

ssh leonardo

The first time you run this command, you may be prompted for your CINECA credentials. The authentication will happen automatically in the background, and you'll be connected to Leonardo.

Troubleshooting

Common Issues

Authentication Fails

  • Verify your email and username are correct in the SSH config
  • Check that you can manually authenticate using Step 3
  • Ensure your CINECA account has Leonardo access

Certificate Expired

  • SmallStep certificates have limited lifetimes
  • Re-run the manual authentication process if you get certificate errors
  • The automated config will handle certificate renewal for subsequent connections

Connection Timeouts

  • Check your internet connection
  • Verify that the Leonardo login nodes are accessible
  • Try connecting from a different network if you're behind restrictive firewalls

Debugging Connection Issues

To see detailed connection information, use verbose SSH output:

ssh -v leonardo

This will show you exactly what's happening during the authentication and connection process.

Security Considerations

Certificate Lifecycle

  • SmallStep certificates are automatically managed and have limited lifespans
  • The ProxyCommand ensures fresh authentication for each session
  • No long-lived credentials are stored on your system
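When a connection fails with a certificate error, the validity window printed by `ssh-keygen -L` tells you whether the certificate has simply expired. The following is an added example, not part of the original guide: it classifies that window for a given time, and the sample certificate text and its timestamps are constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): classify an SSH certificate's
# validity window from `ssh-keygen -L` output.

# cert_status TEXT NOW
#   TEXT: output of `ssh-keygen -L -f <cert>`
#   NOW:  local time as YYYY-MM-DDTHH:MM:SS (the format ssh-keygen prints)
# Prints one of: valid | expired | not-yet-valid | unknown
cert_status() {
  printf '%s\n' "$1" | awk -v now="$2" '
    $1 == "Valid:" {
      seen = 1
      # Forms: "forever", "from A to B", "after A", "before B", "from A to forever"
      for (i = 2; i < NF; i++) {
        if ($i == "from" || $i == "after") start = $(i + 1)
        if ($i == "to" || $i == "before") stop = $(i + 1)
      }
      if (stop == "forever") stop = ""
      # Same-format ISO timestamps order correctly as plain strings.
      if (start != "" && (now "") < (start "")) print "not-yet-valid"
      else if (stop != "" && (now "") >= (stop "")) print "expired"
      else print "valid"
      exit
    }
    END { if (!seen) print "unknown" }'
}

# check_cert FILE: apply cert_status to a real certificate at the current time.
check_cert() {
  cert_status "$(ssh-keygen -L -f "$1")" "$(date +%Y-%m-%dT%H:%M:%S)"
}

# Constructed sample of `ssh-keygen -L` output (not a real certificate).
sample_cert() {
  cat <<'EOF'
/home/user/.step/ssh/user@example.org-cert.pub:
        Type: ecdsa-sha2-nistp256-cert-v01@openssh.com user certificate
        Key ID: "user@example.org"
        Serial: 1
        Valid: from 2025-01-15T09:00:00 to 2025-01-15T21:00:00
        Principals:
                user
EOF
}

cert_status "$(sample_cert)" "2025-01-15T12:00:00"   # inside the window
cert_status "$(sample_cert)" "2025-01-15T21:00:00"   # at the end of the window
```

To check your own certificate, call `check_cert` with the path used for `CertificateFile` in the SSH config.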

Network Security

  • All authentication happens through CINECA's secure infrastructure
  • SSH tunneling provides end-to-end encryption
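  • The configuration disables host key checking for HPC convenience. Connections remain encrypted, but the server's identity is not verified, so encryption alone does not protect against a machine-in-the-middle that impersonates the login node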
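To see which entries in an SSH config give up host key verification, the file can be audited per `Host` block. The following is an added example, not part of the original guide: the sample holds the guide's settings next to a pinned variant, where `leonardo-pinned` and `known_hosts_leonardo` are hypothetical names and the pinned file is assumed to hold a host key whose fingerprint you verified out of band.

```shell
#!/bin/sh
# Added example (not from the original guide): flag ssh_config blocks that
# turn off host key verification.

# audit_ssh_config FILE   ("-" or no argument reads standard input)
# Prints one line per weakening option, prefixed with the Host pattern.
audit_ssh_config() {
  awk '
    {
      line = $0
      sub(/^[ \t]+/, "", line)                  # drop indentation
      if (line == "" || line ~ /^#/) next       # skip blanks and comments
      sub(/[ \t]*=[ \t]*/, " ", line)           # accept "Key=value" as well
      split(line, f, /[ \t]+/)
      key = tolower(f[1]); val = tolower(f[2])  # keywords are case-insensitive
      gsub(/"/, "", val)
      if (key == "host" || key == "match") {    # a new block starts here
        scope = substr(line, length(f[1]) + 2)
        next
      }
      if (key == "stricthostkeychecking" && (val == "no" || val == "off"))
        print scope ": StrictHostKeyChecking " val " (server identity not verified)"
      if (key == "userknownhostsfile" && val == "/dev/null")
        print scope ": UserKnownHostsFile /dev/null (host key changes go unnoticed)"
    }' scope="(global)" "${1:--}"
}

# Constructed sample: the guide's settings, then a pinned variant.
sample_config() {
  cat <<'EOF'
Host leonardo
  HostName login.leonardo.cineca.it
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null

Host leonardo-pinned
  HostName login.leonardo.cineca.it
  StrictHostKeyChecking yes
  UserKnownHostsFile ~/.ssh/known_hosts_leonardo
EOF
}

# Only the first block is reported; the pinned block produces no output.
sample_config | audit_ssh_config -
```

Run `audit_ssh_config ~/.ssh/config` to check your own file.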

Advanced Configuration

SSH Agent Integration

For even smoother operation, you can add your SmallStep keys to the SSH agent:

ssh-add ~/.step/ssh/<EMAIL>

Usage Examples

Once configured, you can use your automated connection for various tasks:

Direct Command Execution

# Single quotes so that $USER is expanded on Leonardo, not by your local shell
ssh leonardo 'squeue -u $USER'

File Transfer with SCP

# $WORK is defined on Leonardo, not locally, so look it up there first
scp myfile.py "leonardo:$(ssh leonardo 'echo $WORK')/"

File Transfer with rsync

# $WORK is defined on Leonardo, not locally, so look it up there first
rsync -av --progress ./local_dir/ "leonardo:$(ssh leonardo 'echo $WORK')/remote_dir/"

Port Forwarding for Jupyter

ssh -L 8888:localhost:8888 leonardo

Conclusion

With this automated SSH configuration, you can:

  • Connect to Leonardo with a simple ssh leonardo command
  • Use all standard SSH tools (scp, rsync, port forwarding) seamlessly
  • Avoid repetitive manual authentication steps
  • Maintain security through SmallStep's certificate-based authentication

This setup significantly improves your workflow efficiency when working with Leonardo, especially for frequent access or automated scripts.