Skip to content

How to Automate Login in Leonardo

This guide shows you how to set up automated SSH login for Leonardo at CINECA.

Prerequisites

  • A Leonardo account
  • SSH client installed on your local machine
  • Basic knowledge of terminal/command line

Get a valid certificate for 12 hours:

step ca bootstrap --ca-url=https://sshproxy.hpc.cineca.it --fingerprint 2ae1543202304d3f434bdc1a2c92eff2cd2b02110206ef06317e70c1c1735ecd

Login to the machine

When you connect to the Leonardo HPC system, its host key will be added to your known_hosts file. If the provision step gives you a different login node the host key changes, you may encounter an error when logging in, requiring you to manually remove the old key.

Preventing Host Key Issues

To prevent this issue, you can disable strict host key checking by adding -o StrictHostKeyChecking=no to your SSH command:

step ssh login "<YOUR EMAIL ADDRESS>" --provisioner cineca-hpc 
ssh -o StrictHostKeyChecking=no <USERNAME>@login.leonardo.cineca.it

Alternatively, you can automate the process by adding the following configuration to your ~/.ssh/config file. This method also streamlines the provisioning process. Replace <USERNAME> and <YOUR EMAIL ADDRESS> with your actual credentials:

### CINECA - Leonardo HPC Configuration
#
Host leonardo
    HostName login.leonardo.cineca.it
    User <USERNAME>

    # Certificate-based authentication
    CertificateFile ~/.step/ssh/<YOUR EMAIL ADDRESS>-cert.pub
    IdentityFile ~/.step/ssh/<YOUR EMAIL ADDRESS>

    # Automatically renew SSH certificate before connecting
    ProxyCommand bash -c 'step ssh login "<YOUR EMAIL ADDRESS>" --provisioner cineca-hpc >/dev/null 2>&1; nc %h %p'
    #Auth 
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
    # Basic crypto settings
    KexAlgorithms diffie-hellman-group14-sha1
    Ciphers aes128-ctr
    MACs hmac-sha2-256,hmac-sha2-512
    # Disable EtM MACs
    MACs hmac-sha2-256,hmac-sha2-512,hmac-sha1
    # Host key settings
    HostKeyAlgorithms ssh-rsa,rsa-sha2-256,rsa-sha2-512

Once the configuration is in place, you can log in simply by running:

ssh leonardo

This setup ensures a seamless login experience by automating certificate provisioning and avoiding host key verification issues.

Troubleshooting

  • If connection fails, check your key permissions: chmod 600 ~/.ssh/id_ed25519
  • Verify the public key was uploaded: cat ~/.ssh/authorized_keys on Leonardo
  • Check system status at CINECA Status Page

Tags

#ssh #security #leonardo