Logging in to HPCI using GSI-OpenSSH for MacOS

0. Change Log

0.1 Major changes

2024.09.09

• Changed tarball to gsi-openssh-for-macOS-20240902.tar.gz

2024.04.05

• The wording of the login procedure has been partially changed to match the user’s environment.

2023.07.31

• The wording and structure of some items have been arranged.

• The text version of this document has been discontinued.

2023.05.09

• Added “1.2 Software restrictions”

2023.04.28

• Corrected the URL of the referenced document.

2023.01.10

• Added Apple Silicon compatibility

• Changed tarball to gsi-openssh-for-macOS-20230110.tar.gz

• Revised text of “3.3 Caveats”

• Added “4. Update Procedure for GSI-OpenSSH for MacOS”

2022.12.19

• Changed title

2022.07.15

• Created an English version of the document

2022.01.31

• Initial release

1. Overview

This document is for those using macOS, and explains how to log in to the HPCI environment using GSI-OpenSSH for macOS.

GSI-OpenSSH for macOS is built on macOS using the following software, and does not use Docker images.

• OpenSSL

  • openssl-3.0.14

• Grid Community Toolkit

  • GCT version 6.2.20240202 (gsi-openssh-9.3p1c を含む)

Grid Community Toolkit is referred to as “GCT” in the remainder of this document.

1.1 Operating environment

Mac with Intel chip

• macOS 12 or newer (Monterey, Ventura, Sonoma).

  • HPCI has used Monterey for operational tests in its test environment.

Mac with Apple silicon

• macOS 12 or newer (Monterey, Ventura, Sonoma).

  • HPCI has used Monterey for operational tests in its test environment.

1.2 Software restrictions

• Does not provide server functionality.

  • GSI-OpenSSH for macOS provides client functionality only. Operation of the server function is not guaranteed.

2. Installing GSI-OpenSSH for macOS

2.1 Download

1. Download the tarball from the following URL.

   This is a universal binary and will run on Intel Macs and Apple Silicon Macs.

• gsi-openssh-for-macOS-20240902.tar.gz (18,028,601 byte)

  • SHA256 hash of tarball : 8332154e58c2855af664677456f4e4f253d4b73bf9cc849517d5c069c398f244

  • SHA512 hash of tarball : 7c7a9508604613048c781396410e4d5aaeebf344b962bb64e56598f881a70214f4ad12349ddb26e89fcd7d0005df067ab54db8ad5f5fdec108cf6b0fcc53fb92

2.2 Installation procedure

1. Launch the Terminal application. The rest of this procedure will be in the terminal.

2. Create /usr/local.globus-6 as an installation target directory. Set the owner and group of globus-6 to match the user’s account.

% sudo mkdir /usr/local/globus-6
% sudo chown <your-uid>:<your-gid> /usr/local/globus-6

3. Expand the downloaded file to /usr/local.globus-6

% cd /usr/local/globus-6
% tar zxvf /path/of/gsi-openssh-for-macOS-20240902.tar.gz

2.3 Post-installation setup

Environment settings

The script globus-user-env.sh will set the environment variables needed for using GCT. Read this in using the personal environment settings (~/.zprofile) for your login shell (zsh)

Also, since it is preferable to use OpenSSL (contained in the tarball) rather than MacOS’ standard SSL (LibreSSL), change your path settings.

1. Launch the Terminal application.

2. Append the following to ~/.zprofile:

GLOBUS_LOCATION=/usr/local/globus-6
if [ -f $GLOBUS_LOCATION/share/globus-user-env.sh ] ; then
        . $GLOBUS_LOCATION/share/globus-user-env.sh
        PATH=$GLOBUS_LOCATION/openssl/bin:$PATH
fi

3. Quit and restart the terminal to cause your settings to be updated.

4. Confirm your path settings have been changed by checking the gsissh version.

% gsissh -V
OpenSSH_9.3p1c-GSI GSI-hpn15v2, OpenSSL 3.0.14 4 Jun 2024
%

Set your CA certificate

Download the HPCI Certificate Authority’s Office’s CA certificate and place it in the directory /usr/local/globus-6/share/certificates

1. Run the following command.

% /usr/local/globus-6/share/hpci/set-cacert.sh

Periodically update the CRL

The HPCI Certificate Authority’s CRL is periodically updated, so set the following to periodically get the CRL.

• Do this by setting the script /usr/local/globus-6/share/hpci/fetch-crl.sh to run periodically.

• You will use cron to run the script periodically. Use the script /usr/local/globus-6/share/hpci/set-fetch-crl.sh to register the above script with cron.

1. Run the following command.

% /usr/local/globus-6/share/hpci/set-fetch-crl.sh on

• When you run this, the contents of crontab will be sent to STDOUT (this will output everything, including standard entries). Confirm that it includes an entry that runs /usr/local/globus-6/share/hpci/fetch-crl.sh.

• This will output the contents before changes to the backup file crontab.bak in the current directory. You can delete this if not needed.

This completes post-installation setup.

2.3 Uninstallation procedure

When GSI-OpenSSH for macOS is no longer needed, you can uninstall it using the following procedure.

1. Delete fetch-crl.sh from crontab by running the following command.

% /usr/local/globus-6/share/hpci/set-fetch-crl.sh off

• When you run this, the contents of crontab will be sent to STDOUT (this will output everything, including standard entries). Confirm that it includes an entry that runs /usr/local/globus-6/share/hpci/fetch-crl.sh.

• This will output the contents before changes to the backup file crontab.bak in the current directory. You can delete this if not needed.

2. Delete the directory /usr/local/globus-6 by running the following commands.

% cd /usr/local/
% rm -rf globus-6/*
% sudo rmdir globus-6

3. Logging in to the HPCI environment

Using the environment where GSI-OpenSSH for macOS is installed, use the terminal to run the myproxy-logon and gsissh commands without modification. Follow the instructions in the HPCI Login Manual.

3.1 Launch the Terminal

Launch the Terminal application.

3.2 Log in to the login server

This section provides an overview of the login procedure. See User’s Guide, HPCI Login Manual for details.

Issue a proxy certificate

First, a proxy certificate must be issued using HPCI Certificate Issuing System and stored in the proxy certificate repository.

Attention

• Proxy certificates are valid for up to 168 hours.

• It should be issued (stored) each time it expires.

• Refer to the following document for the issuing (storing) procedure.

  • User’s Guide, HPCI Login Manual, “2.2. Storing the Proxy Certifdicate”

Download a proxy certificate

Download the proxy certificate to terminal .

• For details on the procedure, refer to the following document.

  • User’s Guide, HPCI Login Manual , “2.3.2. Download with myproxy-logon”

• If you are unable to download a proxy certificate, refer to the following document.

  • User’s Guide, HPCI Login Manual , “2.3.2.2. Troubleshooting”

  • トラブルシューティング - GSI-SSHシステム管理関連 in the HPCI information-sharing CMS. (Note: There is no English translation page.)

1. Download the proxy certificate using the myproxy-logon command.

[hpciuser@XXXXXXXXXXXX ~]$ myproxy-logon -s portal.hpci.nii.ac.jp -l [HPCI-ID]
Enter MyProxy pass phrase: ********
A credential has been received for user <HPCI-ID> in /tmp/x509up_up2000.
[hpciuser@XXXXXXXXXXXX ~]$

2. Verify the information in the resulting proxy certificate using the grid-proxy-info command.

[hpciuser@XXXXXXXXXXXX ~]$ grid-proxy-info
subject  : /C=JP/O=NII/OU=HPCI/CN=user/CN=proxy/CN=proxy/CN=proxy/CN=proxy
issuer   : /C=JP/O=NII/OU=HPCI/CN=user/CN=proxy/CN=proxy/CN=proxy
identity : /C=JP/O=NII/OU=HPCI/CN=user
type     : RFC 3820 compliant impersonation proxy
strength : 2048 bits
path     : /tmp/x509up_u2000
timeleft : 12:01:15
[hpciuser@XXXXXXXXXXXX ~]$

Log in to the login server

• For details on the procedure, refer to the following document.

  • User’s Guide, HPCI Login Manual , “2.4. Login to the Login Server”

• If you are unable to log in to the login server, refer to the following document.

  • User’s Guide, HPCI Login Manual , “2.4.2. Troubleshooting”

  • トラブルシューティング - GSI-SSHシステム管理関連 in the HPCI information-sharing CMS. (Note: There is no English translation page.)

1. Log in to the login server. In the following example, we are logging in to the login server at the Tokyo Institute of Technology, login.t3.gsic.titech.ac.jp.

[hpciuser@XXXXXXXXXXXX ~]$ gsissh -p 2222 login.t3.gsic.titech.ac.jp
Last login: Tue Jan 24 11:09:13 2023 from xxx.xxx.xxx.xxx
--------------------------------------------------------------------
Last modified: 2023-04-06 17:00:00 JST

 ** Do not run heavy programs like ISVs on login nodes login[01]. **

    (The current TSUBAME 3.0 operational status)
    https://www.t3.gsic.titech.ac.jp/      Twitter:@Titech_TSUBAME
--------------------------------------------------------------------
<HPCI-ID>@login1:~>

2. When you exit the login server, you will return to the terminal shell .

<HPCI-ID>@login1:~> exit
logout
Connection to login.t3.gsic.titech.ac.jp closed.
[hpciuser@XXXXXXXXXXXX ~]$

3.3 Caveats

Attention

This section was deleted on Dec 28, 2022.

Currently, connections to RIKEN’s R-CCS will result in an error.

% gsissh -p 2222 hpciss04.r-ccs.riken.jp
ssh_packet_read: read: Connection reset by peer
%

To avoid this problem, do as follows.

• Add the option -oGSSAPIKexAlgorithms=gss-gex-sha1- to the command.

  % gsissh -p 2222 -oGSSAPIKexAlgorithms=gss-gex-sha1- hpciss04.r-ccs.riken.jp
  

• Append the following to your personal ssh settings file $HOME/.ssh/config.

  Host *.r-ccs.riken.jp
  GSSAPIKexAlgorithms gss-gex-sha1-
  

  You can abbreviate this at the command line as follows

  % gsissh -p 2222 hpciss04.r-ccs.riken.jp
  

4. Update Procedure for GSI-OpenSSH for MacOS

This section describes the procedure for updating the previous version of GSI-OpenSSH for macOS with the latest version.

This section refers to the following versions specifically; replace them with the versions you are actually using.

	tarball name
New version	Changed tarball to gsi-openssh-for-macOS-20240902.tar.gz
Old version	gsi-openssh-for-macOS-20230110.tar.gz

4.1 Update procedure

1. Launch the Terminal application. The rest of this procedure will be in the terminal.

2. If any applications in the directory /usr/local/globus-6 are running (e.g., /usr/local/globus-6/bin/gsissh), quit them.

3. Delete fetch-crl.sh from crontab by running the following command.

% /usr/local/globus-6/share/hpci/set-fetch-crl.sh off

• When you run this, the contents of crontab will be sent to STDOUT (this will output everything, including standard entries). Confirm that it includes an entry that runs /usr/local/globus-6/share/hpci/fetch-crl.sh.

• This will output the contents before changes to the backup file crontab.bak in the current directory. You can delete this if not needed.

3. To save the directory /usr/local/globus-6 in which the old version is installed, rename it. Here, we are changing its name to /usr/local/globus-6.20230110.

% cd /usr/local/
% sudo mv globus-6 globus-6.20230110

4. Following the procedure in ” 2.2 Installation procedure ” , expand gsi-openssh-for-macOS-20240902.tar.gz to /usr/local/globus-6.

5. The CA certificate files used by the old version, in /usr/local/globus-6.20230110/share/certificates, should be copied to /usr/local/globus-6/share/certificates/ if needed.

6. If you have made any changes to the ssh_config settings file used by the old version, copy those changes to the new version of ssh_config.

7. Following the procedure in ” Periodically update the CRL “, periodically update the HPCI Certificate Authority’s CRL.

8. Delete the saved old version:

% cd /usr/local/
% rm -rf globus-6.20230110

This completes the update process.