Access to the system


Access to Caléndula is performed using the SSH (Secure Shell) protocol. This protocol is used for accessing remote machines over a network. It allows remote work through a command interpreter and also enables redirecting graphical program traffic from the remote machine to the local machine's screen.

SSH uses encryption techniques that prevent third parties from accessing the content of communications. As it is a secure protocol, concepts such as public/private keys and fingerprints come into play. While it's not the purpose of this manual to delve into these concepts in detail, a brief description is necessary to fully understand the connection process and ensure the confidentiality of traffic between the user's system and SCAYLE's system.

The concept of a unique fingerprint or public key is an alphanumeric string of characters that identifies a specific server and helps us ensure that the server responding is indeed the one we intended to connect to.

The URL calendula.scayle.es is the access point to the supercomputer, but behind this address, there are actually two distinct servers (called frontend11 and frontend12) that handle remote user login requests. This allows the distribution of the number of users simultaneously accessing Caléndula between the two servers. However, this solution presents the inconvenience that the two servers have different public keys, even though they respond to the same address externally. This poses a problem with SSH public keys because the first time a connection is made, the key of one frontend is saved, and in subsequent sessions, when switching to the other frontend, a security alert may appear warning of a possible 'man-in-the-middle' attack.

The file ecdsa_keys_calendula.txt contains the keys for both frontends. Users can copy the contents of this file to the $HOME/.ssh/known_hosts file of their local machine or SSH connection program used to connect to Caléndula.

The fingerprints of the two frontends are:

Clave ECDSA frontend11. Formato MD5: e1:b4:0c:06:07:97:64:61:ca:94:fb:b7:95:b4:01:e2
Clave ECDSA frontend11. Formato SHA256: ENVK4Jkwgx1452ZXzho6kz9CDzAHu1nVwOve4tAWy1Q

Clave ECDSA frontend12. Formato MD5: 23:af:ce:0c:c3:f4:ef:43:37:da:e3:45:17:d3:87:e5
Clave ECDSA frontend12. Formato SHA256: zEDXH07QlixqR3sJ0jHb/n8c87NGX1sXF433R4iYgLE

In compliance with the National Security Framework, SCAYLE only accepts keys with the ECDSA signature algorithm and a NIST P-521 curve.

To access Caléndula, it is necessary to have an active user account (which will have been provided by SCAYLE) and its corresponding password. Additionally, users will need to generate public/private key pairs for each device/application they intend to use to access Caléndula and transfer the generated public keys to SCAYLE to enable access. Instructions for performing this transfer are provided further down on this page.

Windows operating systems do not install by default any utility that allows remote access to other systems using the SSH protocol.
SCAYLE recommends the following programs to establish a connection to our systems:

  • PuTTY. It is a free, lightweight utility that is very easy to install on any of the latest versions of Windows.
  • MobaXterm. This tool is much more powerful than the previous one and includes multiple tools such as SFTP browser, X11 server, etc.
  • Windows Subsystem for Linux. Compatibility layer created by Microsoft to run Linux natively on Windows. There are different distributions Linux that can be installed (Ubuntu, OpenSUSE, Debian,...).

Once one of the above programs has been installed, the configuration values for access to Calendula are as follows:

Host Name (or IP address): calendula.scayle.es
Port: 22
Connection type: SSH

Accessing Caléndula from Linux or macOS operating systems is simpler because these operating systems (at least the vast majority of distributions) come with the necessary programs already installed. Usually, both in the case of macOS and various Linux distributions, the program is called Terminal.
To connect from these systems to Caléndula, it is only necessary to enter the following command in the Terminal program:

ssh 

It will ask for our user password, and we will start the session.
As with the connection using Windows tools, access via ssh checks that the public key of the system we are connecting to matches the one it has stored. As mentioned above, to avoid the security warning, you must copy the keys of the system's frontends to the file.

$HOME/.ssh/know_hosts

In this guide, you will learn how to securely and automatically upload your public key to Caléndula. This process ensures that only authorized users can add keys to specific servers, maintaining the security and integrity of the system. We will use the ECDSA (Elliptic Curve Digital Signature Algorithm) with the NIST P-521 curve to generate and manage public keys.

Step 1: Obtain the Public Key
First, you must obtain your public key in the appropriate format for the ECDSA algorithm using the NIST P-521 curve, known as ecdsa-sha2-nistp521.
If you're using programs that provide a terminal emulator or command line such as Terminal, iTerm2 (both on macOS), WSL, PuTTY, MobaXterm (on Windows), the way to generate the public/private key pair is by using the command:

ssh-keygen -t ecdsa -b 521

This command will create, within the root or local $HOME directory of the program used, a directory called .ssh and within it, two files commonly named:

id_ecdsa
id_ecdsa.pub

The content of the latter, with the .pub extension, is the public key that you need to transfer to SCAYLE.

In the case of using MobaXterm, it's important to note that, by default, the HOME directory where the key files generated with the previous command are created is a temporary directory. This means that each time the program is closed, the directory and all its contents are deleted. This would require generating and transferring new keys each time MobaXterm is opened.

First. To avoid this behavior, select the Configuration option within the Settings menu. In the window that opens, the first option that appears in the General section called Persistent home directory indicates the path where the HOME directory of the MobaXterm user will be stored.
Select a path to save that directory on your disk and click the OK button. For example,
mobaxterm

Second. In MobaXterm, we open a new terminal. To do this, we'll select Terminal and Open new tab.
Third. We'll execute the following command: ssh-keygen -t ecdsa -b 521
Fourth. Access the Settings option, Configuration, SSH, and here check the box Use internal SSH agent MobAgent and add the generated key in the following box.
Fifth. Now it will be time to send the generated public key to SCAYLE so that it can be added to your HOME directory in Caléndula.

In the case of using file transfer programs to or from Caléndula, such as Filezilla, WinSCP, CyberDuck, Bitvise, etc., it is also necessary to configure the public/private key pair.

Each of these programs has a different way of configuring the connection to Caléndula to add the generated keys. Consult the documentation of the program you're using, and in case of difficulty, contact us through for help with the configuration.

For this purpose, the puttygen program can be useful as it allows the generation of the key pair for use with any of the above programs that need to be configured.

Step 2: Send the Public Key by Email
Next, copy your public key and send an email with the following characteristics:

From: the email must be sent from the email account linked to SCAYLE's supercomputing (HPC) service and with which you requested the creation of the access account.
To: 
Subject: calendula
Body: Text of the generated public key file (id_ecdsa.pub) (without watermarks, signatures, or any other text). Do not share anything else with SCAYLE other than the contents of that file.

formatoClave

Step 3: Process Confirmation
After sending the email, you will receive a response from the server indicating the status of the process. The possible results are:

  1. SUCCESS:
    Confirmation: Public key added successfully.

  2. FAILURE:
    Error: the connection to the server has failed. Try again after some time. If the error persists, contact .
    Error: incorrect public key. Make sure the public key format is correct and that the email body contains only the public key text, without signatures or greetings.
    Error: incorrect subject. Make sure the email subject is "calendula".

  3. NOTHING:
    If you don't receive any email, make sure the sending email is the one linked to SCAYLE, as only these emails will be accepted to access the cluster. Also check the spam folder of your email program.

When the system prompts you to enter the password, it's important to note that no symbols (*, #, ...) will appear on the screen. This is to prevent an external observer from having any indication of the length of the password entered.

Once the connection to our system is established, you enter one of the two login nodes (frontends) from which you can transfer data, edit your job submission scripts, work with the file system, etc.

IMPORTANT: No calculation activity is allowed on these nodes. Please note that these are servers shared among all users, and activities that demand a large amount of memory or CPU time will adversely affect the work of other users. Therefore, there are established limits on CPU time and the number of processes a user can open.