ACCESS/ROSE cannot access Gadi

Hi all,

I encountered an environment issue when running ACCESS-CM2 on Gadi.

When I set up mosrs on accessdev using the command mosrs-setup, I received the following error:

Testing Rose can be accessed on Gadi…
Host key verification failed.
WARN: Unable to connect to Gadi
WARN: Follow the instructions at https://accessdev.nci.org.au/trac/wiki/Guides/SSH to set up a SSH agent

That means my ROSE on accessdev cannot connect to Gadi, which causes all jobs I submitted to Gadi from accessdev to fail. All methods suggested on Guides/SSH – Access Development have been tried but didn’t work properly.

Does anyone have a suggestion for this?

By the way, I’m using a Mac with an M1 chip. I cannot send my public key from my Mac to accessdev; I received the following error:

cat ~/.ssh/test10May2023.pub | ssh myuser@accessdev.nci.org.au "mkdir -p ~/.ssh/; cat >> ~/.ssh/authorized_keys"
Unable to negotiate with port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss

However, the public key generated using the same command can be sent to Gadi. Since I cannot access accessdev from my local Mac, I generated a key on my Gadi account and then sent it to accessdev. So if I want to log in to accessdev, I have to log in to Gadi first, then log in to accessdev from Gadi. I’m not sure if this is causing the problem.

Thank you for any assistance provided.

Cheers,

Zhaohui

1 Like

Hi Zhaohui,

This is not what is causing the problem, but is an issue to be addressed anyway.

The reason why you cannot ssh to accessdev from your local machine seems to be the lack of a supported ssh-key algorithm/protocol. Accessdev is an old system and its ssh implementation does not support newer ssh algorithms/protocols, so you will have to use an RSA key type and re-enable an old ssh protocol (RSA/SHA1, which was superseded by newer ones due to safety reasons) to be able to connect.

  1. Supposedly, you already have an RSA type key.
    To check, you can run:
    ssh-keygen -l -f <your_ssh_key_for_accessdev>
    The key type is written at the end of the line in parentheses. There should be (RSA) in your case. If you have that then you can skip the next step and go to point 3.

  2. If you don’t have an RSA type, I would suggest creating a new ssh-key on your local machine specifically to connect to accessdev:
    ssh-keygen -t rsa -f ~/.ssh/id_rsa_accessdev
    and then you will get asked to enter the passphrase twice.
    You will then have to add the newly generated public key (content of ~/.ssh/id_rsa_accessdev.pub) to the ~/.ssh/authorized_keys on accessdev.

  3. To re-enable the RSA/SHA1 protocol for the ssh connection, you will have to add two options to your ~/.ssh/config file: HostkeyAlgorithms +ssh-rsa and PubkeyAcceptedKeyTypes +ssh-rsa.
    Your ~/.ssh/config file for accessdev should look like this:

Host accessdev
    Hostname accessdev.nci.org.au
    User <your_user> 
    IdentityFile ~/.ssh/<your_ssh_key_for_accessdev>
    ForwardX11 yes
    ForwardX11Trusted yes
    HostkeyAlgorithms +ssh-rsa 
    PubkeyAcceptedKeyTypes +ssh-rsa

This will let you connect to accessdev from your local machine.

To run ACCESS-CM2 there needs to be mutual communication between accessdev and Gadi. This means that from accessdev you should be able to connect to Gadi (on accessdev ssh <your_user>@gadi.nci.org.au should work) and from Gadi you should be able to connect to accessdev (on Gadi ssh <your_user>@accessdev.nci.org.au should work).

From what you said above, you already seem to have the connection from Gadi to accessdev.

To make sure the connection from accessdev to Gadi works, you have to create an ssh-key on accessdev to connect to Gadi, following the steps in https://accessdev.nci.org.au/trac/wiki/Guides/SSH.
In general, on accessdev, you have to:

  • Create a new ssh-key by running:
    ssh-keygen -t rsa -f ~/.ssh/<your_ssh_key_name_for_gadi>
    and then inserting the passphrase twice.

  • Add the public key to Gadi’s authorized keys. To do this step I would suggest manually copying your newly created public key (content of ~/.ssh/<your_ssh_key_name_for_gadi>.pub) to the ~/.ssh/authorized_keys on Gadi. Just make sure not to include any new lines after you paste the content.

Finally, on accessdev, run accessdev-gadi-setup. All lines should be successful.

This should solve your problems.

Davide

2 Likes
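
An added example, not part of the reply above or of any NCI or OpenSSH tooling: it parses the "no matching host key type found" error quoted in the question, emits a stanza that re-enables ssh-rsa for the accessdev alias only, and checks config text for places where the legacy algorithm is enabled for every host. All function names are hypothetical, and the audit assumes plain "keyword value" lines with no Match blocks.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not OpenSSH or NCI tooling.

# Constructed sample: the negotiation error quoted in the question above.
SAMPLE_ERR='Unable to negotiate with port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss'

# Print the host key algorithms the server offered, one per line.
offered_algos() {
    printf '%s\n' "$1" |
        sed -n 's/.*no matching host key type found\. Their offer: *//p' |
        tr ',' '\n'
}

# Choose what to re-enable: ssh-rsa if it was offered, never ssh-dss.
pick_legacy_algo() {
    if offered_algos "$1" | grep -qx 'ssh-rsa'; then
        echo ssh-rsa
    else
        return 1
    fi
}

# Emit a stanza that enables the algorithm for one Host alias only.
legacy_stanza() {  # args: alias hostname error_line
    _algo=$(pick_legacy_algo "$3") || return 1
    printf 'Host %s\n    Hostname %s\n' "$1" "$2"
    printf '    HostkeyAlgorithms +%s\n    PubkeyAcceptedKeyTypes +%s\n' "$_algo" "$_algo"
}

# Read ssh_config text on stdin and print every line that enables ssh-rsa or
# ssh-dss globally (before the first Host line, or under "Host *").
# Assumption: "keyword value" syntax; Match blocks are not analysed.
global_legacy_lines() {
    awk '
        BEGIN { scope = "global" }
        tolower($1) == "host" { scope = (NF == 2 && $2 == "*") ? "global" : "host"; next }
        scope == "global" &&
        tolower($1) ~ /^(hostkeyalgorithms|pubkeyacceptedkeytypes|pubkeyacceptedalgorithms)$/ &&
        /ssh-rsa|ssh-dss/ { print NR ": " $0 }
    '
}

# Stand-alone run: print the host-scoped stanza for the sample error.
legacy_stanza accessdev accessdev.nci.org.au "$SAMPLE_ERR"
```

Running `global_legacy_lines < ~/.ssh/config` lists any line that would re-enable the legacy algorithms for all hosts instead of only for accessdev.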

Hi Davide,

Thank you so much for your detailed and professional response! It solved my problem perfectly.

Cheers,
Zhaohui

1 Like