By default, Ubuntu distributions do not create a directly usable root account. Instead, they grant sudo privileges to the first user created, for increased security. For convenience, we will enable the root account by setting a password, and to mitigate the security implications we will require keys for root login over ssh.
hpcstudent@nano:~$ sudo passwd
[sudo] password for hpcstudent:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
For the first password request above, use the initial user's password you created on the first boot. For the second and third requests, use the new password for the root account. Note that 'sudo' is required above - otherwise you will be changing the initial user's password.
By default, sshd does not allow remote root logins without a key (see SSH keys below). One way to set up key access is to temporarily allow root logins with a password. This can be done by modifying the /etc/ssh/sshd_config file. In the Authentication section find the line for 'PermitRootLogin prohibit-password', and immediately after add the line 'PermitRootLogin yes':
For now, set up root accounts on the compute nodes the same as on the master node, including setting up sshd to allow root logins.
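A check for the sshd_config edit described above, as an added example that is not part of the original tutorial: sshd uses the first value it reads for a keyword, so the added 'PermitRootLogin yes' line only takes effect while the stock line above it is still commented out, and password logins for root stay enabled until the added line is removed again. The function names and the three sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original tutorial): report which PermitRootLogin
# value sshd would take from the global section of an sshd_config-style file.
# Assumptions: keyword and value are separated by whitespace, Include
# directives are not followed, and settings inside Match blocks are not reported.

# sshd keeps the FIRST value it reads for a keyword; a later duplicate is ignored.
effective_root_login() {
    awk '
        NF == 0 || $1 ~ /^#/   { next }     # skip blank lines and comments
        tolower($1) == "match" { exit }     # global settings end at the first Match block
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "prohibit-password" }   # OpenSSH default when unset
    ' "$1"
}

# Succeeds when root cannot authenticate with a password over ssh.
root_password_login_disabled() {
    case "$(effective_root_login "$1")" in
        prohibit-password|without-password|forced-commands-only|no) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample files (not copied from a real system).
write_samples() {
    # Stock line left commented, new line added after it: the edit takes effect.
    printf '%s\n' '#PermitRootLogin prohibit-password' 'PermitRootLogin yes' > "$1/temporary"
    # Stock line was uncommented: the line added after it is ignored.
    printf '%s\n' 'PermitRootLogin prohibit-password' 'PermitRootLogin yes' > "$1/shadowed"
    # Added line removed again once keys are installed: back to the default.
    printf '%s\n' '#PermitRootLogin prohibit-password' 'PasswordAuthentication yes' > "$1/restored"
}

samples=$(mktemp -d)
write_samples "$samples"
for f in temporary shadowed restored; do
    if root_password_login_disabled "$samples/$f"; then state="key only"; else state="PASSWORD ALLOWED"; fi
    printf '%-10s PermitRootLogin=%-18s %s\n' "$f" "$(effective_root_login "$samples/$f")" "$state"
done
rm -rf "$samples"
```

On a live node, running sshd -T as root prints the configuration the daemon actually resolves, which also covers Include files that this file scan does not follow.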
SSH Keys
On the master node, set up a key pair for the root account.
Do not assign a passphrase to the private key; leave it blank to allow non-interactive logins.
root@nano:~# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:Uq34+RrH/Br9kejTVv5F7jRXqVU//txwq/SgHq+Lpe4 root@nano
The key's randomart image is:
+---[RSA 2048]----+
| |
| . |
| . . .|
| o . +|
| o S ++|
| o + . .+++|
| + =oo=+=*|
| +++*.=BO|
| +E+*==ooB|
+----[SHA256]-----+
root@nano:~#
We will use the same key pair on all nodes and the master. To allow compute nodes to initiate sessions on the master, you can append the public key to the master node root account's authorized_keys file:
Test for passwordless login by opening an ssh connection, in this case to localhost. You should be able to establish a connection without being prompted for a password.
root@nano:~# ssh localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:5H/UOG3SLt4VTizh60fQUwdg9+u3AUH1ctBrivgFsVc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.9.140-tegra aarch64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
7 packages can be updated.
6 updates are security updates.
root@nano:~#
The next step is to transfer the private key and public key (the latter into the authorized_keys file) to the compute nodes. We'll use ssh-copy-id to copy the public key:
root@nano:~# ssh-copy-id 10.0.0.101
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '10.0.0.101 (10.0.0.101)' can't be established.
ECDSA key fingerprint is SHA256:CK4/WNgfq4jORRlMrhPoSK8q4ypp1Tm/Ef3fQYE5L1M.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@10.0.0.101's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '10.0.0.101'"
and check to make sure that only the key(s) you wanted were added.
root@nano:~#
Repeat the above for each of the nodes. Once the authorized_keys file is set up on each node, transferring the private key should be much easier: