Automation in the context of multifactor authentication: Difference between revisions

{{Command|rsync -a datadir/a robot:scratch/testdata}}

When connecting to the robot node the SSH client on your computer may choose to use the '''IPv6 addressing''' over the older '''IPv4'''.

This seems to be more probably in Windows environment.  

matches the type your computer will be using when connecting to the node.

You can check your addresses using this web site: https://test-ipv6.com/ .

* An IPv4 address would look like '''199.241.166.5'''.

* An IPv6 address could be similar to '''2620:123:7002:4::5'''.

The possible problem is that if you put the IPv4 address mask, '''199.241.166.*''' into the CCDB SSH key, and  

your SSH client will be connecting the the robot node using IPv6 address, the source address will not match the mask in the key

and the key will not be accepted by the robot node.  

If you are having difficulties to make the SSH connection to a robot node working.

Try this test command:

  ssh -i ~/.ssh/automation_key -vvv username@robot.graham.alliancecan.ca "ls -l"  

This command tries to connect to the robot node on Graham cluster and execute the <code>ls -l</code> command  

using the <code>~/.ssh/automation_key</code> SSH key.

Then it prints the list of files in your home directory on Graham to screen.

This command will produce a lot of debug output due to the <code>-vvv</code> option (be Very Very Verbose).

Look for the '''Connecting to...''' message there.

  debug1: Connecting to robot.graham.alliancecan.ca [199.241.166.5] port 22.

it means the IPv4 is being used.

If the message is similar to  

  debug1: Connecting to robot.graham.alliancecan.ca [2620:123:7002:4::5] port 22.

then IPv6 is being used to make the connection.

* You can make the SSH client to '''explicitly use either IPv4 or IPv6''' using the <code>-4</code> and <code>-6</code> options, respectively, to match the format you used for the key in CCDB.

* You can try using an '''IP address instead of the name''' to point to the robot node. Using Graham example, try using the  

: <code>ssh -i ~/.ssh/automation_key -vvv username@199.241.166.5 "ls -l"</code>

: instead, to force SSH to use the IPv4 addresses.

* You can try to '''disable the IPv6 addressing''' for your system, to make sure that only IPv4 is used.

: Currently, there should not be any negative impact on your system. However, Microsoft does not recommend this, and this should be your '''last resort''' method, if nothing else works.

: How to disable IPv6 will depend on your system and the operating system.

If you are using the [https://www.paramiko.org/index.html Paramiko Python module] to automate your workflow, this is how you can make it work with the robot nodes:

<source lang=python>

# ====================================================================================================

key = paramiko.Ed25519Key.from_private_key_file("/home/username/.ssh/cc_allowed")

user = "username"

host = "robot.graham.alliancecan.ca"

ssh = paramiko.SSHClient()

# If the host is not known, it is OK.

ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())

ssh.connect(hostname=host, username=user, pkey=key)

cmd = "ls -l"

stdin, stdout, stderr = ssh.exec_command(cmd)

print("".join(stdout.readlines()))

ssh.close()

# ====================================================================================================

Then prints the list to the screen.

Note, that it is important to install '''paramiko''' with the

  $ pip install paramiko[all]

command. This will make sure that the support for the '''Ed25519''' key type will also be installed.

</translate>