(3.7.0 – 3.13.2) Cannot SSH into LoginNodes with a Key that differs from the HeadNode’s
LoginNodes/Pools/Ssh/KeyName is deprecated starting with ParallelCluster version 3.14.0.
Users are unable to SSH into LoginNodes when the cluster has LoginNodes enabled and different SSH key pairs are specified for the HeadNode and LoginNodes.
Both the HeadNode and the LoginNodes write their public keys to /home/$USER/.ssh/authorized_keys. However, /home is exported from the HeadNode and mounted by every LoginNode, so the authorized_keys from the HeadNode overwrites the keys configured for the LoginNodes, and the LoginNode’s SSH daemon rejects authentication attempts that use the LoginNodes’ key.
ParallelCluster 3.7.0 - 3.13.2 are affected, that is, all released versions that support LoginNodes.
The mitigation is to use the same key pair for the HeadNode and the LoginNodes. To do this, you can either explicitly set the LoginNodes key to the same value used for the HeadNode:
HeadNode:
  ...
  Ssh:
    KeyName: my-cluster-key
LoginNodes:
  Pools:
    - ...
      Ssh:
        KeyName: my-cluster-key # must match above
Alternatively, you can leave LoginNodes/Pools/Ssh/KeyName unset; it will then inherit the HeadNode’s key.
HeadNode:
  ...
  Ssh:
    KeyName: my-cluster-key
LoginNodes:
  Pools:
    - ...
      # Leave LoginNodes/Pools/Ssh/KeyName unset; it will inherit the HeadNode’s key.
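A pre-deployment check for the condition described above, as an added example that is not part of the ParallelCluster project. It works on an already parsed configuration; the function names, the sample values, and the use of PyYAML in `load_config` are assumptions of this example.

```python
# Added example: lint a parsed ParallelCluster configuration for the
# LoginNodes SSH key mismatch described on this page.
AFFECTED_MIN = (3, 7, 0)
AFFECTED_MAX = (3, 13, 2)


def is_affected_version(version):
    """True when a plain X.Y.Z version lies in the affected range."""
    parts = tuple(int(p) for p in version.split("."))
    return AFFECTED_MIN <= parts <= AFFECTED_MAX


def mismatched_login_pools(config):
    """Return (pool, pool_key, head_key) for pools whose key differs."""
    head_key = ((config.get("HeadNode") or {}).get("Ssh") or {}).get("KeyName")
    pools = (config.get("LoginNodes") or {}).get("Pools") or []
    findings = []
    for index, pool in enumerate(pools):
        pool_key = (pool.get("Ssh") or {}).get("KeyName")
        # An unset pool key inherits the HeadNode's key, so only an
        # explicit, different value reproduces the issue.
        if pool_key is not None and pool_key != head_key:
            findings.append((pool.get("Name", f"pool[{index}]"), pool_key, head_key))
    return findings


def load_config(path):
    """Read a cluster config file (assumption: PyYAML is installed)."""
    import yaml
    with open(path, encoding="utf-8") as handle:
        return yaml.safe_load(handle) or {}


# Constructed sample: one pool inherits, one matches, one differs.
SAMPLE = {
    "HeadNode": {"Ssh": {"KeyName": "my-cluster-key"}},
    "LoginNodes": {"Pools": [
        {"Name": "login-a"},
        {"Name": "login-b", "Ssh": {"KeyName": "my-cluster-key"}},
        {"Name": "login-c", "Ssh": {"KeyName": "other-key"}},
    ]},
}

if __name__ == "__main__":
    for name, pool_key, head_key in mismatched_login_pools(SAMPLE):
        print(f"{name}: KeyName {pool_key!r} differs from HeadNode {head_key!r}")
```

Run it against the configuration before creating or updating a cluster on an affected version; an empty result means every pool either inherits or matches the HeadNode's key.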