MOGON Login

How to connect with MOGON via SSH

Onboarding - Last Step:
  • Ask your PI to add your JGU account to an HPC project.
  • Generate your SSH keys using Windows or Linux/macOS .
  • Add your public SSH key to your JGU account as demonstrated here .
  • Prepare your smartphone for 2FA by installing freeOTP or privacyIDEA.
  • Send an to the HPC Group from your JGU account.
  • Complete the privacyIDEA configuration with an HPC admin.
  • Log in to MOGON via SSH using our jump host.

Connecting on Windows

  1. Before being able to transparently proxy your connection to MOGON service nodes through the HPCGATE, you need to connect to the host manually once and accept the SSH host key:

    Open PuTTY and enter <username>@hpcgate.zdv.uni-mainz.de in the Host Name field and use Port 22. Click on Open afterwards. When PuTTY prompts you for host key validation, accept it. Then close the window again.

  1. Start the application and click on the Session button to start a new session.

Using the MobaXterm SSH agent

  1. Start MobaXterm and click on Settings

  1. Verify that the ssh-agent is running:

    Get-Service ssh-agent

    If the shh-agent is not running, start it with:

    Start-Service ssh-agent

    To have ssh-agent automatically start with Windows, you can execute (from elevated prompt):

    Set-Service ssh-agent -StartupType Automatic
  2. Add your new SSH key to the ssh-agent.

    ssh-add <YourNewPrivateKey>

    Be sure to specify the correct path to the SSH key or go to the directory of the key before executing the command.

  3. Verify that the ssh-agent utilizes the SSH key

    ssh-add -l
  4. Create the following file .ssh/config with an editor and add the following lines:

    Host hpcgate
      User <username>
      HostName hpcgate.zdv.uni-mainz.de
      Port 22
      IdentityFile C:/Users/<username>/.ssh/<YourNewPrivateKey>
    
    Host mogon
      HostName miil03.zdv.uni-mainz.de
      User <username>
      Port 22
      IdentityFile C:/Users/<username>/.ssh/<YourNewPrivateKey>
      ProxyCommand ssh.exe -W %h:%p -q hpcgate

    The path to your IdentitiyFile may be different. Please make sure the path is correct before you save the file.

  5. Start a new Session to a MOGON service node. For example, you can now simply use:

    ssh mogon
  6. Done. You should now be able to log in to the various MOGON service nodes. You can add each login node to your ~/.ssh/config file. A list of MOGON Service Nodes can be found here .

Connecting on Linux/macOS

For testing purposes, or if you only need to do this occasionally, you could use this command to connect to the MOGON NHR or MOGON KI cluster:

ssh -J <username>@hpcgate.zdv.uni-mainz.de <username>@mogon-nhr-01

or in case you want to access MOGON II:

ssh -J <username>@hpcgate.zdv.uni-mainz.de <username>@mogon

Simply replace <username> with your JGU-username. Instead of mogon, which will distribute users amongst login nodes, you could also supply the MOGON service-node directly, if you want to access a specific login node. An overview of the MOGON service nodes is given here .

You can also explicitly specify the SSH key for the connection:

ssh -i ~/Path/To/Private/Key -J <username>@hpcgate.zdv.uni-mainz.de -i ~/Path/To/Private/Key <username>@mogon

The SSH key for the jump host and the MOGON service node do not necessarily need to be identical. However, the SSH keys must have been added to your JGU account and have the correct properties.

OpenSSH below version 7.3

The ProxyJump option was added in OpenSSH 7.3 and is basically shorthand for the ProxyCommand. For OpenSSH versions below 7.3. you can use the following command:

ssh -o ProxyCommand="ssh -W %h:%p <username>@hpcgate.zdv.uni-mainz.de" <username>@mogon

Simply replace <username> with your JGU-username and <service-node> with the MOGON service-node you want to access. You can find an overview of the MOGON service nodes here .

Check your SSH Client Version with ssh -V

If you connect to a new remote location for the first time, you will be asked to confirm the identity of the server you are communicating with.

The authenticity of host 'hpcgate.zdv.uni-mainz.de (2001:4c80:40:63c:4:86ff:fe5d:b22d)' can't be established.
ECDSA key fingerprint is SHA256:pzKsg8DkGkzAxDw2n8Uggk/jbboSpNYi5w47LcXjTxk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? █

You can check the SSH Fingerprints of our service nodes in the table below. Confirm by typing yes or pasting the relevant fingerprint for an automatic verification.

SSH Fingerprints

On establishing a connection for the first time, you will be asked to confirm the identity of the server you are communicating with. Please compare indicated fingerprints to the ones listed below.

CipherHashFingerprint
RSAMD5
SHA256
92:8b:0d:af:53:27:09:b9:c0:13:a5:7c:47:5f:18:10
5/h9wmWi44ViIpMm1I/7Ox/vXZ/JYR2tM3QJ7QbFNDA
ECDSAMD5
SHA256
e9:d9:54:5d:a3:ba:0e:d5:ce:e5:02:c0:70:8e:05:d2
pzKsg8DkGkzAxDw2n8Uggk/jbboSpNYi5w47LcXjTxk
ED25519MD5
SHA256
63:67:65:76:5f:ad:fb:20:f2:68:92:cf:d5:49:2c:dc
CNbkj04hEuJ9IwgGkTBXbF1WtE/Nb46kPVSejKUGfRU
CipherHashFingerprint
RSAMD5
SHA256
39:38:c3:a0:3b:a4:7b:13:03:88:70:35:ca:3c:bd:48
MFyTochFLM9iue2D6qWreoQaJrtXITqyvAcXMQuI/ck
ECDSAMD5
SHA256
da:e8:86:93:88:99:44:a5:1a:fb:5d:43:00:23:cc:08
4j1nbNKmElz7QbAkMokyoKPLAIjB7V4GVqJITObiFYA
ED25519MD5
SHA256
68:e5:29:01:18:93:de:f4:0e:e0:54:48:1e:10:ed:51
i9ArPjn5yKQeIydO5FxQgO/A5xlnVkN4sPfMKUlXF0s
CipherHashFingerprint
RSAMD5
SHA256
23:fc:f8:0d:5c:5b:f4:c2:5b:93:c0:a3:6a:2c:c5:a7
tSQKQ05IAPWTj0MKyZzSAqDAtotjWkCWr2s3XtvTiS0
ECDSAMD5
SHA256
fd:94:b7:64:15:e4:e9:64:b4:96:87:1f:64:b9:06:f2
nncHWMQPjZyzupZ7sAdNDSJpqB12Fl4DXoyq4s474ss
ED25519MD5
SHA256
7f:a1:4c:5b:4e:47:ad:76:8c:be:63:c2:90:e5:aa:da
9leujhC1P8sOaWTEMF+eS8wldofFt15jrFp7sq+XIB0

Successful Connection Attempt

If your SSH setup is correct and enough time has passed for your uploaded public key to be spread throughout our system, a successful connection attempt is going to end with the prompt for your privacyIDEA password (TOTP value).

ssh mogon
6-digit-Verification-Code: █

To continue, you must have complete the second step of the onboarding process (setup of a mobile authenticator). Please enter the 6-digit TOTP value displayed on your phone.

Don’t use the same code more than once, in case you should ever be asked for the verification code twice. Sometimes privacyIDEA requests two successive TOTP values to automatically resynchronize your token.

Failed login attempts
Your TOTP token will be deactivated as a brute force prevention measure after you have entered a wrong TOTP value ten times in a row.

Troubleshooting

In case of issues there are a few checks you might want to run before contacting us for further advice:

Is your SSH agent running?Usually this happens automatically once you open the terminal, but you can start the SSH agent manually using the command eval $(ssh-agent -s) on Linux or Get-Service ssh-agent on Windows.
Does your SSH agent find your key?On Linux the command ssh-add -l or ssh-add -L displays identified keys. In case you did not deposit your key at the standard location, you can use this command to pass your key to the agent and avoid entering your passphrase again for this session.
Has enough time passed for the public key to be known to MOGON?Outside of working hours and on weekends it might take up to 1 or 2 hours before your key is registered.

Logging for PuTTY

The Logging configuration panel allows you to save log files of your PuTTY sessions, for debugging, analysis or future reference.

  1. To access the PuTTY logging configuration panel click on Logging under the Session-section