FAQ:
Running jobs under rsh/ssh

Table of contents:

  1. Can I make Open MPI use rsh instead of ssh?
  2. What pre-requisites are necessary for running an Open MPI job under rsh/ssh?
  3. How can I make ssh not ask me for a password?
  4. What is a .rhosts file? Do I need it?
  5. Should I use + in my .rhosts file?


1. Can I make Open MPI use rsh instead of ssh?

Yes. The method to do this has changed over the different versions of Open MPI.

  1. v1.3 series: The plm_rsh_agent MCA parameter accepts a colon-delimited list of programs to search for in your path to use as the remote startup agent. The default value is "ssh : rsh", meaning that it will look for ssh first, and if it doesn't find it, use rsh. You can change the value of this parameter as relevant to your environment, such as simply changing it to rsh or rsh : ssh if you have a mixture.
  2. v1.1 and v1.2 series: The v1.1 and v1.2 method is exactly the same as the v1.3 method, but the MCA parameter name is slightly different: pls_rsh_agent ("pls" vs. "plm"). Using the old "pls" name will continue to work in the v1.3 series, but it is now officially deprecated -- you'll receive a warning if you use it.
  3. v1.0 series: In the 1.0.x series, Open MPI defaults to using ssh for remote startup of processes in unscheduled environments. You can change this to rsh by setting the MCA parameter pls_rsh_agent to rsh.

See this FAQ entry for details on how to set MCA parameters -- particularly with multi-word values.


2. What pre-requisites are necessary for running an Open MPI job under rsh/ssh?

In general, they are the same for running Open MPI jobs in other environments (see this FAQ category for more general information).


3. How can I make ssh not ask me for a password?

If you are using rsh to launch processes on remote nodes,

There are multiple ways.

Note that there are two mainstream versions of ssh. One is the freeware package OpenSSH; the other is SSH, a commercial package from SSH Communications Security Corp.

This documentation provides an overview for using user keys and the OpenSSH 2.x key management agent (if your OpenSSH only supports 1.x key management, you should upgrade). See the OpenSSH documentation for more details and a more thorough description. The process is essentially the same for the commercial SSH, but the command names and filenames are slightly different. Consult the SSH documentation for more details.

References to ssh in this text refer to OpenSSH.

Normally, when you use ssh to connect to a remote host, it will prompt you for your password. However, in order for lamboot and recon to work properly, you need to be able to execute jobs on remote nodes without typing in a password. In order to do this, you will need to set up RSA (ssh 1.x and 2.x) or DSA (ssh 2.x) authentication. We recommend using DSA authentication as it is generally "better" (i.e., more secure) than RSA authentication. As such, this text will describe the process for DSA setup -- RSA setup is analogous, but takes slightly different commands and filenames.

This text will briefly show you the steps involved in doing this, but the ssh documentation is authoritative on these matters and should be consulted for more information.

The first thing that you need to do is generate a DSA key pair with ssh-keygen:

shell$ ssh-keygen -t dsa

Accept the default value for the file in which to store the key ($HOME/.ssh/id_dsa) and enter a passphrase for your keypair. You may choose to not enter a passphrase and therefore obviate the need for using the ssh-agent. However, this weakens the authentication, because an unencrypted secret key is potentially vulnerable to compromise. See the ssh documentation.

Next, copy the $HOME/.ssh/id_dsa.pub file generated by ssh-keygen to $HOME/.ssh/authorized_keys:

shell$ cd $HOME/.ssh
shell$ cp id_dsa.pub authorized_keys

In order for DSA authentication to work, you need to have the $HOME/.ssh directory in your home directory on all the machines you are running Open MPI on. If your home directory is on a common filesystem, this is already taken care of. If not, you will need to copy the $HOME/.ssh directory to your home directory on all Open MPI nodes (be sure to do this in a secure manner -- perhaps using the scp command -- particularly if your secret key is not encrypted).

ssh is very particular about file permissions. Ensure that your home directory on all your machines is set to mode 755, your $HOME/.ssh directory is also set to mode 755, and that the following files inside $HOME/.ssh have the following permissions:

-rw-r--r--  authorized_keys
-rw-------  id_dsa
-rw-r--r--  id_dsa.pub
-rw-r--r--  known_hosts

You are now set up to use DSA authentication. However, when you ssh to a remote host, you will still be asked for your DSA passphrase (as opposed to your normal password). This is where the ssh-agent program comes in. It allows you to type in your DSA passphrase once, and then have all successive invocations of ssh automatically authenticate you against the remote host. To start up the ssh-agent, type:

shell$ eval `ssh-agent`

You will probably want to start the ssh-agent before you start X, so that all your windows will inherit the environment variables set by this command. Note that some sites invoke ssh-agent for each user upon login automatically; be sure to check and see if there is an ssh-agent running for you already.

Once the ssh-agent is running, you can tell it your passphrase by running the ssh-add command:

shell$ ssh-add $HOME/.ssh/id_dsa

At this point, if you ssh to a remote host that has the same $HOME/.ssh directory as your local one, you should not be prompted for a password. If you are, a common problem is that the permissions in your $HOME/.ssh directory are not as they should be.
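A quick way to check those permissions on each node, as an added example that is not part of the original FAQ. The function names and finding labels are illustrative, and the check reads "mode 755" as "no group or world write bit".

```shell
#!/bin/sh
# Added example, not part of the Open MPI FAQ: audit the modes listed above.
# check_ssh_perms [HOME_DIR] [KEY_NAME] prints one finding per line and
# returns 1 if anything is wrong, 0 if the layout matches the FAQ.

perm_bits() {   # nine permission characters of a path, e.g. rw-r--r--
    ls -ld "$1" | cut -c2-10
}

others_can_write() {   # true if group or other has the write bit
    case $(perm_bits "$1") in
        ????w????|???????w?) return 0 ;;
    esac
    return 1
}

check_ssh_perms() {
    home=${1:-$HOME}
    key=${2:-id_dsa}   # the FAQ's key name; pass yours if it differs
    bad=0

    # $HOME and $HOME/.ssh: mode 755 means only the owner may write.
    for d in "$home" "$home/.ssh"; do
        if [ ! -d "$d" ]; then
            printf 'MISSING %s\n' "$d"; bad=1
        elif others_can_write "$d"; then
            printf 'WRITABLE-BY-OTHERS %s\n' "$d"; bad=1
        fi
    done

    # Private key: must be rw------- (no group or other access at all).
    f="$home/.ssh/$key"
    if [ ! -f "$f" ]; then
        printf 'MISSING %s\n' "$f"; bad=1
    else
        case $(perm_bits "$f") in
            ???------) ;;
            *) printf 'PRIVATE-KEY-EXPOSED %s\n' "$f"; bad=1 ;;
        esac
    fi

    # Public files may be world-readable but never group/world-writable.
    for n in authorized_keys "$key.pub" known_hosts; do
        f="$home/.ssh/$n"
        if [ -e "$f" ] && others_can_write "$f"; then
            printf 'WRITABLE-BY-OTHERS %s\n' "$f"; bad=1
        fi
    done
    return $bad
}
```

Source the file and run check_ssh_perms with no arguments on every node where ssh still prompts; an empty result means the modes match the list above.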

Note that this text has covered the ssh commands in very little detail. Please consult the ssh documentation for more information.

NOTE: OSCAR users should already have passwordless ssh set up, and should not need to perform any of the above steps.


4. What is a .rhosts file? Do I need it?

If you are using rsh to launch processes on remote nodes, you will probably need to have a $HOME/.rhosts file.

This file allows you to execute commands on remote nodes without being prompted for a password. The permissions on this file usually must be 0644 (rw-r--r--). It must exist in your home directory on every node that you plan to use Open MPI with.

Each line in the .rhosts file indicates a machine and user that programs may be launched from. For example, if the user steve wishes to launch programs from the machine stevemachine to the machines alpha, beta, and gamma, there must be a .rhosts file on each of the three remote machines (alpha, beta, and gamma) with at least the following line in it:

stevemachine steve

The first field indicates the name of the machine where jobs may originate from; the second field indicates the user ID who may originate jobs from that machine. It is better to supply a fully-qualified domain name for the machine name (for security reasons -- there may be many machines named stevemachine on the internet). So the above example should be:

stevemachine.example.com steve

The Open MPI Team strongly discourages the use of "+" in the .rhosts file. This is always a huge security hole.

If rsh does not find a matching line in the $HOME/.rhosts file, it will prompt you for a password. Open MPI requires the password-less execution of commands; if rsh prompts for a password, mpirun will fail.

NOTE: Some implementations of rsh are very picky about the format of text in the .rhosts file. In particular, some do not allow leading white space on each line in the .rhosts file, and will give a misleading "permission denied" error if you have white space before the machine name.

NOTE: It should be noted that rsh is not considered "secure" or "safe" -- .rhosts authentication is considered fairly weak. The Open MPI Team recommends that you use ssh ("Secure Shell") to launch remote programs as it uses a much stronger authentication system.
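The three .rhosts problems this FAQ names ("+" in either field, an unqualified machine name, and leading white space) can be checked mechanically. The lint below is an added example, not part of the original FAQ; the function name and finding codes are illustrative, and it assumes lines starting with "#" are comments.

```shell
#!/bin/sh
# Added example, not part of the Open MPI FAQ: lint a .rhosts file.
# audit_rhosts [FILE] prints "LINE:CODE:text" per finding, returns 1 if any.

audit_rhosts() {
    file=${1:-$HOME/.rhosts}
    [ -r "$file" ] || { printf '0:UNREADABLE:%s\n' "$file"; return 1; }
    tab=$(printf '\t')
    n=0; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*) continue ;;   # blank line or comment (assumption)
            " "*|"$tab"*)          # some rsh implementations reject this
                printf '%s:LEADING-WHITESPACE:%s\n' "$n" "$line"; bad=1 ;;
        esac

        # Split the entry into its two fields: machine name and user.
        set -f; set -- $line; set +f
        host=$1; user=$2
        [ -n "$host" ] || continue

        if [ "$host" = "+" ] || [ "$user" = "+" ]; then
            # "+" trusts any machine and/or any user.
            printf '%s:WILDCARD:%s\n' "$n" "$line"; bad=1
        else
            case $host in
                *.*) ;;            # looks fully qualified
                *) printf '%s:UNQUALIFIED-HOST:%s\n' "$n" "$line"; bad=1 ;;
            esac
        fi
    done < "$file"
    return $bad
}
```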


5. Should I use + in my .rhosts file?

No!

While there are a very small number of cases where using "+" in your .rhosts file may be acceptable, the Open MPI Team highly recommends that you do not.

Using a "+" in your .rhosts file indicates that you will allow any machine and/or any user to connect as you. This is extremely dangerous, especially on machines that are connected to the internet. Consider the fact that anyone on the internet can connect to your machine (as you) -- it should strike fear into your heart.

The + should not be used for either field of the .rhosts file.

Instead, you should use the full and proper hostname and username of accounts that are authorized to remotely login as you to that machine (or machines). This is usually just a list of your own username on a list of machines that you wish to run Open MPI with. See this FAQ entry for further details, as well as your local rsh documentation.

Additionally, the Open MPI Team strongly recommends that rsh is not used in unscheduled environments (especially those connected to the internet) -- it is considered weak remote authentication. Instead, we recommend the use of ssh -- the secure remote shell. See this FAQ entry for more details.