Using the proxy_command option with ssh
This page explains how to use the
proxy_command feature of
ssh. This feature
is needed when you want to connect to a computer
B, but you are not allowed to
connect directly to it; instead, you have to connect to computer
A first, and then
perform a further connection from
The idea is that you ask
ssh to connect to computer
B by using
a proxy to create a sort of tunnel. One way to perform such an
operation is to use
netcat, a tool that simply takes the standard input and
redirects it to a given TCP port.
Therefore, a requirement is to install
netcat on computer A.
You can already check if the
nc command is available
on your computer, since some distributions include it (if it is already
installed, the output of the command:
will return the absolute path to the executable).
If this is not the case, you will need to install it on your own.
Typically, it will be sufficient to look for a netcat distribution on
the web, unzip the downloaded package,
cd into the folder and
execute something like:
./configure --prefix=.
make
make install
This usually creates a subfolder
bin, containing the
Write down the full path to
nc that we will need later.
You can now test the proxy command with
ssh. Edit the
~/.ssh/config file on the computer on which you installed AiiDA
(or create it if missing) and add the following lines:
Host FULLHOSTNAME_B
  Hostname FULLHOSTNAME_B
  User USER_B
  ProxyCommand ssh USER_A@FULLHOSTNAME_A ABSPATH_NETCAT %h %p
where you have to replace:
- FULLHOSTNAME_A and FULLHOSTNAME_B with the fully-qualified hostnames of computers A and B (B is the computer you want to actually connect to, and A is the intermediate computer to which you have direct access)
- USER_A and USER_B with the usernames on the two machines (which can be the same)
- ABSPATH_NETCAT with the absolute path to the nc executable that you obtained in the previous step
Remember also to configure passwordless ssh connections using ssh keys
both from your computer to
A, and from
Once you add these lines and save the file, try to execute:
which should allow you to directly connect to
There are several versions of netcat available on the web.
We found at least one case in which the executable wasn’t working
At the end of the connection, the
netcat executable might still be
running: as a result, you may rapidly
leave the cluster with hundreds of open
ssh connections, one for
every time you connect to the cluster
Therefore, check on both computers
B that the number of
ssh are disappearing if you close the
To check if such processes are running, you can execute:
ps -aux | grep <username>
Remember that a cluster might have more than one login node, and the
connection will randomly connect to any of them.
If the above steps work, set up and configure the computer now as explained here.
If you properly set up the
~/.ssh/config file in the previous
step, AiiDA should properly parse the information in the file and
provide the correct default value for the
proxy_command during the
verdi computer configure step.
Some notes on the
- In the ~/.ssh/config file, you can leave the %h and %p placeholders, which are then automatically replaced by ssh with the hostname and the port of the machine B when creating the proxy. However, in the AiiDA proxy_command option, you need to put the actual hostname and port. If you start from a properly configured ~/.ssh/config file, AiiDA will already replace these placeholders with the correct values. However, if you input the proxy_command value manually, remember to write the hostname and the port and not
- In the ~/.ssh/config file, you can also insert stdout and stderr redirection, e.g. 2> /dev/null to hide any error that may occur during the proxying/tunneling. However, you should only give AiiDA the actual command to be executed, without any redirection. Again, AiiDA will remove the redirection when it automatically reads the ~/.ssh/config file, but be careful if entering manually the content in this field.
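The two notes above describe a conversion that is easy to get wrong when the proxy_command value is typed by hand. The following is an added example, not AiiDA's own code: the helper name `to_aiida_proxy_command` is hypothetical and the hostnames, username and path are constructed sample values.

```python
import re
import shlex

# Shell redirection tokens: "2>", ">>", "<", "&>", "2>&1", "2>/dev/null", ...
_REDIRECT = re.compile(r"(?:\d*|&)(?:>>?|<)(.*)")
# ssh_config placeholders handled here: %h (host), %p (port), %% (literal %).
_PLACEHOLDER = re.compile(r"%([hp%])")


def to_aiida_proxy_command(proxy_command, host, port=22):
    """Return proxy_command with %h/%p expanded and redirections removed.

    Hypothetical helper (not an AiiDA function): it applies by hand the two
    adjustments the notes say are needed for a manually entered value.
    """
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"invalid port: {port}")
    values = {"h": host, "p": str(port), "%": "%"}

    kept = []
    tokens = iter(shlex.split(proxy_command))
    for token in tokens:
        redirect = _REDIRECT.fullmatch(token)
        if redirect:
            # "2> /dev/null": the target is the next token, drop it as well.
            if not redirect.group(1):
                next(tokens, None)
            continue
        kept.append(_PLACEHOLDER.sub(lambda m: values[m.group(1)], token))
    return shlex.join(kept)


if __name__ == "__main__":
    # Constructed sample values, following the page's ~/.ssh/config line.
    line = ("ssh alice@gateway.example.org /home/alice/netcat/bin/nc "
            "%h %p 2> /dev/null")
    print(to_aiida_proxy_command(line, "cluster-b.example.org", 22))
```

Compare the printed command with the default that verdi computer configure proposes before accepting a manually edited value.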