A. PCDS recommended procedure to configure "on-" and "off-site" dotfiles (SSH, bashrc, git, ...)

Read and follow the instructions here: https://github.com/pcdshub/shared-dotfiles

Quite exhaustive documentation can be found here: SSH, Kerberos, Keys, Certificates, Encryption and all that

Specifically for LCLS, this is all we need to know! Linux/macOS: How to configure SSH tunneling and jump hosts for easy access to PCDS resources

Note:

  • there is no passwordless solution around pslogin BUT multiplexing can work with only one password request (see above)!
  • Proxy jumping to mfx-daq as mfxopr through pslogin won't work: it'll ask for the mfxopr password (see ECS-3742).

B. Minimal use cases

ssh to mfx-daq in one step

Step 1. On your local machine, add this to your ~/.ssh/config file:

Host pslogin
  Hostname pslogin.slac.stanford.edu
  ForwardAgent yes
  ForwardX11Trusted yes
  ControlMaster auto
  ControlPath ~/.SSH-%r@%h:%p
Host psbuild-rhel7
  HostName psbuild-rhel7-01
  ForwardAgent yes
  ForwardX11Trusted yes
  ProxyJump %r@${PS_JUMP_HOST=pslogin}
Host mfx-daq
  ForwardX11Trusted yes
  ProxyJump %r@psbuild-rhel7

Step 2. Execute the following command in the terminal - you might be prompted for your password on pslogin:

ssh mfx-daq 

git push and pull from mfx-daq

Step 1. On any PCDS machine (e.g. pslogin or psbuild-rhel7), add this to your ~/.ssh/config file:

Match host github.com exec "echo ${http_proxy} | grep psproxy"
    ProxyJump psproxy.pcdsn

Host github.com
    HostName github.com
    User git
    ForwardAgent no
    ForwardX11 no
    ForwardX11Trusted no
    PreferredAuthentications=publickey
    RequestTTY no
    UpdateHostKeys yes

Host *
    ForwardAgent yes
    ForwardX11 yes
    ForwardX11Trusted yes
    PreferredAuthentications=gssapi-with-mic,publickey,password

Step 2. Add this to your ~/.bashrc:

# Configure web proxy settings on a per-host basis.
# Tools like ``wget`` or ``curl`` will use the environment variable settings to
# proxy requests through the host "psproxy.pcdsn".
case $(hostname -s) in
    # Hosts with direct Internet access
    psbuild-* | pslogin* | cent7* )
        unset http_proxy;
        unset https_proxy;
        ;;

    # Hosts with no access to psproxy.pcdsn
    mcclogin | lcls-* )
        unset http_proxy;
        unset https_proxy;
        ;;

    # Other hosts likely do not have direct Internet access
    * )
        export http_proxy=http://psproxy.pcdsn:3128;
        export https_proxy=http://psproxy.pcdsn:3128;
        ;;
esac

Step 3. Now you can push and pull with git, for example to update the hutch python code:

[fpoitevi@mfx-daq mfx]$ pwd
/reg/g/pcds/pyps/apps/hutch-python/mfx
[fpoitevi@mfx-daq mfx]$ git push origin-ssh master
Warning: Permanently added 'psproxy.pcdsn' (ED25519) to the list of known hosts.
Counting objects: 9, done.
Delta compression using up to 32 threads.
Compressing objects: 100% (5/5), done.
Writing objects: 100% (5/5), 524 bytes | 0 bytes/s, done.
Total 5 (delta 2), reused 0 (delta 0)
remote: Resolving deltas: 100% (2/2), completed with 2 local objects.
remote: Killed by signal 1.
To git@github.com:pcdshub/mfx.git
   1c9b2bb..2d41ae9  master -> master
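
ssh_config uses the first value it obtains for each option, so in the Step 1 config the "Host github.com" block has to stay above "Host *" for "ForwardAgent no" to apply to GitHub. The following is an added example (not from the original page or the shared-dotfiles project): a simplified resolver run on a constructed copy of those blocks. The function names are hypothetical; it assumes Match blocks can be skipped and does not handle negated (!) patterns.

```shell
#!/bin/sh
# effective_ssh_option CONFIG HOST OPTION   (hypothetical helper, added example)
# Print the value ssh would pick for OPTION when connecting to HOST, applying
# ssh_config's rule that the first value obtained for an option wins.
# Assumptions: Match blocks are skipped; negated (!) patterns are not handled.
effective_ssh_option() (
    set -f                               # keep "Host *" from globbing files
    want=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')
    active=1                             # lines before any Host apply to all
    while read -r key rest || [ -n "$key" ]; do
        # Accept the "Keyword=value" spelling as well as "Keyword value".
        case $key in *=*) rest=${key#*=}${rest:+ $rest}; key=${key%%=*} ;; esac
        key=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
        case $key in
            ''|'#'*) ;;                  # blank line or comment
            host)
                active=0
                for pat in $rest; do
                    case $2 in $pat) active=1 ;; esac
                done ;;
            match) active=0 ;;           # simplification: treat as not matching
            "$want")
                if [ "$active" = 1 ]; then printf '%s\n' "$rest"; return 0; fi ;;
        esac
    done < "$1"
    return 1                             # never set: ssh's built-in default applies
)

# Constructed sample: the github.com and "Host *" blocks from Step 1, shortened.
page_config() {
    cat <<'EOF'
Match host github.com exec "echo ${http_proxy} | grep psproxy"
    ProxyJump psproxy.pcdsn
Host github.com
    User git
    ForwardAgent no
    PreferredAuthentications=publickey
Host *
    ForwardAgent yes
    PreferredAuthentications=gssapi-with-mic,publickey,password
EOF
}

cfg=$(mktemp) && page_config > "$cfg"
effective_ssh_option "$cfg" github.com ForwardAgent   # no
effective_ssh_option "$cfg" mfx-daq ForwardAgent      # yes
rm -f "$cfg"
```

On a real machine, ssh -G github.com prints the configuration ssh actually resolves, including the Match block.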