All Linux servers run “secure shell” - 'ssh'. Anyone with a CS account may log into these servers.

On Grounds, you can simply 'ssh' to CS servers.

Off Grounds, you are not able to 'ssh' directly into most CS servers except portal.cs.virginia.edu.

You must use your CS domain userid (identical to your UVA userid) and password to 'ssh' to portal. For example:

ssh -l abc1de portal.cs.virginia.edu. Alternatively, ssh abc1de@portal.cs.virginia.edu

Most users on a Mac or Windows PC will use a Terminal application like SecureCRT, Cmder, KiTTY, or Putty (Windows), Terminal or iTerm2 (Mac) to 'ssh' to our linux servers.

Note that your username on the Mac or PC may be different from your CS/UVA userid. So be sure to include your userid on the 'ssh' command line.

If you'd like to use a graphical windowing interface to department servers, see: NX Linux Remote Desktop Cluster

Use one of these options to access CS servers from outside of UVA.

If you are outside of the UVA network (off grounds) then you can first start a VPN session to UVA using the UVA VPN. Once the VPN is established, you can 'ssh' to CS servers directly. Note that you should use the UVA “Anywhere” VPN, not the “More Secure” VPN.

You can ssh directly into portal.cs.virginia.edu without having to use the UVA VPN. Once you are logged into the portal cluster, you can then ssh to other CS servers.

[abc1de@outside-uva ~]$ ssh -l abc1de portal.cs.virginia.edu
abc1de@portal.cs.virginia.edu's password: 
Last login: Mon Jul 29 14:12:10 2019
abc1de@portal04 ~ $ hostname
portal04                                               <-- We are logged into portal cluster
abc1de@portal04 ~ $ ssh gpusrv01                       <-- We can now 'ssh' to gpusrv01
abc1de@gpusrv01's password:
....
abc1de@gpusrv01 ~ $

The ssh client has an option -J to specify a host to use as a “jumphost” that lets you access other servers directly with one command. This combines two steps (for example, ssh into portal.cs.virginia.edu and then ssh to gpusrv01) into one single command.

Here is how we use this option to “jump” from portal.cs to another CS server. Let's repeat the example of logging in to gpusrv01

[abc1de@outside-uva ~]$ ssh abc1de@gpusrv01 -J abc1de@portal.cs.virginia.edu
abc1de@portal04.cs.virginia.edu's password:                  <-- first asked to authenticate to portal
abc1de@gpusrv01's password:                                  <-- immediately able to log into gpusrv01
....
abc1de@gpusrv01 ~ $

Computer Science hosts its own DNS server with authority over the cs.virginia.edu domain space. Any server in CS will have a fully qualified domain name (fqdn) of hostname.cs.virginia.edu.

If you are inside of the Computer Science network then use the hostname of a server instead of its fully qualified name. For example, if you are logged into a CS server, you can ping another server by its hostname alone.

abc1de@portal01:~$ ping portal03
PING portal03.cs.virginia.edu (128.143.67.43) 56(84) bytes of data.
64 bytes from portal03.cs.virginia.edu (128.143.67.43): icmp_seq=1 ttl=64 time=0.149 ms
64 bytes from portal03.cs.virginia.edu (128.143.67.43): icmp_seq=2 ttl=64 time=0.123 ms

This will not work from outside of the CS network unless you modify your DNS search path to contain cs.virginia.edu.

To log into a server from another computer running Linux/Unix/MacOS, run the following from a shell:

abc1de@host ~ $ ssh username@gpusrv04.cs.virginia.edu
abc1de@gpusrv04's password:                              <- Enter Password
...
[abc1de@gpusrv04 ~]$

In Mac OS the Terminal app can be found in the Utilities folder under Applications.

For information about SSH clients for Windows, see the article SSH from Windows

For a listing of generally available servers in CS, see the article Computing Resources

We want to give all of our users fair and equal access to whatever computing resources we have to offer. We do not restrict login access to certain servers. However, there are a number of servers that still have access restrictions in place. This article is to show users with sudo privileges how to edit /etc/security/time.conf to allow user logins.

There are several configuration files located in /etc/security on Linux servers. In this directory, we can use time.conf to restrict ssh login to a specific set of user accounts.

By default, access rules in time.conf are not used unless a PAM module (pluggable authentication module) is configured to read them. This is done by adding a line to the sshd PAM module file.

Add the following line to the file to the end /etc/pam.d/sshd:

account             required                pam_time.so

Now that PAM is configured to read time.conf we can now put in a rule. Here is an example rule from time.conf:

sshd;*;!root&abc1de&fgh1ij&klm1no;!Al0000-2400

This line is formatted such that the users listed are separated by ampersand & characters. This entry will allow the users root, abc1de, fgh1ij and klm1no are allowed access. Be sure to always include yourself and root in this rule. Failure to do so may result in everyone becoming locked out.

If we wanted to add the user pqr1st to this rule above, we would insert the string &pqr1st like this:

sshd;*;!root&abc1de&fgh1ij&klm1no&pqr1st;!Al0000-2400

Changes to this file take effect immediately, no services need to be restarted. When editing this file, be sure that you keep at least one active ssh connection until you have tested your changes. This will prevent becoming locked out if any errors are made!