Differences

linux_ssh_access [2020/03/30 20:09]
pgh5a
linux_ssh_access [2020/09/01 18:02]
pgh5a
Line 1: Line 1:
-====== Linux SSH Access ​======+==== Linux Server ​Access ====
  
-All Linux servers run '​ssh'​. ​ Anyone with a CS account may log into these servers. From inside UVA, you can simply '​ssh'​ to CS servers.+All Linux servers run "​secure shell" - '​ssh'​. ​ Anyone with a CS account may log into these servers. ​
  
-From outside UVA, you are not able to '​ssh' ​directly into CS servers.  However connections to ''​%%portal.cs.virginia.edu%%''​ are still allowed from outside of UVA.+On Grounds, you can simply ​'​ssh' ​to CS servers ​typically by using a Terminal application like HyperTerm (Windows) or Terminal (Mac).
  
-===== Access ​from Outside UVA =====+Off Grounds, you are not able to '​ssh'​ directly into CS servers. ​ However connections to ''​%%portal.cs.virginia.edu%%''​ are allowed ​from off Grounds.
  
-==== Option 1VPN access ====+You must use your CS domain userid (identical to your UVA userid) and password to '​ssh'​ to portal. For example:
  
 +''​%%ssh -l abc1de portal.cs.virginia.edu%%''​. Alternatively,​ ''​%%ssh abc1de@portal.cs.virginia.edu%%''​
  
-If you are outside of the UVA network (off grounds) then you can use the [[https://​virginia.service-now.com/​its?​id=itsweb_kb_article&​sys_id=f24e5cdfdb3acb804f32fb671d9619d0|UVA VPN]] to access CS servers via SSH.+Note that if you are opening a terminal application on your Mac or PC, your username on the Mac or PC may be different from your CS/UVA useridSo be sure to include your userid on the '​ssh'​ command line.
  
-==== Option 2Access via portal.cs.virginia.edu ====+If you'd like to use a graphical windowing interface to department servers, see[[nx_lab|NX Linux Remote Desktop Cluster]]
  
-If you need to access CS servers ​from outside of UVA you can ssh directly into ''​%%portal.cs.virginia.edu%%''​ without having to use the VPN.  Once you are logged into the ''​%%portal%%''​ cluster, you can then access other CS servers via SSH.+=== Access ​from off Grounds ===
  
-=== Example using portal.cs ===+**Use one of these options to access CS servers from outside of UVA.**
  
-<​code>​ +=== Option 1: VPN access ===
-[ktm5j@outside-uva ~]$ ssh -l ktm5j power3.cs.virginia.edu+
  
-^C                                                     <-- Direct ​ssh access ​to power3 is denied + 
-[ktm5j@outside-uva ~]$ ssh -l ktm5j portal.cs.virginia.edu +If you are outside of the UVA network (off grounds) then you can first start a VPN session to UVA using the [[https://​virginia.service-now.com/​its?​id=itsweb_kb_article&​sys_id=f24e5cdfdb3acb804f32fb671d9619d0|UVA VPN]]. Once the VPN is established,​ you can 'ssh' ​to CS servers directly. 
-ktm5j@portal.cs.virginia.edu'​s password: ​+ 
 +=== Option 2: Access via portal.cs.virginia.edu === 
 + 
 +You can ssh directly into ''​%%portal.cs.virginia.edu%%''​ without having to use the UVA VPN.  Once you are logged into the ''​%%portal%%''​ cluster, you can then ssh to other CS servers. 
 + 
 +<​code>​ 
 +[abc1de@outside-uva ~]$ ssh -l abc1de ​portal.cs.virginia.edu 
 +abc1de@portal.cs.virginia.edu'​s password: ​
 Last login: Mon Jul 29 14:12:10 2019 Last login: Mon Jul 29 14:12:10 2019
-ktm5j@portal04 ~ $ hostname+abc1de@portal04 ~ $ hostname
 portal04 ​                                              <​-- We are logged into portal cluster portal04 ​                                              <​-- We are logged into portal cluster
-ktm5j@portal04 ~ $ ssh gpusrv01 ​                        <​-- We can now access gpusrv01 +abc1de@portal04 ~ $ ssh gpusrv01 ​                        <​-- We can now access gpusrv01 
-ktm5j@gpusrv01'​s password:+abc1de@gpusrv01'​s password:
 .... ....
-ktm5j@gpusrv01 ~ $+abc1de@gpusrv01 ~ $
 </​code>​ </​code>​
  
-=== SSH Jumphost ​Options ​===+=== Jumphost ​Option ​===
  
-The OpenSSH ​ssh client has an option ''​%%-J%%''​ to specify a host to use as a "​jumphost"​ that lets us access other servers ​inside of a firewalled network.  This combines two steps from the example ​above (ssh into portal.cs.virginia.edu and then ssh to power3) into one single command. ​ From the manpages:+The ssh client has an option ''​%%-J%%''​ to specify a host to use as a "​jumphost"​ that lets you access other servers ​directly, in one step.  This combines two steps (for examplessh into portal.cs.virginia.edu and then ssh to gpusrv01) into one single command. ​ From the //man// page:
  
 <​code>​ <​code>​
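Review bot: In the Option 2 session transcript (`[abc1de@outside-uva ~]$ ssh -l abc1de portal.cs.virginia.edu` through `abc1de@gpusrv01 ~ $`), the first connection to portal from an off-Grounds machine is exactly where the host-key prompt appears, but the transcript jumps straight to the password line; since portal is the one host reachable from outside and the place where users type their CS password, add a sentence telling them to confirm the host-key prompt before entering it. Two smaller points: the new intro names "HyperTerm (Windows)" while the page later sends Windows users to the [[windows_ssh|SSH from Windows]] article, so point to that article here instead of naming a second client; and the deleted `^C <-- Direct ssh access to power3 is denied` demonstration was the only line showing what a blocked direct connection looks like, so a short note that direct connections from off Grounds simply hang would help readers who skip to Option 2.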
Line 53: Line 60:
  
 <​code>​ <​code>​
-[ktm5j@outside-uva ~]$ ssh -l ktm5j gpusrv01 -J portal.cs.virginia.edu +[abc1de@outside-uva ~]$ ssh -l abc1de ​gpusrv01 -J portal.cs.virginia.edu 
-ktm5j@portal04.cs.virginia.edu'​s password: ​                           <-- first asked to authenticate to portal +abc1de@portal04.cs.virginia.edu'​s password: ​                           <-- first asked to authenticate to portal 
-ktm5j@gpusrv01'​s password: ​                                             <-- immediately able to log into gpusrv01+abc1de@gpusrv01'​s password: ​                                             <-- immediately able to log into gpusrv01
 .... ....
-ktm5j@gpusrv01 ~ $+abc1de@gpusrv01 ~ $
 </​code>​ </​code>​
  
-This process can be made even easier with the use of password-less ssh keys.  When keys are set up properly you can log in (even using the -J jumphost options) without needing to type in a password. +=== Server Domain Names ===
- +
-===== Server Domain Names =====+
  
 Computer Science hosts its own DNS server with authority over the ''​%%cs.virginia.edu%%''​ domain space. ​ Any server in CS will have a fully qualified domain name (fqdn) of ''​%%hostname.cs.virginia.edu%%''​. Computer Science hosts its own DNS server with authority over the ''​%%cs.virginia.edu%%''​ domain space. ​ Any server in CS will have a fully qualified domain name (fqdn) of ''​%%hostname.cs.virginia.edu%%''​.
  
-If you want to log into a server named ''​%%gpusrv04%%'',​ then the domain address should be ''​%%gpusrv04.cs.virginia.edu%%''​.+=== Short Names ===
  
-==== Short Names ==== +If you are inside of the Computer Science network then use the hostname of a server instead of its fully qualified name.  For example, if you are logged into a CS server, you can ping another server by its hostname alone.
- +
-If you are inside of the Computer Science network then you can simply ​use the hostname of a server instead of its fully qualified name.  For example, if you are logged into a CS server, you can ping another server by its hostname alone.+
  
 <​code>​ <​code>​
-username@power5:~$ ping power3 +abc1de@portal01:~$ ping portal03 
-PING power3.cs.virginia.edu (128.143.67.43) 56(84) bytes of data. +PING portal03.cs.virginia.edu (128.143.67.43) 56(84) bytes of data. 
-64 bytes from power3.cs.virginia.edu (128.143.67.43):​ icmp_seq=1 ttl=64 time=0.149 ms +64 bytes from portal03.cs.virginia.edu (128.143.67.43):​ icmp_seq=1 ttl=64 time=0.149 ms 
-64 bytes from power3.cs.virginia.edu (128.143.67.43):​ icmp_seq=2 ttl=64 time=0.123 ms+64 bytes from portal03.cs.virginia.edu (128.143.67.43):​ icmp_seq=2 ttl=64 time=0.123 ms
 </​code>​ </​code>​
  
 This will not work from outside of the CS network unless you modify your DNS search path to contain ''​%%cs.virginia.edu%%''​. This will not work from outside of the CS network unless you modify your DNS search path to contain ''​%%cs.virginia.edu%%''​.
  
-===== Login =====+=== Login to other servers ​===
  
-==== From Linux/Mac OS ====+=== From Linux/Mac OS ===
  
-To log into this server from another computer running Linux/​Unix/​MacOS,​ run the following from a shell:+To log into server from another computer running Linux/​Unix/​MacOS,​ run the following from a shell:
  
 <​code>​ <​code>​
-username@host ~ $ ssh username@gpusrv04.cs.virginia.edu +abc1de@host ~ $ ssh username@gpusrv04.cs.virginia.edu 
-username@gpusrv04'​s password: ​                             <- Enter Password+abc1de@gpusrv04'​s password: ​                             <- Enter Password
 ... ...
-[username@gpusrv04 ~]$+[abc1de@gpusrv04 ~]$
 </​code>​ </​code>​
  
 In Mac OS the Terminal app can be found in the Utilities folder under Applications. In Mac OS the Terminal app can be found in the Utilities folder under Applications.
  
-==== From Windows ​====+=== From Windows ===
  
 For information about SSH clients for Windows, see the article [[windows_ssh|SSH from Windows]] For information about SSH clients for Windows, see the article [[windows_ssh|SSH from Windows]]
  
-===== Servers ​=====+=== Servers ===
  
 For a listing of generally available servers in CS, see the article [[compute_resources|General Purpose Nodes]] For a listing of generally available servers in CS, see the article [[compute_resources|General Purpose Nodes]]
  
-===== Login Restrictions (Info for Faculty) ​=====+=== Login Restrictions (Info for Faculty) ===
  
-Here in CS we want to give all of our users fair and equal access to whatever computing resources we have to offer. ​ For this reason we are discontinuing the practice of restricting ​login access to certain servers. ​ However, there are a number of servers that still have access restrictions in place. ​ This article is to show users with ''​%%sudo%%''​ privileges how to edit ''​%%/​etc/​security/​time.conf%%''​ to allow user logins.+We want to give all of our users fair and equal access to whatever computing resources we have to offer. ​We do not restrict ​login access to certain servers. ​ However, there are a number of servers that still have access restrictions in place. ​ This article is to show users with ''​%%sudo%%''​ privileges how to edit ''​%%/​etc/​security/​time.conf%%''​ to allow user logins.
  
 There are several configuration files located in ''​%%/​etc/​security%%''​ on Linux servers. ​ In this directory, we can use ''​%%time.conf%%''​ to restrict ssh login to a specific set of user accounts. There are several configuration files located in ''​%%/​etc/​security%%''​ on Linux servers. ​ In this directory, we can use ''​%%time.conf%%''​ to restrict ssh login to a specific set of user accounts.
- 
-==== PAM Setup ==== 
- 
-This section can be skipped over if your server has already been configured with login restrictions. 
  
 By default, access rules in ''​%%time.conf%%''​ are not used unless a //PAM module// (pluggable authentication module) is configured to read them.  This is done by adding a line to the ''​%%sshd%%''​ //PAM// module file.  ​ By default, access rules in ''​%%time.conf%%''​ are not used unless a //PAM module// (pluggable authentication module) is configured to read them.  This is done by adding a line to the ''​%%sshd%%''​ //PAM// module file.  ​
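Review bot: In the "From Linux/Mac OS" example the prompt was updated to `abc1de@host ~ $` but the command still reads `ssh username@gpusrv04.cs.virginia.edu` while the next line shows `abc1de@gpusrv04's password:`; change the command to `ssh abc1de@gpusrv04.cs.virginia.edu` so the example matches the userid advice given at the top of the page. Deleting "This process can be made even easier with the use of password-less ssh keys..." removes the page's only mention of key-based authentication, and the jumphost transcript now shows the password being typed twice (once for portal, once for gpusrv01), so a pointer to setting up SSH keys is worth keeping. In the Short Names ping example the hostnames were changed from power3 to portal03 but the address 128.143.67.43 was carried over unchanged, so the output may no longer correspond to a real lookup. Finally, the Login Restrictions paragraph now reads "We do not restrict login access to certain servers" directly followed by "there are a number of servers that still have access restrictions in place"; the old wording ("we are discontinuing the practice of restricting login access") said what was meant without the contradiction, and dropping "This section can be skipped over if your server has already been configured with login restrictions" removes the cue that tells an admin not to add the pam_time.so line a second time.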
Line 121: Line 120:
 account ​            ​required ​               pam_time.so account ​            ​required ​               pam_time.so
 </​code>​ </​code>​
- 
-==== time.conf ==== 
  
 Now that //PAM// is configured to read ''​%%time.conf%%''​ we can now put in a rule.  Here is an example rule from ''​%%time.conf%%'':​ Now that //PAM// is configured to read ''​%%time.conf%%''​ we can now put in a rule.  Here is an example rule from ''​%%time.conf%%'':​
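Review bot: With the "==== time.conf ====" heading removed, the sentence "Now that PAM is configured to read time.conf we can now put in a rule" now runs directly after the `account required pam_time.so` line with no visual break; keep the subheading (the page still uses === headings elsewhere) or add a sentence making clear that a restriction takes effect only once both parts are present, the pam_time.so line in the sshd PAM file and a matching rule in `/etc/security/time.conf`, since an admin who applies only one of them will see no change in who can log in.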
  • linux_ssh_access.txt
  • Last modified: 2020/10/06 12:48
  • by pgh5a