linux_ssh_access: revision 2019/07/29 19:16 compared with revision 2022/03/23 13:56 (current)
==== Linux Server Access ====

All CS Linux servers run an SSH server ("secure shell", //ssh//). Anyone with a CS account may log into the department's servers.

On Grounds, you can simply //ssh// to CS servers. Off Grounds, you cannot //ssh// directly into most CS servers; the one exception is ''%%portal.cs.virginia.edu%%''.

Use your CS domain userid (identical to your UVA userid) and password to //ssh// to ''%%portal%%''. For example:

''%%ssh -l abc1de portal.cs.virginia.edu%%''. Alternatively, ''%%ssh abc1de@portal.cs.virginia.edu%%''

Users on a Windows PC can use a terminal application such as //SecureCRT, Cmder, KiTTY, or PuTTY// to //ssh// to our servers.

Users on a Mac can use an application such as //Terminal// or //iTerm2// to //ssh// to our servers.

(Note that your username on the Mac or PC may differ from your CS/UVA userid, so be sure to include your userid on the //ssh// command line.)

If you'd like to use a graphical windowing interface to our servers, see [[nx_lab|Nomachine Remote Desktops]].
=== Access from off Grounds ===

**Use one of these options to access CS servers from outside of UVA:**

(As announced in the 2019/07/29 revision of this page, **Update 07/29/19**: SSH traffic from outside of the UVA network is blocked, so you can no longer //ssh// directly into CS hosts from off Grounds. Connections to ''%%portal.cs.virginia.edu%%'' are still allowed from outside of UVA.)

=== Option 1: VPN access ===

Start a VPN session to UVA using the [[https://virginia.service-now.com/its?id=itsweb_kb_article&sys_id=f24e5cdfdb3acb804f32fb671d9619d0|UVA VPN]]. Once the VPN is established, you can //ssh// to CS servers directly. Note that you should use the UVA "Anywhere" VPN, not the "More Secure" VPN.

=== Option 2: Access via portal.cs.virginia.edu ===

You can //ssh// directly into ''%%portal.cs.virginia.edu%%'' without using the UVA VPN. Once you are logged into the ''%%portal%%'' cluster, you can then //ssh// to other CS servers.

For example:
<code>
[abc1de@outside-uva ~]$ ssh abc1de@portal.cs.virginia.edu
abc1de@portal.cs.virginia.edu's password:
Last login: Mon Jul 29 14:12:10 2021
abc1de@portal04 ~ $ hostname
portal04                                               <-- you are logged into the portal cluster
abc1de@portal04 ~ $ ssh gpusrv01                       <-- you can now ssh to gpusrv01
abc1de@gpusrv01's password:
abc1de@gpusrv01 ~ $                                    <-- you are logged into gpusrv01
</code>

The example from the 2019/07/29 revision shows the same procedure and also what happens if you try to //ssh// straight to a non-portal server from outside of UVA: the blocked connection hangs until you interrupt it with Ctrl-C.
<code>
[ktm5j@outside-uva ~]$ ssh -l ktm5j power3.cs.virginia.edu
^C                                                     <-- Direct ssh access to power3 is denied
[ktm5j@outside-uva ~]$ ssh -l ktm5j portal.cs.virginia.edu
ktm5j@portal.cs.virginia.edu's password:
Last login: Mon Jul 29 14:12:10 2019
ktm5j@portal04 ~ $ hostname
portal04                                               <-- We are logged into portal cluster
ktm5j@portal04 ~ $ ssh power3                          <-- We can now access power3
ktm5j@power3's password:
....
ktm5j@power3 ~ $
</code>
=== Jumphost Option ===

The OpenSSH //ssh// client has an option ''%%-J%%'' to specify a server to use as a "jumphost", which lets you reach servers inside of a firewalled network with a single command. This combines two steps (//ssh// into //portal.cs.virginia.edu// and then //ssh// to //gpusrv01//) into one. From the manpage, as quoted in the 2019/07/29 revision:
<code>
     -J destination
             Connect to the target host by first making a ssh connection to
             the jump host described by destination and then establishing a
             TCP forwarding to the ultimate destination from there.  Multiple
             jump hops may be specified separated by comma characters.  This
             is a shortcut to specify a ProxyJump configuration directive.
             Note that configuration directives supplied on the command-line
             generally apply to the destination host and not any specified
             jump hosts.  Use ~/.ssh/config to specify configuration for jump
             hosts.
</code>

Here is how we use this option to "jump" from //portal// to another CS server. Let's repeat the example of logging in to //gpusrv01//:
<code>
[abc1de@outside-uva ~]$ ssh abc1de@gpusrv01 -J abc1de@portal.cs.virginia.edu
abc1de@portal04.cs.virginia.edu's password:                 <-- first asked to authenticate to portal
abc1de@gpusrv01's password:                                 <-- immediately able to log into gpusrv01
abc1de@gpusrv01 ~ $                                         <-- you are logged into gpusrv01
</code>

Note the difference from Option 2: with ''%%-J%%'' the second connection is carried inside a TCP forward, so your session with //gpusrv01// is encrypted end to end and your //gpusrv01// password is never typed into a shell on the shared //portal// host. (The 2019/07/29 revision showed the same command against //power3//: ''%%ssh -l ktm5j power3 -J portal.cs.virginia.edu%%''.)

This process can be made even easier with password-less //ssh// keys. When keys are set up properly you can log in (even with the ''%%-J%%'' jumphost option) without needing to type in a password.
- +
=== Host Names depend upon your network connection ===

If you are on the Computer Science network, just use the hostname of a server (e.g. //portal//). If you are outside of the CS network (on wireless, for example), use the fully qualified name (e.g. //portal.cs.virginia.edu//).

== Server Domain Names (2019/07/29 revision) ==

Computer Science hosts its own DNS server with authority over the ''%%cs.virginia.edu%%'' domain. Any server in CS has a fully qualified domain name (FQDN) of the form ''%%hostname.cs.virginia.edu%%''.

If you want to log into a server named ''%%gpusrv04%%'', then its domain address is ''%%gpusrv04.cs.virginia.edu%%''.

== Short Names (2019/07/29 revision) ==

If you are inside of the Computer Science network then you can simply use the hostname of a server instead of its fully qualified name. For example, if you are logged into a CS server, you can ping another server by its hostname alone:
<code>
username@power5:~$ ping power3
PING power3.cs.virginia.edu ( 56(84) bytes of data.
64 bytes from power3.cs.virginia.edu ( ttl=64 time=0.149 ms
64 bytes from power3.cs.virginia.edu ( ttl=64 time=0.123 ms
</code>
This will not work from outside of the CS network unless you modify your DNS search path to contain ''%%cs.virginia.edu%%''.
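The jumphost option and the host-name rule above can both be written into the OpenSSH client configuration, so that a plain ''%%ssh gpusrv01.cs%%'' from off Grounds goes through //portal// on its own and the short name is completed to its FQDN without touching the DNS search path. The script below is an added example and not part of this wiki page: it writes such a configuration and asks the //ssh// client itself what it would resolve. It assumes the placeholder userid ''%%abc1de%%'' used above and a key file name (''%%~/.ssh/id_ed25519_cs%%'') chosen for the example; the directives themselves are standard options documented in ssh_config(5).

```shell
#!/bin/sh
# Added example, not from the CS wiki: build an OpenSSH client config that
# sends "ssh gpusrv01.cs" through portal automatically (the -J option as the
# ProxyJump directive) and completes the short name to its FQDN.
# Assumes the placeholder userid abc1de used on the page and a key file name
# (~/.ssh/id_ed25519_cs) chosen for the example; all directives are standard
# ssh_config(5) options.
set -e

# write_cs_ssh_config USERID OUTFILE
# Writes the configuration to OUTFILE; for real use that is "$HOME/.ssh/config".
write_cs_ssh_config() {
    userid=$1 out=$2
    cat > "$out" <<EOF
# The jumphost: the one CS host reachable from off Grounds. Key login only.
Host portal portal.cs portal.cs.virginia.edu
    HostName portal.cs.virginia.edu
    User $userid
    IdentityFile ~/.ssh/id_ed25519_cs
    IdentitiesOnly yes

# Every other CS host, given by FQDN, is reached through portal. With ProxyJump
# the inner connection is end to end, so portal never sees the password or key
# used for the inner host; agent forwarding is left off on purpose.
Host *.cs.virginia.edu !portal.cs.virginia.edu
    User $userid
    ProxyJump portal
    IdentityFile ~/.ssh/id_ed25519_cs
    IdentitiesOnly yes
    ForwardAgent no

# Short form: "ssh gpusrv01.cs" becomes gpusrv01.cs.virginia.edu (%h is the
# name typed on the command line). Because of ProxyJump the name is resolved
# by portal, so this works even where CS DNS is not reachable from the client.
Host *.cs !portal.cs
    HostName %h.virginia.edu
    User $userid
    ProxyJump portal
    IdentityFile ~/.ssh/id_ed25519_cs
    IdentitiesOnly yes
    ForwardAgent no
EOF
    chmod 600 "$out"   # ssh refuses a user config file that others can write
}

# resolved_option CONFIG HOST OPTION
# Prints OPTION as the client would apply it to HOST, using "ssh -G" (which
# resolves the configuration without connecting). Prints nothing when no ssh
# binary is available.
resolved_option() {
    command -v ssh >/dev/null 2>&1 || return 0
    ssh -G -F "$1" "$2" 2>/dev/null | awk -v k="$3" '$1 == k { print $2; exit }'
}

# Try it in a scratch directory (real use: write to "$HOME/.ssh/config").
demo_dir=$(mktemp -d)
write_cs_ssh_config abc1de "$demo_dir/config"
echo "ssh gpusrv01.cs -> HostName=$(resolved_option "$demo_dir/config" gpusrv01.cs hostname)" \
     "ProxyJump=$(resolved_option "$demo_dir/config" gpusrv01.cs proxyjump)"
rm -rf "$demo_dir"
```

For the password-less login the page mentions, create the key with ''%%ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_cs%%'' (give it a passphrase and load it into ''%%ssh-agent%%'' rather than storing it unencrypted), install the public half on the jumphost with ''%%ssh-copy-id -i ~/.ssh/id_ed25519_cs.pub portal%%'', and then on each inner host with ''%%ssh-copy-id -i ~/.ssh/id_ed25519_cs.pub gpusrv01.cs%%''; the second copy already travels through //portal// because ''%%ssh-copy-id%%'' uses the same client configuration.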
=== Available Servers ===

For a listing of generally available servers in CS, see [[compute_resources|Computing Resources]] (linked as "General Purpose Nodes" in the 2019/07/29 revision).

=== Login (2019/07/29 revision) ===

== From Linux/Mac OS ==

To log into a CS server from another computer running Linux/Unix/MacOS, run the following from a shell:
<code>
username@host ~ $ ssh username@gpusrv04.cs.virginia.edu
username@gpusrv04's password:                              <-- Enter Password
...
[username@gpusrv04 ~]$
</code>
In Mac OS the Terminal app can be found in the Utilities folder under Applications.

== From Windows ==

For information about SSH clients for Windows, see the article [[windows_ssh|SSH from Windows]].
=== Login Restrictions (Info for Faculty; 2019/07/29 revision) ===

Here in CS we want to give all of our users fair and equal access to whatever computing resources we have to offer. For this reason we are discontinuing the practice of restricting login access to certain servers. However, a number of servers still have access restrictions in place. This section shows users with ''%%sudo%%'' privileges how to edit ''%%/etc/security/time.conf%%'' to allow user logins.

There are several configuration files located in ''%%/etc/security%%'' on Linux servers. In this directory, ''%%time.conf%%'' can be used to restrict //ssh// login to a specific set of user accounts.

== PAM Setup ==

This section can be skipped if your server has already been configured with login restrictions.

By default, the access rules in ''%%time.conf%%'' are not used unless a //PAM module// (pluggable authentication module) is configured to read them. This is done by adding a line to the //PAM// configuration file for ''%%sshd%%''.

Add the following line to the end of ''%%/etc/pam.d/sshd%%'':
<code>
account             required                pam_time.so
</code>

== time.conf ==

Now that //PAM// is configured to read ''%%time.conf%%'', we can put in a rule. Here is an example rule from ''%%time.conf%%'':
<code>
sshd;*;!root&fls4t&ejs3s&pgh5a;!Al0000-2400
</code>

The fields are separated by semicolons (service; terminals; users; times), and the users listed in the third field are separated by ampersand ''%%&%%'' characters. This entry allows the users ''%%root%%'', ''%%fls4t%%'', ''%%ejs3s%%'' and ''%%pgh5a%%'' access. **Be sure to always include yourself and root in this rule. Failure to do so may result in everyone becoming locked out.**

If we wanted to add the user ''%%ktm5j%%'' to the rule above, we would insert the string ''%%&ktm5j%%'' like this:
<code>
sshd;*;!root&fls4t&ejs3s&pgh5a&ktm5j;!Al0000-2400
</code>

Changes to this file take effect immediately; no services need to be restarted. When editing this file, be sure that you keep at least one active //ssh// connection open until you have tested your changes. This will prevent becoming locked out if any errors are made! Because pam_time(8) evaluates each field as a logic expression (''%%!%%'' for NOT, ''%%&%%'' for AND, ''%%|%%'' for OR), the test should be done from a second connection: confirm that a user named in the rule is accepted and that one who is not is refused before you close the connection you edited from.
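The edit described above is easy to get wrong by hand, and the page's warning about locking everyone out is real. The script below is an added example, not from the CS wiki: it appends a userid to the ''%%sshd%%'' rule on a temporary copy of ''%%time.conf%%'' and only writes the result back if the new rule still names ''%%root%%'' and the person making the change. The rule it works on is a constructed copy of the one shown on this page; the function and file names are the example's own.

```shell
#!/bin/sh
# Added example, not from the CS wiki: add a userid to the sshd rule in
# time.conf without risking the lock-out the page warns about. The change is
# made on a temporary copy and written back only if the resulting rule still
# names root and the person making the change.
set -e

# rule_names_user FILE USER
# Returns 0 if USER appears in the users field (field 3) of a "sshd;*;..." rule
# in FILE. A leading "!" on a name is ignored for this check, since the page's
# own rule writes root as "!root".
rule_names_user() {
    file=$1 user=$2
    awk -v u="$user" 'BEGIN { FS = ";" }
        $1 == "sshd" && $2 == "*" {
            users = $3; gsub(/!/, "", users); gsub(/\|/, "\\&", users)
            if (index("&" users "&", "&" u "&") > 0) found = 1
        }
        END { exit !found }' "$file"
}

# add_user_to_sshd_rule CONF USERID [SELF]
# Appends "&USERID" to the users field of every "sshd;*;..." rule in CONF
# (idempotent: a userid already present is not added twice). SELF defaults to
# the invoking user (SUDO_USER when run under sudo). If the new rule would not
# name both root and SELF, CONF is left untouched and the function returns 1.
add_user_to_sshd_rule() {
    conf=$1 newuser=$2 self=${3:-${SUDO_USER:-$(id -un)}}
    tmp=$(mktemp)
    awk -v u="$newuser" 'BEGIN { FS = OFS = ";" }
        $1 == "sshd" && $2 == "*" {
            users = $3; gsub(/!/, "", users); gsub(/\|/, "\\&", users)
            if (index("&" users "&", "&" u "&") == 0) $3 = $3 "&" u
        }
        { print }' "$conf" > "$tmp"
    for must in root "$self"; do
        if ! rule_names_user "$tmp" "$must"; then
            echo "refusing to write $conf: the sshd rule would not name $must" >&2
            rm -f "$tmp"
            return 1
        fi
    done
    cat "$tmp" > "$conf"   # overwrite in place so ownership and mode are kept
    rm -f "$tmp"
}

# Demonstration on a constructed copy of the rule shown on this page
# (real use, as root: add_user_to_sshd_rule /etc/security/time.conf ktm5j).
demo=$(mktemp)
printf 'sshd;*;!root&fls4t&ejs3s&pgh5a;!Al0000-2400\n' > "$demo"
add_user_to_sshd_rule "$demo" ktm5j fls4t
cat "$demo"    # sshd;*;!root&fls4t&ejs3s&pgh5a&ktm5j;!Al0000-2400
rm -f "$demo"
```

The refusal path is the point of the script: run as a user who is not yet in the rule, it exits non-zero and leaves the file alone, which is exactly the situation in which a hand edit would have locked that user out. It does not change the meaning of the rule itself, so the second-connection test from the section above is still required after the write.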
