Differences

This shows you the differences between two versions of the page.

linux_ssh_access [2020/07/13 17:40]
pgh5a [Linux SSH Access]
linux_ssh_access [2020/09/01 18:02] (current)
pgh5a
Line 1: Line 1:
-====== Linux SSH Access ​======+==== Linux Server ​Access ====
  
-All Linux servers run '​ssh'​. ​ Anyone with a CS account may log into these servers. ​+All Linux servers run "​secure shell" - '​ssh'​. ​ Anyone with a CS account may log into these servers. ​
  
-From inside UVA, you can simply '​ssh'​ to CS servers typically by using a Terminal application like HyperTerm (Windows) or Terminal (Mac).+On Grounds, you can simply '​ssh'​ to CS servers typically by using a Terminal application like HyperTerm (Windows) or Terminal (Mac).
  
-From outside UVA, you are not able to '​ssh'​ directly into CS servers. ​ However connections to ''​%%portal.cs.virginia.edu%%''​ are still allowed from outside of UVA.+Off Grounds, you are not able to '​ssh'​ directly into CS servers. ​ However connections to ''​%%portal.cs.virginia.edu%%''​ are allowed from off Grounds.
  
 You must use your CS domain userid (identical to your UVA userid) and password to '​ssh'​ to portal. For example: You must use your CS domain userid (identical to your UVA userid) and password to '​ssh'​ to portal. For example:
  
-ssh -l jsp9ew ​portal.cs.virginia.edu. Alternatively,​ ssh jsp9ew@portal.cs.virginia.edu+''​%%ssh -l abc1de ​portal.cs.virginia.edu%%''​. Alternatively, ​''​%%ssh abc1de@portal.cs.virginia.edu%%''​
  
-Note that if you are opening a terminal application on your Mac or PC, your username on the Mac or PC may be different from your CS domain ​userid. So be sure to include your CS domain ​userid on the '​ssh'​ command line.+Note that if you are opening a terminal application on your Mac or PC, your username on the Mac or PC may be different from your CS/UVA userid. So be sure to include your userid on the '​ssh'​ command line.
  
 If you'd like to use a graphical windowing interface to department servers, see: [[nx_lab|NX Linux Remote Desktop Cluster]] If you'd like to use a graphical windowing interface to department servers, see: [[nx_lab|NX Linux Remote Desktop Cluster]]
  
-===== Access from Outside UVA =====+=== Access from off Grounds ​===
  
 **Use one of these options to access CS servers from outside of UVA.** **Use one of these options to access CS servers from outside of UVA.**
  
-==== Option 1: VPN access ​====+=== Option 1: VPN access ===
  
  
-If you are outside of the UVA network (off grounds) then you can use the [[https://​virginia.service-now.com/​its?​id=itsweb_kb_article&​sys_id=f24e5cdfdb3acb804f32fb671d9619d0|UVA VPN]] to access ​CS servers ​via SSH.+If you are outside of the UVA network (off grounds) then you can first start a VPN session to UVA using the [[https://​virginia.service-now.com/​its?​id=itsweb_kb_article&​sys_id=f24e5cdfdb3acb804f32fb671d9619d0|UVA VPN]]. Once the VPN is established,​ you can '​ssh' ​to CS servers ​directly.
  
-==== Option 2: Access via portal.cs.virginia.edu ​====+=== Option 2: Access via portal.cs.virginia.edu ===
  
-If you need to access CS servers from outside of UVA you can ssh directly into ''​%%portal.cs.virginia.edu%%''​ without having to use the VPN.  Once you are logged into the ''​%%portal%%''​ cluster, you can then access ​other CS servers ​via SSH. +You can ssh directly into ''​%%portal.cs.virginia.edu%%''​ without having to use the UVA VPN.  Once you are logged into the ''​%%portal%%''​ cluster, you can then ssh to other CS servers.
- +
-=== Example using portal.cs ===+
  
 <​code>​ <​code>​
-[ktm5j@outside-uva ~]$ ssh -l ktm5j power3.cs.virginia.edu +[abc1de@outside-uva ~]$ ssh -l abc1de ​portal.cs.virginia.edu 
- +abc1de@portal.cs.virginia.edu'​s password: ​
-^C                                                     <​-- Direct ssh access to power3 is denied +
-[ktm5j@outside-uva ~]$ ssh -l ktm5j portal.cs.virginia.edu +
-ktm5j@portal.cs.virginia.edu'​s password: ​+
 Last login: Mon Jul 29 14:12:10 2019 Last login: Mon Jul 29 14:12:10 2019
-ktm5j@portal04 ~ $ hostname+abc1de@portal04 ~ $ hostname
 portal04 ​                                              <​-- We are logged into portal cluster portal04 ​                                              <​-- We are logged into portal cluster
-ktm5j@portal04 ~ $ ssh gpusrv01 ​                        <​-- We can now access gpusrv01 +abc1de@portal04 ~ $ ssh gpusrv01 ​                        <​-- We can now access gpusrv01 
-ktm5j@gpusrv01'​s password:+abc1de@gpusrv01'​s password:
 .... ....
-ktm5j@gpusrv01 ~ $+abc1de@gpusrv01 ~ $
 </​code>​ </​code>​
  
-=== SSH Jumphost ​Options ​===+=== Jumphost ​Option ​===
  
-The OpenSSH ​ssh client has an option ''​%%-J%%''​ to specify a host to use as a "​jumphost"​ that lets us access other servers ​inside of a firewalled network.  This combines two steps from the example ​above (ssh into portal.cs.virginia.edu and then ssh to power3) into one single command. ​ From the manpages:+The ssh client has an option ''​%%-J%%''​ to specify a host to use as a "​jumphost"​ that lets you access other servers ​directly, in one step.  This combines two steps (for examplessh into portal.cs.virginia.edu and then ssh to gpusrv01) into one single command. ​ From the //man// page:
  
 <​code>​ <​code>​
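Review bot: the jumphost paragraph drops "OpenSSH" ("The OpenSSH ssh client has an option -J" became "The ssh client has an option -J"), which removes the one caveat readers need: -J (ProxyJump) exists only in OpenSSH 7.3 and later and is not present in other clients, so keep "OpenSSH" in the sentence and add that anyone whose client lacks -J falls back to the two-step login (ssh to portal, then ssh onward) shown in the transcript above. Two smaller points in this hunk: "HyperTerm (Windows)" names a terminal program, not an SSH client (Windows' HyperTerminal has no SSH support), so send Windows users to the [[windows_ssh|SSH from Windows]] article the page already links further down; and deleting the "^C <-- Direct ssh access to power3 is denied" lines removes the only illustration that a direct off-Grounds connection hangs until interrupted rather than failing with a clear error, which is worth keeping as a single line in the new portal example.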
Line 65: Line 60:
  
 <​code>​ <​code>​
-[ktm5j@outside-uva ~]$ ssh -l ktm5j gpusrv01 -J portal.cs.virginia.edu +[abc1de@outside-uva ~]$ ssh -l abc1de ​gpusrv01 -J portal.cs.virginia.edu 
-ktm5j@portal04.cs.virginia.edu'​s password: ​                           <-- first asked to authenticate to portal +abc1de@portal04.cs.virginia.edu'​s password: ​                           <-- first asked to authenticate to portal 
-ktm5j@gpusrv01'​s password: ​                                             <-- immediately able to log into gpusrv01+abc1de@gpusrv01'​s password: ​                                             <-- immediately able to log into gpusrv01
 .... ....
-ktm5j@gpusrv01 ~ $+abc1de@gpusrv01 ~ $
 </​code>​ </​code>​
  
-This process can be made even easier with the use of password-less ssh keys.  When keys are set up properly you can log in (even using the -J jumphost options) without needing to type in a password. +=== Server Domain Names ===
- +
-===== Server Domain Names =====+
  
 Computer Science hosts its own DNS server with authority over the ''​%%cs.virginia.edu%%''​ domain space. ​ Any server in CS will have a fully qualified domain name (fqdn) of ''​%%hostname.cs.virginia.edu%%''​. Computer Science hosts its own DNS server with authority over the ''​%%cs.virginia.edu%%''​ domain space. ​ Any server in CS will have a fully qualified domain name (fqdn) of ''​%%hostname.cs.virginia.edu%%''​.
  
-If you want to log into a server named ''​%%gpusrv04%%'',​ then the domain address should be ''​%%gpusrv04.cs.virginia.edu%%''​.+=== Short Names ===
  
-==== Short Names ==== +If you are inside of the Computer Science network then use the hostname of a server instead of its fully qualified name.  For example, if you are logged into a CS server, you can ping another server by its hostname alone.
- +
-If you are inside of the Computer Science network then you can simply ​use the hostname of a server instead of its fully qualified name.  For example, if you are logged into a CS server, you can ping another server by its hostname alone.+
  
 <​code>​ <​code>​
-username@power5:~$ ping power3 +abc1de@portal01:~$ ping portal03 
-PING power3.cs.virginia.edu (128.143.67.43) 56(84) bytes of data. +PING portal03.cs.virginia.edu (128.143.67.43) 56(84) bytes of data. 
-64 bytes from power3.cs.virginia.edu (128.143.67.43):​ icmp_seq=1 ttl=64 time=0.149 ms +64 bytes from portal03.cs.virginia.edu (128.143.67.43):​ icmp_seq=1 ttl=64 time=0.149 ms 
-64 bytes from power3.cs.virginia.edu (128.143.67.43):​ icmp_seq=2 ttl=64 time=0.123 ms+64 bytes from portal03.cs.virginia.edu (128.143.67.43):​ icmp_seq=2 ttl=64 time=0.123 ms
 </​code>​ </​code>​
  
 This will not work from outside of the CS network unless you modify your DNS search path to contain ''​%%cs.virginia.edu%%''​. This will not work from outside of the CS network unless you modify your DNS search path to contain ''​%%cs.virginia.edu%%''​.
  
-===== Login =====+=== Login to other servers ​===
  
-==== From Linux/Mac OS ====+=== From Linux/Mac OS ===
  
-To log into this server from another computer running Linux/​Unix/​MacOS,​ run the following from a shell:+To log into server from another computer running Linux/​Unix/​MacOS,​ run the following from a shell:
  
 <​code>​ <​code>​
-username@host ~ $ ssh username@gpusrv04.cs.virginia.edu +abc1de@host ~ $ ssh username@gpusrv04.cs.virginia.edu 
-username@gpusrv04'​s password: ​                             <- Enter Password+abc1de@gpusrv04'​s password: ​                             <- Enter Password
 ... ...
-[username@gpusrv04 ~]$+[abc1de@gpusrv04 ~]$
 </​code>​ </​code>​
  
 In Mac OS the Terminal app can be found in the Utilities folder under Applications. In Mac OS the Terminal app can be found in the Utilities folder under Applications.
  
-==== From Windows ​====+=== From Windows ===
  
 For information about SSH clients for Windows, see the article [[windows_ssh|SSH from Windows]] For information about SSH clients for Windows, see the article [[windows_ssh|SSH from Windows]]
  
-===== Servers ​=====+=== Servers ===
  
 For a listing of generally available servers in CS, see the article [[compute_resources|General Purpose Nodes]] For a listing of generally available servers in CS, see the article [[compute_resources|General Purpose Nodes]]
  
-===== Login Restrictions (Info for Faculty) ​=====+=== Login Restrictions (Info for Faculty) ===
  
-Here in CS we want to give all of our users fair and equal access to whatever computing resources we have to offer. ​ For this reason we are discontinuing the practice of restricting ​login access to certain servers. ​ However, there are a number of servers that still have access restrictions in place. ​ This article is to show users with ''​%%sudo%%''​ privileges how to edit ''​%%/​etc/​security/​time.conf%%''​ to allow user logins.+We want to give all of our users fair and equal access to whatever computing resources we have to offer. ​We do not restrict ​login access to certain servers. ​ However, there are a number of servers that still have access restrictions in place. ​ This article is to show users with ''​%%sudo%%''​ privileges how to edit ''​%%/​etc/​security/​time.conf%%''​ to allow user logins.
  
 There are several configuration files located in ''​%%/​etc/​security%%''​ on Linux servers. ​ In this directory, we can use ''​%%time.conf%%''​ to restrict ssh login to a specific set of user accounts. There are several configuration files located in ''​%%/​etc/​security%%''​ on Linux servers. ​ In this directory, we can use ''​%%time.conf%%''​ to restrict ssh login to a specific set of user accounts.
- 
-==== PAM Setup ==== 
- 
-This section can be skipped over if your server has already been configured with login restrictions. 
  
 By default, access rules in ''​%%time.conf%%''​ are not used unless a //PAM module// (pluggable authentication module) is configured to read them.  This is done by adding a line to the ''​%%sshd%%''​ //PAM// module file.  ​ By default, access rules in ''​%%time.conf%%''​ are not used unless a //PAM module// (pluggable authentication module) is configured to read them.  This is done by adding a line to the ''​%%sshd%%''​ //PAM// module file.  ​
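Review bot: the ping transcript in the Short Names section was renamed from power3 to portal03 but keeps power3's address 128.143.67.43 on all three output lines, so the example now shows portal03 resolving to another host's IP; paste a fresh "ping portal03" capture or replace the address with a placeholder and state that the output is illustrative. Further down in the same hunk, the Linux/Mac login example changed the prompt to "abc1de@host ~ $" but the command still reads "ssh username@gpusrv04.cs.virginia.edu" while the next line asks for "abc1de@gpusrv04's password"; make the command "ssh abc1de@gpusrv04.cs.virginia.edu" so the transcript is self-consistent, and restore the article in "To log into server from another computer" ("To log into a server"). The Short Names sentence now reads as an instruction ("then use the hostname of a server instead of its fully qualified name") where the original said "you can simply use"; the FQDN still works from inside, so keep the optional wording. The Login Restrictions paragraph now contradicts itself ("We do not restrict login access to certain servers. However, there are a number of servers that still have access restrictions in place."); the original "we are discontinuing the practice of restricting" was accurate and should come back. Removing "This process can be made even easier with the use of password-less ssh keys" also removes the page's only mention of public-key authentication; if it is reinstated, describe passphrase-protected keys loaded into ssh-agent rather than password-less keys, since an unencrypted private key on a laptop is a standing credential for portal. Finally, flattening "==== From Linux/Mac OS ====" and "==== From Windows ====" to the same "===" level as "=== Login to other servers ===", and deleting the "==== PAM Setup ====" heading together with its "can be skipped over if your server has already been configured" note, loses the section hierarchy and the hint that the PAM step is a one-time setup.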
Line 133: Line 120:
 account ​            ​required ​               pam_time.so account ​            ​required ​               pam_time.so
 </​code>​ </​code>​
- 
-==== time.conf ==== 
  
 Now that //PAM// is configured to read ''​%%time.conf%%''​ we can now put in a rule.  Here is an example rule from ''​%%time.conf%%'':​ Now that //PAM// is configured to read ''​%%time.conf%%''​ we can now put in a rule.  Here is an example rule from ''​%%time.conf%%'':​
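Review bot: deleting the "==== time.conf ====" heading leaves "Now that PAM is configured to read time.conf we can now put in a rule" attached to the PAM paragraph with no section of its own, and the page as shown ends at "Here is an example rule from time.conf:" with no rule following, so the reader is left without the example the sentence promises; restore the heading and check that the rule block survives the edit. Minor: "Now that ... we can now put in a rule" doubles "now". One caveat worth a sentence next to the "account required pam_time.so" line: because pam_time.so is loaded only from the sshd PAM file, the time.conf rule governs ssh logins and nothing else, and with "required" any user the rule does not permit is refused even after a correct password, so keep a second privileged session open and test the rule before logging out of the session you edited in.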
  • linux_ssh_access.1594662042.txt.gz