Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
linux_ssh_access [2020/08/31 18:25] pgh5a |
linux_ssh_access [2023/03/15 16:57] (current) |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ==== Linux Server Access ==== | ==== Linux Server Access ==== | ||
| - | All Linux servers run "secure shell" - 'ssh'. Anyone with a CS account may log into these servers. | + | All Linux servers run "secure shell" (//ssh//). Anyone with a CS account may log into the department's servers. |
| - | On Grounds, you can simply 'ssh' to CS servers typically by using a Terminal application like HyperTerm (Windows) or Terminal (Mac). | + | Users on a Windows PC can use a Terminal application like //SecureCRT, Cmder, KiTTY, or Putty// to //ssh// to our servers. |
| - | Off Grounds, you are not able to 'ssh' directly into CS servers. However connections to ''%%portal.cs.virginia.edu%%'' are allowed from off Grounds. | + | Users on a Mac can use an application like //Terminal// or //iTerm2// to //ssh// to our servers. |
| - | You must use your CS domain userid (identical to your UVA userid) and password to 'ssh' to portal. For example: | + | If you'd like to use a graphical windowing interface to our servers, see: [[nx_lab|Nomachine Remote Desktops]] |
| - | ''%%ssh -l abc1de portal.cs.virginia.edu%%''. Alternatively, ''%%ssh abc1de@portal.cs.virginia.edu%%'' | + | === On Grounds === |
| + | You can //ssh// to CS servers. | ||
| - | Note that if you are opening a terminal application on your Mac or PC, your username on the Mac or PC may be different from your CS/UVA userid. So be sure to include your userid on the 'ssh' command line. | + | Use your CS domain userid (identical to your UVA userid) and password to //ssh// to ''%%portal%%''. For example: |
| - | If you'd like to use a graphical windowing interface to department servers, see: [[nx_lab|NX Linux Remote Desktop Cluster]] | + | ''%%ssh -l abc1de portal.cs.virginia.edu%%''. Alternatively, ''%%ssh abc1de@portal.cs.virginia.edu%%'' |
| - | === Access from off Grounds === | + | === Off Grounds: Option 1: VPN access === |
| - | **Use one of these options to access CS servers from outside of UVA.** | + | Start a VPN session to UVA using the [[https://virginia.service-now.com/its?id=itsweb_kb_article&sys_id=f24e5cdfdb3acb804f32fb671d9619d0|UVA VPN]]. Once the VPN is established, you can //ssh// to CS servers directly. Note that you should use the UVA "Anywhere" VPN, not the "More Secure" VPN. |
| - | === Option 1: VPN access === | + | === Off Grounds: Option 2: ssh to portal.cs.virginia.edu === |
| + | You can //ssh// directly into ''%%portal.cs.virginia.edu%%'' without having to use the UVA VPN. Once you are logged into the ''%%portal%%'' cluster, you can then //ssh// to other CS servers. //Your username on the Mac or PC may be different from your CS/UVA userid. So be sure to include your CS/UVA userid on the ''ssh'' command line.// | ||
| - | If you are outside of the UVA network (off grounds) then you can first start a VPN session to UVA using the [[https://virginia.service-now.com/its?id=itsweb_kb_article&sys_id=f24e5cdfdb3acb804f32fb671d9619d0|UVA VPN]]. Once the VPN is established, you can 'ssh' to CS servers directly. | + | For example: |
| - | + | ||
| - | === Option 2: Access via portal.cs.virginia.edu === | + | |
| - | + | ||
| - | You can ssh directly into ''%%portal.cs.virginia.edu%%'' without having to use the UVA VPN. Once you are logged into the ''%%portal%%'' cluster, you can then ssh to other CS servers. //Note! From off grounds, you can ONLY ssh into portal without using the VPN. You cannot ssh directly into other department servers.// | + | |
| <code> | <code> | ||
| - | [abc1de@outside-uva ~]$ ssh -l abc1de portal.cs.virginia.edu | + | [abc1de@outside-uva ~]$ ssh abc1de@portal.cs.virginia.edu |
| abc1de@portal.cs.virginia.edu's password: | abc1de@portal.cs.virginia.edu's password: | ||
| - | Last login: Mon Jul 29 14:12:10 2019 | + | Last login: Mon Jul 29 14:12:10 2021 |
| abc1de@portal04 ~ $ hostname | abc1de@portal04 ~ $ hostname | ||
| - | portal04 <-- We are logged into portal cluster | + | portal04 <-- you are logged into the portal cluster |
| - | abc1de@portal04 ~ $ ssh gpusrv01 <-- We can now access gpusrv01 | + | abc1de@portal04 ~ $ ssh gpusrv01 <-- you can now ssh to gpusrv01 |
| abc1de@gpusrv01's password: | abc1de@gpusrv01's password: | ||
| - | .... | + | abc1de@gpusrv01 ~ $ <-- you are logged into gpusrv01 |
| - | abc1de@gpusrv01 ~ $ | + | |
| </code> | </code> | ||
| - | === SSH Jumphost Options === | + | === Jumphost Option === |
| - | The OpenSSH ssh client has an option ''%%-J%%'' to specify a host to use as a "jumphost" that lets you access other servers directly, in one step. This combines two steps (for example, ssh into portal.cs.virginia.edu and then ssh to gpusrv01) into one single command. From the manpages: | + | The //ssh// command has an option ''%%-J%%'' to specify a server to use as a "jumphost" that lets you access other servers directly with one command. This combines two steps (for example, //ssh// into //portal.cs.virginia.edu// and then //ssh// to //gpusrv01//). |
| - | <code> | + | Here is how we use this option to "jump" from //portal// to another CS server. Let's repeat the example of logging in to //gpusrv01//. |
| - | -J destination | + | |
| - | Connect to the target host by first making a ssh connection to | + | |
| - | the jump host described by destination and then establishing a | + | |
| - | TCP forwarding to the ultimate destination from there. Multiple | + | |
| - | jump hops may be specified separated by comma characters. This | + | |
| - | is a shortcut to specify a ProxyJump configuration directive. | + | |
| - | Note that configuration directives supplied on the command-line | + | |
| - | generally apply to the destination host and not any specified | + | |
| - | jump hosts. Use ~/.ssh/config to specify configuration for jump | + | |
| - | hosts. | + | |
| - | </code> | + | |
| - | + | ||
| - | Here is how we use this option to "jump" from portal.cs to another CS server. Let's repeat the example of logging in to ''%%gpusrv01%%'' | + | |
| <code> | <code> | ||
| - | [abc1de@outside-uva ~]$ ssh -l abc1de gpusrv01 -J portal.cs.virginia.edu | + | [abc1de@outside-uva ~]$ ssh abc1de@gpusrv01 -J abc1de@portal.cs.virginia.edu |
| - | abc1de@portal04.cs.virginia.edu's password: <-- first asked to authenticate to portal | + | abc1de@portal04.cs.virginia.edu's password: <-- first asked to authenticate to portal |
| - | abc1de@gpusrv01's password: <-- immediately able to log into gpusrv01 | + | abc1de@gpusrv01's password: <-- immediately able to log into gpusrv01 |
| - | .... | + | abc1de@gpusrv01 ~ $ <-- you are logged into gpusrv01 |
| - | abc1de@gpusrv01 ~ $ | + | |
| </code> | </code> | ||
| - | === Server Domain Names === | + | === Host Names depend upon your network connection === |
| - | Computer Science hosts its own DNS server with authority over the ''%%cs.virginia.edu%%'' domain space. Any server in CS will have a fully qualified domain name (fqdn) of ''%%hostname.cs.virginia.edu%%''. | + | If you are on the Computer Science network just use the hostname of a server (ex. //portal//). If you are outside of the CS network (on wireless for example), use the hostname's fully qualified name (ex. //portal.cs.virginia.edu//). |
| - | === Short Names === | + | === Available Servers === |
| - | If you are inside of the Computer Science network then use the hostname of a server instead of its fully qualified name. For example, if you are logged into a CS server, you can ping another server by its hostname alone. | + | For a listing of generally available servers in CS, see [[compute_resources|Computing Resources]] |
| - | + | ||
| - | <code> | + | |
| - | username@portal01:~$ ping portal03 | + | |
| - | PING portal03.cs.virginia.edu (128.143.67.43) 56(84) bytes of data. | + | |
| - | 64 bytes from portal03.cs.virginia.edu (128.143.67.43): icmp_seq=1 ttl=64 time=0.149 ms | + | |
| - | 64 bytes from portal03.cs.virginia.edu (128.143.67.43): icmp_seq=2 ttl=64 time=0.123 ms | + | |
| - | </code> | + | |
| - | + | ||
| - | This will not work from outside of the CS network unless you modify your DNS search path to contain ''%%cs.virginia.edu%%''. | + | |
| - | + | ||
| - | === Login to other servers === | + | |
| - | + | ||
| - | === From Linux/Mac OS === | + | |
| - | + | ||
| - | To log into this server from another computer running Linux/Unix/MacOS, run the following from a shell: | + | |
| - | + | ||
| - | <code> | + | |
| - | username@host ~ $ ssh username@gpusrv04.cs.virginia.edu | + | |
| - | username@gpusrv04's password: <- Enter Password | + | |
| - | ... | + | |
| - | [username@gpusrv04 ~]$ | + | |
| - | </code> | + | |
| - | + | ||
| - | In Mac OS the Terminal app can be found in the Utilities folder under Applications. | + | |
| - | + | ||
| - | === From Windows === | + | |
| - | + | ||
| - | For information about SSH clients for Windows, see the article [[windows_ssh|SSH from Windows]] | + | |
| - | + | ||
| - | === Servers === | + | |
| - | + | ||
| - | For a listing of generally available servers in CS, see the article [[compute_resources|General Purpose Nodes]] | + | |
| - | + | ||
| - | === Login Restrictions (Info for Faculty) === | + | |
| - | + | ||
| - | Here in CS we want to give all of our users fair and equal access to whatever computing resources we have to offer. For this reason we are discontinuing the practice of restricting login access to certain servers. However, there are a number of servers that still have access restrictions in place. This article is to show users with ''%%sudo%%'' privileges how to edit ''%%/etc/security/time.conf%%'' to allow user logins. | + | |
| - | + | ||
| - | There are several configuration files located in ''%%/etc/security%%'' on Linux servers. In this directory, we can use ''%%time.conf%%'' to restrict ssh login to a specific set of user accounts. | + | |
| - | + | ||
| - | === PAM Setup === | + | |
| - | + | ||
| - | This section can be skipped over if your server has already been configured with login restrictions. | + | |
| - | + | ||
| - | By default, access rules in ''%%time.conf%%'' are not used unless a //PAM module// (pluggable authentication module) is configured to read them. This is done by adding a line to the ''%%sshd%%'' //PAM// module file. | + | |
| - | + | ||
| - | Add the following line to the file to the end ''%%/etc/pam.d/sshd%%'': | + | |
| - | + | ||
| - | <code> | + | |
| - | account required pam_time.so | + | |
| - | </code> | + | |
| - | + | ||
| - | === time.conf === | + | |
| - | + | ||
| - | Now that //PAM// is configured to read ''%%time.conf%%'' we can now put in a rule. Here is an example rule from ''%%time.conf%%'': | + | |
| - | + | ||
| - | <code> | + | |
| - | sshd;*;!root&fls4t&ejs3s&pgh5a;!Al0000-2400 | + | |
| - | </code> | + | |
| - | + | ||
| - | This line is formatted such that the users listed are separated by ampersand ''%%&%%'' characters. This entry will allow the users ''%%root%%'', ''%%fls4t%%'', ''%%ejs3s%%'' and ''%%pgh5a%%'' are allowed access. **Be sure to always include yourself and root in this rule. Failure to do so may result in everyone becoming locked out.** | + | |
| - | + | ||
| - | If we wanted to add the user ''%%ktm5j%%'' to this rule above, we would insert the string ''%%&ktm5j%%'' like this: | + | |
| - | + | ||
| - | <code> | + | |
| - | sshd;*;!root&fls4t&ejs3s&pgh5a&ktm5j;!Al0000-2400 | + | |
| - | </code> | + | |
| - | Changes to this file take effect immediately, no services need to be restarted. When editing this file, be sure that you keep at least one active ssh connection until you have tested your changes. This will prevent becoming locked out if any errors are made! | ||