Differences

linux_ssh_access [2020/10/06 12:47]
pgh5a
linux_ssh_access [2021/11/04 14:20] (current)
Line 1: Line 1:
 ==== Linux Server Access ==== ==== Linux Server Access ====
  
-All Linux servers run "​secure shell" ​- 'ssh'.  Anyone with a CS account may log into these servers. ​+All Linux servers run "​secure shell" ​(//ssh//).  Anyone with a CS account may log into the department'​s ​servers. ​
  
-On Grounds, you can simply ​'ssh' ​to CS servers ​typically by using a Terminal application like HyperTerm (Windows) or Terminal (Mac).+On Grounds, you can simply ​//ssh// to CS servers. Off Grounds, you are not able to //ssh// directly into most CS servers except ''​%%portal.cs.virginia.edu%%''​.
  
-Off Grounds, you are not able to '​ssh'​ directly into CS servers. ​ However connections to ''​%%portal.cs.virginia.edu%%''​ are allowed from off Grounds. +Use your CS domain userid (identical to your UVA userid) and password to //ssh// to ''%%portal%%''​. For example:
- +
-You must use your CS domain userid (identical to your UVA userid) and password to 'ssh' ​to portal. For example:+
  
 ''​%%ssh -l abc1de portal.cs.virginia.edu%%''​. Alternatively,​ ''​%%ssh abc1de@portal.cs.virginia.edu%%''​ ''​%%ssh -l abc1de portal.cs.virginia.edu%%''​. Alternatively,​ ''​%%ssh abc1de@portal.cs.virginia.edu%%''​
  
-Note that if you are opening a terminal application ​on your Mac or PC, your username on the Mac or PC may be different from your CS/UVA userid. So be sure to include your userid on the 'ssh' command line.+Users on a Windows ​PC can use a Terminal application like //​SecureCRT,​ Cmder, KiTTY, or Putty// to //ssh// to our servers.
  
-If you'd like to use a graphical windowing interface to department ​servers, see: [[nx_lab|NX Linux Remote Desktop Cluster]]+Users on a Mac can use an application like //​Terminal//​ or //iTerm2// to //ssh// to our servers. 
 + 
 +(Note that your username on the Mac or PC may be different from your CS/UVA userid. So be sure to include your userid on the //ssh// command line). 
 + 
 +If you'd like to use a graphical windowing interface to our servers, see: [[nx_lab|NX Linux Remote Desktop Cluster]]
  
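Review bot: the new second paragraph says you are "not able to //ssh// directly into most CS servers except ''portal.cs.virginia.edu''", which mixes "most" with an exception; if portal is the only CS host reachable by ssh from off Grounds, say so directly, and it will also match Option 2 below. In the Windows client list the program is spelled "Putty"; its name is PuTTY. The parenthesised note about local usernames differing from the CS/UVA userid ends with the full stop outside the closing parenthesis.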
 === Access from off Grounds === === Access from off Grounds ===
  
-**Use one of these options to access CS servers from outside of UVA.**+**Use one of these options to access CS servers from outside of UVA:**
  
 === Option 1: VPN access === === Option 1: VPN access ===
  
- +Start a VPN session to UVA using the [[https://​virginia.service-now.com/​its?​id=itsweb_kb_article&​sys_id=f24e5cdfdb3acb804f32fb671d9619d0|UVA VPN]]. Once the VPN is established,​ you can //ssh// to CS servers directly. Note that you should use the UVA "​Anywhere"​ VPN, not the "More Secure"​ VPN.
-If you are outside of the UVA network (off grounds) then you can first start a VPN session to UVA using the [[https://​virginia.service-now.com/​its?​id=itsweb_kb_article&​sys_id=f24e5cdfdb3acb804f32fb671d9619d0|UVA VPN]]. Once the VPN is established,​ you can 'ssh' ​to CS servers directly.+
  
 === Option 2: Access via portal.cs.virginia.edu === === Option 2: Access via portal.cs.virginia.edu ===
  
-You can ssh directly into ''​%%portal.cs.virginia.edu%%''​ without having to use the UVA VPN.  Once you are logged into the ''​%%portal%%''​ cluster, you can then ssh to other CS servers.+You can //ssh// directly into ''​%%portal.cs.virginia.edu%%''​ without having to use the UVA VPN.  Once you are logged into the ''​%%portal%%''​ cluster, you can then //ssh// to other CS servers.
  
 +For example:
 <​code>​ <​code>​
-[abc1de@outside-uva ~]$ ssh -l abc1de portal.cs.virginia.edu+[abc1de@outside-uva ~]$ ssh abc1de@portal.cs.virginia.edu
 abc1de@portal.cs.virginia.edu'​s password: ​ abc1de@portal.cs.virginia.edu'​s password: ​
-Last login: Mon Jul 29 14:​12:​10 ​2019+Last login: Mon Jul 29 14:​12:​10 ​2021
 abc1de@portal04 ~ $ hostname abc1de@portal04 ~ $ hostname
-portal04 ​                                              <​-- ​We are logged into portal cluster +portal04 ​                                              <​-- ​you are logged into the portal cluster 
-abc1de@portal04 ~ $ ssh gpusrv01 ​                        ​<​-- ​We can now access ​gpusrv01+abc1de@portal04 ~ $ ssh gpusrv01 ​                      ​<​-- ​you can now ssh to gpusrv01
 abc1de@gpusrv01'​s password: abc1de@gpusrv01'​s password:
-.... +abc1de@gpusrv01 ~ $                                    <​-- you are logged into gpusrv01
-abc1de@gpusrv01 ~ $+
 </​code>​ </​code>​
  
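Review bot: the updated transcript moves to the ''user@host'' form and a 2021 login date, consistent with the intro, but the "<-- ..." annotations sit inside the <code> block and will be copied along with the commands by anyone pasting the example; consider moving them into the prose or marking them as comments. The ''hostname'' line shows ''portal04'' while the text calls it the ''portal'' cluster; one sentence saying that the reader may land on a different cluster member, so their prompt will differ from the example, would avoid confusion.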
 === Jumphost Option === === Jumphost Option ===
  
-The ssh client ​has an option ''​%%-J%%''​ to specify a host to use as a "​jumphost"​ that lets you access other servers directly, in one step.  This combines two steps (for example, ssh into portal.cs.virginia.edu and then ssh to gpusrv01) into one single command. ​ From the //man// page:+The //ssh// command ​has an option ''​%%-J%%''​ to specify a server ​to use as a "​jumphost"​ that lets you access other servers directly ​with one command.  This combines two steps (for example, ​//ssh// into //portal.cs.virginia.edu// and then //ssh// to //gpusrv01//).
  
-<​code>​ +Here is how we use this option to "​jump"​ from //portal// to another CS server. ​ Let's repeat the example of logging in to //gpusrv01//.
-     -J destination +
-             ​Connect to the target host by first making a ssh connection to +
-             the jump host described by destination and then establishing a +
-             TCP forwarding to the ultimate destination from there. ​ Multiple +
-             jump hops may be specified separated by comma characters. ​ This +
-             is a shortcut to specify a ProxyJump configuration directive. +
-             Note that configuration directives supplied on the command-line +
-             ​generally apply to the destination host and not any specified +
-             jump hosts. ​ Use ~/​.ssh/​config to specify configuration for jump +
-             ​hosts. +
-</​code>​ +
- +
-Here is how we use this option to "​jump"​ from portal.cs to another CS server. ​ Let's repeat the example of logging in to ''​%%gpusrv01%%''​+
  
 <​code>​ <​code>​
-[abc1de@outside-uva ~]$ ssh -l abc1de gpusrv01 -J portal.cs.virginia.edu +[abc1de@outside-uva ~]$ ssh abc1de@gpusrv01 -J abc1de@portal.cs.virginia.edu 
-abc1de@portal04.cs.virginia.edu'​s password: ​                           <-- first asked to authenticate to portal +abc1de@portal04.cs.virginia.edu'​s password: ​                 <-- first asked to authenticate to portal 
-abc1de@gpusrv01'​s password: ​                                             <-- immediately able to log into gpusrv01 +abc1de@gpusrv01'​s password: ​                                 <-- immediately able to log into gpusrv01 
-.... +abc1de@gpusrv01 ~ $                                          <​-- you are logged into gpusrv01
-abc1de@gpusrv01 ~ $+
 </​code>​ </​code>​
  
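Review bot: putting the userid on the jump host (''-J abc1de@portal.cs.virginia.edu'') addresses the case the intro warns about, a local username that differs from the CS userid, so this is a good change. The removed man-page excerpt was the only place that mentioned ''ProxyJump'' in ''~/.ssh/config'' as the persistent form of ''-J'' and that command-line directives apply to the destination rather than the jump host; consider keeping one sentence on that rather than dropping it entirely.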
-=== Server Domain ​Names ===+=== Host Names depend upon your network connection ​===
  
-Computer Science ​hosts its own DNS server ​with authority over the ''​%%cs.virginia.edu%%'' domain space. ​ Any server in CS will have a fully qualified ​domain ​name (fqdn) of ''​%%hostname.cs.virginia.edu%%''​.+If you are on the Computer Science ​network just use the hostname of a server ​(ex//portal//)If you are outside of the CS network (on wireless for example), use the hostname'fully qualified name (ex. //portal.cs.virginia.edu//)
  
-=== Short Names ===+=== Available Servers ​===
  
-If you are inside of the Computer Science network then use the hostname of a server instead of its fully qualified name.  For example, if you are logged into a CS server, you can ping another server by its hostname alone. +For a listing of generally available servers in CS, see [[compute_resources|Computing Resources]]
- +
-<​code>​ +
-abc1de@portal01:​~$ ping portal03 +
-PING portal03.cs.virginia.edu (128.143.67.43) 56(84) bytes of data. +
-64 bytes from portal03.cs.virginia.edu (128.143.67.43):​ icmp_seq=1 ttl=64 time=0.149 ms +
-64 bytes from portal03.cs.virginia.edu (128.143.67.43):​ icmp_seq=2 ttl=64 time=0.123 ms +
-</​code>​ +
- +
-This will not work from outside of the CS network unless you modify your DNS search path to contain ''​%%cs.virginia.edu%%''​. +
- +
-=== Login to other servers === +
- +
-=== From Linux/Mac OS === +
- +
-To log into a server from another computer running Linux/​Unix/​MacOS,​ run the following from a shell: +
- +
-<​code>​ +
-abc1de@host ~ $ ssh username@gpusrv04.cs.virginia.edu +
-abc1de@gpusrv04'​s password: ​                             <- Enter Password +
-... +
-[abc1de@gpusrv04 ~]$ +
-</​code>​ +
- +
-In Mac OS the Terminal app can be found in the Utilities folder under Applications. +
- +
-=== From Windows === +
- +
-For information about SSH clients for Windows, see the article [[windows_ssh|SSH from Windows]] +
- +
-=== Servers === +
- +
-For a listing of generally available servers in CS, see the article ​[[compute_resources|General Purpose Nodes]] +
- +
-=== Login Restrictions (Info for Faculty) === +
- +
-We want to give all of our users fair and equal access to whatever computing resources we have to offer. We do not restrict login access to certain servers. ​ However, there are a number of servers that still have access restrictions in place. ​ This article is to show users with ''​%%sudo%%''​ privileges how to edit ''​%%/​etc/​security/​time.conf%%''​ to allow user logins. +
- +
-There are several configuration files located in ''​%%/​etc/​security%%''​ on Linux servers. ​ In this directory, we can use ''​%%time.conf%%''​ to restrict ssh login to a specific set of user accounts. +
- +
-By default, access rules in ''​%%time.conf%%''​ are not used unless a //PAM module// (pluggable authentication module) is configured to read them.  This is done by adding a line to the ''​%%sshd%%''​ //PAM// module file.   +
- +
-Add the following line to the file to the end ''​%%/​etc/​pam.d/​sshd%%'':​ +
- +
-<​code>​ +
-account ​            ​required ​               pam_time.so +
-</​code>​ +
- +
-Now that //PAM// is configured to read ''​%%time.conf%%''​ we can now put in a rule.  Here is an example rule from ''​%%time.conf%%'':​ +
- +
-<​code>​ +
-sshd;​*;​!root&​abc1de&​fgh1ij&​klm1no;​!Al0000-2400 +
-</​code>​ +
- +
-This line is formatted such that the users listed are separated by ampersand ''​%%&​%%''​ characters. ​ This entry will allow the users ''​%%root%%'',​ ''​%%abc1de%%'',​ ''​%%fgh1ij%%''​ and ''​%%klm1no%%''​ are allowed access. ​ **Be sure to always include yourself and root in this rule.  Failure to do so may result in everyone becoming locked out.** +
- +
-If we wanted to add the user ''​%%pqr1st%%''​ to this rule above, we would insert the string ''​%%&​pqr1st%%''​ like this: +
- +
-<​code>​ +
-sshd;​*;​!root&​abc1de&​fgh1ij&​klm1no$pqr1st;​!Al0000-2400 +
-</​code>​+
  
-Changes to this file take effect immediately,​ no services need to be restarted. ​ When editing this file, be sure that you keep at least one active ssh connection until you have tested your changes. ​ This will prevent becoming locked out if any errors are made! 
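Review bot: the "Login Restrictions (Info for Faculty)" section is removed without a pointer to where the ''pam_time'' / ''time.conf'' guidance now lives; if it was moved to another article, add a link under "Available Servers". If it is reinstated anywhere, fix two defects the old text carried: the prose says to insert ''&pqr1st'' but the example line shows ''$pqr1st'', and the sentence "This entry will allow the users ... are allowed access" is ungrammatical. The removed "Short Names" ping example and the DNS search-path note are collapsed into a single sentence under "Host Names depend upon your network connection", which loses the concrete advice that adding ''cs.virginia.edu'' to the DNS search path makes short names resolve off-network; consider keeping that sentence.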
  • linux_ssh_access.1601988473.txt.gz
  • Last modified: 2020/10/06 12:47
  • by pgh5a