Access
Usage Policies
Use of systems at the NCCS is subject to the usage policies found on the general access page.
Connection Utilities
To avoid risks associated with using plain-text communication, the only supported remote client on NCCS systems is a secure shell (SSH) client, which encrypts the entire session between the NCCS systems and the client system. Currently, the only authentication method supported is one-time passwords (OTPs); static passwords and private-key authentication are no longer supported.
For example, to connect to Jaguar from a UNIX-based system, you’d use the following:
ssh userid@jaguar.ccs.ornl.gov
SSH clients are also available for Windows-based systems.
Note that your SSH client must support protocol version 2 (supported by all modern SSH clients). Several security vulnerabilities exist in version 1, and access using a version 1 client is no longer allowed.
Your SSH client must allow keyboard-interactive authentication to access NCCS systems.
For UNIX-based SSH clients, the following line should be in either the default ssh_config file or your $HOME/.ssh/config file:
PreferredAuthentications keyboard-interactive,password
The line may also contain other authentication methods, but keyboard-interactive must be included.
For recent SecureCRT versions, the change can be made through the connection properties menu.
RSA Key Fingerprints
Occasionally, you may receive an error message upon logging in to a system such as the following:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
This can be a result of normal system maintenance that changes an RSA public key or could be an actual security incident. If the fingerprint your SSH/secure copy (SCP)/secure file transfer (SFTP) client shows you does not match the one listed below for that host, do not continue authentication; instead, contact help@nccs.gov.
NCCS RSA Key Fingerprints
Host | Key |
---|---|
hawk | f8:af:0c:35:ec:b6:bb:0a:f8:bc:ae:84:76:74:6b:93 |
home | 12:9b:10:f7:b9:c7:1b:a2:b0:52:5e:13:e2:b9:b2:8c |
jaguar | 0d:c9:db:37:55:da:41:26:55:4a:80:bb:71:55:dd:01 |
phoenix | 5b:a9:1d:bb:65:14:dc:b3:1b:0e:0b:04:38:50:fa:5f |
robin | 93:54:17:6d:c4:b0:33:6e:1c:c1:11:f5:d4:33:5d:1d |
ram | 6c:c2:c3:ac:b7:b2:f4:8f:ce:13:58:2c:70:33:2a:27 |
smoky | e3:88:b9:ba:fe:3a:fd:99:00:24:fc:e6:9d:5c:69:2b |
lens | cc:6e:ef:84:7e:7c:dc:72:71:7b:76:7f:f3:46:57:2b |
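One way to check a host key against the table above before logging in, as an added example that is not NCCS's own code: the listed values are MD5 fingerprints, that is, the MD5 digest of the base64-decoded public key blob, whereas current OpenSSH prints SHA256 fingerprints by default. The function names, the sample key line and the use of GNU base64 and md5sum are assumptions of this example.

```shell
#!/bin/sh
# Added example (not NCCS code). Assumes GNU coreutils: base64, md5sum.

# Constructed sample in ssh-keyscan output format: "host keytype base64-blob".
# The blob is a toy value, not a real NCCS host key.
SAMPLE_LINE='jaguar.ccs.ornl.gov ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAAQE='

# Print the MD5 fingerprint (aa:bb:...) of the first ssh-rsa key line on stdin.
# The fingerprint is the MD5 digest of the base64-decoded key blob.
md5_fp() {
    blob=$(awk '$2 == "ssh-rsa" { print $3; exit }')
    # An empty scan result must fail rather than hash the empty string.
    [ -n "$blob" ] || return 1
    printf '%s' "$blob" | base64 -d | md5sum | cut -d' ' -f1 |
        sed 's/../&:/g; s/:$//'
}

# Succeed (exit 0) only if the key on stdin hashes to the fingerprint in $1.
# Returns 1 on mismatch and 2 when no ssh-rsa key was found in the input.
check_fp() {
    expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    actual=$(md5_fp) || { echo "no ssh-rsa key in input" >&2; return 2; }
    if [ "$actual" = "$expected" ]; then
        echo "match: $actual"
    else
        echo "MISMATCH: got $actual, expected $expected" >&2
        return 1
    fi
}

# Fingerprint of the constructed sample key.
printf '%s\n' "$SAMPLE_LINE" | md5_fp

# Real use, run before the first login (needs network access):
#   ssh-keyscan -t rsa jaguar.ccs.ornl.gov 2>/dev/null |
#       check_fp 0d:c9:db:37:55:da:41:26:55:4a:80:bb:71:55:dd:01
```

With OpenSSH itself, ssh-keygen -l -E md5 -f <keyfile> or the FingerprintHash md5 client option prints the same colon-separated digest, prefixed with MD5:.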
One-Time Password Authentication
All NCCS systems currently use OTPs as their authentication method. To log in to NCCS systems, an RSA SecurID key fob is required.
To activate your new SecurID key fob, do the following:
- Call 865-241-6536 to activate your SecurID fob.
- Initiate an SSH connection to home.ccs.ornl.gov.
- When prompted for a PASSCODE, enter the token code shown on the fob.
- You will be asked if you are ready to set your PIN. Answer with “Y.”
- You will be prompted to enter a PIN. Enter a 4- to 6-digit number you can remember. You will then be prompted to reenter your PIN.
- You will then be prompted to wait until the next token code appears on your fob and to enter your PASSCODE, which is now your PIN + 6-digit token code displayed on your fob.
- Your PIN is now set, and your fob is activated and ready for use.
To use your fob, do the following:
When prompted for your PASSCODE, enter your PIN + 6-digit token code shown on the fob. For example, if your PIN is 1234 and the token code is 987654, enter 1234987654 when you are prompted for a PASSCODE.
File Transfer Utilities
The SSH-based SCP and SFTP utilities can be used to transfer files to and from NCCS systems.
For larger files, the multistreaming transfer utility BaBar copy program (BBCP) may be used. The BBCP utility is capable of breaking up your transfer into multiple simultaneously transferring streams, thereby transferring data faster than single-streaming utilities such as SCP and SFTP.
For more information on data transfers, see the data transfer page in the general support section.
X11 Tunneling
Automatic forwarding of the X11 display to a remote computer is possible with the use of SSH and a local X server. To set up automatic X11 tunneling with SSH, you can do one of the following:
- Command line: Invoke ssh with the -X option, ssh -X <host>. Note that use of the -x (lowercase “x”) option will disable X11 forwarding.
OR
- Configuration file: Edit (or create) the .ssh/config file to have the following line in it:
ForwardX11 yes
All X11 programs will go through the encrypted channel, and the connection to the real X server will be made from the local machine.
The DISPLAY value set by SSH will point to the remote machine but with a display number greater than zero. This is normal and happens because SSH creates a proxy X server on the remote machine for forwarding the connections over the encrypted channel. The user should not manually set the DISPLAY variable because then a non-encrypted channel could be used.
Changing Your Default Shell
Please contact the NCCS User Assistance Group to request a different default shell.