Access

Usage Policies

Use of systems at the NCCS is subject to the usage policies found on the general access page.

Connection Utilities

To avoid risks associated with using plain-text communication, the only supported remote client on NCCS systems is a secure shell (SSH) client, which encrypts the entire session between the NCCS systems and the client system. Currently, the only authentication method supported is one-time passwords (OTPs); static passwords and private-key authentication are no longer supported.

For example, to connect to Jaguar from a UNIX-based system, you’d use the following:

ssh userid@jaguar.ccs.ornl.gov

SSH clients are also available for Windows-based systems.

Note that your SSH client must support protocol version 2 (supported by all modern SSH clients). Several security vulnerabilities exist in version 1, and access using a version 1 client is no longer allowed.

Your SSH client must allow keyboard-interactive authentication to access NCCS systems.

For UNIX-based SSH clients, the following line should be in either the default ssh_config file or your $HOME/.ssh/config file:

 PreferredAuthentications keyboard-interactive,password

The line may also contain other authentication methods, but keyboard-interactive must be included.
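The following is an added example, not NCCS-provided code: a small checker that resolves a client configuration for one host and reports where it conflicts with the requirements above. It handles only `Host` blocks (no `Match` or `Include`), and the sample configuration is constructed. Because ssh uses the first value it finds for each option, an earlier `Host` block can silently override the required line.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample $HOME/.ssh/config (not taken from the NCCS page).
SAMPLE_CONFIG = """\
Host jaguar*
    Protocol 2,1
    PreferredAuthentications publickey,password

Host *.ccs.ornl.gov
    PreferredAuthentications keyboard-interactive,password
"""

def effective_options(config_text, host):
    """Resolve options for `host`; ssh keeps the first value it finds."""
    options, applies = {}, True  # lines before any Host block apply to all hosts
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"(\S+?)(?:\s*=\s*|\s+)(.*)", line)
        if not m or line.startswith("#"):
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            pats = value.split()
            excluded = any(fnmatchcase(host, p[1:]) for p in pats if p.startswith("!"))
            included = any(fnmatchcase(host, p) for p in pats if not p.startswith("!"))
            applies = included and not excluded
        elif applies:
            options.setdefault(key, value)  # a later duplicate never overrides
    return options

def audit(config_text, host):
    """Return the requirements from this page that the resolved options violate."""
    opts = effective_options(config_text, host)
    problems = []
    methods = opts.get("preferredauthentications")
    if methods is None:
        problems.append("PreferredAuthentications is not set")
    elif "keyboard-interactive" not in [m.strip() for m in methods.split(",")]:
        problems.append("keyboard-interactive missing from PreferredAuthentications")
    if "1" in [v.strip() for v in opts.get("protocol", "2").split(",")]:
        problems.append("Protocol allows SSH version 1")
    return problems

if __name__ == "__main__":
    for name in ("jaguar.ccs.ornl.gov", "home.ccs.ornl.gov"):
        print(name, audit(SAMPLE_CONFIG, name))
```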

For recent SecureCRT versions, the change can be made through the connection properties menu.

RSA Key Fingerprints

Occasionally, when logging in to a system, you may receive an error message such as the following:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.

This can be the result of normal system maintenance that changes an RSA public key, or it could be an actual security incident. Compare the fingerprint that your SSH, secure copy (SCP), or secure file transfer (SFTP) client shows you with the fingerprints listed below. If they do not match, do not continue authentication; instead, contact help@nccs.gov.

NCCS RSA Key Fingerprints

Host Key
hawk f8:af:0c:35:ec:b6:bb:0a:f8:bc:ae:84:76:74:6b:93
home 12:9b:10:f7:b9:c7:1b:a2:b0:52:5e:13:e2:b9:b2:8c
jaguar 0d:c9:db:37:55:da:41:26:55:4a:80:bb:71:55:dd:01
phoenix 5b:a9:1d:bb:65:14:dc:b3:1b:0e:0b:04:38:50:fa:5f
robin 93:54:17:6d:c4:b0:33:6e:1c:c1:11:f5:d4:33:5d:1d
ram 6c:c2:c3:ac:b7:b2:f4:8f:ce:13:58:2c:70:33:2a:27
smoky e3:88:b9:ba:fe:3a:fd:99:00:24:fc:e6:9d:5c:69:2b
lens cc:6e:ef:84:7e:7c:dc:72:71:7b:76:7f:f3:46:57:2b
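The following is an added example, not NCCS-provided code, showing how values in this format are derived and compared: each is the MD5 digest of the server's raw public-key blob, printed as colon-separated hex. The key in `SAMPLE_LINE` is constructed, and `verify_host` and the plain `host keytype base64` line format are assumptions of this sketch.

```python
import base64
import hashlib
import hmac

# Two entries copied from the table on this page (MD5, colon-separated hex).
PUBLISHED = {
    "jaguar": "0d:c9:db:37:55:da:41:26:55:4a:80:bb:71:55:dd:01",
    "home": "12:9b:10:f7:b9:c7:1b:a2:b0:52:5e:13:e2:b9:b2:8c",
}

def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed field as used inside an SSH public-key blob."""
    return len(data).to_bytes(4, "big") + data

# Constructed sample: a well-formed but meaningless ssh-rsa blob, not a real NCCS key.
_BLOB = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(b"\x00" + b"\xc3" * 32)
SAMPLE_LINE = "jaguar.ccs.ornl.gov ssh-rsa " + base64.b64encode(_BLOB).decode()

def md5_fingerprint(known_hosts_line: str) -> str:
    """MD5 fingerprint of the key in an unhashed 'host keytype base64' line."""
    fields = known_hosts_line.split()
    if len(fields) < 3:
        raise ValueError("expected: host keytype base64-key")
    blob = base64.b64decode(fields[2], validate=True)
    # The blob begins with its own length-prefixed key type; it must agree
    # with the key type written in the line, or the line has been altered.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n].decode("ascii", "replace") != fields[1]:
        raise ValueError("key type does not match key blob")
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def verify_host(short_name, known_hosts_line, published=PUBLISHED):
    """Return 'match', 'MISMATCH', or 'unknown-host' for a host in the table."""
    expected = published.get(short_name)
    if expected is None:
        return "unknown-host"
    actual = md5_fingerprint(known_hosts_line)
    return "match" if hmac.compare_digest(actual, expected.lower()) else "MISMATCH"

if __name__ == "__main__":
    # The constructed key cannot match the published value, so this reports
    # MISMATCH: the case in which authentication must not continue.
    print(md5_fingerprint(SAMPLE_LINE), verify_host("jaguar", SAMPLE_LINE))
```

Current OpenSSH clients print SHA256 fingerprints by default; `ssh-keygen -l -E md5 -f <keyfile>` prints the MD5 form used in the table.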

One-Time Password Authentication

All NCCS systems currently use OTPs as their authentication method. To log in to NCCS systems, an RSA SecurID key fob is required.

RSA Keyfob

To activate your new SecurID key fob, do the following:

  • Call 865-241-6536 to activate your SecurID fob.

  • Initiate an SSH connection to home.ccs.ornl.gov.

  • When prompted for a PASSCODE, enter the token code shown on the fob.

  • You will be asked if you are ready to set your PIN. Answer with “Y.”

  • You will be prompted to enter a PIN. Enter a 4- to 6-digit number you can remember. You will then be prompted to reenter your PIN.

  • You will then be prompted to wait until the next token code appears on your fob and to enter your PASSCODE, which is now your PIN + 6-digit token code displayed on your fob.

  • Your PIN is now set, and your fob is activated and ready for use.

To use your fob, do the following:

When prompted for your PASSCODE, enter your PIN + 6-digit token code shown on the fob. For example, if your PIN is 1234 and the token code is 987654, enter 1234987654 when you are prompted for a PASSCODE.

File Transfer Utilities

The SSH-based SCP and SFTP utilities can be used to transfer files to and from NCCS systems.

For larger files, the multistreaming transfer utility BaBar copy program (BBCP) may be used. The BBCP utility is capable of breaking up your transfer into multiple simultaneously transferring streams, thereby transferring data faster than single-streaming utilities such as SCP and SFTP.

For more information on data transfers, see the data transfer page in the general support section.

X11 Tunneling

Automatic forwarding of the X11 display to a remote computer is possible with the use of SSH and a local X server. To set up automatic X11 tunneling with SSH, you can do one of the following:

  1. Command line: Invoke ssh with the -X option, ssh -X <host>. Note that use of the -x (lowercase “x”) option will disable X11 forwarding.

     OR

  2. Configuration file: Edit (or create) the .ssh/config file to have the following line in it:

ForwardX11 yes

All X11 programs will go through the encrypted channel, and the connection to the real X server will be made from the local machine.

The DISPLAY value set by SSH will point to the remote machine but with a display number greater than zero. This is normal and happens because SSH creates a proxy X server on the remote machine for forwarding the connections over the encrypted channel. Do not set the DISPLAY variable manually, because a non-encrypted channel could then be used.

Changing Your Default Shell

Please contact the NCCS User Assistance Group to request a different default shell.