
Connecting to CCS Systems



One-time passwords

The CCS plans to move from static passwords to one-time passwords (OTPs) using RSA SecurID tokens. The transition to OTPs will occur in the following stages.

  • A small number of CCS test users who are ORNL staff will start using OTPs on each major system as the system becomes capable of supporting OTPs.
  • After all major CCS systems support OTPs, all CCS users who are ORNL staff will begin using OTPs for authentication to all CCS systems.
  • As we are able to process, ship, and activate RSA SecurID tokens for external CCS users, they will start using OTPs for authentication to all CCS systems.
  • Once all active CCS users have RSA SecurID tokens, support for static passwords will be disabled on all CCS systems.
During the transition, some users will use OTPs while others will continue to use static passwords. We will communicate to each user when their authentication method is about to change. The signal that your authentication method has actually changed on a given system is the following.
  • Before the change, you will be asked for a password when you connect with SSH, like so:
    user's password:
  • After the change, you will be asked for a PASSCODE, like so:
    Enter PASSCODE:

The CCS is currently in the first stage of the OTP transition. We will provide more information on schedule and usage once we are further along in the transition.


DCE and passwords

The CCS systems use the Distributed Computing Environment (DCE) for user authentication. With DCE, all user information is centralized in the "registry", so the nodes of systems with native DCE do not require a separate copy of each user's login information (an "/etc/passwd" entry). However, not every node has native DCE. Because of this limitation, users can only change their passwords on systems with native DCE, such as Home, Cheetah, and Eagle.

CCS passwords require a mixture of alphabetic characters, numeric characters, and at least one special character. Note that you cannot use paired parentheses in your password.


SSH

To avoid the risks associated with plaintext communication, the only supported remote client on CCS systems is SSH, which encrypts the entire session between the CCS systems and the client system. The only authentication method currently supported is static passwords; SSH key (public-key) authentication is no longer supported. As described above, the CCS is in the process of moving to one-time passwords.

Note that your SSH client must support protocol version 2 (supported by all modern SSH clients). Several security vulnerabilities exist in version 1, and access using a version 1 client is no longer allowed.


SSH keyboard interactive authentication

Your ssh client must allow keyboard-interactive authentication to access NCCS systems at ORNL.

For UNIX-based ssh clients, keyboard-interactive should be one of the preferred authentication methods. For example, the following line can be placed in either the default ssh_config file or your $HOME/.ssh/config file:

   PreferredAuthentications keyboard-interactive,password
The line may also list other authentication methods, but keyboard-interactive must be included.


For SecureCRT the change can be made with the following steps:

   1) Select "Connect..." from the File menu. The Connect Dialog will appear.
   2) Right-click on the session and select "Properties" from the context
      menu. The Session Options dialog will appear.
   3) Select the "Connection" category.
   4) Select "Keyboard Interactive" as the primary authentication type.
The above steps have been tested on version 3.2.9 and may be slightly different for other versions.

SCP and shell initialization

SCP is a secure remote copy program based on SSH. SCP only works with CCS systems if your per-process shell initialization files produce no output. This means that ".cshrc" or ".kshrc" must not issue any commands that write to standard output. If you would like this file to write to standard output for interactive sessions, you must edit it so that it does so only for interactive sessions.

For "ksh", use the following template.

   # tty exits 0 only when standard input is a terminal, so $? is 0
   # for interactive logins and non-zero under scp or batch jobs.
   TTY=`/usr/bin/tty`
   if [ $? = 0 ]; then
      /usr/bin/echo "interactive stuff goes here"
   fi

For "csh", use the following template.

   # tty exits 0 only when standard input is a terminal; $status is 0
   # for interactive logins and non-zero under scp or batch jobs.
   ( /usr/bin/tty ) > /dev/null
   if ( $status == 0 ) then
      /usr/bin/echo "interactive stuff goes here"
   endif

Feel free to contact the CCS consultants with questions about using SCP or SSH.


X11 Tunneling

Automatic forwarding of the X11 display to a remote computer is possible with the use of SSH and a local X server. To set up automatic X11 tunneling with SSH you can do one of the following:

  • command line: Invoke "ssh" with the "-X" option, for example "ssh -X host". Note that the "-x" (lower-case x) option disables X11 forwarding.
  • configuration file: Edit (or create) the ".ssh/config" file so that it contains the following line:
            ForwardX11 yes


All X11 programs will go through the encrypted channel, and the connection to the real X server will be made from the local machine.

The "DISPLAY" value set by SSH will point to the server machine, but with a display number greater than zero. This is normal, and happens because SSH creates a proxy X server on the server machine for forwarding the connections over the encrypted channel. The user should not manually set the "DISPLAY" variable, because then a non-encrypted channel will be used.


Changing your default shell

To change your default shell, for example to "tcsh" or "bash", you must execute the commands below on one of the native-DCE systems (Home, Cheetah, Eagle).

Do the following.

  • First enter "dcecp". This will present a prompt, "dcecp>".
  • Modify the shell as follows.
    • For "tcsh":
      dcecp> account modify your-username -shell /usr/local/bin/tcsh
    • For "bash":
      dcecp> account modify your-username -shell /usr/bin/bash

Notice that you need to know the full path of the shell executable, which can be found with "which shell-name".

Warning: If you change your shell to something that does not exist, like "/usr/local/bin/csh", you will no longer be able to log in because you have no valid shell. Contact "consult@ccs.ornl.gov" if you have any problems.
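The lockout described in the warning happens when the path handed to "account modify" does not exist. The following pre-flight check is an added example, not part of the CCS page: it resolves the shell name or path, verifies it is an executable file, and only then prints the line to enter at the "dcecp>" prompt (the user name is a constructed placeholder).

```sh
#!/bin/sh
# Added example, not from the CCS page: verify a shell path before giving it
# to "dcecp account modify", so a typo cannot leave the account without a
# valid login shell.

# Print the absolute path of a shell given as a name ("tcsh") or a path
# ("/usr/local/bin/tcsh"); fail if it does not resolve to an executable file.
resolve_shell() {
    case $1 in
        /*) path=$1 ;;
        *)  path=$(command -v "$1" 2>/dev/null) || return 1 ;;
    esac
    # Must be an existing, executable regular file, not a directory.
    [ -f "$path" ] && [ -x "$path" ] || return 1
    printf '%s\n' "$path"
}

# Build the line to enter at the dcecp> prompt for user $1 and shell $2.
# Refuses to produce a command for a shell that would lock the user out.
dcecp_modify_command() {
    path=$(resolve_shell "$2") || {
        echo "refusing: '$2' is not an executable shell on this system" >&2
        return 1
    }
    printf 'account modify %s -shell %s\n' "$1" "$path"
}

# Demo with a constructed user name. "/bin/sh" exists on every UNIX system;
# "/usr/local/bin/csh" is the page's own example of a missing shell.
dcecp_modify_command your-username /bin/sh
dcecp_modify_command your-username /usr/local/bin/csh || echo "(shell not changed)"
```

Run the check on the native-DCE system where you will enter the dcecp command, since that is where the shell path has to exist.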


Problems with backspace

If backspace produces "^?" instead of what you expect, fix it at the command prompt by typing "stty erase " followed by a space, pressing the backspace key, and then pressing Enter:

   stty erase <press the backspace key>

You can put this in your ".profile" ("ksh") or ".login" ("csh") file so that it is set automatically when you log in. This "stty" command should also be executed only for interactive shells, not batch jobs. Edit your file with the interactive test shown in the SCP section above.
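The interactive guard from the SCP section and the "stty" fix above belong in the same startup file, and the way to confirm the file is safe for SCP is to run it the way SCP does, with no terminal attached. This added example (not from the CCS page) writes such a guarded fragment and a deliberately noisy one to constructed temporary files and checks each for silence.

```sh
#!/bin/sh
# Added example, not from the CCS page: a guarded .kshrc/.profile fragment
# and a self-check that runs it the way scp does (no terminal on stdin) to
# confirm it writes nothing. File paths below are constructed for the demo.

# Write the guarded fragment. "tty" exits 0 only when stdin is a terminal,
# so the greeting and the stty fix run for interactive logins only.
# (The page spells the command /usr/bin/tty; plain "tty" relies on PATH.)
write_guarded_rc() {
    cat > "$1" <<'EOF'
if tty >/dev/null 2>&1; then
    echo "Welcome to the CCS"
    stty erase '^?'      # same as pressing backspace after "stty erase "
fi
EOF
}

# An unguarded fragment (constructed) of the kind that breaks scp: it
# prints unconditionally, so the bytes land in scp's data stream.
write_noisy_rc() {
    printf 'echo "Welcome to the CCS"\n' > "$1"
}

# Run a fragment as scp/ssh would: non-interactive sh, stdin not a terminal.
# Returns 0 only if nothing at all appeared on stdout or stderr.
rc_is_silent() {
    out=$(sh "$1" </dev/null 2>&1)
    [ -z "$out" ]
}

main() {
    dir=$(mktemp -d)
    write_guarded_rc "$dir/kshrc"
    write_noisy_rc "$dir/noisy"
    rc_is_silent "$dir/kshrc" && echo "guarded fragment: safe for scp"
    rc_is_silent "$dir/noisy" || echo "noisy fragment: would break scp"
    rm -rf "$dir"
}

main
```

To check your real file, point rc_is_silent at your own ".kshrc" (or a copy of the relevant lines); any output at all means SCP transfers to that account will fail.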

Another tactic is to change the configuration of your SSH client. For instance, if you are using PuTTY SSH from a Windows system, the default backspace key sends Control-?. This can be changed by going to the "Keyboard" category and setting backspace to Control-H.



URL http://www.ccs.ornl.gov/user/connecting.html
Updated: Wednesday, 04-May-2005 10:20:30 EDT
consult@ccs.ornl.gov