User Accounts - pftp/ftp Authentication

The ftp protocol is used by many NERSC users to transfer files to NERSC's HPSS systems. For example, the client applications ftp and pftp both use the ftp protocol. The problem is that the ftp protocol sends the username and password across the internet in plain text. NERSC has developed a secure method of remote automatic authentication to HPSS. It replaces sending the clear text password across the internet.

Authentication for archive.nersc.gov

For the archive.nersc.gov system, both your username and password are encrypted by the NERSC Authentication Server, and these encrypted strings are used instead of your actual name and password. They can be either entered interactively or placed in a .netrc file. Plain text names and passwords are no longer accepted. Each encrypted pair is only valid for access from the site from which it was generated (see below). Additional encrypted pairs must be generated for each site from which you want to use pftp/ftp to connect to HPSS.

Encrypting your password

The process described here requires the use of two windows (xterms are recommended) on the machine from which access to HPSS is desired. (In the example to follow, this machine is named "highline".) Special encrypted username/password strings (called "encrypted_strings" below) are generated and put into a file named ".netrc". Please note:
Generating and Using Encrypted Identity Information

In the following steps, all text the user must type is shown in red.
Step 1
    module help WWW

Note that this special login/password pair is only for initial access to the authentication server and is not to be confused with your DCE/HPSS login and password that you will be encrypting.
Step 2
    highline 10: ssh auth.nersc.gov -l {special login}
    auth@mover2.nersc.gov's password: {special password}
    <Login notice info removed>
    You are in an authentication shell
    Type help to list the commands you can run
    [auth]:

Now you are in a restricted shell that will accept only a few commands. Among them is "ftppass", which will be used in step 3. You can see the allowed commands via the "help" command:

    [auth]: help
    The following commands are the only ones recognized:
    ftppass ftpproxy chpass help h quit q exit
    For abbreviated help on commands type 'help commandname'
    The commands: q, quit and exit will all exit auth
    [auth]:
Step 3
    [auth]: ftppass
    DCE Principal: your_HPSS_username
    DCE Password: your_HPSS_password
    login [encrypted_string]
    password [encrypted_string]
    [auth]: exit
    Bye
    Connection to auth.nersc.gov closed.

The encrypted_strings are those returned in the lines beginning with "login" and "password"; these lines will be used in step 4.

Proxy Servers

Instead of the ftppass command, use the ftpproxy command to connect to auth.nersc.gov from one network and generate keys for another network. You may need to use this if you are behind a firewall and make pftp/ftp connections through a proxy server. The syntax for a proxy server with address 123.45.56.78 is

    [auth]: ftpproxy 123.45.56.78

Replace the IP address above with that of your IP proxy server.
Step 4
    machine archive.nersc.gov
    login [encrypted_string]
    password [encrypted_string]

    machine archive
    login [encrypted_string]
    password [encrypted_string]

Multiple pftp/ftp hosts can be put in the .netrc file, separated by blank lines.
Step 5
    highline 9: chmod 600 .netrc
    highline 10: ls -l .netrc
    -rw------- 1 user staff 75 Mar 16 10:03 .netrc

This completes the generation of an encrypted identity. Now, whenever pftp/ftp is used by this user from this workstation to connect to either of the HPSS systems, the encrypted_strings in the ".netrc" file will provide authentication, as shown in the next step.
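The file creation and permission check from steps 4 and 5, as an added shell example that is not NERSC's own code: the function names are hypothetical, and the login and password arguments stand for the encrypted_strings returned by ftppass. It creates the file under umask 077 so the strings are never readable by other users, then verifies the mode and the archive.nersc.gov entry.

```sh
#!/bin/sh
# Added example, not NERSC code. Function names are hypothetical.

# write_netrc FILE LOGIN_STRING PASSWORD_STRING
# Writes the two step-4 entries. The subshell sets umask 077 first, so the
# file is created as -rw------- and is never readable by other users, not
# even between creation and the chmod of step 5. mv replaces any older file.
write_netrc() (
    umask 077
    tmp="$1.new.$$"
    {
        printf 'machine archive.nersc.gov\nlogin %s\npassword %s\n\n' "$2" "$3"
        printf 'machine archive\nlogin %s\npassword %s\n' "$2" "$3"
    } > "$tmp" && mv -f "$tmp" "$1"
)

# has_entry FILE HOST: true if FILE has login and password tokens for HOST.
has_entry() {
    awk -v host="$2" '
        { for (i = 1; i <= NF; i++) tok[++n] = $i }
        END {
            for (i = 1; i < n; i++) {
                if (tok[i] == "machine") cur = tok[++i]
                else if (cur == host && tok[i] == "login") { l = 1; i++ }
                else if (cur == host && tok[i] == "password") { p = 1; i++ }
            }
            exit !(l && p)
        }' "$1"
}

# check_netrc FILE: returns 0 only if FILE is a regular file (not a symlink),
# has mode -rw------- as in the step-5 listing, and holds an entry for
# archive.nersc.gov. Reasons for failure go to stderr.
check_netrc() {
    f="$1"
    if [ ! -f "$f" ] || [ -L "$f" ]; then
        echo "$f: missing, or not a regular file" >&2; return 1
    fi
    perms=$(ls -ld "$f" | cut -c1-10)   # cut drops any ACL/SELinux suffix
    if [ "$perms" != "-rw-------" ]; then
        echo "$f: mode is $perms, expected -rw-------" >&2; return 1
    fi
    has_entry "$f" archive.nersc.gov || {
        echo "$f: no login/password for archive.nersc.gov" >&2; return 1
    }
}
```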
Step 6
    highline 11: ftp archive.nersc.gov
    Connected to archive-g0.nersc.gov.
    ...
    <Login notice info removed>
    331 User: user - Password Required.
    230 User /.../dce.nersc.gov/user logged in.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp>

At this point, any pftp/ftp command may be given, interactively or via a here-doc in a script. When you have stored your encrypted_strings in your .netrc file, you will not need to type in your username/password combination to gain pftp/ftp access to HPSS.

Authentication for hpss.nersc.gov

The hpss.nersc.gov system has a special encrypted password for ftp and pftp, but HSI and HTAR currently use the same password and .netrc file. See the special process for encrypting username/password pairs for screenshots and instructions on how to set up a password or .netrc file.
Page last modified: Tue, 09 Sep 2008 22:53:58 GMT
Page URL: http://www.nersc.gov/nusers/systems/hpss/accounts_passwords_ftp.php
Web contact: webmaster@nersc.gov
Computing questions: consult@nersc.gov