NERSC logo National Energy Research Scientific Computing Center
  A DOE Office of Science User Facility
  at Lawrence Berkeley National Laboratory
 

User Accounts - pftp/ftp Authentication

The ftp protocol is used by many NERSC users to transfer files to NERSC's HPSS systems. For example, the client applications ftp and pftp both use the ftp protocol. The problem is that the ftp protocol sends the username and password across the internet in plain text.

NERSC has developed a secure method of remote automatic authentication to HPSS. It replaces sending the clear text password across the internet.

Authentication for archive.nersc.gov

For the archive.nersc.gov system, both your username and password are encrypted by the NERSC Authentication Server and these encrypted strings are used instead of your actual name and password. They can be either entered interactively or placed in a .netrc file. Plain text names and passwords are no longer accepted.

Each encrypted pair is only valid for access from the site from which it was generated (see below). Additional encrypted pairs must be generated for each site from which you want to use pftp/ftp to connect to HPSS.

Encrypting your password

The process described here requires the use of two windows (xterms are recommended) on the machine from which access to HPSS is desired. (In the example to follow, this machine is named "highline".) Special encrypted username/password strings (called "encrypted_strings" below) are generated and put into a file named ".netrc".

Please note:

  • The encrypted_strings can be inserted in .netrc files, or entered manually (either directly in interactive pftp/ftp sessions or edited into pftp/ftp "here-docs" in shell scripts). They can also be used in pftp/ftp access via web browsers.
  • On PCs, GUI-based ftp clients may not use .netrc files; thus, the encrypted_strings must be entered manually.
  • An HPSS user can generate multiple encrypted_strings for use on different machines. For example, you will need an encrypted_string for your workstation in your office and another one for access from the NERSC supercomputers. Additional encrypted_strings may be necessary depending on the topology of your network.
  • Encrypted_strings generated on a particular workstation can be used in accessing all NERSC Production Mass Storage systems from that workstation.
  • You can use the encrypted_strings as often as you want. At any time, you can re-generate a new encrypted_string.

Generating and Using Encrypted Identity Information

In the following transcripts, the text the user must type follows the prompt (the original page showed it in red); placeholders for values you supply yourself are written in {curly braces}.

Step 1
You need to log on to the authentication server, "auth.nersc.gov", to encrypt your username/password. If you don't know the special login/password pair to log on to this server, the information can be obtained by logging into seaborg, jacquard, davinci or PDSF and typing the command:

      module help WWW
      

Note that this special login/password pair is only for initial access to the authentication server and is not to be confused with your DCE/HPSS login and password that you will be encrypting.

Step 2
In a window (xterm) on your workstation, connect via ssh to the NERSC authentication server, "auth.nersc.gov".

  highline 10: ssh auth.nersc.gov -l {special login}
  auth@mover2.nersc.gov's password: {special password}
  <Login notice info removed>
  You are in an authentication shell
  Type help to list the commands you can run
  [auth]:

Now you are in a restricted shell that will accept only a few commands. Among them is "ftppass", which will be used in step 3. You can see the allowed commands via the "help" command:

  [auth]: help
  The following commands are the only ones recognized:
 
  ftppass    ftpproxy   chpass     help       h
  quit       q          exit
 
  For abbreviated help on commands type 'help commandname'
  The commands: q, quit and exit will all exit auth
 
  [auth]:
   

Step 3
Use the "ftppass" command to generate an encrypted_string pair from your HPSS username and password; these strings will be used to authenticate to HPSS via pftp/ftp instead of your usual HPSS login id and password.

  [auth]: ftppass
  DCE Principal: your_HPSS_username
  DCE Password: your_HPSS_password
 
  login [encrypted_string]
  password [encrypted_string]
  
  [auth]: exit
 
  Bye
  Connection to auth.nersc.gov closed.
        

The encrypted_strings are those returned in the lines beginning with "login" and "password"; these lines will be used in step 4.

Proxy Servers

The encrypted_strings are tied to the address from which your pftp/ftp connections reach HPSS. If you are behind a firewall and your pftp/ftp connections go through a proxy server, that address is the proxy's, not your workstation's, so use the ftpproxy command instead of ftppass: it lets you connect to auth.nersc.gov from one network and generate encrypted_strings that are valid for another.

The syntax for a proxy server with address 123.45.56.78 is

        [auth]: ftpproxy 123.45.56.78
        

Replace the IP address above with that of your IP proxy server.

Step 4
In another window (xterm) on your workstation, edit a file named "~/.netrc", and insert three lines for each of the storage systems you wish to connect to:

  1. The first of the three lines specifies the name of a storage system;
  2. The next two lines are the "login" and "password" lines returned by auth.nersc.gov in step 3. The easiest thing to do is to copy and paste the two encrypted_string lines into this file.

The file's contents should look something like this:

  machine archive.nersc.gov
  login [encrypted_string]
  password [encrypted_string]
 
  machine archive
  login [encrypted_string]
  password [encrypted_string]

Multiple pftp/ftp hosts can be put in the .netrc file, separated by blank lines.

Step 5
Change the permissions for the ".netrc" file to "600" or "Owner Read-Write"; if they are anything else, the file will not be used by pftp/ftp and the process will not work. The encrypted_strings stand in for your password for anyone connecting from this site, so the file must not be readable by other users of the machine:

  highline 9: chmod 600 .netrc
  highline 10: ls -l .netrc
  -rw-------  1 user staff  75 Mar 16 10:03 .netrc

This completes the generation of an encrypted identity. Now, whenever pftp/ftp is used by this user from this workstation to connect to either of the HPSS systems, the encrypted_strings in the ".netrc" file will provide authentication, as shown in the next step.

Step 6
Connect to one of the HPSS systems via FTP from the workstation that was used in the previous steps. For example:

  highline 11: ftp archive.nersc.gov
  Connected to archive-g0.nersc.gov.
  ...
  <Login notice info removed>
  331 User: user - Password Required.
  230 User /.../dce.nersc.gov/user logged in.
  Remote system type is UNIX.
  Using binary mode to transfer files.
  ftp>

At this point, any pftp/ftp command may be given, interactively or via a here-doc in a script.

When you have stored your encrypted_strings in your .netrc file, you will not need to type in your username/password combination to gain pftp/ftp access to HPSS.
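The .netrc handling in steps 4 and 5, as an added shell example that is not part of the original page: it appends an entry in the three-line form shown above, forces mode 600 before any string is written, and checks that a given storage system has a complete entry under the required permissions. The file path, host names and encrypted_strings used with these functions are constructed placeholders, not real credentials, and the check expects the three-line layout used on this page rather than the one-line form .netrc also permits.

```shell
#!/bin/sh
# Added example (not NERSC's code): maintain and sanity-check a .netrc that
# holds the encrypted_strings returned by "ftppass" on auth.nersc.gov.

# netrc_add FILE MACHINE LOGIN PASSWORD
#   Append a three-line entry (preceded by a blank line if the file already
#   has content) to FILE, creating FILE owner-only so the strings are never
#   readable by other users, not even briefly.
netrc_add() {
    file=$1; machine=$2; login=$3; password=$4
    # umask 077 makes a newly created file 0600 before anything is written.
    (umask 077; touch "$file") || return 1
    # An existing file may have looser permissions; tighten it before writing.
    chmod 600 "$file" || return 1
    if [ -s "$file" ]; then printf '\n' >> "$file"; fi
    printf 'machine %s\nlogin %s\npassword %s\n' \
        "$machine" "$login" "$password" >> "$file"
}

# netrc_check FILE MACHINE
#   Return 0 if FILE is mode 600 and contains exactly one login line and one
#   password line for MACHINE; otherwise print the reason and return 1.
netrc_check() {
    file=$1; machine=$2
    [ -f "$file" ] || { echo "$file: missing"; return 1; }
    # GNU stat uses -c '%a', BSD/macOS stat uses -f '%Lp'; try both.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file" 2>/dev/null)
    [ "$mode" = "600" ] || { echo "$file: mode is $mode, must be 600"; return 1; }
    # The block for MACHINE runs from its "machine" line to the next "machine"
    # keyword or end of file; count the login/password lines inside it.
    awk -v m="$machine" '
        $1 == "machine" { in_block = ($2 == m); next }
        in_block && $1 == "login"    && NF == 2 { login++ }
        in_block && $1 == "password" && NF == 2 { pw++ }
        END { exit !(login == 1 && pw == 1) }' "$file" \
        || { echo "$file: no complete entry for $machine"; return 1; }
    return 0
}

# Typical use (placeholder strings; real ones come from ftppass):
#   netrc_add "$HOME/.netrc" archive.nersc.gov '[encrypted_string]' '[encrypted_string]'
#   netrc_check "$HOME/.netrc" archive.nersc.gov && ftp archive.nersc.gov
```

Run netrc_check before a scripted pftp/ftp session: a .netrc that is missing the entry or has been loosened to 644 (for example by an editor that recreates files) silently falls back to interactive prompting, which a here-doc script cannot answer.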

Authentication for hpss.nersc.gov

The hpss.nersc.gov system has a special encrypted password for ftp and pftp, but HSI and HTAR currently use the same password and .netrc file. See the special process for encrypting username/password pairs for screenshots and instructions on how to set up a password or .netrc file.


Page last modified: Tue, 09 Sep 2008 22:53:58 GMT
Page URL: http://www.nersc.gov/nusers/systems/hpss/accounts_passwords_ftp.php
Web contact: webmaster@nersc.gov
Computing questions: consult@nersc.gov