Passwords Starting Tigernet

2.4: Accessing the Computers

There two main categories of terminals that you should know about: X terminals (including the workstation consoles) and Macintoshes.

X terminals predominate in the Theory Division. These offer a windowing environment where the windows are controlled by the workstations or supercomputers.

Macintoshes allow connection to the Unix Cluster as a smart terminal running VersaTerm or NCSA Telnet. Macintoshes running VersaTerm are the main way in which users connect to the Unix cluster from home.

The principle ways of logging into one of the computers here at PPPL include:

1. Logging in directly via the console and/or through xdm (X Display Manager)
2. Through the command xrsh from another computer
3. Through the commands telnet or rlogin from an `Internet' computer
4. Through a networked Mac
5. Through dialing into a terminal server via a modem

2.5: Ssh, Slogin, Scp

ssh,slogin, and scp are "secure" replacements for rsh, rlogin, and rcp. You may wish to use them because:

• These provide a convenient method for establishing X connections on NERSC machines (specifically, a, mcurie, sas).
• They provide a convenient method for accessing the Unix Cluster from off-site, since (a) rsh access to the Unix Cluster is restricted to a few domains, and (b) ssh optionally offers compression which offers improved throughput on low bandwidth connections.
• Finally, ssh knows how to forward AFS tokens to remote machines, so you may wish to use ssh within the Unix Cluster.

The following is a quick how-to. For more information see the man pages, ssh(1), xssh(1), sshd(8), slogin(1), scp(1), ssh-keygen(1), ssh-agent(1),ssh-add(1).

INITIAL SET UP

1. Run ssh-keygen as follows

     $ ssh-keygen
     ...
     Enter file in which to save the key (~/.ssh/identity): [RETURN]
     Enter passphrase: [ENTER A GOOD PASS PHRASE TO PROTECT THE PRIVATE KEY]
     Enter the same passphrase again: [DITTO]
     ...
   

   This creates a private+public key pair in ~/.ssh/identity and ~/.ssh/identity.pub. The first file is protected by (a) Unix permissions, and (b) your pass phrase. The second file only needs to be protected against writing by anyone except you.

2. Create ~/.ssh/authorized_keys:

   cp ~/.ssh/identity.pub ~/.ssh/authorized_keys

3. Create ~/.ssh/authorized_keys on any remote systems you want to access. E.g., on a.nersc.gov

      mkdir ~/.ssh
      chmod 755 ~/.ssh
   

   and use FTP to transfer the local copy of `~/.ssh/authorized_keys' to a.nersc.gov.

4. Near the beginning of your `~/.xsession', put

     eval `ssh-agent -s`
     ssh-add < /dev/null
   OR
     eval `ssh-agent -c`
     ssh-add < /dev/null
   

   depending on whether your `.xsession' is a /bin/sh or /bin/csh script. Look at the first line to find out.

   At the end (after the invocation of the window manager), put

   kill $SSH_AGENT_PID.

   Your `.xsession' may then look like:

     #! /bin/sh
     . /etc/env.default
   
     eval `ssh-agent -s`                # ADDITION
     ssh-add < /dev/null                # ADDITION
   
     xrdb $HOME/.Xresources
     ...
     xterm -ls -T `hostname` -n `hostname` -geo 80x50+105+5 &
     twm
   
     kill $SSH_AGENT_PID                # ADDITION
   

5. [OPTIONAL] Create a file

     ~/.ssh/config
   

   containing

     Host *.nersc.gov
     User u12345
   

   where `u12345' is your NERSC user name. (This step means that you won't have to supply a `-l u12345' argument to ssh.) If you want to use compression on certain connections, this can be configured here too.

ONCE PER X SESSION

When you start an X session on your X terminal, the ssh-add command in `.xsession' will pop up a window for you to enter your pass phrase.

TYPICAL INVOCATIONS

1. To get a window on a.nersc.gov, do

       xssh -auth ssh a.nersc.gov
   

   xssh is a ssh-capable replacement for xrsh. You will need to ensure that your PATH on a.nersc.gov is set in .cshrc and that it included the directory with xterm lives. For that reason, I suggest you move

     if ( -e /etc/cshrc.nersc ) then
             source /etc/cshrc.nersc
     endif
   

   from `~/.login' to the end of `~/.cshrc'.

   On a.nersc.gov, if you do

     echo $DISPLAY
   

   you will see it set to something like `a:4.0'. This is a special display setting used by ssh for encrypting your X traffic. Incidentally the encryption is only in effect between NERSC and the machine you ran xssh on. The traffic between this machine and your X terminal is still unencrypted.

2. To start a window on another machine in the Unix Cluster with your AFS tokens carried over:

     xssh lupus
   

   With this invocation, the X traffic is not encrypted. You may wish to insert these xssh commands into your .twmrc as follows

     menu "Programs"
     {
     "Machines"      f.title
     ...
     "draco"         !"xssh draco"
     "a.nersc.gov"   !"xssh -auth ssh a.nersc.gov"
     ...
     }
   

3. Accessing the Unix Cluster from off-site. This requires installation of ssh on the remote machine. You should ask the system administrator for that machine to do this. In addition, if your site has AFS, ask for the AFS patches to ssh to be made. The main site for ssh is

   http://www.cs.hut.fi/ssh

   The AFS patches are available at

   http://www-personal.umich.edu/~dugsong/ssh-afs-kerberos.html

   [In fact, most of the functionality of ssh is available even if it's not installed by a system administrator.]

   If you have a Linux x86 machine, you can install a pre-compiled version with

     rpm --install ftp://ftp.pcuf.fi/linux/security/ssh-1.2.20-2.i386.rpm
   

Passwords

Starting

Tigernet