From MCS IT Wiki
Secure Access Policy (includes SSH and VPN info)
What is the Secure Access policy?
External network connections to MCS resources shall not use clear text reusable passwords for authentication. Additionally, SSH connections without VPN tunneling will not use reusable passwords for authentication.
What does that mean to me?
It means that if you're using a network to access MCS resources from outside MCS office space, you must use some mechanism to hide your password from being "sniffed" or otherwise captured in transit to the MCS network, especially without your knowledge.
Note: As of April 26, 2003, machines in MCS are, by default, disallowing any password-based authentication on connections initiated from outside the MCS firewall including wireless. The list of machines to which you can SSH directly is:
- General Login
- (The above can all be accessed as "login.mcs.anl.gov")
These machines require SSH keys for login. See the SSH Key FAQ for details. If you use the VPN, you can SSH direct to any machine (except those listed above) you can use onsite, using your password as authentication.
SSH DSA key fingerprint is 12:52:1f:45:8c:09:70:13:c1:cc:9a:59:bf:69:4b:d6
If you see a warning message that the key has changed and it is showing this as the new key. It is the right machine, and you should follow the instructions given in the error message so you can login properly.
- Login machines are meant for login/access purposes only. We will not tolerate any compiling or running of code or any type of resource intensive processes. They are meant to provide a gateway to other resources here in MCS where you can do you computation/testing
- /sandbox no longer exists on the logins. It has been re-tasked to be /scratch and as such will be cleaned out periodically. Currently any file that hasn't changed in 7 days will be deleted from /scratch. This new policy should hopefully help to keep the area from filling up and still provide a local disk to drop files temporarily.
How do I log in?
The MCS Systems Group has installed the Secure Shell (SSH) server on all UNIX systems that it maintains. You can use this protocol from anywhere on the Internet to connect to the above listed MCS computing resources, provided you are set up for SSH key-based login. If the host to which you need to connect is not in that list, you can either SSH from one of the hosts above, or you can use the VPN client first.
Other protocols may also be available, depending on circumstance.
How do I transfer files?
You're probably asking this question because you're used to using the old Internet protocol FTP. There are several ways to work around the fact that this protocol uses reusable clear text passwords:
- Use SCP or SFTP to transfer files over SSH.
- You can use the Windows VPN, and ftp via unixhome.mcs.anl.gov.
FTP is pretty much disabled on hosts inside the firewall. The host "unixhome" accepts FTP connections so make sure that's the only host with which you try to use FTP.
Where do I get SSH software for my computer?
This depends on what kind of computer you are using and whether you are an employee of Argonne's MCS Division.
Most unix and linux machines have SSH and its associated utilities installed by default. If you're running your own unix/linux machine, you should know how to get these packages.
Mac OS X machines include SSH and its associated utilities by default.
What is port forwarding, and how do I set it up?
Port forwarding is a technique where an insecure protocol (like FTP, X, POP3) is tunneled through a secure protocol (like SSH). This is a good way to continue to use your familiar protocols in a secure way.
Using SSH Port Forwarding with X on UNIX or Mac OS X
This is easy, just use ssh -Y <hostname> and your X display settings will be sent to the remote machine, and all X Windows will open on your own display.
If you have a $DISPLAY set properly, and use ssh to connect to another system, ssh will automatically set $DISPLAY on the remote end and set up everything for you. All you have to do is start your favorite X application on the remote end. Check to make sure you're not setting your $DISPLAY in any of your startup files. Also, never use xhost +, especially in your startup files, as it's a big security hole.
If you're using a Mac OS X computer, remember that X11 is not installed by default. The steps to install X11 on OS X are pretty simple. Insert your OS X Install Disk #1. A finder window will open that will show you all the installers and folders on the disk. Double-click on the Optional Installs package (due to the organization of the icons in the finder window, you must scroll down to find the Optional Install icon).
Using SSH Port Forwarding with X on Microsoft Windows
Use Cygwin. See Windows instructions. Follow the Unix instructions above after cygwin is installed.
How can I dial in over the phone?
If you want a PPP connection, you can sign up with ANL's dialup program. This is painless, but you need a cost code. More information can be found here.
What do I need to do to be able to interact with the ANL or MCS Windows domain?
Use the VPN.
Cable Modem and Digital Subscribe Line (DSL) users
What do I do if I want to use more than one computer with my connection at home?
Send e-mail to firstname.lastname@example.org to request a NAT box.