.. vim: syntax=rst

.. include:: ../global.rst

.. _index-ssh:

===============
Accessing hosts
===============

Hosts on the oden domain can be accessed remotely, on or off campus, by two
methods.

* When on campus, hosts @oden.utexas.edu can be accessed using password
  authentication or SSH public keys. 'On campus' means the Austin UT campus;
  this does not include TACC.
* When off campus, hosts can be accessed by two methods:

  1. UT VPN (requires DUO and an active UT appointment), or
  2. Through login1.oden.utexas.edu (requires the use of an SSH public key)

If you have an active UT appointment, it is preferred that you use UT's VPN
rather than the login server and access hosts directly. The purpose of the
login server is to give users without an active appointment access to hosts
on our network. Read more about the :ref:`NAT faq `

.. note:: For more information on UT's VPN service, please visit the following
   links: `UT VPN wikis`_ and `UT VPN ServiceNow Articles`_. The information
   is extensive and should answer most questions; it will not be repeated
   here.

SSH Port
========

All hosts on the oden domain use the well known port, 22, for ssh.

SSH keys
========

You can set up ssh public key authentication for logging into your Oden
Institute account remotely. With key authentication your password is never
sent to the remote host at all: the server challenges your client and the
private key signs the challenge locally. (With password authentication the
password does travel inside the encrypted SSH channel, but it is still typed
and transmitted on every login.) Key authentication also allows you to set up
password-less logins to any machine.

Create a private/public key pair
--------------------------------

Execute the instructions below depending on your client.

For **Linux and Mac clients**::

    $ ssh-keygen
    Generating public/private rsa key pair.
    Enter file in which to save the key (/oden/stew/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /oden/stew/.ssh/id_rsa.
    Your public key has been saved in /oden/stew/.ssh/id_rsa.pub.
    The key fingerprint is:
    SHA256:GKW7yzA1J1qkr1Cr9MhUwAbHbF2NrIPEgZXeOUOz3Us stew@suzerain
    The key's randomart image is:
    +---[RSA 2048]----+
    |.*++ o.o.        |
    |.+B + oo.        |
    | +++ *+.         |
    | .o.Oo.+E        |
    |    ++B.S.       |
    |   o * =.        |
    |    + = o        |
    |   + = = .       |
    |    + o o        |
    +----[SHA256]-----+

The transcript above is from an older OpenSSH release that defaults to a
2048-bit RSA key; newer releases default to a larger RSA key or to ed25519.
Passing ``-t ed25519`` to ``ssh-keygen`` gives a smaller, faster key that
every OpenSSH server on the oden domain accepts, and is a good choice for a
new key. Whatever the type, the file ending in ``.pub`` is the public half
and the file without the suffix is the private half.

If you are **on campus** or on UT's VPN with your client and you want to copy
your key over to your account here, use ``ssh-copy-id``. It uses password
authentication once to append the public key to ``~/.ssh/authorized_keys``
on the remote host and sets the permissions that sshd requires::

    ssh-copy-id -i ~/.ssh/id_rsa.pub <username>@<hostname>.oden.utexas.edu

(``ssh-copy-id`` adds the ``.pub`` suffix itself if you give it the private
key path, so the form without ``.pub`` also works; the private key is never
copied either way.)

If you are **off campus**, you have two options: connect to the VPN and use
the above command, *or* send only the public key portion of your key pair,
the ``.pub`` file, to rt@oden.utexas.edu and we'll copy it to the proper
location for you. Never send the private key (``id_rsa`` without a suffix);
if you do, generate a new pair and treat the old one as compromised. Using the
VPN is not an option for external collaborators who do not have an official
appointment with UT. Their only option is to send us the public key.

For more detailed instructions visit https://www.ssh.com/ssh/copy-id

For the lowly **Windows clients**:

1) Follow the **Installation instructions for Windows** here:
   https://www.ssh.com/ssh/putty/download
2) Generate the key using **PuTTYgen** here:
   https://www.ssh.com/ssh/putty/windows/puttygen

**Important**. Copy and paste the public key that was generated in the box
below the text ``Public key for pasting into OpenSSH authorized_keys file``
into a file or directly into the help request. This is the public key portion
we place into your ``authorized_keys`` file under your ``.ssh`` directory in
your home dir. Do not send the ``.ppk`` file PuTTYgen saves; that is the
private key. Please keep in mind that we **require the use of a passphrase**.

Some machines may put these files in a different spot. If this is the case,
make a note of where it puts them and what it names them. The ``id_rsa``
(or ``id_ed25519``; on very old installs also ``id_dsa`` or ``identity``)
file is your private key. Keep it secret, keep it safe. Note that DSA keys
are refused by default by OpenSSH 7.0 and later, so an old ``id_dsa`` will
not log you in to a current server.

Passwordless logins
-------------------

In order to enable passwordless authentication, you need to have an ssh-agent
process running.
To start the agent in a bash shell, do::

    $ eval `ssh-agent`

Add your ssh key to the running agent. Use the private key you generated
above; in this document that is ``~/.ssh/id_rsa``::

    $ ssh-add ~/.ssh/id_rsa

``ssh-add`` asks for the key's passphrase once; from then on the agent signs
login challenges for you, so you should be able to log in to any system that
has your public key without typing your password or the passphrase again.
The agent is found through the ``SSH_AUTH_SOCK`` environment variable that
the ``eval`` line sets, so a new terminal that does not inherit it needs the
``eval`` again (or its own agent).

SSH ProxyJump hosts
-------------------

This assumes you have correctly set up your ssh public keys as described
above; login1 only accepts key authentication. It is possible to jump
directly into a host on the network when you are not on the campus network
using the ProxyJump option in SSH. To log in from a remote host off campus to
a host on the institute's network::

    $ ssh -J <username>@login1.oden.utexas.edu <username>@<hostname>.oden.utexas.edu

With ``-J`` the session to the inner host is a second SSH connection tunneled
through login1 and encrypted end to end, so login1 never sees your password
or your key, and you do not need agent forwarding (``-A``) for this to work.

SCP ProxyJump
-------------

It is possible to copy files from a remote host not on UT's network to a host
on the network using the same principle as the previous section, passing
ProxyJump as an option. On the remote host, execute::

    $ scp -o 'ProxyJump <username>@login1.oden.utexas.edu' <file> <username>@<hostname>.oden.utexas.edu:/<path>

Recent OpenSSH releases also accept ``-J`` directly on the ``scp`` command
line, exactly as ``ssh`` does.

A helpful link https://www.madboa.com/blog/2017/11/02/ssh-proxyjump/

Using rsync to copy files
-------------------------

Similar to scp, rsync is another option if you are moving large numbers of
files securely; it resumes interrupted transfers and only sends what changed.
It uses a similar setup, with the jump host given to the ssh command that
rsync runs as its transport::

    rsync -avz -e 'ssh -J <username>@login1.oden.utexas.edu' --progress <username>@<hostname>.oden.utexas.edu:/<path> <local-dir>

Connecting to a VNC session
---------------------------

To connect from a remote location to a VNC server session running on one of
the hosts, use the following command to set up a tunnel. VNC display ``:1``
listens on TCP port 5901 on the host's loopback interface; the tunnel makes it
reachable on your client as port 5902, which is display ``:2`` locally::

    ssh -f -N -J <username>@login1.oden.utexas.edu -L 5902:127.0.0.1:5901 <username>@<hostname>.oden.utexas.edu

``-N`` runs no remote command and ``-f`` sends ssh to the background once it
has authenticated, so the shell comes back and you can run ``vncviewer
localhost:2`` to connect to the session on the host. (``-N`` alone keeps ssh
in the foreground; it is ``-f`` that detaches it.) The older form of this
command, ``-o ProxyCommand="ssh -W %h:%p ..."``, does the same thing as
``-J``, and agent forwarding (``-A``) is not needed for a port forward.

A helpful link https://boknowsit.wordpress.com/2018/09/02/vnc-and-ssh-port-forwarding/

`Fail2ban`_
============

We use `Fail2ban`_ to provide a layer of security for our workstations.
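To show what that layer does, here is an added example; it is not the institute's fail2ban filter or its wrapper scripts. It counts failed sshd password attempts per source address in ``/var/log/secure``-style lines and reports the addresses that have reached the ban threshold, the way the sshd jail does with ``maxretry = 5``. The log lines are constructed for the example, and the addresses come from the RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example, not the institute's fail2ban filter or wrapper scripts: count
# failed sshd password attempts per source address in /var/log/secure-style
# lines and report the addresses that have reached the ban threshold, as the
# sshd jail does with maxretry = 5. The log lines are constructed; the
# addresses are from the RFC 5737 documentation ranges.

MAXRETRY=5

# Constructed sample of /var/log/secure. 203.0.113.5 fails five times and
# would be banned; 198.51.100.7 fails twice and then logs in with a key,
# which is an accepted login and is not counted.
sample_secure_log() {
    cat <<'EOF'
Sep  2 10:11:12 suzerain sshd[2345]: Failed password for invalid user admin from 203.0.113.5 port 52311 ssh2
Sep  2 10:11:14 suzerain sshd[2347]: Failed password for invalid user admin from 203.0.113.5 port 52313 ssh2
Sep  2 10:11:15 suzerain sshd[2349]: Failed password for root from 203.0.113.5 port 52314 ssh2
Sep  2 10:11:17 suzerain sshd[2351]: Failed password for root from 203.0.113.5 port 52316 ssh2
Sep  2 10:11:18 suzerain sshd[2353]: Failed password for stew from 198.51.100.7 port 40122 ssh2
Sep  2 10:11:20 suzerain sshd[2355]: Failed password for stew from 198.51.100.7 port 40123 ssh2
Sep  2 10:11:22 suzerain sshd[2357]: Accepted publickey for stew from 198.51.100.7 port 40124 ssh2
Sep  2 10:11:25 suzerain sshd[2359]: Failed password for root from 203.0.113.5 port 52320 ssh2
EOF
}

# Read log lines on stdin; print "count address" for every source with at
# least MAXRETRY failed password attempts, highest count first. The real
# sshd filter matches more failure messages than this single pattern.
failed_by_source() {
    awk -v maxretry="$MAXRETRY" '
        /sshd\[[0-9]+\]: Failed password for / {
            # the address is the token after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END {
            for (ip in fails) if (fails[ip] >= maxretry) printf "%d %s\n", fails[ip], ip
        }' | sort -rn
}

# Addresses only, for scripting.
ban_candidates() {
    sample_secure_log | failed_by_source | awk '{ print $2 }'
}

# Stand-alone run: report what the sample would get banned.
sample_secure_log | failed_by_source
```

The two scripts on this page, ``fail2showbans.sh`` and ``fail2unban.sh``, are local wrappers; the underlying commands are ``fail2ban-client status ssh-iptables`` and ``fail2ban-client set ssh-iptables unbanip <address>`` (the jail name is the one shown in the status output below). Unlike this example, fail2ban only counts failures that fall inside its ``findtime`` window, and a ban expires after ``bantime``, so waiting is sometimes enough.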
Here are some things to keep in mind:

* Trying to log in with an incorrect password for an existing account will
  lock you out after **5** unsuccessful attempts.

If your IP address is blocked, you will receive a message that looks
something like this::

    ssh_exchange_identification: Connection closed by remote host

If you see this message, send an email to `RT`_ and ask us to fix it for
you, or you can remove the ban yourself. To remove the IP address that has
been banned, you need to know the `IP address that is banned`_ (the public
address of your client as the workstation sees it; on the VPN that is the
VPN's address, not your home address) and access the desktop from another IP
address that is not banned. This will require a couple of hops to get to the
desktop you have been banned from. Bans are kept per workstation, and most
users have access to multiple desktops in their group: log in to another
desktop, then access the desktop that has banned you. Use the following
utilities to view and remove the banned IP address::

    $ sudo /usr/local/bin/fail2showbans.sh
    The IP addresses banned from logging into this system are listed below with "IP List:"
    Status for the jail: ssh-iptables
    |- Filter
    |  |- Currently failed: 2
    |  |- Total failed:     12009
    |  `- File list:        /var/log/secure
    `- Actions
       |- Currently banned: 29
       |- Total banned:     1145
       `- Banned IP list:   202.131.225.54 173.201.23.110 58.67.199.9
    $ sudo /usr/local/bin/fail2unban.sh 202.131.225.54
    Please wait a moment..
    202.131.225.54

.. _Fail2ban: http://www.fail2ban.org/
.. _IP address that is banned: http://whatismyipaddress.com/

Preventing Lockouts
-------------------

There are some things you can do to try to prevent yourself from getting
locked out by `Fail2ban`_. The first is setting up ssh key pairs (see the SSH
keys section above): a key login involves no typed password, so a mistyped
one cannot count against you, and with an ssh-agent running you also get
passwordless logins.

Another common problem is that your username is different for your oden
account and the machine you are attempting to connect from, so every login
that forgets the ``user@`` part is tried, and fails, as the wrong account.
The following solution was sent to us by a user with this problem:

I am now using the following lines in my ``~/.ssh/config`` file::

    Host *.oden.utexas.edu
        User solj

This sets the default user for all oden machines, so that when I ssh in from
home it uses the oden user name instead of my home user name.
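The same idea, taken further as an added example that is not part of this page or of the user's message above: a generator for an ``~/.ssh/config`` that fixes the oden user name for every oden host, pins one key, and routes everything except login1 through login1 with ProxyJump, so the ``-J`` and ``-e 'ssh -J ...'`` options in the ProxyJump, scp, rsync and VNC sections no longer have to be typed on the command line. It also builds the VNC tunnel command from display numbers instead of raw ports. The user name ``stew``, the key path, ``myhost.oden.utexas.edu`` and the display numbers are placeholders.

```shell
#!/bin/sh
# Added example, not part of this page or the user's message: generate an
# ~/.ssh/config that fixes the oden user name, pins one key, and routes every
# oden host except login1 through login1, then build the VNC tunnel command
# from VNC display numbers. "stew", the key path and myhost.oden.utexas.edu
# are placeholders for the example.

# Print a client config for oden user USER whose private key is at KEY.
oden_ssh_config() {
    user="$1"
    key="$2"
    cat <<EOF
# login1 is the only oden host reached directly from off campus, so it gets
# no ProxyJump (otherwise it would try to jump through itself).
Host login1.oden.utexas.edu
    User $user
    IdentityFile $key
    IdentitiesOnly yes

# Every other oden host goes through login1. "User" avoids the home/oden
# user-name mismatch that produces failed logins; "IdentitiesOnly" stops the
# agent from offering unrelated keys first, each of which costs one of the
# server's MaxAuthTries.
Host *.oden.utexas.edu !login1.oden.utexas.edu
    User $user
    IdentityFile $key
    IdentitiesOnly yes
    ProxyJump login1.oden.utexas.edu
EOF
}

# VNC display :N listens on TCP port 5900+N. Build the command that forwards
# local display LDISP to remote display RDISP on HOST's loopback, detaching
# after authentication (-f) and running no remote command (-N). ProxyJump
# comes from the config, so no -J is needed on the command line.
vnc_tunnel_cmd() {
    host="$1"
    ldisp="$2"
    rdisp="$3"
    printf '%s\n' "ssh -f -N -L $((5900 + ldisp)):127.0.0.1:$((5900 + rdisp)) $host"
}

# Stand-alone run: show the config and the tunnel for local :2 -> remote :1,
# which is the 5902 -> 5901 tunnel from the VNC section.
oden_ssh_config stew "$HOME/.ssh/id_rsa"
vnc_tunnel_cmd myhost.oden.utexas.edu 2 1
```

Save the output of ``oden_ssh_config`` as ``~/.ssh/config`` with mode 600. After that, ``ssh myhost.oden.utexas.edu``, ``scp <file> myhost.oden.utexas.edu:/<path>`` and ``rsync -avz --progress myhost.oden.utexas.edu:/<path> <local-dir>`` all go through login1 on their own, and once the tunnel command has been run, ``vncviewer localhost:2`` reaches the remote display. The ``!login1`` exclusion matters: without it the login1 stanza would also pick up ``ProxyJump login1`` and ssh would loop trying to reach login1 through itself.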