National Institute for Computational Sciences is a UT/ORNL Partnership

Kraken Access

Connection Requirements

In order to provide a secure system, access to Kraken is only available via the Secure Shell protocol (SSH). UNIX-based operating systems generally have an SSH client built in, available by typing "ssh username@server" (username is your user name on Kraken). Windows users may obtain free clients online, such as PuTTY. Any SSH client:

  • must support the SSH-2 protocol (supported by all modern SSH clients). Several security vulnerabilities exist in the SSH-1 protocol; therefore, access using a version 1 client is not allowed.
  • must allow keyboard-interactive authentication to access NICS systems. For UNIX-based SSH clients, the following line should be in either the default ssh_config file or your $HOME/.ssh/config file:
     PreferredAuthentications keyboard-interactive,password
    The line may also contain other authentication methods, so long as keyboard-interactive is included.

    For recent versions of SecureCRT or PuTTY, the change can be made through the SSH connection properties menu.
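
The sketch below is an added example, not NICS code: it resolves the options an OpenSSH-style ssh_config applies to a host (the first value obtained for a keyword wins) and reports whether they meet the two client requirements above. The function names and the sample config are constructed for illustration; Match blocks are skipped, and an unset PreferredAuthentications is assumed to leave the client default in place.

```python
import fnmatch
import re

def host_matches(patterns, host):
    positive = False  # need one positive match and no negated (!pattern) match
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            positive = True
    return positive

def effective_options(config_text, host):
    """ssh_config keeps the FIRST value obtained for each keyword, top to bottom."""
    opts, active = {}, True  # lines before any Host block apply to every host
    for raw in config_text.splitlines():
        m = re.match(r"(\S+?)(?:\s*=\s*|\s+)(.*)$", raw.strip())
        if not m or m.group(1).startswith("#"):
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key in ("host", "match"):
            # assumption: Match blocks are skipped rather than evaluated
            active = key == "host" and host_matches(value.split(), host)
        elif active:
            opts.setdefault(key, value)
    return opts

def audit(config_text, host):
    """Return the ways the effective settings break the two client requirements."""
    opts, problems = effective_options(config_text, host), []
    methods = opts.get("preferredauthentications")  # unset: client default is kept
    if methods is not None and "keyboard-interactive" not in methods.split(","):
        problems.append("PreferredAuthentications omits keyboard-interactive")
    if "1" in opts.get("protocol", "2").split(","):
        problems.append("Protocol permits SSH-1")
    return problems

# Constructed sample config (not a NICS file): the specific block comes first and wins.
SAMPLE = """\
Host kraken*.nics.tennessee.edu
    PreferredAuthentications publickey,password
    Protocol 2,1
Host *
    PreferredAuthentications keyboard-interactive,password
"""

for h in ("kraken.nics.tennessee.edu", "login.nics.tennessee.edu"):
    print(h, audit(SAMPLE, h) or "ok")
```

In the sample, the later "Host *" block does not repair the earlier Kraken-specific block, so the required line has to appear before any block that sets PreferredAuthentications for the same host.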

Connection Procedures

NICS supports secure access using gsissh (part of the Globus Toolkit) and secure access that requires the use of an RSA One Time Password (OTP) token, which generates a one-time password. Secure access using the OTP is also required to access HPSS storage.
See the table below for system names. The full host name is <name>.nics.tennessee.edu (or <name>.nics.teragrid.org).

Node type           Kraken XT5
Login Node (OTP)    kraken-xt5, kraken

Note that kraken currently points to Kraken XT5.

One-Time Password Authentication

The OTP token is the authentication method that will be used to access NICS resources securely. To log in to NICS OTP systems, an OTP token is required. You should receive this in the mail after you receive your allocation. After your OTP token has been authorized (instructions will be mailed with the OTP token), you will need to set your PIN; see Setting up your One Time Password.

Once you have set your PIN, you may log in to Kraken using SSH to connect to Kraken XT5, kraken.nics.tennessee.edu. In the example below, kraken_userid would be replaced by your NICS username. Users are prompted for their OTP token by the PASSCODE prompt. The PASSCODE is made up of your PIN, followed by the number displayed on the OTP token (see picture). For example, if your PIN is 1234 and the token code is 987654, enter 1234987654.
Note: No characters will appear when entering your PASSCODE.

% ssh kraken_userid@kraken.nics.tennessee.edu
Enter PASSCODE:

[Picture: RSA Keyfob]

OTP tokens that are not used for a period of three consecutive months will be disabled.


GSISSH Access

You may also access Kraken using gsissh, part of the Globus Toolkit. This utility uses proxy certificates to authenticate, and allows for single-sign-on capability to almost all of the TeraGrid, without having to remember multiple passwords or usernames. To use this method, see GSISSH. More information about setting up proxy certificates, which are used with GSISSH and GridFTP, can be found at Getting Started with Globus.

Not every target supports gsissh: kraken-gsi (tg-login-pwd) does support it, but kraken, login, athena and verne at NICS only accept OTP authentication. If GSI authentication fails, gsissh will default to standard keyboard-interactive authentication (for OTP nodes, it prompts for your passcode).

userjd@ncsa:~> gsissh kraken-gsi.nics.teragrid.org

File System Access

During times of system outage, access to a user's home and project directories is available at login.nics.tennessee.edu. The procedure for this is analogous to the Secure Access procedure. For example:

% ssh userid@login.nics.tennessee.edu
Enter PASSCODE:

Note that this system does not have access to the Lustre file system.

Connection Options

X11 Forwarding

There are some graphical tools you might want to use on Kraken, which might require you to set up X11 forwarding. For example, there are a number of graphical debuggers and profilers, as well as visualization tools. For instructions on setting this up, see Procedures for X11 forwarding.

Changing Your Default Shell

If you wish to change your default shell, please send an email to help@teragrid.org. The available login shells are bash and tcsh.

RSA Key Fingerprints

Occasionally, you may receive an error message upon logging in to a system such as the following:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the OTP host key has just been changed.

This can be a result of normal system maintenance that changes an RSA public key, or it could be an actual security incident. If these fingerprints do not match what your SSH/secure copy (SCP)/secure file transfer (SFTP) client shows you, do not continue authentication; instead, contact help@teragrid.org.
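
As an added example (not part of the NICS page): the fingerprint a client displays is a hash of the server's public-key blob, so a key recorded in known_hosts or offered by the server can be checked against a fingerprint obtained out of band before authentication continues. The key below is constructed for the demonstration and the function names are illustrative.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519")

def wire_field(data):
    """Encode one length-prefixed field of the SSH public-key wire format."""
    return struct.pack(">I", len(data)) + data

# Constructed key blob (type, exponent, modulus); not a real NICS host key.
SAMPLE_BLOB = (wire_field(b"ssh-rsa") + wire_field(b"\x01\x00\x01")
               + wire_field(b"\x00" + bytes(range(1, 129))))
SAMPLE_LINE = "kraken.nics.tennessee.edu ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode()

def key_blob(line):
    """Extract the decoded key blob from a known_hosts or .pub style line."""
    fields = line.split()
    for i, name in enumerate(fields[:-1]):
        if name in KEY_TYPES or name.startswith("ecdsa-sha2-"):
            blob = base64.b64decode(fields[i + 1], validate=True)
            (n,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + n] != name.encode():
                raise ValueError("key type does not match the encoded blob")
            return blob
    raise ValueError("no SSH public key found")

def fingerprints(line):
    """Both fingerprint forms a client may display for the same key."""
    blob = key_blob(line)
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "sha256": "SHA256:" + sha}

def matches_published(line, published):
    """True only if the fingerprint obtained out of band matches the offered key."""
    fp, want = fingerprints(line), published.strip()
    if want.startswith("SHA256:"):
        return want.rstrip("=") == fp["sha256"]
    if want.upper().startswith("MD5:"):
        want = want[4:]
    return want.lower() == fp["md5"]

if __name__ == "__main__":
    print(fingerprints(SAMPLE_LINE))
```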

HPSS Archival Storage Access

The HPSS archival storage system may be accessed using HSI. Use of HPSS archival storage resources requires OTP access. Password-free access is provided on the secure-access login nodes (i.e., if you used the OTP to log in).

File Transfer Utilities

The SSH-based SCP and SFTP utilities can be used to transfer files to and from NICS systems.

If GridFTP is available at your local site, this is the best way to transfer large files. For more information on data transfers, see the data transfer page in the general support section.