Current NICS Resources
- In case of a system outage, login.nics.utk.edu can always be used to access users' home directories on NFS.
Secure Access With OTP
The preferred method of secure access to NICS resources is through SSH with an RSA One Time Password (OTP) token. As part of the NICS account activation procedure, you will receive information about obtaining an RSA token. Tokens are sent by US mail and are not enabled until NICS receives the notarized Token Activation Form.
Logging in with OTP requires using a personal pin number plus the current code displayed on the OTP token—this combination is referred to as your NICS passcode. Along with your token, you will receive instructions on setting up your pin number for the first time. Use SSH along with your NICS passcode to log in to NICS resources, for example:
> ssh <username>@login.darter.nics.utk.edu
Enter PASSCODE:
Note: No characters will appear when entering passcode.
Accounts that are not used for a period of three consecutive months are disabled. If you believe your account has been disabled for inactivity, please submit a request to firstname.lastname@example.org or call the helpline directly at 865-241-1504.
UNIX-based operating systems generally have an SSH client built in and Windows users may obtain free clients online, such as PuTTY.
Any SSH client used to log into NICS resources should:
- Support the SSH-2 protocol (supported by all modern SSH clients). Several security vulnerabilities exist in the SSH-1 protocol; therefore, access using a version 1 client is not allowed.
- Allow keyboard-interactive authentication to access NICS systems. For UNIX-based SSH clients, the following line should be in either the default ssh_config file or your $HOME/.ssh/config file:
  PreferredAuthentications keyboard-interactive,password
  The line may also contain other authentication methods, so long as keyboard-interactive is included. For recent versions of SecureCRT or PuTTY, the setting can be made through the SSH connection properties menu.
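The following added example (not NICS-supplied code) checks whether a client configuration will still offer keyboard-interactive for a given host. It follows the ssh_config rule that the first value obtained for a keyword wins, so block order matters. The sample file is constructed, and Match and Include directives are not evaluated.

```python
import fnmatch

# OpenSSH's documented default order when PreferredAuthentications is unset.
DEFAULT_ORDER = ["gssapi-with-mic", "hostbased", "publickey",
                 "keyboard-interactive", "password"]


def host_block_applies(patterns, host):
    """ssh_config Host matching: one positive pattern, no negated ('!') match."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            positive = True
    return positive


def preferred_auth(config_text, host):
    """Effective PreferredAuthentications for host (first obtained value wins)."""
    applies = True  # lines before the first Host block apply to every host
    for raw in config_text.splitlines():
        words = raw.strip().replace("=", " ", 1).split()
        if not words or words[0].startswith("#"):
            continue
        key, args = words[0].lower(), words[1:]
        if key == "host":
            applies = host_block_applies(args, host)
        elif key == "match":
            applies = False  # simplification: Match blocks are skipped
        elif key == "preferredauthentications" and applies and args:
            return [m.strip().lower() for m in args[0].split(",")]
    return list(DEFAULT_ORDER)


def can_prompt_for_passcode(config_text, host):
    """True if the client will attempt keyboard-interactive for this host."""
    return "keyboard-interactive" in preferred_auth(config_text, host)


# Constructed sample $HOME/.ssh/config, not a file distributed by NICS.
SAMPLE_CONFIG = """\
Host *.nics.utk.edu
    PreferredAuthentications keyboard-interactive,password
Host *
    PreferredAuthentications publickey
"""
```

If the `Host *` block is moved above the NICS block, its `publickey` value is obtained first and the passcode prompt never appears.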
NICS also supports access using GSI-enabled SSH (gsissh). GSI (Grid Security Infrastructure) authentication relies on proxy certificates which are managed using the Globus Toolkit. This method of access is used by the XSEDE User Portal and can be used from the command line using the Globus toolkit.
XSEDE User Portal
The XSEDE User Portal (XUP) provides the simplest way to access NICS resources via gsissh using your XSEDE username and password. After logging on to the portal, the 'Accounts' tab lists the resources you have access to. Simply click the 'login' button and a Java applet provides secure access via gsissh. XSEDE also provides a Single-Sign-On Hub and a stand-alone Java-based terminal for GSI-enabled SSH access.
Command Line Use
For using gsissh from the command line, the Globus toolkit is required. On NICS and XSEDE resources, the Globus module should be loaded by default. If not, load it with:
> module load globus
For other machines outside of XSEDE, see our instructions on acquiring and configuring the Globus Toolkit.
To use gsissh, you must first acquire a proxy certificate with the myproxy-logon command. Certificates can be obtained from either NCSA's myproxy server (which requires your XSEDE username and password) or from the NICS myproxy server (which requires your NICS username and passcode using OTP). Use the -s option with myproxy-logon to specify the server and the -l option to specify the username if needed:
for XSEDE certificates:
> myproxy-logon -s myproxy.teragrid.org -l <XSEDE username>
Enter MyProxy pass phrase: [enter XSEDE password]
for NICS certificates:
> myproxy-logon -s myproxy.nics.utk.edu -l <NICS username>
Enter MyProxy pass phrase: [enter NICS passcode (pin + OTP token code)]
You should receive a message like:
A credential has been received for user <username> in /tmp/x509up_u000.
Note: If using your own installation of the Globus Toolkit, you may need to use the -T option with myproxy-logon to install trusted certificates on your machine.
Once your certificate is in place, you may use gsissh to log on to any of NICS resources without any further authentication. For example, to access Darter:
> gsissh gsissh.darter.nics.utk.edu
Proxy certificates are valid for 12 hours by default. You may specify a longer time (in hours) with the -t option for myproxy-logon. The command grid-proxy-info will give information on any existing proxy certificates including remaining time limit.
Other Login Issues
RSA Key Fingerprints
Occasionally, you may receive an error message upon logging in to a system such as the following:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the OTP host key has just been changed.
This can be a result of normal system maintenance that changes an RSA public key or could be an actual security incident. If these fingerprints do not match what your SSH/SCP/SFTP client shows you, do not continue authentication; instead, contact email@example.com.
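As an added example (not part of the original NICS page), the comparison described above can be done offline by hashing the offered host key and checking it against a fingerprint obtained out of band. The host name and key below are constructed samples, and the published value would come from NICS, not from the connection being checked.

```python
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def ssh_string(data: bytes) -> bytes:
    """Length-prefixed field as used in the SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data

def key_blob(line: str) -> bytes:
    """Decode the key from a '[hosts] type base64 [comment]' line."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field in KEY_TYPES:
            blob = base64.b64decode(fields[i + 1], validate=True)
            (n,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + n] != field.encode():  # blob repeats its own type
                raise ValueError("key type does not match key blob")
            return blob
    raise ValueError("no SSH public key found in line")

def fingerprints(line: str) -> dict:
    """Both fingerprint formats OpenSSH clients display for a host key."""
    blob = key_blob(line)
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"MD5": "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "SHA256": "SHA256:" + sha}

def matches_published(line: str, published: str) -> bool:
    """True only if the offered key hashes to the out-of-band fingerprint."""
    if published.startswith("SHA256:"):
        return fingerprints(line)["SHA256"] == published
    bare = published[4:] if published.startswith("MD5:") else published
    return fingerprints(line)["MD5"] == "MD5:" + bare.lower()

def sample_line(fill: int) -> str:
    """Constructed ssh-rsa entry (e=65537, dummy modulus); not a real host key."""
    blob = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
            + ssh_string(b"\x00" + bytes([fill]) * 256))
    return "login.example.org ssh-rsa " + base64.b64encode(blob).decode()

if __name__ == "__main__":
    published = fingerprints(sample_line(0xC3))["SHA256"]  # stand-in value
    print("same key:", matches_published(sample_line(0xC3), published))
    print("changed key:", matches_published(sample_line(0xA5), published))
```

Older clients print the MD5 form as bare colon-separated hex pairs, which `matches_published` also accepts.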
Some graphical tools available on NICS resources, such as graphical debugging, optimization, and visualization tools, require X11 forwarding. For instructions on setting up X11 forwarding, please see Procedures for X11 forwarding.
Changing Default Shell
You may change your default shell by logging in to the NICS User portal. After logging in to the portal, you may change your shell in the 'Login Information' section.