Differences between revisions 1 and 8 (spanning 7 versions)
Revision 1 as of 2016-09-13 10:32:34
Size: 2361
Comment:
Revision 8 as of 2019-09-09 15:56:57
Size: 1857
Comment:
Line 5: Line 5:
 {{{
    ssh warp.zeuthen.desy.de
 }}}
Line 6: Line 9:
==== The concept ====
{{{
#!figure
{{attachment:warp-concept1.jpg}}
}}}

 * a cluster of access nodes will be used for an automatic and transparent forwarding to a suitable work group server of your group.
 * the deciding factor is your primary login group
 * choose the wgs with the lowest load
 * the user has possibilities to choose another destination or another group
 * users of groups which haven't an own wgs will be forwarded to a public wgs

==== Advantages ====
 * the access systems need only an ssh and kerberos clearance in the firewall
 * backdoors are not possible
 * local root exploits on the access systems pose not longer a serious risk (except for the sshd )
 * Users of different groups will be distributed across different machines

==== Problems in the past ====
 * Whenever cases of local root exploits came to light, we had have to act immediately. (multiple in the year, '''one''' compromized user account is sufficient)
 * Although all available security updates are rolling out quickly the login hosts are threatened by zero-day exploits
 * All users used the same login hosts. Several times the pubs could not used by other users because of overload (misusage for job processing, mathematica process or similar).

Further information and usage suggestions you can find here: [[Warp_Login_Usage]].
   * Further information and usage suggestions, e.g. VNC session, you can find here: [[Warp_Login_Usage]].
   * [[Remote_Login | Warp - The Concept]]
Line 32: Line 13:
 The SSH is available from outside to DESY Zeuthen on the following public login hosts
 * pub.zeuthen.desy.de (pub1-pub6) for standard cases if warp concept doesn't work for you
The SSH is available from outside to DESY Zeuthen on the following public login hosts
  * ''pub.zeuthen.desy.de'' (pub1-pub6) - deprecated - only use if warp doesn't work for you
Line 35: Line 16:
 * transfer.zeuthen.desy.de for IO intensive datatransfers from/to outside. /acs is available.   * ''transfer.zeuthen.desy.de'' for I/O intensive data transfers from/to outside. /acs and /lustre are available.
Line 37: Line 18:
 For security reasons SSH key authentication is not allowed for remote sessions from the Internet.
 More information for SSH/SCP usage is here: [[https://it.desy.de/services/uco/documentation/ssh_scp/index_eng.html]]
=== SSH Login without Password ===

For security reasons SSH key authentication is not allowed for remote sessions from the Internet. They're also mostly useless internally.

Passwordless access is possible using GSSAPI authentication. This requires a Kerberos 5 ticket for our realm (see `/etc/krb5.conf` on one of our systems for a configuration example) and the use of the openssh options `GSSAPIAuthentication` and `GSSAPIDelegateCredentials` (recent versions enable both with the `-K` parameter).

Helpful links
  * [[http://www.desy.de/d4/ssh-tunnel-en.html| ssh tunnel with putty]]
  * [[https://dv-zeuthen.desy.de/services/windows/remote_zugang/| Accessing remotely your Windows Desktop or Terminal Services at DESY Zeuthen via SSH tunneling using Windows or Linux/UNIX]]
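Review bot: The new GSSAPI paragraph recommends `GSSAPIDelegateCredentials` and `-K` without saying that delegation forwards the user's Kerberos ticket to the remote host; add a sentence advising users to enable it only for the login hosts named on this page rather than globally. In the sentence added after the key-authentication rule, "They're also mostly useless internally" has no plural antecedent; "SSH keys are also mostly useless internally" reads clearly. The line pointing to the SSH/SCP documentation on it.desy.de has no counterpart in the new text, so confirm that dropping it is intended.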
Line 42: Line 30:
  Only for the cases that you don't have an chance to use a local client this service is offered. Be aware that the terminal emulation is limited, so special character support, ECS sequences and menu driven software may not work a aspected. The link will open a new browser window. Only for the cases that you don't have a chance to use a local client this service is offered. Be aware that the terminal emulation is limited, so special character support, ECS sequences and menu driven software may not work a aspected. The link will open a new browser window. You get a terminal session on the pal cluster in DESY Hamburg.
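Review bot: The rewritten web-client paragraph corrects "an chance" but keeps "may not work a aspected" and "ECS sequences"; these should read "as expected" and, presumably, "ESC sequences". It also says "The link will open a new browser window" while the visible text names no link, so check that the link target survives next to this paragraph.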

Remote Login Service

WARP - The Concept for Remote Login Service with more Safety

Remote login with SSH

SSH access to DESY Zeuthen from outside is available on the following public login hosts:

  • pub.zeuthen.desy.de (pub1-pub6) - deprecated - only use if warp doesn't work for you

  • transfer.zeuthen.desy.de for I/O intensive data transfers from/to outside. /acs and /lustre are available.

SSH Login without Password

For security reasons, SSH key authentication is not allowed for remote sessions from the Internet. SSH keys are also mostly useless internally.

Passwordless access is possible using GSSAPI authentication. This requires a Kerberos 5 ticket for our realm (see /etc/krb5.conf on one of our systems for a configuration example) and the use of the OpenSSH options GSSAPIAuthentication and GSSAPIDelegateCredentials (recent versions enable both with the -K parameter).
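
A client-side configuration for the GSSAPI login described above, as an added example that is not part of the original page or DESY's own configuration. The host names come from this page; `<user>` and `<REALM>` are placeholders, and turning off public keys for these hosts and the restrictive `Host *` default are choices made for this example.

```sshconfig
# ~/.ssh/config  (added example; placeholders are written as <...>)
#
# Before connecting, obtain a Kerberos 5 ticket for the realm configured in
# /etc/krb5.conf and check that it is valid:
#   kinit <user>@<REALM>
#   klist
#
# ssh_config uses the first value it finds for each option, so the specific
# stanza has to come before the catch-all "Host *".

Host warp.zeuthen.desy.de transfer.zeuthen.desy.de
    # Authenticate with the Kerberos ticket instead of typing a password.
    GSSAPIAuthentication yes
    # Forward (delegate) the ticket so the remote session has Kerberos
    # credentials of its own.
    GSSAPIDelegateCredentials yes
    # Key authentication is not accepted from the Internet, so do not offer keys.
    PubkeyAuthentication no
    # Try GSSAPI first; fall back to a password prompt if no valid ticket exists.
    PreferredAuthentications gssapi-with-mic,keyboard-interactive,password

Host *
    # Delegation hands a usable copy of the ticket to the remote host, so keep
    # it off for every host that is not listed explicitly above.
    GSSAPIDelegateCredentials no
```

`ssh -K warp.zeuthen.desy.de` has the same effect for a single connection without editing the configuration file. `ssh -G warp.zeuthen.desy.de` prints the options that will actually be used, which shows whether the stanza took effect.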

Helpful links

Web based Client

This service is offered only for cases where you cannot use a local client. Be aware that the terminal emulation is limited, so special character support, ESC sequences and menu-driven software may not work as expected. The link will open a new browser window. You get a terminal session on the pal cluster in DESY Hamburg.

Remote Login Service (last edited 2019-09-09 15:56:57 by StephanWiesand)