// Bastion Host

Most of the NCCS systems are accessed via an intermediary "Bastion" host referred to as login.nccs.nasa.gov. When using the Bastion Service you may be prompted to verify an SSH fingerprint. Make sure that the fingerprint presented matches one of the fingerprints listed for the system you are accessing.
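The fingerprint check described above, as an added example (not NCCS code): it derives the SHA256 fingerprint that OpenSSH displays from a host key line in the "host keytype base64" format printed by ssh-keyscan, and compares it with a published set. The key is constructed for illustration and is not a real NCCS host key; the function names are hypothetical.

```python
import base64
import hashlib
import struct

def fingerprint(key_line):
    """OpenSSH-style SHA256 fingerprint of a 'host keytype base64' line."""
    fields = key_line.split()
    if len(fields) < 3:
        raise ValueError("expected: host keytype base64-key")
    key_type = fields[1]
    blob = base64.b64decode(fields[2], validate=True)
    # The blob begins with a length-prefixed copy of the key type; a
    # mismatch means the line was truncated or edited.
    if len(blob) < 4:
        raise ValueError("truncated key blob")
    (n,) = struct.unpack_from(">I", blob)
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    # OpenSSH prints unpadded base64 after the "SHA256:" prefix.
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_keyscan(scan_output, published):
    """Map each key type in the scan to (fingerprint, is_published)."""
    result = {}
    for line in scan_output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # skip banner comments
            continue
        fp = fingerprint(line)
        result[line.split()[1]] = (fp, fp in published)
    return result

def wire(data):
    """Encode bytes as an SSH wire-format string."""
    return struct.pack(">I", len(data)) + data

# Constructed sample key: NOT a real NCCS host key.
SAMPLE_BLOB = wire(b"ssh-ed25519") + wire(bytes(range(32)))
SAMPLE_LINE = "login.nccs.nasa.gov ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()
SAMPLE_SCAN = "# login.nccs.nasa.gov:22 SSH-2.0-OpenSSH (constructed)\n" + SAMPLE_LINE + "\n"

if __name__ == "__main__":
    published = {fingerprint(SAMPLE_LINE)}  # stands in for the published list
    for key_type, (fp, ok) in check_keyscan(SAMPLE_SCAN, published).items():
        print(key_type, fp, "MATCH" if ok else "MISMATCH: do not connect")
```

In real use the published set is copied from the NCCS fingerprint listing, never derived from the key being checked.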

NOTICE: NCCS login servers were changed, please update your client software.

| SYSTEM | LOGIN COMMAND | HOSTNAME |
| --- | --- | --- |
| ADAPT | ssh <USERID>@login.nccs.nasa.gov | adapt |
| Dataportal | ssh <USERID>@login.nccs.nasa.gov | dataportal |
| Dirac (Storage) | ssh <USERID>@login.nccs.nasa.gov | dirac |
| Discover | ssh <USERID>@login.nccs.nasa.gov | discover |
| Discover – NASTRAN Project | ssh <USERID>@login.nccs.nasa.gov | discover-nastran |

// Modes of Operation

There are three modes of operation for the Bastion Service – Login, Direct, and PIV SSH.

Login Mode: This mode is the simplest and allows users to establish an interactive login session on the NCCS System they wish to access.

Direct Mode: This mode requires more configuration, yet allows streamlined login into NCCS systems, and facilitates file transfer into NCCS resources using SCP, RSYNC, or SFTP from a remote workstation like a desktop.

PIV SSH: Logging in with PIV SSH requires a PIV card reader and card.

LOGIN MODE INSTRUCTIONS

From your workstation or a resource outside the NCCS environment, access NCCS systems using:

$ ssh <USERID>@login.nccs.nasa.gov

where <USERID> is your NCCS User ID. Adding the -XY option enables trusted X11 forwarding, which is a secure way of running X applications via ssh and displaying them on your local machine. Windows PuTTY users should choose SSH protocol 2 and enable X11 forwarding in their configuration.

Once you are connected, you will be asked to authenticate your access using RSA SecurID authentication (i.e., a hardware or software token). You will see the following prompts:

PASSCODE: Enter your hardware or software token code here.
host: discover
password: YOUR NCCS PASSWORD

DIRECT MODE INSTRUCTIONS

Only command line users will need to set up the Bastion Service Direct Mode for streamlined login or file transfer. The Direct Mode is authorized for use on the following systems:

  • ADAPT
  • Dirac (if you have Dirac access)
  • Discover
  • Discover-Nastran
  • DataPortal

Create or modify the $HOME/.ssh/config file on the system from which you will be accessing your NCCS userid, as outlined in the code block below. (This would be your own local Linux/macOS workstation, not the $HOME/.ssh/config file on an NCCS system.)

host adapt.nccs.nasa.gov discover.nccs.nasa.gov discover-nastran.nccs.nasa.gov dirac.nccs.nasa.gov dataportal.nccs.nasa.gov
    User <USERID>
    LogLevel Quiet
    ProxyCommand ssh -l <USERID> login.nccs.nasa.gov direct %h
    Protocol 2

Note: Substitute <USERID> with your NCCS userid. In the host line, you may leave out any host to which you do not have access.

Once you create the "config" file, make sure the permissions on the $HOME/.ssh directory make it inaccessible to anyone except you, i.e., $ chmod 0700 $HOME/.ssh

Now you will be able to SSH or SCP to any of the hostnames following "host" in the above $HOME/.ssh/config file, for example: $ ssh -Y <USERID>@discover.nccs.nasa.gov

Ensure that for the PASSCODE prompt you enter a freshly generated RSA token code, i.e., one that has at least a couple of bars of life left.
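A check for the Direct Mode setup above, as an added example (not NCCS code): it reports an SSH directory that is accessible to group or others, a config file that others can write, and a ProxyCommand that does not match the "login.nccs.nasa.gov direct %h" form. The function names, the user ID "jdoe" and the sample config are constructed for illustration; it assumes a Linux/macOS workstation.

```python
import os
import re
import shlex
import tempfile

BASTION = "login.nccs.nasa.gov"

def audit_ssh_dir(ssh_dir):
    """Return findings for directory/config modes and bastion ProxyCommands."""
    findings = []
    mode = os.stat(ssh_dir).st_mode & 0o777
    if mode & 0o077:  # any group/other permission bit
        findings.append(f"directory mode is {mode:04o}, expected 0700")
    config = os.path.join(ssh_dir, "config")
    if os.stat(config).st_mode & 0o022:
        findings.append("config is writable by group or others")
    with open(config) as fh:
        for lineno, raw in enumerate(fh, 1):
            m = re.match(r"\s*proxycommand(?:\s*=\s*|\s+)(.+)", raw, re.I)
            if m and BASTION in m.group(1):
                tokens = shlex.split(m.group(1))
                if not any(t == BASTION or t.endswith("@" + BASTION) for t in tokens):
                    findings.append(f"line {lineno}: bastion name fused to another token")
                elif tokens[-2:] != ["direct", "%h"]:
                    findings.append(f"line {lineno}: command does not end in 'direct %h'")
    return findings

# Constructed config ("jdoe" is a placeholder); line 6 lacks a space before the bastion name.
SAMPLE_CONFIG = """\
Host discover.nccs.nasa.gov
    User jdoe
    ProxyCommand ssh -l jdoe login.nccs.nasa.gov direct %h
Host adapt.nccs.nasa.gov
    User jdoe
    ProxyCommand ssh -l jdoelogin.nccs.nasa.gov direct %h
"""

def demo(dir_mode=0o755):
    """Write SAMPLE_CONFIG into a scratch directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        config = os.path.join(tmp, "config")
        with open(config, "w") as fh:
            fh.write(SAMPLE_CONFIG)
        os.chmod(config, 0o600)
        os.chmod(tmp, dir_mode)
        return audit_ssh_dir(tmp)

if __name__ == "__main__":
    print("\n".join(demo()))
```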

PIV SSH INSTRUCTIONS

General Requirements: PIV card reader and PIV card. See below for instructions covering each type of operating system.

Linux
  • Install an appropriate library to support PIV cards, such as opensc-pkcs11, on your system.
  • Modern versions of OpenSSH are compliant.
  • Add the following to ~/.ssh/config. Note that the path to the PKCS11 library may vary between Linux distributions.
    Host login.nccs.nasa.gov login
        PKCS11Provider=/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so
Mac
  • Add the following to ~/.ssh/config:
    Host login.nccs.nasa.gov login
        PKCS11Provider=/usr/lib/ssh-keychain.dylib
  • If the ssh-keychain.dylib file does not exist, please contact your client-side system admin to install the file.
Windows via PowerShell or Command Prompt
  • Add the following to %USERPROFILE%/.ssh/config:
    Host *
        PKCS11Provider="C:\Program Files\HID Global\ActivClient\acpkcs211.dll"
        User <USERID>
Windows via PuTTY and/or WinSCP
  • See the PowerPoint slides below the video on this page for PIV setup with WinSCP.
  • PuTTY-CAC is required. If you have a NASA provided laptop, search for "Software Center" and install PuTTY-CAC.
  • To configure PuTTY-CAC, open PuTTY, then:
    • In the PuTTY Configuration window, there will be an expandable menu of categories on the left-hand side. Expand the Connection category, and then expand the SSH category. Under SSH, click the item called "Certificate".
    • Check the box for "Attempt Certificate authentication." In the Authentication Parameters section, click "Set CAPI Cert..."
    • This will list the certificates on the card. Select the one you would like to use and ensure the certificate has your name and is not expired.
    • In the left-hand menu, click the Session category. Enter the Host Name as either "login.nccs.nasa.gov" or "adapt.nccs.nasa.gov" and set the connection type to SSH.
    • Name and save your PuTTY session (e.g., Smartcard Auth) so these configurations can be loaded again, then try to connect.
Pageant Configuration

PuTTY, WinSCP and the native Windows OpenSSH client can all be configured to use Pageant. The NASA EUSO/WCS configuration comes with ActivClient installed, but we have found that using the PKCS11Provider from ActivClient sometimes does not function, and it is simply easier to configure all of the SSH applications to use PuTTY-CAC's Pageant.

First configure Pageant to start automatically when you log in, using a batch script.

pagent_openssh.bat:
powershell -Command "& 'C:\Program Files\PuTTY\pageant.exe' --openssh-config c:\Users\<USERID>\.ssh\pagent.conf"

You will need to modify the path to point to your own home directory so that pagent.conf is placed in your own .ssh directory.

You can then add this batch script (pagent_openssh.bat) to the Windows startup folder: press Windows Key+R, run "shell:startup", and place a copy or shortcut in the folder that opens. Items in this folder are called at Windows login, which ensures that Pageant is started with the pagent.conf file in the correct location.

Native OpenSSH Configuration

Using the documentation we provide on the NCCS website, the native Windows OpenSSH client can be configured to use both the ProxyCommand and the above pagent.conf.

Example NCCS OpenSSH .ssh/config:
# assuming pagent.conf is placed under C:\Users\<USERID>\.ssh\
Include pagent.conf

# modify all usernames to be your own
Host *
    PKCS11Provider="C:\Program Files\HID Global\ActivClient\acpkcs211.dll"
    IdentitiesOnly yes

Host adapt adapt.nccs.nasa.gov discover discover.nccs.nasa.gov
    User <USERID>
    ForwardX11 yes
    ProxyCommand ssh -l <USERID> login.nccs.nasa.gov direct %h

Host login.nccs.nasa.gov
    PKCS11Provider="C:\Program Files\HID Global\ActivClient\acpkcs211.dll"
    User <USERID>
    IdentitiesOnly yes

To test, use "ssh -vvv" and check the output to see that Pageant is being referenced. You might need to explicitly load your CAPI cert with your PIV card inserted (please see other troubleshooting references for working with PIV cards).

PuTTY Configuration for NCCS Bastion "direct" mode

Users of OpenSSH have been able for some time to connect directly into Discover or ADAPT by use of the ProxyCommand.

Similarly, it is possible to configure PuTTY to use plink.exe (included with PuTTY) to jump through an intermediate node (in this case login.nccs.nasa.gov). This is done via the "Proxy" tab in the configuration:

Load the configuration (or start a new one) and click on the "Proxy" Category in the left hand panel:

The Proxy Type should be set to "Local", Proxy Hostname: "login.nccs.nasa.gov" Port: "22" Username: <USERID>

The "Command to send to proxy" should follow the format below.

PuTTY ProxyCommand example:
plink.exe %user@%proxyhost direct %host

The %user, %proxyhost and %host values are all filled in from the respective input boxes within the configuration for the PuTTY session.