// Bastion Host

Most of the NCCS systems are accessed via an intermediary "Bastion" host referred to as login.nccs.nasa.gov. When using the Bastion Service you may be prompted to verify an SSH fingerprint. Make sure that the fingerprint presented matches one of the fingerprints listed for the system you are accessing.
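How the fingerprint comparison works, as an added example (not NCCS code): it computes the SHA256 fingerprint the way OpenSSH displays it and checks it against a published set. The host name bastion.example and both keys are constructed sample data, not real NCCS host keys.

```python
import base64
import hashlib
import struct

def parse_key_line(line):
    """Find the OpenSSH public key in a .pub or ssh-keyscan line: (type, blob)."""
    fields = line.split()
    for key_type, b64 in zip(fields, fields[1:]):
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if len(blob) < 4:
            continue
        # The key blob starts with a length-prefixed copy of the key type.
        (n,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + n] == key_type.encode():
            return key_type, blob
    raise ValueError("no OpenSSH public key found")

def sha256_fingerprint(blob):
    """Fingerprint as ssh prints it: 'SHA256:' + unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_key_is_published(line, published):
    """True only if the key's fingerprint is in the published set."""
    _, blob = parse_key_line(line)
    return sha256_fingerprint(blob) in published

def constructed_line(host, raw32):
    """Build a made-up ssh-ed25519 line for the demo (not a real host key)."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + raw32
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"

# Constructed sample data: one key on the "published" list and one that is not.
GOOD_LINE = constructed_line("bastion.example", bytes(range(32)))
OTHER_LINE = constructed_line("bastion.example", bytes(range(1, 33)))
PUBLISHED = {sha256_fingerprint(parse_key_line(GOOD_LINE)[1])}

if __name__ == "__main__":
    for label, line in (("listed key", GOOD_LINE), ("unlisted key", OTHER_LINE)):
        fp = sha256_fingerprint(parse_key_line(line)[1])
        ok = host_key_is_published(line, PUBLISHED)
        print(f"{label}: {fp} -> {'match' if ok else 'MISMATCH, do not connect'}")
```
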

NOTICE: NCCS login servers were changed, please update your client software.

SYSTEM                       LOGIN COMMAND                        HOSTNAME
ADAPT                        ssh <USERID>@login.nccs.nasa.gov     adapt
Dataportal                   ssh <USERID>@login.nccs.nasa.gov     dataportal
Dirac (Storage)              ssh <USERID>@login.nccs.nasa.gov     dirac
Discover                     ssh <USERID>@login.nccs.nasa.gov     discover
Discover – NASTRAN Project   ssh <USERID>@login.nccs.nasa.gov     discover-nastran

// Modes of Operation

There are three modes of operation for the Bastion Service – Login, Direct, and PIV SSH.

Login Mode: This mode is the simplest and allows users to establish an interactive login session on the NCCS System they wish to access.

Direct Mode: This mode requires more configuration, yet allows streamlined login into NCCS systems, and facilitates file transfer into NCCS resources using SCP, RSYNC, or SFTP from a remote workstation like a desktop.

PIV SSH: Logging in with PIV SSH requires a PIV card reader and card.

LOGIN MODE INSTRUCTIONS

From your workstation or a resource outside the NCCS environment, access NCCS systems using:

$ ssh <USERID>@login.nccs.nasa.gov

where <USERID> is your NCCS User ID. Using the -XY option allows for trusted X11 forwarding, which is a secure way of running X applications via ssh to your local machine. For Windows PuTTY users, make sure you choose SSH protocol 2 and enable X11 forwarding in your configuration.

Once you are connected, you will be asked to authenticate your access using RSA SecurID authentication (i.e., hardware or software token). The prompts are:

PASSCODE: Enter your hardware or software token code here.
host: discover
password: YOUR NCCS PASSWORD

DIRECT MODE INSTRUCTIONS

Only command line users will need to set up the Bastion Service Direct Mode for streamlined login or file transfer. The Direct Mode is authorized for use on the following systems:

  • ADAPT
  • Dirac (if you have Dirac access)
  • Discover
  • Discover-Nastran
  • DataPortal

Create or modify the $HOME/.ssh/config file on the system from which you will be accessing your NCCS userid, as outlined in the code block below. (This would be your own local Linux/macOS workstation, not the $HOME/.ssh/config file on an NCCS system.)

host adapt.nccs.nasa.gov discover.nccs.nasa.gov discover-nastran.nccs.nasa.gov dirac.nccs.nasa.gov dataportal.nccs.nasa.gov
    User <USERID>
    LogLevel Quiet
    ProxyCommand ssh -l <USERID> login.nccs.nasa.gov direct %h
    Protocol 2

Note: Substitute <USERID> with your NCCS userid. In the host line, you may leave out any host to which you do not have access.

Once you create the "config" file, make sure the permissions on the $HOME/.ssh directory make it inaccessible to anyone except you, i.e., $ chmod 0700 $HOME/.ssh

Now you will be able to SSH or SCP to any of the hostnames following "host" in the above $HOME/.ssh/config file, for example: $ ssh -XY <USERID>@discover.nccs.nasa.gov

Ensure that for the PASSCODE prompt you enter a freshly generated RSA token code, i.e., one that has at least a couple of bars of life left.
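A local check for the Direct Mode setup, as an added example (not NCCS code): it reports group/other access on the .ssh directory, a config file writable by group/other (which OpenSSH rejects), and lists which Host patterns are routed through the Bastion. The user "jdoe", the host other.example and the function names are assumptions for illustration.

```python
import os
import re
import stat

BASTION_PROXY = "login.nccs.nasa.gov direct %h"  # tail of the page's ProxyCommand

def permission_findings(ssh_dir):
    """Return problems with ssh_dir and ssh_dir/config; an empty list means OK."""
    findings = []
    mode = stat.S_IMODE(os.stat(ssh_dir).st_mode)
    if mode & 0o077:  # any group/other bit set
        findings.append(f"{ssh_dir} is {mode:04o}; expected 0700")
    config = os.path.join(ssh_dir, "config")
    if os.path.exists(config):
        cmode = stat.S_IMODE(os.stat(config).st_mode)
        if cmode & 0o022:  # OpenSSH refuses a config writable by group/other
            findings.append(f"{config} is {cmode:04o}; remove group/other write")
    return findings

def direct_mode_hosts(config_text):
    """Return Host patterns whose stanza proxies through the Bastion in direct mode."""
    routed, current = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(.*)", line)  # "Key value" or "Key=value"
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "host":
            current = value.split()
        elif keyword == "proxycommand" and value.endswith(BASTION_PROXY):
            routed.extend(current)
    return routed

# Constructed sample: the page's stanza (shortened) with a hypothetical user "jdoe",
# plus an unrelated host that does not go through the Bastion.
SAMPLE_CONFIG = """\
host adapt.nccs.nasa.gov discover.nccs.nasa.gov
    User jdoe
    LogLevel Quiet
    ProxyCommand ssh -l jdoe login.nccs.nasa.gov direct %h
    Protocol 2

Host other.example
    User jdoe
"""

if __name__ == "__main__":
    print(direct_mode_hosts(SAMPLE_CONFIG))
    ssh_dir = os.path.expanduser("~/.ssh")
    if os.path.isdir(ssh_dir):
        print(permission_findings(ssh_dir) or "permissions OK")
```
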

PIV SSH INSTRUCTIONS

General Requirements: PIV card reader and PIV card. See below for instructions covering each type of operating system.

Linux
  • Install an appropriate library to support PIV cards, such as opensc-pkcs11, on your system.
  • Modern versions of OpenSSH are compliant.
  • Add the following to ~/.ssh/config. Note that the path to the PKCS11 library may vary between Linux distributions.
    Host login.nccs.nasa.gov login
        PKCS11Provider=/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so
Mac
  • Add the following to ~/.ssh/config:
    Host login.nccs.nasa.gov login
        PKCS11Provider=/usr/lib/ssh-keychain.dylib
  • If the ssh-keychain.dylib file does not exist, please contact your client-side system admin to install the file.
Windows via PowerShell or Command Prompt
  • Add the following to %USERPROFILE%/.ssh/config:
    Host *
        PKCS11Provider="C:\Program Files\HID Global\ActivClient\acpkcs211.dll"
        User <USERID>
Windows via PuTTY and/or WinSCP
  • See the PowerPoint slides below the video on this page for PIV setup with WinSCP.
  • PuTTY-CAC is required. If you have a NASA provided laptop, search for "Software Center" and install PuTTY-CAC.
  • To configure PuTTY-CAC, open PuTTY, then:
    • In the PuTTY Configuration window, there is an expandable menu of categories on the left-hand side. Expand the Connection category, and then expand the SSH category. Under SSH, click the item called "Certificate".
    • Check the box for "Attempt Certificate authentication." In the Authentication Parameters section, click "Set CAPI Cert..."
    • This will list the certificates on the card. Select the one you would like to use and ensure the certificate has your name and is not expired.
    • In the left-hand menu, click the Session category. Enter the Host Name as either "login.nccs.nasa.gov" or "adapt.nccs.nasa.gov" and set the connection type to SSH.
    • Name and save your PuTTY session (e.g., Smartcard Auth) so these configurations can be loaded again, then try to connect.