// Streamlining Connections


⚠️
Before you Begin: Make sure you have set up your NCCS LDAP Password and verified you can log in to login.nccs.nasa.gov before completing the steps on this page to streamline your connections to NCCS systems.

Direct SSH Configuration

Create or modify the ~/.ssh/config file on the system from which you will be accessing NCCS hosts with the following content:

host discover.nccs.nasa.gov adapt.nccs.nasa.gov discover-nastran.nccs.nasa.gov dataportal.nccs.nasa.gov dirac.nccs.nasa.gov
    User USERID
    LogLevel Quiet
    ProxyCommand ssh -l USERID login.nccs.nasa.gov direct %h
    Protocol 2

Substitute both instances of USERID with your NASA userid. You may omit any host you do not have access to.

Ensure permissions for the ~/.ssh directory are inaccessible by anyone except you:

$ chmod 0700 ~/.ssh

Now you will be able to SSH to any of the hosts in the above ~/.ssh/config file, for example:

$ ssh USERID@discover.nccs.nasa.gov
$ ssh USERID@adapt.nccs.nasa.gov

PIV Configuration

Install an appropriate library to support PIV cards, such as opensc-pkcs11, on your system:

Add the following to the ~/.ssh/config. Note, the path to the PKCS11 library for a Linux distribution may vary.

Host login.nccs.nasa.gov login
    PKCS11Provider=/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so

Direct SSH Configuration

Create or modify the ~/.ssh/config file on the system from which you will be accessing NCCS hosts with the following content:

host discover.nccs.nasa.gov adapt.nccs.nasa.gov discover-nastran.nccs.nasa.gov dataportal.nccs.nasa.gov dirac.nccs.nasa.gov
    User USERID
    LogLevel Quiet
    ProxyCommand ssh -l USERID login.nccs.nasa.gov direct %h
    Protocol 2

Substitute both instances of USERID with your NASA userid. You may omit any host you do not have access to.

Ensure permissions for the ~/.ssh directory are inaccessible by anyone except you:

$ chmod 0700 ~/.ssh

Now you will be able to SSH to any of the hosts in the above ~/.ssh/config file, for example:

$ ssh USERID@discover.nccs.nasa.gov
$ ssh USERID@adapt.nccs.nasa.gov

PIV Configuration

Add the following to the ~/.ssh/config:

Host login.nccs.nasa.gov login
   PKCS11Provider=/usr/lib/ssh-keychain.dylib

Contact your system administrator and ask them to install the ssh-keychain.dylib library if it does not exist.

Direct SSH Configuration

If you will use PowerShell to SSH, paste "%USERPROFILE%/.ssh/config" into File Explorer to open the config file and edit it with the content below.

However, we recommend a terminal manager like MobaXterm instead because it provides a configurable X11 server, and a Linux-like environment with built-in file transfer utilities (scp, rsync, sftp). You can download the Installer Edition here. Once it is installed, you simply need to open a terminal and modify the ~/.ssh/config with the following:

host discover.nccs.nasa.gov adapt.nccs.nasa.gov discover-nastran.nccs.nasa.gov dataportal.nccs.nasa.gov dirac.nccs.nasa.gov
    User USERID
    LogLevel Quiet
    ProxyCommand ssh -l USERID login.nccs.nasa.gov direct %h
    Protocol 2

Substitute both instances of USERID with your NASA userid. You may omit any host you do not have access to.

Ensure permissions for the ~/.ssh directory are inaccessible by anyone except you:

$ chmod 0700 ~/.ssh

Now you will be able to SSH to any of the hosts in the above ~/.ssh/config file, for example:

$ ssh USERID@discover.nccs.nasa.gov
$ ssh USERID@adapt.nccs.nasa.gov

PIV Configuration

Pageant (from PuTTY-CAC) SSH Agent Configuration


First, install PuTTY-CAC and launch Pageant:

  1. Search for "Software Center" on your laptop.
    1. In "Applications", install PuTTY-CAC if it is not already installed.
  2. Now search for "pageant" and open it.
    1. If you get a message that it is already running, that's great.
  3. In the bottom-right of the taskbar, click the up-carrot for hidden icons.
    1. Double-click the pageant icon to open the key list.
  4. Click "Add CAPI Cert".
    1. Select the certificate from your PIV card.
    2. Close the window after it is added.

Next, Pageant should be made to run on startup:

  1. Open File Explorer.
  2. Go to "C:\Program Files\PuTTY" and leave that window open.
  3. Press the Windows Key + R and type "shell:startup" to open the Startup folder.
  4. Right-click on the "Pageant" shortcut in the "C:\Program Files\PuTTY" window
    1. Click the Copy icon.
    2. Paste the shortcut into the Startup folder.

If you are using MobaXterm, no additional modification to the ~/.ssh/config file is needed.

If you are using PowerShell, you must also do the following:

  1. Press the Windows Key + R and type "shell:startup" to open the Startup folder.
  2. Create a new file called "pageant_openssh.bat"
    1. Add the following contents: powershell -Command "& 'C:\Program Files\PuTTY\pageant.exe' --openssh-config C:\Users\USERID\.ssh\pageant.conf"
    2. Replace USERID with your NASA userid.
  3. Open the %USERPROFILE%/.ssh/config file.
    1. Add this line to the top: Include pageant.conf

PuTTY with PuTTY-CAC Configuration

If you are limited to using PuTTY, do the following when adding a new connection:

  1. Expand the "Connection" category on the left-side of the PuTTY Configuration window.
    1. Expand the SSH category.
    2. Under SSH, click the item called "Certificate".
  2. Check the box for "Attempt certificate / key authentication."
  3. Click "Set CAPI Cert".
    1. Select the certificate from your PIV card.
  4. In the left-side menu, click the Session category.
  5. Enter the Host Name as "login.nccs.nasa.gov".
    1. Set the connection type to SSH.
  6. Name and save your PuTTY session (for example, "NCCS with PIV Auth") so you can load these configurations later.
  7. Test your connection.

ActivClient Configuration (Optional)

⚠️
Use this only if you MUST use PowerShell for SSH. On some Windows clients the ActivClient configuration may not work.

To set up the PKCS11 library from ActivClient, add the stanza below to your %USERPROFILE%/.ssh/config file:

Host *
   PKCS11Provider="C:\Program Files\HID Global\ActivClient\acpkcs211.dll"
   User USERID


SSH Between Discover Login Nodes

Users must set up an SSH key pair and put the public key in their Discover $HOME/.ssh/authorized_keys file to SSH between login nodes. Use the default name/file and the default of no passphrase:

$ ssh-keygen -t ecdsa
$ cat $HOME/.ssh/id_ecdsa.pub >> $HOME/.ssh/authorized_keys

This setup only needs to be done once, though keys can be replaced or others can be added. Just make sure the .pub key is added to the authorized_keys file.