Last update: 10/05/2005
This document describes how to communicate with the SCD compute servers that are inside the UCAR security perimeters. These systems can no longer be accessed via Telnet from outside the security perimeters. You must now use a Secure SHell (SSH) to access protected systems.
In addition, one-time passwords are required for access to the supercomputers and some divisional servers. By end of calendar year 2005, external access through the UCAR security perimeter shall be via one-time passwords only. (The UCAR security perimeter is maintained by gate.ucar.edu, roy.ucar.edu, and VPN - Virtual Private Network.) This security measure will include all VPN access as well as certain internal web pages.
One-time passwords for protected systems are issued by single-user hardware devices named "CRYPTOCards." The protected system issues a challenge, and users access the CRYPTOCard to obtain the response.
Increasing attempts to gain unauthorized access to UCAR computing systems put researchers' work at risk and became an unacceptable drain on system administration resources. The greatest risk for breakins is valid usernames and passwords that are intercepted during transmission, then used to create an authenticated connection to a system within the security perimeters.
The best way to minimize this vulnerability is to encrypt all transmissions of usernames and passwords from external systems, so a cleartext password ban has been implemented. You are affected by this change if you log in to a UCAR computer, or if you do not use one of the following secure methods to transfer files. Note that this change has no impact on access to websites at UCAR, NCAR, or SCD.
You have several options for accessing protected UCAR computers. You can use:
- Secure SHell (SSH) for direct access
- Secure FTP via SSH through the gateway
- Dialup to the Remote Access Server (RAS)
This document describes these methods.
SSH - Secure SHell
SSH encrypts transmissions between remote computers and secure computers. SCD has installed SSH on all its systems. Use SSH for local and remote access to all SCD systems.
To use SSH for remote computing on secure UCAR systems, you must have SSH software on your local computer. Your SSH client must be compatible with the SSH software on UCAR systems. The SCD document How to Use Secure SHell (SSH): End-to-End Encryption to Access SCD Supercomputers provides instructions for obtaining a compatible SSH client for your local computer if you do not already have it. If you need to use SSH, you should read the entire document and follow its recommendations.
SCD also provides instructions for using SSH at NCAR: Getting started with SSH at NCAR. A good introductory document about using SSH has been published on the web by Kimmo Suominen: Getting started with SSH.
When you are familiar with SSH and have a client installed on your local computer, you will be able to SSH and/or scp to all of the SCD servers.
Interactive access to each server requires secure shell (SSH). These servers include supercomputing systems, data analysis and visualization systems, and system and application testing systems. You can log in using SSH both inside and outside the security perimeters.
File transfers to and from remote systems can be performed with either SSH or the secure FTP gateway.
These requirements are documented in: Security requirements, SSH, secure FTP.
You can use several methods to access the NCAR supercomputing facility from your workstation. This section provides information about each method.
This section does not provide instructions for accessing the supercomputers. Logging on to any of the supercomputers requires a CRYPTOCard. See Procedure for logging on to NCAR supercomputers using your CRYPTOCard.
Access via the internet using SSH
To access any SCD system via the internet, you must use SSH as documented above.
Access via phone lines - dialup to the RAS
You can access systems inside the UCAR security perimeters using a modem on your local computer to dial in to the Remote Access Server (RAS) at NCAR. When you do this, you are using NCAR as your Internet Service Provider (ISP).
When you are connected to the RAS, you are inside the UCAR security perimeters. You can obtain an account on the RAS by contacting CISL Customer Support at 303-497-1200 or sending a request to https://cislcustomersupport.ucar.edu/evj/ExtraView
The user document Remote Access Services provides the information you need to use this service.
Access via the proxy gateway
Access to some NCAR computers inside the UCAR security perimeter must be done by connecting to the gateway system gate.ucar.edu. This system requires a one-time password to log in.
Follow the login instructions at Procedure to access systems inside the UCAR security perimeter using your CRYPTOCard.
By end of calendar year 2005, all external access to systems inside the UCAR security perimeter will be via one-time passwords only.
None of the servers inside the UCAR security perimeters support Telnet. Use SSH to access both local and remote systems.
You can interactively access your account on any SCD supercomputer using SSH. Note that interactive sessions on the supercomputers are limited to 30 minutes.
Logging on to any of the supercomputers requires a CRYPTOCard. See Procedure for logging on to NCAR supercomputers using your CRYPTOCard.
Unlike the compute servers, the data analysis and visualization systems are provided for you to conduct extended periods of interactive computing. These systems are intended for you to obtain, examine, and edit data, and they do not have interactive usage limits.
Logging on to the data analysis and visualization systems requires a CRYPTOCard. See Procedure for logging on to NCAR supercomputers using your CRYPTOCard.
The NCAR Mass Storage System is not directly accessible. Methods for transferring and maintaining MSS files are described in Introduction to NCAR's Mass Storage System.
Overview of computing at NCAR - Table of contents
If you have questions about this document, please contact SCD Customer Support. You can also reach us by telephone 24 hours a day, seven days a week at 303-497-1278. Additional contact methods: consult1@ucar.edu and during business hours in NCAR Mesa Lab Suite 39.
© Copyright 2002-2005. University Corporation for Atmospheric Research (UCAR). All Rights Reserved.
Address of this page: http://www.scd.ucar.edu/docs/access/access.html