ARSC system news for bigdipper


"LDAP Passwords" on bigdipper

Last Updated: Mon, 20 May 2013
Machines: linuxws pacman bigdipper fish
    
How to update your LDAP password 
========================================

Logins to ARSC systems authenticate with University of Alaska (UA) 
passwords, which are checked over the LDAP protocol against the 
University's Enterprise Directory.  Because of this, users must
change their passwords using the UA Enterprise tools.

If you see the following message while logging into ARSC systems,
please change your password on https://elmo.alaska.edu:

  Password: 
  Your are required to change your LDAP password immediately.
  Enter login(LDAP) password:

Attempts to change your password on ARSC systems will fail.

Please contact the ARSC Help Desk if you are unable to log into
https://elmo.alaska.edu to change your login password.

  

"pubkeys" on bigdipper

Last Updated: Fri, 11 Jun 2010
Machines: bigdipper

Setting Up SSH Public Key Authentication On Linux/UNIX Systems
==============================================================

SSH public key authentication is available on ARSC Academic systems 
as an alternative to SecurID authentication.  This method of authentication 
allows you to log into ARSC Academic systems (e.g. pacman, midnight,
bigdipper) using an SSH key pair protected by a password, removing the 
need for a hardware authentication mechanism.  The following guide 
describes the procedure for enabling SSH public key authentication for 
your bigdipper account.

Linux and Mac Systems Instructions
==================================

Step #1 - Generate an SSH Key Pair on Your Local System

Note: If you have existing SSH keys on your system, you may want to back 
them up before generating a new key pair.

The SSH installation on your local system should have come with an 
executable named "ssh-keygen".  Use this command to generate an SSH 
public/private key pair:

  $ ssh-keygen

This program will prompt you for the location to save the key.  The rest 
of this guide will assume you chose the default location, 
$HOME/.ssh/id_rsa.

You will then be prompted to enter a password.  Please choose a long 
password with multiple character classes (e.g., lowercase letters, 
uppercase letters, numbers, and/or symbols).  After you set your password, 
the program will write two files to the location you specified:

  Private Key: $HOME/.ssh/id_rsa
  Public Key: $HOME/.ssh/id_rsa.pub

Do not share your private key.  Take precautions to make sure others 
cannot access your private key.

Step #2 - Transfer Your Public Key to Bigdipper

ARSC has developed a tool, "ssh-keymanage", to help you comply with our 
security policies while adding your SSH public keys to bigdipper.  When a 
public key is added to your account on bigdipper, it must be associated with 
a particular system that is allowed to authenticate with that key.  This 
is accomplished via SSH's "from=" clause, which is tied to a public key 
when it is inserted into SSH's authorized_keys file.

The basic usage for adding a public key to bigdipper with the ssh-keymanage 
tool is:

  ssh-keymanage --add <keyfile> --host <hostname>

This usage assumes that you have already transferred the public key you 
generated in Step #1 to bigdipper.  You will also need to know your local 
system's full hostname (e.g., "sysname.uaf.edu").

Step #3 - Enable SSH Public Key Authentication on Your Local System

Pacman is already configured to allow SSH public key authentication on the 
server side, but you will need to make sure the SSH client on your local 
machine is configured to allow SSH public key authentication.  There are 
several ways to do this, including:

a) Adding an option to your SSH command when you connect to bigdipper:

     ssh -o PubkeyAuthentication=yes username@bigdipper.arsc.edu

b) Adding the following to your $HOME/.ssh/config file as a long-term 
   solution:

     Host bigdipper
     PubkeyAuthentication yes
     Hostname bigdipper.arsc.edu

Windows Instructions
====================

Step #1 - Generate an SSH Key Pair on Your Local System

Note: If you have existing SSH keys on your system, you may want to back 
them up before generating a new key pair.

You will need to use PuTTY's "puttygen.exe" program to generate a key 
pair.  If you installed the HPCMP Kerberos Kit in the default location, 
you can run this program by clicking Start -> Run and entering the 
following into the "Open" text box:

  "C:\Program Files\HPCMP Kerberos\puttygen.exe"

Next, click the "Generate" button in this program.  This will prompt you 
to move the mouse around to generate randomness to create a unique key 
pair.  This may take you a few minutes.  Once this process is complete, 
you will be shown the public key for your SSH key pair.

Please enter a password for your key pair by filling out both the "Key 
passphrase" and "Confirm passphrase" text boxes.  Choose a long password 
with multiple character classes (e.g., lowercase letters, uppercase 
letters, numbers, and/or symbols).

Then, click the "Save private key" button.  You are free to choose the 
file name and location of the private key.  This guide will assume you 
saved the private key as "private.ppk" in your "My Documents" folder.  Do 
not share your private key.  Take precautions to make sure others cannot 
access your private key.  Proceed to Step #2, but do not close the "PuTTY 
Key Generator" yet.

Step #2 - Transfer Your Public Key to Bigdipper

Log into bigdipper with your SecurID card and open your favorite text 
editor.  Copy the text in the "Public key for pasting into OpenSSH 
authorized_keys file" text area on the "PuTTY Key Generator" window.  
Paste this text into the text editor on pacman and save this to a 
temporary file.  This guide will assume you named the file "pubkey".

ARSC has developed a tool, "ssh-keymanage", to help you comply with our 
security policies while adding your SSH public keys to bigdipper.  When a 
public key is added to your account on bigdipper, it must be associated with 
a particular system that is allowed to authenticate with that key.  This 
is accomplished via SSH's "from=" clause, which is tied to a public key 
when it is inserted into SSH's authorized_keys file.

The basic usage for adding a public key to bigdipper with the ssh-keymanage 
tool is:

  ssh-keymanage --add <keyfile> --host <hostname>

You will need to know your local system's full hostname (e.g., 
"sysname.uaf.edu").  For example:

  ssh-keymanage --add pubkey --host sysname.uaf.edu

This command will report whether the key was successfully added.  Once the 
public key has been added, type "exit" to close PuTTY.
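
The "from=" restriction described in Step #2 (in both the Linux/Mac and 
Windows instructions) can be checked after the fact.  The following is an 
added example, not part of ssh-keymanage or the original guide: a shell 
function that reports which entries in an authorized_keys file are tied to 
a host.  The function name, the sample entries and the status labels are 
assumptions made for illustration.

```shell
#!/bin/sh
# audit_from FILE
# Prints one line per key entry: <line number> TAB <status> TAB <from pattern>
#   OK       - entry is tied to a specific host by from="..."
#   WILDCARD - from= is present but its pattern contains * or ?
#   MISSING  - no from= option, so the key is accepted from any host
audit_from() {
    awk '
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    {
        line = $0; sub(/^[ \t]+/, "", line)
        found = 0; from = "-"
        # Entries without options start with the key type; otherwise the
        # options run up to the first whitespace outside double quotes.
        if (line !~ /^(ssh-|ecdsa-|sk-)/) {
            inq = 0; start = 1; n = length(line)
            for (i = 1; i <= n + 1; i++) {
                c = substr(line, i, 1)
                if (inq && c == "\\") { i++; continue }   # skip escaped char
                if (c == "\"") { inq = !inq; continue }
                if (!inq && (c == "," || c == " " || c == "\t" || i > n)) {
                    opt = substr(line, start, i - start)
                    if (tolower(opt) ~ /^from="/) {
                        found = 1
                        from = substr(opt, 7, length(opt) - 7)
                    }
                    start = i + 1
                    if (c != ",") break
                }
            }
        }
        status = "MISSING"
        if (found) status = (from ~ /[*?]/) ? "WILDCARD" : "OK"
        printf "%d\t%s\t%s\n", NR, status, from
    }' "$1"
}

# Constructed sample entries; the key material is placeholder text.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample authorized_keys
from="sysname.uaf.edu" ssh-rsa AAAAconstructedkey1 user@sysname
ssh-rsa AAAAconstructedkey2 user@laptop
command="echo from=x, hi",from="*.uaf.edu" ssh-rsa AAAAconstructedkey3 user@lab
EOF
audit_from "$sample"
rm -f "$sample"
```

To audit a real account, pass the path of its authorized_keys file; 
$HOME/.ssh/authorized_keys is the OpenSSH default and is assumed here, 
since the guide does not state where bigdipper keeps the file.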

Step #3 - Add Your Private Key to PuTTY

Launch PuTTY again.  Click the + sign next to "SSH", under the 
"Connection" category.  Click the "Auth" section under the SSH 
subcategory.  Click the "Browse..." button under "Private key file for 
authentication" and select your private key file, "private.ppk".  Go back 
to the "Session" category and enter bigdipper.arsc.edu under "Host Name".

If you do not want to select your private key file every time you run 
PuTTY, you may wish to save your session settings by entering a name under 
"Saved Sessions" (e.g., "Bigdipper (pubkey auth)") and clicking "Save".  
The next time you run PuTTY, you can reload these settings by selecting 
your saved session and clicking "Load".

Finally, click "Open".  Instead of being prompted for a SecurID passcode, 
you should be prompted for the password you set on your key pair in 
Step #1.  Enter your key pair password.  You should now be logged into 
bigdipper.

