In order to meet updated security requirements, the interactive nodes (ifarm
/qcdi
) now sit behind 2-factor login nodes. The login nodes can be reached from on- and off-site. This model is similar to existing workflows used by acclogin.jlab.org
and hallgw.jlab.org
. Current login nodes are
scilogin.jlab.org.
,acclogin.jlab.org.
, andhallgw.jlab.org.
.NOTE: direct connections to ifarm
/qcdi
nodes are expected to be BLOCKED from all user VLANs. Connections must be made directly from a 2-factor login node. Actions like ssh hallgw
=> mydesktop
=> ifarm
will NOT be allowed, as opposed to
ssh hallgw
=> ifarm
(ALLOWED) andssh hallgw
=> mydesktop
=> scilogin
=> ifarm
(ALLOWED).See article on configuring ProxyJump in your .ssh/config
to streamline this workflow.
QCD Users: references to ifarm
/Farm within the article should be treated as examples. Substitute your specific qcdi
hostname as appropriate.
Please ensure all prerequisites in the list above have been met. Then, to access the Farm using SSH you can
ssh <user>@scilogin.jlab.org
Password: <PIN followed by token, no spaces>
ssh ifarm
Password: <CUE password>
Alternatively, one can use the ProxyJump
directive (-J
). Just remember the first login is 2-factor and the second is CUE password, and that mistyped credentials can result in additional, confusingly-unlabled password prompts, depending on your OpenSSH version.
ssh -J <user>@scilogin.jlab.org <user>@ifarm
Password: <PIN followed by token, no spaces>
Password: <CUE password>
See below if your version of OpenSSH does not support -J
. The second authentication can also be via SSH key instead of CUE password, to your personal account or group account, but the first authentication must be two-factor and using your personal account.
To run an X client application, you may need to specify the appropriate flag (if X-forwarding isn't configured in the SSH system or user client configuration). For example,
ssh -X -J <user>@scilogin.jlab.org <user>@ifarm
An easy test to make sure it's working is to try running xclock
:
xclock
If it's working, you will see the xclock
graphical clock open on your local display. If not, retry swapping -X
with the -Y
flag. See below if your version of OpenSSH does not support -J
.
Files can be transferred with scp
, sftp
, or rsync
. For simplicity, we'll show scp
using ProxyJump (-J
):
scp -J <user>@scilogin.jlab.org file_to_upload <user>@ifarm:/dest/path/
scilogin's Password: <PIN+token, no spaces or +>
ifarm's Password: <CUE password>
scp -J <user>@scilogin.jlab.org <user>@ifarm:/file/to/download ./
scilogin's Password: <PIN+token, no spaces or +>
ifarm's Password: <CUE password>
Use -r
to copy whole directories. Note that if you try to scp
, sftp
, rsync
, or otherwise transfer files to and from scilogin
directly, you will not have access to the same filesystems that are available on ifarm
or qcdi
. See below if your version of OpenSSH does not support -J
.
Instead of using -J
in the above commands or figuring out the ssh options to pass rsync, refer to our article on configuring ProxyJump. It tries to include many possible cases, but should be fairly easy to copy/paste.
After that, your individual commands will be greatly simplified. Examples:
ssh ifarm
scp testfile ifarm:/dest/path/
rsync testdir ifarm:/dest/path/
To simplify things, you can bypass your .ssh/config
. If the following works, the problem is likely with your config file.
# If off-site, you need to include the domain name ssh -F /dev/null <username>@scilogin.jlab.org
You can also try
ssh -F ~/.ssh/config ifarm
which if works means specifically that the problem with your config file is that OpenSSH is ignoring it, and if does not work will give a much more obvious error if, for example, you created the config file in the wrong location and ~/.ssh/config
therefore does not exist.
ssh
/scp
/sftp
commands have no -J
optionunknown option -- J usage: scp [-12346BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file] [-l limit] [-o ssh_option] [-P port] [-S program] [[user@]host1:]file1 ... [[user@]host2:]file2
ProxyJump
and the corresponding -J
flag were added to OpenSSH in version 7.3, and the -J
flag was extended to the scp
and sftp
commands in version 8.0. So if your ssh
command supports -J
, but your scp
and sftp
commands do not, you can use
-o ProxyJump='%r@scilogin.jlab.org.'
instead, and if neither your ssh
nor scp
/sftp
commands support -J
, you can use
-o ProxyCommand='ssh -W %h:%p %r@scilogin.jlab.org.'
Alternatively, you can avoid needing to specify these options at all by configuring ProxyJump (or ProxyCommand) in your .ssh/config
.
If your OpenSSH doesn't support -W
, that suggests it is a version older than 5.4, and, while there exist solutions involving the use of programs like netcat
, versions of OpenSSH older than 5.4 were last shipped in Enterprise Linux 6 and Ubuntu 10.04 "Lucid," which reached end-of-life November 2020 and April 2015, respectively, so it is likely, whatever distribution you are using, that you are no longer receiving security updates (unless you are paying for them) and need to upgrade to a new version rather than attempt to employ such a solution.
Please include the following in your incident report:
ssh
command on mydesktop.jlab.org
to connect to ifarm
via scilogin
"),-vv
(verbose mode, level 2) in your options to ssh
/scp
/sftp
, or-e 'ssh -vv'
in your options to rsync
, and~/.ssh/config
, so we can check any modifications or other potentially conflicting configuration.