SSH Access to HEP Linux Services

The main secure way of accessing HEP Linux systems is via SSH.

Connecting from HEP Systems

If you are connecting via SSH to HEP systems from another HEP system, you should be able to just use a simple ssh command like:
  • ssh hostname
  • eg ssh gamma

You don't need to specify the username or full name of the machine unless you're accessing a different account.

Connecting from Other Systems

If you are connecting from anything outside of the HEP network there are extra steps involved.

To connect to a HEP system from outside the network you will need to connect to either our SSH gateway first with or to use an interactive node you can connect directly with SSH eg From either of these you can then connect to HEP systems as normal.

Graphical applications can also be run over SSH. You can tell SSH to enable this with:
  • ssh -X -Y username@hostname

This is ok for most things on campus. Off campus on slower or less reliable connections it may be better to use a VNC session tunneled through SSH. See the HepVNCGuide for more info.

Duo Two Factor Authentication (2FA)

When connecting to the SSH service from outside the HEP network you will be asked to provide extra information via the Duo service. All Liverpool staff and students should enroll with the Duo service. See CSD's information on their website https://s.liv.ac.uk/708 .

You will need to provide your valid HEP password as normal. You will also need to provide the passcodes as requested. The SSH login should give details about how to provide this code, something like this:
Duo two-factor login for 'username'

Enter a passcode or select one of the following options:

 1. Duo Push to +XX XXXX XX9999
 2. SMS passcodes to +XX XXXX XX9999

Passcode or option (1-2): 

or
Duo two-factor login for 'username'

Enter a passcode or select one of the following options:

 1. SMS passcodes to +XX XXXX XX9999 (next code starts with: 8)

Passcode or option (1-1): 

depending on whether you have push enabled for your Duo authentication.

After approving the push notification or presenting the correct code, and a correct password, you should then be logged in.

The SSH service will ask for a Duo code or push notification approval on every new connection.

Avoiding multiple Duo Activations

As Duo authentication can take more time than a simple password you may wish to avoid lots of separate SSH connections.

Using a VNC session will allow the use of many open sessions and terminals that can be accessed over one connection. See the HepVNCGuide. This also has the advantage that work and environments persist if the connection is dropped.

Multiple bash shells can also be accessed from one SSH session using the Screen command. See the man page or online guides eg https://linuxize.com/post/how-to-use-linux-screen/

If transferring lots of files, an sftp session can be used multiple times in a single login, while scp will ask for a login for each new command. Graphical applications like WinSCP/Cyberduck can be used many times from a single login.

SSHFS can allow a file-system like interface to HEP storage from a persistent connection, again allowing lots of transfers (and filesystem navigation) without logging in repeatedly. We do not support installing this on personal systems but as it uses standard ssh/sftp connections it should work on any system you can normally sftp to.

Idle connections (eg an ssh session that hasn't been typed in for a while) can be dropped by institutional firewalls, typically after a few hours. This will affect idle SSH, SSHFS, SFTP sessions etc. You can configure your ssh client to send a regular keep-alive message to the server, which will stop the connection being flagged as idle. In your ~/.ssh/config file you can add ServerAliveInterval 120, which will send a response request every 120s. This is usually enough to stop connections being terminated unnecessarily.
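
One way to add that keep-alive setting without editing the file by hand, as an added example that is not part of the original page. The function name add_keepalive and the Host pattern *.ph.liv.ac.uk (derived from the hostnames used on this page) are assumptions; ServerAliveCountMax 3 is the OpenSSH default, written out so the timeout is explicit.

```sh
#!/bin/sh
# Added example: idempotently add a keep-alive block to an OpenSSH client config.
# add_keepalive and the Host pattern used in the demo are assumptions.

# add_keepalive CONFIG PATTERN SECONDS
# Returns 0 if a block was added, 1 if CONFIG already has a "Host PATTERN"
# block, 2 if SECONDS is not a positive whole number without leading zeros.
add_keepalive() {
    cfg=$1 pattern=$2 secs=$3

    case $secs in
        ''|*[!0-9]*|0*) return 2 ;;
    esac

    # ssh refuses a config file that other users can write to, so create
    # the directory and file owner-only and tighten an existing file.
    ( umask 077
      mkdir -p "$(dirname "$cfg")"
      [ -e "$cfg" ] || : > "$cfg" )
    chmod 600 "$cfg"

    # Whole-line, fixed-string match so "*" and "." in PATTERN are literal.
    if sed 's/^[[:space:]]*//; s/[[:space:]]*$//' "$cfg" |
        grep -qixF "Host $pattern"; then
        return 1
    fi

    # ssh uses the first value it finds for each option, so an earlier
    # "Host *" block that sets ServerAliveInterval still takes precedence.
    # Host patterns match the name as typed: "ssh gamma" will not match
    # "*.ph.liv.ac.uk" unless the full name is used.
    # CountMax 3 (the OpenSSH default): the client disconnects after three
    # unanswered probes, i.e. about 3 x SECONDS of a dead link.
    printf '\nHost %s\n    ServerAliveInterval %s\n    ServerAliveCountMax 3\n' \
        "$pattern" "$secs" >> "$cfg"
}

# Demo on a scratch file (constructed path), not the real ~/.ssh/config.
demo=$(mktemp -d)
add_keepalive "$demo/.ssh/config" '*.ph.liv.ac.uk' 120 && cat "$demo/.ssh/config"
rm -rf "$demo"
```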

Problems with Duo Activation in Utilities

As far as we are aware normal console access in CLI or GUI clients should work as standard just like entering a password.

At present we are unable to support SSH keys alongside Duo, so access is only via passwords. If you have utilities configured to use keys you may have to modify them to use passwords instead.

Some tools or utilities that submit passwords automatically or through graphical interfaces may break. We'll keep a list of problems and fixes here.

SSHFS

We're not aware of any issues with SSHFS. It should continue to work as before, just with password and Duo input only. Connecting with keys is no longer available.

MobaXterm

The file window is blank. We're investigating the cause of this. Meanwhile this workaround may be useful:
  1. Specify your target as destination host eg gamma.ph.liv.ac.uk
  2. Enter gateway.ph.liv.ac.uk as "SSH gateway (jump host)" in the "Network settings"
  3. Enter password/duo codes

WinSCP

WinSCP using SFTP protocol appears to support duo logins natively, popping up a window for first the password and then another for the Duo codes.

Once logged in it uses the same connection for transfers so there are no further login windows.

FileZilla

This general graphical file transfer tool can be used for SFTP access but standard logins break with Duo. To fix this, configure your destination in the Site Manager eg
  1. File>Site Manager...
  2. Enter the new site eg Gateway
  3. Set protocol as SFTP, host as gateway.ph.liv.ac.uk, port 22, Logon type as Interactive, User as your username
  4. Save the site and connect
  5. When connecting a window should appear into which you can enter the password and see the Duo prompt to then enter the duo code as required.
Unfortunately the current version pops up a login dialog for each file transfer. Under transfer settings you can limit the number of connections to 1 so it only does this once, but the connection times out quite quickly so isn't much use unless you're transferring lots of files at once.

Cyberduck

The latest version of Cyberduck (GUI file transfer for Mac) supports Duo logins natively. It should pop up a window with the Duo options similar to normal SSH logins.

Once connected, by default it will pop up a fresh Duo login for every file transferred. This can be removed by setting the connection bookmark to use browser connection, transferring over the original connection. This is available while editing the bookmark under More Options>Transfer files.

Topic revision: r10 - 10 May 2021, JohnBland