SSH Access to HEP Linux Services

The main secure way of accessing HEP Linux systems is via SSH.

Connecting from HEP Systems

If you are connecting via SSH to HEP systems from another HEP system you should be able to just use a simple ssh command like
  • ssh hostname
  • eg ssh gamma

You don't need to specify the username or full name of the machine unless you're accessing a different account.

Connecting from Other Systems

If you are connecting from anything outside of the HEP network there are extra steps involved.

To connect to a HEP system from outside the network you will need to connect to either our SSH gateway first with or to use an interactive node you can connect directly with SSH eg From either of these you can then connect to HEP systems as normal.

Graphical applications can also be run over SSH, you can tell SSH to enable this with
  • ssh -X -Y username@hostname

This is ok for most things on campus. Off campus on slower or less reliable connections it may be better to use a VNC session tunneled through SSH. See the HepVNCGuide for more info.

Duo Two Factor Authentication (2FA)

When connecting to the SSH service from outside the HEP network you will be asked to provide extra information via the Duo service. All Liverpool staff and students should enroll with the Duo service. See CSD's information on their website https://s.liv.ac.uk/708 .

You will need to provide your valid HEP password as normal. You will also need to provide the passcodes as requested. The SSH login should give details about how to provide this code, something like this

Duo two-factor login for 'username'

Enter a passcode or select one of the following options:

 1. Duo Push to +XX XXXX XX9999
 2. SMS passcodes to +XX XXXX XX9999

Passcode or option (1-2): 

or

Duo two-factor login for 'username'

Enter a passcode or select one of the following options:

 1. SMS passcodes to +XX XXXX XX9999 (next code starts with: 8)

Passcode or option (1-1): 

depending on whether you have push enabled for your Duo authentication.

After approving the push notification or presenting the correct code, and a correct password, you should then be logged in.

The SSH service will ask for a Duo code or push notification approval on every new connection.

Avoiding multiple Duo Activations

As Duo authentication can take more time than a simple password you may wish to avoid lots of separate SSH connections.

Using a VNC session will allow the use of many open sessions and terminals that can be accessed over one connection. See the HepVNCGuide. This also has advantages in work and environments persisting if the connection is dropped.

Multiple bash shells can also be accessed from one SSH session using the Screen command. See the man page or online guides eg https://linuxize.com/post/how-to-use-linux-screen/

If transferring lots of files an sftp session can be used multiple times in a single login, while scp will ask for a login for each new command. Graphical applications like WinSCP /Cyberduck can be used many times from a single login.

SSHFS can allow a file-system like interface to HEP storage from a persistent connection, again allowing lots of transfers (and filesystem navigation) without logging in repeatedly. We do not support installing this on personal systems but as it uses standard ssh/sftp connections it should work on any system you can normally sftp to.

Idle connections (eg an ssh session that hasn't been typed in for a while) can be dropped by institutional firewalls, typically after a few hours. This will affect idle SSH, SSHFS, SFTP sessions etc. You can configure your ssh client to use a regular keep alive message to the server which will stop the connection being flagged as idle. In your ~/.ssh/config file you can add ServerAliveInterval 120 which will send a response request every 120s. This usually enough to stop connectiong being terminated unnecessarily.

Problems with Duo Activation in Utilities

As far as we are aware normal console access in CLI or GUI clients should work as standard just like entering a password.

At present we are unable to support SSH keys alongside Duo, so access is only via passwords. If you have utilities configured to use keys you may have to modify them to use passwords instead.

Some tools or utilities that automatically submit passwords or through graphical interfaces may break. We'll keep a list of problems and fixes here.

SSHFS

We're not aware of any issues with SSHFS, it should continue to work as before, just with password and Duo input only. Connecting with keys is no longer available.

MobaXterm

SSH Sessions and SSH connections from a local mobaXterm terminal work in the same was as a typical Linux SSH client, it will ask for your HEP password then a DUO code on the terminal. Starting a local terminal and using the ssh command is the simplest option.

If you are using the MobaXterm file browser tab it pops up a separate window asking for your login (HEP) password, then another window asking for the duo "password". Type in the next Duo code (it doesn't show the prompt for the first number). The file browser works as normal if you connect from a local terminal or if you configure your session to use a "jump host". Starting a SSH Session without a jump host will log in correctly but the file window will remain blank.

To configure a SSH Session with a jump host, first you might need to enable 2-factor authentication in the Settings>SSH tab (you can also disable graphical SSH-browser here if you don't use it). Then start a session and:
  1. Specify the remote host as the system you wish to log in to eg gamma.ph.liv.ac.uk
  2. Enter the jump host you wish to connect through eg gateway.ph.liv.ac.uk as "SSH gateway (jump host)" in the "Network settings"
  3. Enter password/duo codes when prompted

WinSCP

WinSCP using SFTP protocol appears to support duo logins natively, popping up a window for first the password and then another for the Duo codes.

Once logged in it uses the same connection for transfers so there are no further login windows.

FileZilla

This general graphical file transfer tool can be used for SFTP access but standard logins break with Duo. To fix this configure your destination in the Site Manager eg
  1. File>Site Manager...
  2. Enter the new site eg Gateway
  3. Set protocol as SFTP, host as gateway.ph.liv.ac.uk, port 22, Logon type as Interactive, User as your username
  4. Save the site and connect
  5. When connecting a window should appear into which you can enter the password and see the Duo prompt to then enter the duo code as required.
Unfortunately the current version pops up a login dialog for each file transfer. Under transfer settings you can limit the number of connections to 1 so it only does this once, but the connection times out quite quickly so isn't much use unless you're transferring lots of files at once.

Cyberduck

The latest version of Cyberduck (GUI file transfer for Mac) supports Duo logins natively, it should pop up a window with the Duo options similar to normal SSH logins.

Once connected, by default it will pop up a fresh Duo login for every file transferred. This can be removed by setting the connection bookmark to use browser connection, transferring over the original connection. This is available while editing the bookmark under More Options>Transfer files.

Cyberduck Bookmark
Topic revision: r12 - 01 Oct 2021, JohnBland
This site is powered by FoswikiCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding Foswiki? Send feedback