Difference between revisions of "Logging into the Hall C cluster"

From HallCWiki
Jump to navigationJump to search
 
(15 intermediate revisions by the same user not shown)
Line 1: Line 1:
The Hall C DAQ and online analysis machines are now behind a 2-factor controlled gateway called ''hallgw.jlab.org''.
+
NOTE: If instructions on this page fall out of date, please update it yourself and/or let a Hall C Staff Member know.
  
[[Image:cc.jpg|CryptoCard Key Chain|100 px|thumb]]  [[Image:mp1.jpg|MP-1 Application|100 px|thumb]]
+
== General Instructions ==
You now need a 2-factor token in order to ssh to these machines.  If you do not have one, you can ask for one at the Help Desk.  
+
The Hall C DAQ and online analysis machines are behind a 2-factor controlled gateway (computer) called ''hallgw.jlab.org''.
 +
 
 +
If you are logging in from a machine located outside the Accelerator fence (including off-site), or via a wifi connection, you will need to ssh to <username>@hallgw.jlab.org using a 2-factor token first.  You can connect to the cdaq hosts from there.
 +
 
 +
[[Image:cc.jpg|CryptoCard Key Chain|100 px|thumb]]   
 +
[[Image:safenet.jpg|SafeNet MobilePASS Application for Android/iPhone|100 px|thumb]]
 +
You will need a 2-factor token in order to ssh to ''hallgw.jlab.org''.  If you do not have one, you can ask for one at the Help Desk.  
 
There are two types of tokens:
 
There are two types of tokens:
 
* a physical 'CrypoCard' key fob device, and  
 
* a physical 'CrypoCard' key fob device, and  
* a software token + application (called MP-1) that can be installed on your smartphone.
+
* a software token + application (SafeNet MobilePASS) that can be installed on your smartphone.
  
 
== How to use the 2-factor token to log in ==
 
== How to use the 2-factor token to log in ==
Line 14: Line 20:
 
*** '''CryptoCard (the physical keychain-style token):'''
 
*** '''CryptoCard (the physical keychain-style token):'''
 
**** Press the button and it will display a number.  Type in your PIN immediately followed by the digits on the Cryptocard as your password (no spaces, no dashes).
 
**** Press the button and it will display a number.  Type in your PIN immediately followed by the digits on the Cryptocard as your password (no spaces, no dashes).
*** '''MP-1 Software token (ie. Android, iPhone, Blackberry):'''
+
**** Note that the first time you log in to hallgw.jlab.org you may be prompted to select a new PIN.  Don't forget it <small>(and FTLOATIH, do not write the PIN on the hardware token)</small>.
**** Run the MP-1 app and enter your PIN when prompted.  Enter ''only'' the displayed 7 digit number (including the '-') at the hallgw.jlab.org password prompt ie: 'XXX-XXXX'
+
*** '''SafeNet MobilePASS Software token (ie. Android, iPhone, Blackberry):'''
 +
**** Run the MobilePASS app and enter your pin followed immediately by the displayed number all on the same password line and hit return.  Enter ''only'' digits, no dashes or spaces at the hallgw.jlab.org password prompt ie: 'PINXXXXXXX'
 +
** If this is the first time you have logged in to hallgw.jlab.org you may be prompted to set up a new shell.  Just accept the defaults (keep selecting 'y') and you'll be fine.  You can change them later in the unlikely event you care.
 +
* '''ssh <user>@cdaqlX.jlab.org''' from hallgw prompt.
  
 
== Smartphone 2-Factor Applications ==
 
== Smartphone 2-Factor Applications ==
* [https://play.google.com/store/apps/details?id=com.m2m&hl=en Android / Google Play MP-1 application]
+
* [https://play.google.com/store/apps/details?id=securecomputing.devices.android.controller Android / Google Play SafeNet MobilePASS application]  
* [https://itunes.apple.com/us/app/cryptocard-mp-1-authentication/id421105724 iPhone / Apple MP-1 application]
+
* [https://itunes.apple.com/app/safenet-mobilepass/id364682261 iPhone / Apple SafeNet MobilePASS application]
  
 
=== Enrollment process ===
 
=== Enrollment process ===
'''1)''' Contact the Help desk and request a 2-factor token for your smartphone.
+
# Contact the Help desk and request a 2-factor token for your smartphone.  They may require your JLab sponsor to acknowledge the request.
* '''NOTE! ''' If you are off-site then you must mention this in your requestYour phone will need to be connected to a wifi network '''and''' you will need to tell the Help desk what that network is. 
+
# You should receive an enrollment email from JLab.  Follow the instructions in the email to complete the enrollment.
** One easy way to do this is to connect to the wifi network you will use, then point your browser at [http://www.whatismyip.com What is my IP]. 
+
#* This will require you to download the MobilePASS phone app as noted above, then read and follow the instructions in the enrollment email while on your phone.
*** Tell the help desk you will be connecting from the network associated with the IP address shown.
 
* If you are connected via the JLab wifi network then you do not have to do anything special.
 
 
 
'''2)''' Install the application to your phone using one of the links at the top of the page.
 
 
 
'''3)''' You should receive an enrollment email from JLab.
 
* If you are enrolling from off-site, then you must wait until the agreed upon appropriate activation period startsSteps (4) and (5) must be done using your phone '''while connected to the network mentioned in step 1'''.
 
* When the activation period begins (or anytime, if you are connected to the JLab wifi network) proceed to step 4.
 
 
 
'''4)''' Follow the http://jauth1... link and chose the "Android/iPhone install" option using your phone.  Note that you may get a certificate warning -- that is OK.  The system will then send you a second email.
 
 
 
'''5)''' Open this second email in one of the following Android email apps:
 
** GMail: https://play.google.com/store/apps/details?id=com.google.android.gm&hl=e
 
** K-9 Mail: https://play.google.com/store/apps/details?id=com.fsck.k9&hl=en
 
* This second email will have a URI starting with token://jauth1....  that must be "clickable".  This has been confirmed to work in the above Android email clients.
 
** '''NOTE!''' The stock Android app titled "Email" does *not* (reliably) work.  If the "token://" link is not clickable, install the "GMail" client and forward the email to your gmail.com account.  You can uninstall GMail when the process is complete.
 
* When you click on the token:// link you should get a pop-up that will let you open the link using the "MP-1" program.
 
 
 
'''6)''' MP-1 should open and install the token.  You will be prompted to enter and confirm a pin to protect the token.
 

Latest revision as of 09:20, 12 October 2022

NOTE: If instructions on this page fall out of date, please update it yourself and/or let a Hall C Staff Member know.

General Instructions

The Hall C DAQ and online analysis machines are behind a 2-factor controlled gateway (computer) called hallgw.jlab.org.

If you are logging in from a machine located outside the Accelerator fence (including off-site), or via a wifi connection, you will need to ssh to <username>@hallgw.jlab.org using a 2-factor token first. You can connect to the cdaq hosts from there.

CryptoCard Key Chain
SafeNet MobilePASS Application for Android/iPhone

You will need a 2-factor token in order to ssh to hallgw.jlab.org. If you do not have one, you can ask for one at the Help Desk. There are two types of tokens:

  • a physical 'CrypoCard' key fob device, and
  • a software token + application (SafeNet MobilePASS) that can be installed on your smartphone.

How to use the 2-factor token to log in

The procedure to ssh into a Hall C machine inside the accelerator fence is now:

  • ssh <user>@hallgw.jlab.org
    • Use your CUE username at the prompt
    • Use the 2-factor token to generate your password as indicated below:
      • CryptoCard (the physical keychain-style token):
        • Press the button and it will display a number. Type in your PIN immediately followed by the digits on the Cryptocard as your password (no spaces, no dashes).
        • Note that the first time you log in to hallgw.jlab.org you may be prompted to select a new PIN. Don't forget it (and FTLOATIH, do not write the PIN on the hardware token).
      • SafeNet MobilePASS Software token (ie. Android, iPhone, Blackberry):
        • Run the MobilePASS app and enter your pin followed immediately by the displayed number all on the same password line and hit return. Enter only digits, no dashes or spaces at the hallgw.jlab.org password prompt ie: 'PINXXXXXXX'
    • If this is the first time you have logged in to hallgw.jlab.org you may be prompted to set up a new shell. Just accept the defaults (keep selecting 'y') and you'll be fine. You can change them later in the unlikely event you care.
  • ssh <user>@cdaqlX.jlab.org from hallgw prompt.

Smartphone 2-Factor Applications

Enrollment process

  1. Contact the Help desk and request a 2-factor token for your smartphone. They may require your JLab sponsor to acknowledge the request.
  2. You should receive an enrollment email from JLab. Follow the instructions in the email to complete the enrollment.
    • This will require you to download the MobilePASS phone app as noted above, then read and follow the instructions in the enrollment email while on your phone.
Retrieved from "https://hallcweb-2024.jlab.org/wiki/index.php?title=Logging_into_the_Hall_C_cluster&oldid=21263"