There are two login nodes, sip-login1 and sip-login2. sip-login1 is for use by UTHSC-sponsored researchers and sip-login2 is for use by UTK-sponsored researchers. To gain access to SIP resources, three things are needed: access to a project with an account on the SIP (see Projects and Accounts below), access to the SIP bastion host, and a UT NetID and password along with access to one of the supported multi-factor authentication (MFA) capabilities of RSA.
Here is the important node information for access to the SIP:
|ACF SIP Bastion Host Name|IP Address|Authentication Supported|File System Access|
|---|---|---|---|
|sip-bh1.nics.utk.edu|184.108.40.206|NICS username + RSA|None|

|ACF Login Host Name for UTK|IP Address|Authentication Supported|File System Access|
|---|---|---|---|
| |220.127.116.11|NICS username + RSA|Home,|

|ACF Login Host Name for UTHSC|IP Address|Authentication Supported|File System Access|
|---|---|---|---|
| |18.104.22.168|NICS username + RSA|Home,|
Projects and Accounts
UTK and UTHSC researchers must create an account on the ACF Open side as the first step to getting an ACF SIP account. Do this by claiming an ACF Open account with your UT NetID at the ACF User Account form. Once you have created an ACF Open account, you can request a SIP project by going back to the ACF User Account form, authenticating, clicking "Request a new project on the SIP enclave", and filling out all the requested information. This will include a project description document and a data management plan. These are likely within your UTK or UTHSC IRB documents.
Bastion Host Access
Once you obtain a SIP project you will be added to a SIP bastion host. This is done for you as part of the process of creating a SIP project. The SIP bastion hosts provide controlled access from remote locations to the SIP resources. To reach the SIP login nodes, you first log in to a SIP bastion host and then log in to the SIP login node. This allows more open access to SIP resources from computers on the UTK and UTHSC networks without having to manage individual SIP firewall rules for every system that wants access, and it prevents data transfer from unauthorized systems. Access to the bastion host is allowed from the UTHSC and UTK managed networks, including the VPNs. Allowing the VPNs lets users on portable devices outside UTK and UTHSC connect to their campus VPN to get on the UTK or UTHSC network and then access SIP resources through the SIP bastion hosts.
Multi-Factor Authentication (MFA)
Access to SIP resources requires a NetID, password and MFA for authentication. Currently only RSA MFA is enabled on the SIP bastion hosts and SIP login nodes. RSA is an MFA method using hardware tokens. If you do not have an RSA token, one will be provided to you as part of the SIP project creation and project user addition process. Once you have an RSA token, you will be able to use it to log in to the SIP bastion host and then the SIP login nodes. We are working to enable Duo, which has been adopted by UTK and UTHSC. Once Duo is available, it will replace RSA.
Logging in with OTP requires using a personal PIN plus the current code displayed on the token—this combination is referred to as your passcode. Along with your token, you will receive instructions on setting up your PIN for the first time. Use SSH along with your passcode to log in to resources, for example:
> ssh <username>@sip-login1.acf.tennessee.edu
Enter PASSCODE:
Note: No characters will appear when entering passcode.
UNIX-based operating systems generally have an SSH client built in and Windows users may obtain free clients online, such as PuTTY.
Any SSH client used to log into resources should:
- Support the SSH-2 protocol (supported by all modern SSH clients). Several security vulnerabilities exist in the SSH-1 protocol; therefore, access using a version 1 client is not allowed.
- Support the encryption algorithms that our Secure Shell server version 5.8 supports.
- Allow keyboard-interactive authentication to access NICS systems. For UNIX-based SSH clients, the following line should be in either the default ssh_config file or your $HOME/.ssh/config file:
    PreferredAuthentications keyboard-interactive,password
  The line may also contain other authentication methods, so long as keyboard-interactive is included. For recent versions of SecureCRT or PuTTY, the setting can be made through the SSH connection properties menu.
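ssh uses the first value it obtains for an option, so an earlier `Host *` block can silently override the line above. The check below is an added example, not part of the original page; it models only plain `Host` blocks, and the function names and both sample configs are constructed for illustration.

```python
import fnmatch
import re


def effective_option(config_text, host, option):
    """Value ssh would use for `option` when connecting to `host`, or None.

    Simplified model of ssh_config(5): the first value obtained for an option
    wins. Match, Include and negated (!) patterns are not handled.
    """
    applies = True  # lines before the first Host keyword apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "host":
            applies = any(fnmatch.fnmatchcase(host, p) for p in value.split())
        elif applies and key == option.lower():
            return value
    return None


def allows_keyboard_interactive(config_text, host):
    """True if keyboard-interactive stays among the methods ssh will try."""
    value = effective_option(config_text, host, "PreferredAuthentications")
    if value is None:  # unset: the client default list includes it
        return True
    return "keyboard-interactive" in [m.strip() for m in value.split(",")]


# Constructed config: an earlier "Host *" block shadows the later, correct one.
SHADOWED = """\
Host *
    PreferredAuthentications publickey

Host sip-login1.acf.tennessee.edu
    PreferredAuthentications keyboard-interactive,password
"""

# Same blocks, most specific first, so the intended line is the first obtained.
ORDERED = """\
Host sip-login1.acf.tennessee.edu
    PreferredAuthentications keyboard-interactive,password

Host *
    PreferredAuthentications publickey
"""
```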
Other Login Issues
Accounts that are not used for a period of three consecutive months are disabled. If you believe your account has been disabled for inactivity, please submit a request to firstname.lastname@example.org.
RSA Key Fingerprints
Occasionally, you may receive an error message upon logging in to a system such as the following:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the OTP host key has just been changed.
This can be a result of normal system maintenance that changes an RSA public key or could be an actual security incident. If these fingerprints do not match what your SSH/SCP/SFTP client shows you, do not continue authentication; instead, contact email@example.com.
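One way to carry out that comparison before accepting a changed key, as an added example that is not part of the original page: it computes the fingerprint of a host key line (the format printed by `ssh-keyscan` and stored in `known_hosts`) and compares it with a published value. The key lines are constructed from made-up numbers, and all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct


def parse_host_key(line):
    """Split an ssh-keyscan / known_hosts line into (hosts, key_type, blob)."""
    hosts, key_type, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])  # blob starts with its own key type
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match key blob")
    return hosts, key_type, blob


def sha256_fingerprint(blob):
    """Form printed by current OpenSSH: SHA256:<base64 without padding>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def md5_fingerprint(blob):
    """Colon-separated hex form printed by older clients."""
    h = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    return "MD5:" + ":".join(h[i:i + 2] for i in range(0, 32, 2))


def key_matches(line, published):
    """True only if the offered key hashes to the published fingerprint."""
    blob = parse_host_key(line)[2]
    published = published.strip()
    if published.startswith("SHA256:"):
        offered = sha256_fingerprint(blob)
    else:  # MD5 hex, with or without the "MD5:" prefix
        offered = md5_fingerprint(blob)
        published = "MD5:" + published.removeprefix("MD5:").lower()
    return hmac.compare_digest(offered.encode(), published.encode())


def constructed_rsa_line(host, modulus):
    """Well-formed ssh-rsa line built from made-up numbers (not a real key)."""
    fields = (b"ssh-rsa", b"\x01\x00\x01", b"\x00" + modulus)
    blob = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"

# Constructed sample data: the key on record vs. the key now offered.
KNOWN = constructed_rsa_line("sip-login1.acf.tennessee.edu", bytes(range(128, 192)))
OFFERED = constructed_rsa_line("sip-login1.acf.tennessee.edu", bytes(range(129, 193)))
```

The published fingerprint has to come from a channel other than the connection being checked.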
X11 and Other Port Forwarding
X11 forwarding is currently not allowed through the SIP bastion hosts. No other port forwarding is allowed through the bastion hosts either.
Changing Default Shell
You may change your default shell by logging in to the NICS User portal. After logging in to the portal, you may change your shell in the 'Login Information' section.