The National Institute for Computational Sciences

Access and Login - SIP


Introduction


The focus of this document is accessing the ACF-SIP through the SIP Bastion host and SIP login nodes. This document assumes you currently possess a valid user account on the ACF, have access to a project on the ACF-SIP, and have familiarity with remote access methods.

Prerequisites for Access


At the time of this writing, ssh (Secure Shell) is used to access the ACF-SIP. To use this protocol, you will need an ssh client. For MacOS and Linux users, an ssh client is built into the operating system. For Windows 10 users with the latest updates, ssh is also built into the operating system. It can be used from the Command Prompt or PowerShell. For more information on ssh in Windows, please consult Microsoft’s official documentation. For Windows 7 and 8 users, the PuTTY ssh client is the recommended option. Please note that the Secure Enclave Citrix environment will be used to access the ACF-SIP in the future.

In addition to an ssh client, you will need the Duo app on your mobile device. For iOS users, download the app from the Apple App Store. For Android users, download it from the Google Play store. For more information on Duo, please visit their website.

If you wish to access the ACF-SIP on networks outside of the UTK or UTHSC networks, you must use the appropriate VPN for your institution to access the ACF-SIP. For UTK users, please consult the OIT Knowledge Base for information on setting up and using the VPN. For UTHSC users, please refer to the UTHSC VPN Access page.

Connecting to the ACF-SIP


For security reasons, the ACF-SIP may only be accessed through a Bastion host. This special-purpose node enables secure access from UT networks and VPNs. From the Bastion host you may reach the ACF-SIP login nodes. The process for connecting to the login nodes through the Bastion host differs slightly for MacOS, Linux, and Windows users.

For MacOS and Linux Users

To begin, open a terminal. At the prompt, type ssh <NetID>@sip-bh1.acf.utk.edu. Replace <NetID> with your UT NetID. When prompted, supply your NetID password. Next, type 1 and press Enter (Return). A Duo Push will be sent to your mobile device. Alternatively, you may use the 2 option to receive an SMS message on your mobile device with a code that you should provide at the prompt. Once you successfully authenticate, you will connect to the ACF-SIP Bastion host.

From the Bastion host, connect to the appropriate login node for your institution. For UTK users, type ssh <NetID>@sip-login1.acf.utk.edu. For UTHSC users, type ssh <NetID>@sip-login2.acf.utk.edu. Follow the same authentication process used for the Bastion Host. After you successfully authenticate, you will be logged into the ACF-SIP.

For Windows Users

On Windows, the process for connecting to the ACF-SIP depends on the client you use. If you run an updated Windows 10 machine, you may use PowerShell or Command Prompt. Either terminal will work. Once you open one of these terminals, follow the same steps MacOS and Linux users use to connect to the ACF-SIP.

For older Windows systems, such as Windows 7 and 8, use PuTTY to connect to the ACF-SIP. Launch PuTTY. Make sure the “Session” menu is selected in the left pane. In the right pane, type sip-bh1.acf.utk.edu in the “Host Name (or IP address)” box. Verify that the port is set to 22 and that ssh is set as the connection type, then select “Open.” Provide your NetID, followed by your NetID password. Next, authenticate with Duo. The Duo options are the same as they are for MacOS and Linux. Once you successfully authenticate, you will connect to the ACF-SIP Bastion host.

From the Bastion host, use PuTTY to connect to the appropriate login node for your institution. For UTK users, type ssh <NetID>@sip-login1.acf.utk.edu. For UTHSC users, type ssh <NetID>@sip-login2.acf.utk.edu. Follow the same authentication process used for the Bastion Host. After you successfully authenticate, you will be logged into the ACF-SIP.

Troubleshooting Login Issues


Inactive Accounts

Accounts that are not used for one year are disabled. If you believe your account has been disabled due to inactivity, please submit a ticket to help@acf.utk.edu.

Password Changes

If you know your current NetID password and desire to change it, navigate to the UT OIT password management page and log in. Once you authenticate with your username, password, and Duo, continue through the account protection prompt. Specify a new password that complies with UT’s password policies and accept the AUP (acceptable use policy) to change your NetID password.

If you do not know your current NetID password and desire to change it, navigate to the UT OIT password reset page. Provide the necessary information to authenticate, then continue through the account protection prompt. Provide a new password that complies with UT’s password policies and accept the AUP to change your NetID password.

If you continue to have issues with your NetID password, please submit a ticket through UT's OIT contact form.

Key Mismatches

When you log in to the ACF-SIP for the first time, your ssh client will warn you about an unknown host key. This is normal behavior and should not cause alarm. Generally, the ssh client will show the host’s key fingerprint and ask if you wish to continue. Select “yes” when this option is presented to you. At that point, the ACF-SIP’s host key will be added to your system, which will prevent future prompts. Be aware, however, that ssh host keys can change, and when they do, the ssh client will display a prominent warning. Figure 4.1 shows this warning. It is necessary to edit your ssh known_hosts file to remedy this error. If you have reasonable suspicion that this is a legitimate security concern and not a case of mismatched keys, please submit a ticket to help@acf.utk.edu.

Figure 4.1 - ssh Key Change Warning

If you receive this warning, it means that the key your system associates with the ACF-SIP is no longer valid. Again, this should not be cause for alarm unless there is reason to suspect a legitimate security concern. Instead, modify your known_hosts file to remove the old key so that ssh can register the new one. The ssh-keygen command allows you to modify this file without breaking ssh.

To edit your known_hosts file on a MacOS or Linux system, open a terminal. Type ssh-keygen -R <hostname> and press Enter (Return). Replace the <hostname> argument with each of sip-bh1.acf.utk.edu, sip-login1.acf.utk.edu, and sip-login2.acf.utk.edu in turn. In total, execute the ssh-keygen -R command three times, once for each hostname. After this change, the warning in Figure 4.1 will no longer appear, and ssh will allow you to save the new host key. If necessary, you can retrieve deleted keys from the known_hosts.old file that is created in the ~/.ssh directory.
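
The removal step above as a small shell function (an added example, not part of the original ACF documentation). It prints the fingerprint of each stored key before removing it, so the old value can be quoted in a ticket, and it copies known_hosts to a backup first, because each ssh-keygen -R run overwrites known_hosts.old and after three runs that file only reflects the state before the last removal. The function name and the backup file name are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the ACF documentation): clear stale ACF-SIP host keys.
# The three hostnames are the ones named on this page; the function name and
# the backup file name are illustrative assumptions.
SIP_HOSTS="sip-bh1.acf.utk.edu sip-login1.acf.utk.edu sip-login2.acf.utk.edu"

# reset_sip_host_keys [known_hosts_path]
# Defaults to ~/.ssh/known_hosts when no path is given.
reset_sip_host_keys() {
    kh="${1:-$HOME/.ssh/known_hosts}"
    backup="$kh.pre-sip-reset"          # assumed backup name
    if [ ! -f "$kh" ]; then
        echo "no known_hosts file at $kh" >&2
        return 1
    fi
    # One full copy up front: known_hosts.old is rewritten by every -R run.
    cp -p "$kh" "$backup" || return 1

    for host in $SIP_HOSTS; do
        # -F looks the host up (hashed entries included); -l prints fingerprints.
        # Lines starting with '#' are ssh-keygen's own "Host ... found" notes.
        old=$(ssh-keygen -l -F "$host" -f "$kh" 2>/dev/null | grep -v '^#' || true)
        if [ -z "$old" ]; then
            echo "$host: no stored key, nothing to remove"
            continue
        fi
        echo "$host: removing stored key(s) with fingerprint:"
        echo "$old" | sed 's/^/    /'
        ssh-keygen -R "$host" -f "$kh" >/dev/null 2>&1 || return 1
    done
    echo "backup of the original file: $backup"
}
```

Call reset_sip_host_keys with no argument to act on ~/.ssh/known_hosts; entries for other hosts are left in place.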

On updated Windows 10 systems, follow the process used to remove ssh host keys from MacOS and Linux. Both PowerShell and Command Prompt support the ssh-keygen command.

For older Windows systems that run PuTTY, ssh host keys are stored within the registry. Proceed with caution when editing the Windows registry. Incorrect modifications could result in system instability. To begin, open the Registry Editor. You can open this utility by searching for it from the Start menu or by opening the Run menu and typing regedit. When it opens, navigate to the following location from the left pane: HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys

All the host keys known to PuTTY will appear. Before you delete any of the keys, double-click on them to verify that they belong to the offending hosts. The name of the host will appear under the “Value name:” header. Figure 4.2 identifies where the hostname will appear. Once you verify that the key belongs to the offending host, right-click on it to delete it. PuTTY should then allow you to save the host’s new key upon your next login attempt.

Figure 4.2 - Hostname for a ssh host key in the Windows Registry

X11 Forwarding

At the time of this writing, the ACF-SIP does not support X11 forwarding.


Last Updated: 02 / 21 / 2020