The National Institute for Computational Sciences

Access - SIP

To gain access to SIP resources, there is currently only one supported technology: RSA SecurID two-factor authentication, which uses hardware tokens. To get access to the SIP, users must identify the system from which they will connect to the SIP bastion host by submitting a support ticket requesting access to the SIP. Once your system is set up for SIP bastion host access, you can log in to the bastion host (bastion host information TBD) with SSH and then log in to the hosts listed below.

| Site | ACF Login Host Name | IP Address | Authentication Supported | File System Access |
|---|---|---|---|---|
| UTHSC | sip-login1.acf.utk.edu, sip-login1.acf.tennessee.edu | 192.249.8.91 | NICS username + RSA | Home, /lustre/sip |
| UTK | sip-login2.acf.utk.edu, sip-login2.acf.tennessee.edu | 192.249.8.92 | NICS username + RSA | Home, /lustre/sip |

RSA SecurID

RSA Keyfob

Logging in with OTP requires using a personal PIN plus the current code displayed on the token—this combination is referred to as your passcode. Along with your token, you will receive instructions on setting up your PIN for the first time. Use SSH along with your passcode to log in to resources, for example:

> ssh <username>@sip-login1.acf.tennessee.edu
Enter PASSCODE:

Note: No characters will appear as you enter your passcode.

About SSH

UNIX-based operating systems generally have an SSH client built in, and Windows users may obtain free clients online, such as PuTTY.

Any SSH client used to log into resources should:

  • Support the SSH-2 protocol (supported by all modern SSH clients). Several security vulnerabilities exist in the SSH-1 protocol, so access using a version 1 client is not allowed.
  • Support the encryption algorithms that our Secure Shell server version 5.8 supports.
  • Allow keyboard-interactive authentication to access NICS systems. For UNIX-based SSH clients, the following line should be in either the default ssh_config file or your $HOME/.ssh/config file:
    PreferredAuthentications keyboard-interactive,password
    
    The line may also contain other authentication methods, so long as keyboard-interactive is included. For recent versions of SecureCRT or PuTTY, the setting can be made through the SSH connection properties menu.

Other Login Issues

Inactive accounts

Accounts that are not used for a period of three consecutive months are disabled. If you believe your account has been disabled for inactivity, please submit a request to help@nics.utk.edu.

RSA Key Fingerprints

Occasionally, you may receive an error message upon logging in to a system such as the following:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the OTP host key has just been changed.

This can be a result of normal system maintenance that changes an RSA public key or could be an actual security incident. If these fingerprints do not match what your SSH/SCP/SFTP client shows you, do not continue authentication; instead, contact help@nics.utk.edu.
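The check described above can be made before accepting a changed key. The following is an added example, not part of the NICS documentation: it compares the key stored in a known_hosts file for a host against a fingerprint published by the site. The sample key blob and known_hosts content are constructed, and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct

def ssh_string(data):
    """Length-prefixed string, as used inside SSH public key blobs."""
    return struct.pack(">I", len(data)) + data

# Constructed sample data: a placeholder ed25519 blob, not a real NICS host key.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_KNOWN_HOSTS = (
    "# constructed known_hosts content\n"
    "sip-login1.acf.tennessee.edu,192.249.8.91 ssh-ed25519 "
    + base64.b64encode(SAMPLE_BLOB).decode() + "\n"
)

def fingerprint(blob, algo="sha256"):
    """Format a key blob as ssh-keygen -l prints it (SHA256 or legacy MD5)."""
    if algo == "sha256":
        digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
        return "SHA256:" + digest.rstrip("=")
    hexd = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))

def host_matches(pattern, host):
    """Match a known_hosts host field, including hashed |1|salt|hash entries."""
    if pattern.startswith("|1|"):
        _, _, salt, digest = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(digest))
    return host in pattern.split(",")  # wildcard patterns are not handled

def check_host_key(known_hosts, host, published):
    """Return 'match', 'mismatch' or 'unknown' for host against a published fingerprint."""
    algo = "sha256"
    if not published.startswith("SHA256:"):  # legacy colon-separated MD5 form
        algo, published = "md5", "MD5:" + published.split("MD5:")[-1].lower()
    verdict = "unknown"
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0][0] in "#@":  # skip comments and @markers
            continue
        if not host_matches(fields[0], host):
            continue
        if fingerprint(base64.b64decode(fields[2]), algo) == published:
            return "match"
        verdict = "mismatch"  # host is known, but under a different key
    return verdict
```

A "mismatch" result can also mean the stored entry is for a different key type than the published fingerprint, so compare fingerprints of the same key type.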

X11 and Other Port Forwarding

X11 forwarding is currently not allowed through the SIP bastion hosts. No other port forwarding is allowed through the bastion hosts either.

Changing Default Shell

You may change your default shell by logging in to the NICS User portal. After logging in to the portal, you may change your shell in the 'Login Information' section.
