Differences between revisions 1 and 3 (spanning 2 versions)
Revision 1 as of 2016-08-02 22:34:06
Size: 636
Editor: KarlPinc
Comment: New page
Revision 3 as of 2016-08-03 12:32:43
Size: 3188
Editor: KarlPinc
Comment: Add ssh access
Deletions are marked like this. Additions are marked like this.
Line 12: Line 12:
Before accessing restricted pages your Duke NetID, it's password, and a
[[https://idms-mfa.oit.duke.edu/mfa/help|second authentication check]]
must be performed.
Line 13: Line 16:
Before accessing restricted pages your Duke NetID, it's password, and a second authentication
check must be used.
If you do not have a Duke NetID contact the Lab for sponsorship.
Line 16: Line 18:
Be sure to have cookies turned on for this. [[https://idms-mfa.oit.duke.edu/|Setup your own]] 2nd level of authentication.
(Called multi-factor or two-step authentication.) The first step is to
login using your Duke NetID.

Be sure to have cookies turned on for all of the above.

==== Access to the Unix prompt with SSH ====

For most people the Babase web interface is all that's needed. More advanced
users, particularly the data managers, have access to the Unix command prompt
using SSH.

==== The Duke VPN ====

To use ssh you must first sign in to the Duke VPN. Most will use the Duke-supplied
VPN software but FOSS users may wish to use the Open Source [[http://www.infradead.org/openconnect/|openconnect]] program instead.

===== Basic openconnect usage =====

The '''openconnect''' command must be run as root.

The usual command for this is:

  openconnect -u ''YourDukeNetID'' --authgroup '-Default-' https://vpn.duke.edu/

Supplying your NetID and the authgroup saves you a bit of typing later.

You will be prompted for a password. This is your Duke NetID password.

The Duke VPN uses TCP port 443 at the Duke end. It also typically uses UDP port 443.
Your firewall will need to be configured to allow outbound traffic to these ports.
TCP 443 is used for https connections and will typically already be open.

The alternative to opening UDP port 443 is to use the '''--no-dtls''' argument. This will
also work if Duke changes their configuration to use port different from UDP 443.

===== Advanced openconnect usage =====

The problem with the above command, and the regular Duke VPN software, is that it
changes both the routing and the DNS server used by your box. This can cause problems,
from not being able to connect to non-web-based email servers to problems accessing
local LAN services like X clients or printers. Fortunately there is a solution that
sets up what amounts to a local virtual machine, though which you then connect
to the Duke side of things. This is established using the '''vpnc-script-sshd'''
helper script as follows (note the \ line continuation character):

  openconnect -u ''YourDukeNetID'' --script=/usr/share/vpnc-scripts/vpnc-script-sshd \
  --authgroup '-Default-' https://vpn.duke.edu/

The path to the '''vpnc-script-sshd''' script may vary on your system. The above
is for Debian based systems.

The next step is to use the new virtual machine. (Really, this is a new network namespace
on your local box.)

Accessing Duke's Systems and Logging In

Note that the systems described on this page are in the process of being implemented.

Implementation is expected to be complete by 2017.

Web Page Access

Many of Babase's web pages are available to the public without restriction. However, the pages that read database content or allow data to be changed are restricted to people with Duke NetIDs. Before you can reach a restricted page you must log in with your Duke NetID and its password and then pass a second authentication check (see https://idms-mfa.oit.duke.edu/mfa/help).

If you do not have a Duke NetID contact the Lab for sponsorship.

Set up your own second factor of authentication at https://idms-mfa.oit.duke.edu/ (this is called multi-factor or two-step authentication). The first step there is to log in using your Duke NetID.

Be sure to have cookies turned on for all of the above.

Access to the Unix prompt with SSH

For most people the Babase web interface is all that's needed. More advanced users, particularly the data managers, have access to the Unix command prompt using SSH.

The Duke VPN

To use ssh you must first sign in to the Duke VPN. Most people will use the Duke-supplied VPN software, but FOSS users may prefer the open source openconnect program (http://www.infradead.org/openconnect/) instead.

Basic openconnect usage

The openconnect command must be run as root (it has to create the tun network interface and change the routing table), so on most systems you prefix it with sudo.

The usual command for this is:

  openconnect -u YourDukeNetID --authgroup '-Default-' https://vpn.duke.edu/

Supplying your NetID and the authgroup on the command line saves you from being prompted for them once openconnect starts.

You will be prompted for a password. This is your Duke NetID password.

The Duke VPN listens on TCP port 443 at the Duke end, which carries the TLS control connection, and typically also on UDP port 443, which carries the DTLS data channel. Your firewall needs to allow outbound traffic to both. Outbound TCP 443 is used for https connections and will usually already be open; outbound UDP 443 often is not.

If you cannot open UDP port 443, pass the --no-dtls argument instead: openconnect then sends all traffic over the TCP connection, which works everywhere but is slower (avoiding that slowdown is the reason the DTLS channel exists). This also works if Duke moves the DTLS channel to a port other than UDP 443.

Advanced openconnect usage

The problem with the above command, and with the regular Duke VPN software, is that it changes both the routing table and the DNS server your box uses. This can cause problems ranging from not being able to connect to non-web-based email servers to losing access to local LAN services such as X clients or printers. Fortunately there is a solution: the vpnc-script-sshd helper sets up what amounts to a local virtual machine through which you connect to the Duke side, leaving the rest of your box's networking untouched. Run it as follows (note the \ line continuation character):

  openconnect -u YourDukeNetID --script=/usr/share/vpnc-scripts/vpnc-script-sshd \
      --authgroup '-Default-' https://vpn.duke.edu/

The path to the vpnc-script-sshd script may vary on your system. The path above is for Debian-based systems; on others, check where your distribution's vpnc-scripts package installs it.

The next step is to use the new virtual machine. (Really, this is a new network namespace on your local box.)
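To see for yourself what a plain VPN session changes (the routing and DNS problem described above) and to confirm that outbound TCP 443 is open before starting openconnect, the following helper script can be used. It is an added example written for this page, not part of Babase, of Duke's VPN documentation or of openconnect itself. The host name vpn.duke.edu and the port numbers come from the page; the script name, the subcommand names and the sample addresses used in the comments are assumptions. It runs on Linux, where `ip route` can be read without root.

```shell
#!/usr/bin/env bash
# vpn-netcheck.sh (assumed name): pre-flight check and before/after
# inspection for an openconnect session. Added example for this page;
# not part of Babase, Duke's VPN documentation or openconnect.
set -eu

# Return 0 if a TCP connection to $1:$2 succeeds within 5 seconds.
# Uses bash's built-in /dev/tcp so no extra tools are needed.
# UDP 443 (DTLS) cannot be probed this way because there is no
# handshake to observe; if it turns out to be blocked, add --no-dtls.
tcp_reachable() {
    timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Save the routing table and DNS settings to the file named in $1.
# 'ip route' is readable without root on Linux, as is resolv.conf.
# Lines are tagged and sorted so two snapshots can be compared with comm.
snapshot_net() {
    {
        ip route show 2>/dev/null | sed 's/^/route: /' || true
        grep -E '^(nameserver|search)' /etc/resolv.conf 2>/dev/null \
            | sed 's/^/dns: /' || true
    } | LC_ALL=C sort > "$1"
}

# Print the difference between two snapshots: lines only in the first
# (removed by the VPN) are prefixed '- ', lines only in the second
# (added by the VPN) are prefixed '+ '. Unchanged lines are not printed.
# Example (constructed input): a snapshot with
#   route: default via 192.0.2.1 dev eth0 / dns: nameserver 192.0.2.53
# compared against one that also has route: 10.0.0.0/8 dev tun0 and a
# different nameserver prints one '- dns:' line and two '+ ' lines.
net_diff() {
    LC_ALL=C comm -23 "$1" "$2" | sed 's/^/- /'
    LC_ALL=C comm -13 "$1" "$2" | sed 's/^/+ /'
}

# Command-line entry points. With no subcommand the functions are only
# defined, so the file can also be sourced.
case "${1:-}" in
    preflight)
        # $2 is the VPN host, e.g. vpn.duke.edu from the page.
        if tcp_reachable "$2" 443; then
            echo "TCP 443 to $2 is open; outbound UDP 443 is still needed for DTLS"
        else
            echo "cannot reach $2 on TCP 443: check your outbound firewall" >&2
            exit 1
        fi ;;
    snapshot) snapshot_net "$2" ;;
    diff)     net_diff "$2" "$3" ;;
    *) ;;
esac
```

Typical use: `bash vpn-netcheck.sh preflight vpn.duke.edu` and `bash vpn-netcheck.sh snapshot /tmp/before` before connecting; then, with the VPN up, `bash vpn-netcheck.sh snapshot /tmp/after` and `bash vpn-netcheck.sh diff /tmp/before /tmp/after` from a second terminal. With the plain invocation the diff shows the replaced default route and nameserver; with the vpnc-script-sshd variant the host's own routing and DNS should come back unchanged, which is exactly what this comparison lets you confirm.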

DukeAuthentication (last edited 2018-02-27 16:45:05 by JakeGordon)

Wiki content based upon work supported by the National Science Foundation under Grant Nos. 0323553 and 0323596. Any opinions, findings, conclusions or recommendations expressed in this material are those of the wiki contributor(s) and do not necessarily reflect the views of the National Science Foundation.