Differences between revisions 4 and 6 (spanning 2 versions)
Revision 4 as of 2016-08-03 16:22:36
Size: 4305
Editor: KarlPinc
Comment: Clean up sentences and paragraphs. Add ssh connection docs
Revision 6 as of 2018-02-05 15:38:46
Size: 2174
Editor: JakeGordon
Comment:
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
<<TableOfContents>>
Line 2: Line 4:
Line 5: Line 6:
Implementation is expected to be complete by 2017. Implementation is expected to be complete in early 2018.
Line 8: Line 9:
Many of Babase's web pages are available to the public without restriction. However, those pages which access database content or allow data to be changed are restricted to those with [[https://oit.duke.edu/email-accounts/netid/|Duke NetIDs]]. Before accessing these restricted pages, your Duke NetID and its password must be provided. On a future date, a [[https://idms-mfa.oit.duke.edu/mfa/help|second authentication check]] (a.k.a. multi-factor or two-step authentication) may also be required.
Line 9: Line 11:
Many of Babase's web pages are available to the public without restriction. However,
those pages which access database content or allow data to be changed are
restricted to those with [[https://oit.duke.edu/email-accounts/netid/|Duke NetIDs]].
Before accessing restricted pages your Duke NetID, it's password, and a
[[https://idms-mfa.oit.duke.edu/mfa/help|second authentication check]]
must be performed.

If you do not have a Duke NetID contact the Lab for sponsorship.

[[https://idms-mfa.oit.duke.edu/|Setup your own]] 2nd level of authentication.
(Called multi-factor or two-step authentication.) The first step is to
login using your Duke NetID.
If you do not have a Duke NetID, contact the lab for sponsorship.
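Review bot: the rewritten paragraph at the top of this hunk changes the second authentication check from required ("must be performed") to "may also be required" on a future date, and the "Setup your own" link to https://idms-mfa.oit.duke.edu/ goes away with it; since the SSH section in the later hunk still requires 2-factor authentication and sends readers to that same setup link, consider keeping a pointer to it here so web users set it up before they need it.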
Line 25: Line 16:
For most people the Babase web interface (phpPgAdmin) is all that's needed. More advanced users, particularly the data managers, require access to the Unix command prompt using SSH.
Line 26: Line 18:
For most people the Babase web interface is all that's needed. More advanced
users, particularly the data managers, have access to the Unix command prompt
using SSH.
===== Be on Duke's network =====
To use SSH you must first be connected to Duke's network. Ways to do this:
Line 30: Line 21:
==== The Duke VPN ====  * Be physically present at Duke
 * Set up the [[DukeVPN|Duke VPN]]
Line 32: Line 24:
To use ssh you must first sign in to the Duke VPN. Most will use the Duke-supplied
VPN software but FOSS users may wish to use the Open Source [[http://www.infradead.org/openconnect/|openconnect]] program instead. '''openconnect''' is probably already packaged by your OS supplier
so try installing the OS supplied package first.
===== Connecting with SSH =====
When connecting with SSH Duke requires you use 2-factor authentication. If you do not have a 2nd level of authentication, [[https://idms-mfa.oit.duke.edu/|set it up]]. (This requires having a Duke NetID.)
Line 36: Line 27:
===== Basic openconnect usage =====

The '''openconnect''' command must be run as root.

The usual command for this is:

  openconnect -u ''YourDukeNetID'' --authgroup '-Default-' https://vpn.duke.edu/

Supplying your NetID and the authgroup saves you a bit of typing later.

You will be prompted for a password. This is your Duke NetID password.

The Duke VPN uses TCP port 443 at the Duke end. It also uses UDP port 443
(although this is undocumented).
Your firewall will need to be configured to allow outbound traffic to these ports.
This will probably not be a problem.
TCP 443 is used for https connections and will typically already be open.
Most firewalls are not configured using the most secure "default deny" policy
and so allow users on the LAN to connect to any port at all at the remote end.

The alternative to opening outbound connections to UDP port 443
is to use the '''--no-dtls''' argument. This will
also work should Duke change their configuration to use a different UDP port.

===== Advanced openconnect usage =====

The problem with the above command, and the Duke supplied VPN software, is that
both the routing and the DNS server used by your box are changed. This can cause problems,
from not being able to connect to non-web-based email servers to problems accessing
local LAN services like X clients or printers. Fortunately there is a solution that
sets up what amounts to a local virtual machine, though which you then connect
to the Duke side of things. This is established using the '''vpnc-script-sshd'''
helper script as follows (note the \ line continuation character):

  openconnect -u ''YourDukeNetID'' --script=/usr/share/vpnc-scripts/vpnc-script-sshd \
  --authgroup '-Default-' https://vpn.duke.edu/

The path to the '''vpnc-script-sshd''' script may vary on your system. The above
path is for Debian based systems.

The next step is to use the new virtual machine. (Really, this is a new network namespace
on your local box.)

==== Connecting with SSH ====

When connecting with SSH Duke requires you use 2-factor authentication. But it's not
always clear what sort of password must be entered where. These are the various prompts
and how to respond to them:
It may not always be clear what sort of password must be entered where. These are the various prompts and how to respond to them:
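Review bot: this hunk removes all of the openconnect guidance (the run-as-root command line, the TCP/UDP 443 firewall requirement, the --no-dtls alternative, and the vpnc-script-sshd network-namespace workaround) and the replacement text only links to the DukeVPN page; confirm that page carries those details, in particular the --no-dtls note and the port list, otherwise FOSS users lose them without a pointer.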
Line 86: Line 30:
   by configuring ~/.ssh/authorized_keys, adding your public key to the file as documented
  
in sshd_config(5).
  . by configuring ~/.ssh/authorized_keys, adding your public key to the file as documented in sshd_config(5).
Line 90: Line 33:
   a one time password. These may be obtained from the Duke
  [[https://idms-mfa.oit.duke.edu/|multi-factor authentication site]] or generated by
  
[[https://en.wikipedia.org/wiki/YubiKey|YubiKey]] hardware.
  . a one time password. These may be obtained from the Duke
  [[https://idms-mfa.oit.duke.edu/|multi-factor authentication site]] or generated by [[https://en.wikipedia.org/wiki/YubiKey|YubiKey]] hardware.

Accessing Duke's Systems and Logging In

Note that the systems described on this page are in the process of being implemented.

Implementation is expected to be complete in early 2018.

Web Page Access

Many of Babase's web pages are available to the public without restriction. However, the pages that access database content or allow data to be changed are restricted to users with Duke NetIDs. Before accessing these restricted pages you must provide your Duke NetID and its password. On a future date, a second authentication check (a.k.a. multi-factor or two-step authentication) may also be required.

If you do not have a Duke NetID, contact the lab for sponsorship.

Be sure to have cookies turned on for all of the above.

Access to the Unix prompt with SSH

For most people the Babase web interface (phpPgAdmin) is all that's needed. More advanced users, particularly the data managers, require access to the Unix command prompt using SSH.

Be on Duke's network

To use SSH you must first be connected to Duke's network. Ways to do this:

  • Be physically present at Duke
  • Set up the Duke VPN

Connecting with SSH

When connecting with SSH, Duke requires that you use 2-factor authentication. If you do not yet have a 2nd level of authentication, set it up. (This requires having a Duke NetID.)

It may not always be clear what sort of password must be entered where. These are the various prompts and how to respond to them:

  • Password: This is a request for your Duke NetID password. You can skip this prompt
    • by configuring ~/.ssh/authorized_keys, adding your public key to the file as documented in sshd_config(5).
  • Passcode or option ...: The options are fairly clear. The passcode requested is
    • a one time password. These may be obtained from the Duke multi-factor authentication site or generated by YubiKey hardware.
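The authorized_keys step above has one prerequisite it does not spell out: sshd runs with StrictModes by default and silently ignores ~/.ssh/authorized_keys when the home directory, ~/.ssh or the file itself is group- or world-writable, which is the usual reason a freshly installed key still produces the Password: and Passcode: prompts. The following POSIX shell script is an added example, not part of the Babase wiki or Duke's documentation; the home directory layout and the keys it writes are constructed placeholders, and the check_authorized_keys and make_home function names are its own.

```shell
#!/bin/sh
# Added example, not from the Babase wiki: pre-flight check for the
# "configure ~/.ssh/authorized_keys" step. With StrictModes (the sshd default)
# the server ignores authorized_keys when the home directory, ~/.ssh or the
# file itself is group- or world-writable, so the login falls back to the
# Password: and Passcode: prompts. This reports why a key would be ignored.

# check_authorized_keys HOME_DIR
# Prints each problem found and returns the number of problems (0 = key usable).
check_authorized_keys() {
    home="$1"
    keyfile="$home/.ssh/authorized_keys"
    problems=0

    for p in "$home" "$home/.ssh" "$keyfile"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"
            problems=$((problems + 1))
            continue
        fi
        # Octal mode such as 700 or 1775 (GNU stat, BSD stat as fallback);
        # the last two digits are the group and other permission bits.
        mode=$(stat -c '%a' "$p" 2>/dev/null || stat -f '%OLp' "$p")
        case "$(printf '%s' "$mode" | tail -c 2)" in
            *[2367]*)
                echo "group/other writable (mode $mode): $p"
                problems=$((problems + 1)) ;;
        esac
    done
    [ -f "$keyfile" ] || return "$problems"

    # Each non-comment line must carry a recognised key type followed by a
    # base64 blob; options such as from="..." may precede it, a comment may follow.
    badlines=$(grep -v -E '^[[:space:]]*(#|$)' "$keyfile" \
        | grep -v -c -E '(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com) [A-Za-z0-9+/]+=*' \
        || true)
    if [ "$badlines" -gt 0 ]; then
        echo "$badlines malformed line(s) in $keyfile"
        problems=$((problems + badlines))
    fi
    return "$problems"
}

# make_home HOME_DIR: build a constructed user home directory with a correct
# authorized_keys layout. The keys below are made-up placeholders, not real keys.
make_home() {
    mkdir -p "$1/.ssh"
    chmod 700 "$1" "$1/.ssh"
    cat > "$1/.ssh/authorized_keys" <<'EOF'
# babase data manager keys (constructed sample)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExamp alice@laptop
from="10.0.0.0/8" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCExampleExampleExample== alice@desktop
EOF
    chmod 600 "$1/.ssh/authorized_keys"
}

# Stand-alone demo: a correct layout, then the classic group-writable ~/.ssh.
main() {
    tmp=$(mktemp -d)
    make_home "$tmp/alice"
    echo "== correct layout =="
    check_authorized_keys "$tmp/alice" && echo "OK: key login should work"
    echo "== ~/.ssh made group-writable =="
    chmod 770 "$tmp/alice/.ssh"
    check_authorized_keys "$tmp/alice" || echo "-> sshd would ignore the key; expect the Password: prompt"
    rm -rf "$tmp"
}
main
```

Run it against a real account as `check_authorized_keys "$HOME"`; a zero exit status means the key file is one sshd will read, and any remaining Password: prompt is then a server-side setting (PubkeyAuthentication) or a client-side key selection problem rather than a permissions one.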

DukeAuthentication (last edited 2018-02-27 16:45:05 by JakeGordon)

Wiki content based upon work supported by the National Science Foundation under Grant Nos. 0323553 and 0323596. Any opinions, findings, conclusions or recommendations expressed in this material are those of the wiki contributor(s) and do not necessarily reflect the views of the National Science Foundation.