Differences between revisions 5 and 7 (spanning 2 versions)
Revision 5 as of 2018-01-24 20:24:58
Size: 2128
Editor: JakeGordon
Comment:
Revision 7 as of 2018-02-27 16:45:05
Size: 4581
Editor: JakeGordon
Comment:
Line 4: Line 4:
Note that the systems described on this page are in the process of being implemented.

Implementation is expected to be complete in early 2018.
Line 9: Line 5:
Many of Babase's web pages are available to the public without restriction. However, those pages which access database content or allow data to be changed are restricted to those with [[https://oit.duke.edu/email-accounts/netid/|Duke NetIDs]]. Before accessing restricted pages, your Duke NetID, its password, and a [[https://idms-mfa.oit.duke.edu/mfa/help|second authentication check]] (a.k.a. multi-factor or two-step authentication) must be provided. Many of Babase's web pages are available to the public without restriction. However, those pages which access database content or allow data to be changed are restricted to those with [[https://oit.duke.edu/email-accounts/netid/|Duke NetIDs]]. Before accessing these restricted pages, your Duke NetID and its password must be provided. On a future date, a [[https://idms-mfa.oit.duke.edu/mfa/help|second authentication check]] (a.k.a. multi-factor or two-step authentication) may also be required.
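Review bot: the replacement sentence says a second authentication check "may also be required" on "a future date", which gives readers no date and nothing to do in the meantime, and the next hunk removes the "set it up" link. Suggest stating plainly that the NetID and its password are what is required today, and keeping the multi-factor setup link so users can enroll before the requirement arrives.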
Line 12: Line 8:

If you do not have a 2nd level of authentication, [[https://idms-mfa.oit.duke.edu/|set it up]]. (This requires having a Duke NetID.)
Line 19: Line 13:

By default, SSH access is not available to everyone. You must explicitly be granted permission by the Duke data manager before you can SSH into the VM.
Line 26: Line 22:
===== Connecting with SSH =====
When connecting with SSH Duke requires you use 2-factor authentication. But it's not always clear what sort of password must be entered where. These are the various prompts and how to respond to them:
===== SSH-ing in =====
(This will only work if you are on the Duke network)
Line 29: Line 25:
 * Password: This is a request for your Duke NetID password. You can skip this prompt
  . by configuring ~/.ssh/authorized_keys, adding your public key to the file as documented in sshd_config(5).
From a Unix or Unix-like terminal (In macOS, use "Terminal". In Windows, you'll need to get some 3rd party software, but [[https://www.putty.org/|PuTTY]] is common), enter:
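Review bot: the removed "Password:" bullet was the only mention of key-based login (adding a public key to ~/.ssh/authorized_keys as documented in sshd_config(5)), so the page now describes password login only. If public-key login is still permitted on the VM, keep one sentence pointing to it. The new parenthetical about Terminal and PuTTY would also read better as its own sentence ahead of "enter:".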
Line 32: Line 27:
 * Passcode or option ...: The options are fairly clear. The passcode requested is
  . a one time password. These may be obtained from the Duke
  [[https://idms-mfa.oit.duke.edu/|multi-factor authentication site]] or generated by [[https://en.wikipedia.org/wiki/YubiKey|YubiKey]] hardware.
{{{
ssh MYDUKENETID@papio.biology.duke.edu
}}}
and hit enter. You will be asked for your NetID's password; when entering it, the cursor on the screen will not move, but rest assured that it is still accepting input. Hit enter to send the password, and you're in.

==== Transferring files to/from the VM with SCP ====
If you find a need to move files between your local computer and the VM, ideally you'd use [[https://en.wikipedia.org/wiki/Secure_copy|SCP]]. Feel free to Google up an SCP tutorial of your choice, if you aren't already familiar with it. However, there's a problem that you should be aware of.

Duke's OIT requires the use of "user private groups". If you're unfamiliar with this idiom, again feel free to Google it. Usually, you should leave it enabled, but this keeps SCP commands from functioning. So you must temporarily disable it.

===== Disabling user private groups =====
There are lots of reasons why you might want to disable UPG. This is addressed here, related to SCP, because you need to disable UPG for SCP to work. If you have some other task that might be improved by disabling UPG, then you're likely an advanced-enough user that you know what you're doing and don't need this wiki to learn how.

After SSH-ing into the VM, enter:

{{{
emacs ~/.bashrc
}}}
A file will open, which will include the following text:

{{{
# Turn on the user-private-group idiom to collaborate with others.
# See: https://security.ias.edu/how-and-why-user-private-groups-unix
# THIS SHOULD ALWAYS COME AFTER THE SOURCING OF GLOBAL DEFINITIONS;
# it effectively aborts and re-executes bash, but must not come before
# the sourcing of global definitions because the global definitions
# change the umask.
#
#echo 'Please consider editing ~/.bashrc and turning on collaboration'
# If you do this, scp and remote ssh commands BREAK. But if you don't
# anything you create, with scp or otherwise, will be editable only by
# you. The recommended approach is to turn UPG collaboration off
# whenever you scp, then scp into your home directory, then turn UPG
# back on and ssh in again and copy the data into the desired location
# for collaboration.
#
# To turn collaboration on, uncomment the line below and comment
# the "echo" above.
source /usr/local/bin/upg_enable
}}}
In this case, UPG--or "collaboration", as described above--is already enabled. To turn it off, add a "#" to the beginning of the "source" line. Normally, you'd also want to remove the "#" from the beginning of the "echo" line; removing that "#" ensures that you get a text alert that UPG is turned off. However, this text alert also breaks SCP.

So, to disable UPG to allow SCP:

 1. Comment out both the "echo" and "source" lines with "#"
 1. Save these changes by entering Ctrl-X, Ctrl-S
 1. Leave emacs by entering Ctrl-X, Ctrl-C

You will need to logout of Papio and back in if you want this UPG change to take effect in any already-active connection(s) you may have to the VM.
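Review bot: the numbered steps stop at leaving emacs, so a reader who follows them is left with UPG off, while the quoted .bashrc comment itself recommends turning UPG back on after the scp and then copying the data into the desired location for collaboration. Suggest adding steps for the scp into the home directory, removing the "#" from the "source" line again, and logging back in. In the last sentence, "logout of Papio" should read "log out of Papio".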

Accessing Duke's Systems and Logging In

Web Page Access

Many of Babase's web pages are available to the public without restriction. However, pages that access database content or allow data to be changed are restricted to those with Duke NetIDs. Before accessing these restricted pages, you must provide your Duke NetID and its password. At a future date, a second authentication check (a.k.a. multi-factor or two-step authentication) may also be required.

If you do not have a Duke NetID, contact the lab for sponsorship.

Be sure to have cookies turned on for all of the above.

Access to the Unix prompt with SSH

For most people the Babase web interface (phpPgAdmin) is all that's needed. More advanced users, particularly the data managers, require access to the Unix command prompt using SSH.

By default, SSH access is not available to everyone. You must explicitly be granted permission by the Duke data manager before you can SSH into the VM.

Be on Duke's network

To use SSH you must first be connected to Duke's network. Ways to do this:

  • Be physically present at Duke
  • Set up the Duke VPN

SSH-ing in

(This will only work if you are on the Duke network)

From a Unix or Unix-like terminal (on macOS, use "Terminal"; on Windows, you'll need some third-party software, of which PuTTY is a common choice), enter:

ssh MYDUKENETID@papio.biology.duke.edu

and hit enter. You will be asked for your NetID's password; when entering it, the cursor on the screen will not move, but rest assured that it is still accepting input. Hit enter to send the password, and you're in.

Transferring files to/from the VM with SCP

If you find a need to move files between your local computer and the VM, ideally you'd use SCP. Feel free to Google up an SCP tutorial of your choice, if you aren't already familiar with it. However, there's a problem that you should be aware of.

Duke's OIT requires the use of "user private groups". If you're unfamiliar with this idiom, again feel free to Google it. Usually, you should leave it enabled, but this keeps SCP commands from functioning. So you must temporarily disable it.

Disabling user private groups

There are lots of reasons why you might want to disable UPG. This is addressed here, related to SCP, because you need to disable UPG for SCP to work. If you have some other task that might be improved by disabling UPG, then you're likely an advanced-enough user that you know what you're doing and don't need this wiki to learn how.

After SSH-ing into the VM, enter:

emacs ~/.bashrc

A file will open, which will include the following text:

# Turn on the user-private-group idiom to collaborate with others.
# See: https://security.ias.edu/how-and-why-user-private-groups-unix
# THIS SHOULD ALWAYS COME AFTER THE SOURCING OF GLOBAL DEFINITIONS;
# it effectively aborts and re-executes bash, but must not come before
# the sourcing of global definitions because the global definitions
# change the umask.
#
#echo 'Please consider editing ~/.bashrc and turning on collaboration'
# If you do this, scp and remote ssh commands BREAK.  But if you don't
# anything you create, with scp or otherwise, will be editable only by
# you.  The recommended approach is to turn UPG collaboration off
# whenever you scp, then scp into your home directory, then turn UPG
# back on and ssh in again and copy the data into the desired location
# for collaboration.
#
# To turn collaboration on, uncomment the line below and comment
# the "echo" above.
source /usr/local/bin/upg_enable

In this case, UPG--or "collaboration", as described above--is already enabled. To turn it off, add a "#" to the beginning of the "source" line. Normally, you'd also want to remove the "#" from the beginning of the "echo" line; removing that "#" ensures that you get a text alert that UPG is turned off. However, this text alert also breaks SCP.

So, to disable UPG to allow SCP:

  1. Comment out both the "echo" and "source" lines with "#"
  2. Save these changes by entering Ctrl-X, Ctrl-S
  3. Leave emacs by entering Ctrl-X, Ctrl-C

You will need to log out of Papio and back in if you want this UPG change to take effect in any already-active connection(s) you may have to the VM.
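
The procedure above, scripted as an added example (not part of this wiki page or of Duke's tooling): it comments out both lines for SCP and restores the "source" line afterwards, as the .bashrc comment recommends. The helper names upg_state and upg_set are hypothetical, and the sample file is a constructed, shortened copy of the excerpt.

```sh
#!/bin/sh
# Added example (hypothetical helper names); the two patterns are taken from
# the ~/.bashrc excerpt on this page.
SRC_RE='source /usr/local/bin/upg_enable'
ECHO_RE="echo 'Please consider editing"

# Constructed sample: a shortened copy of the excerpt, for offline testing.
make_sample_bashrc() {
    cat > "$1" <<'EOF'
#echo 'Please consider editing ~/.bashrc and turning on collaboration'
# To turn collaboration on, uncomment the line below and comment
# the "echo" above.
source /usr/local/bin/upg_enable
EOF
}

# Print "on" (source line active), "noisy" (only the echo alert is active,
# which the page says also breaks SCP) or "off" (both lines commented out).
upg_state() {
    if grep -Eq "^[[:space:]]*$SRC_RE" "$1"; then echo on
    elif grep -Eq "^[[:space:]]*$ECHO_RE" "$1"; then echo noisy
    else echo off
    fi
}

# upg_set off|on FILE: rewrite the two lines; the original is kept as FILE.upg-bak.
upg_set() {
    case $1 in
        off) _src="s|^[[:space:]]*($SRC_RE)|#\1|" ;;   # step 1: comment out both
        on)  _src="s|^#+[[:space:]]*($SRC_RE)|\1|" ;;  # source line active again
        *)   echo "usage: upg_set off|on FILE" >&2; return 2 ;;
    esac
    [ -f "$2" ] || { echo "no such file: $2" >&2; return 2; }
    _tmp=$(mktemp) || return 1
    cp -p "$2" "$2.upg-bak"
    # The echo alert is commented out in both modes so the shell stays silent.
    sed -E -e "$_src" -e "s|^[[:space:]]*($ECHO_RE)|#\1|" "$2" > "$_tmp"
    cat "$_tmp" > "$2" && rm -f "$_tmp"   # overwrite in place, keeping the file mode
}

# Demo on a temporary copy; point upg_set at ~/.bashrc only after checking the output.
demo=$(mktemp) && make_sample_bashrc "$demo"
upg_set off "$demo" && echo "after off: $(upg_state "$demo")"
upg_set on "$demo" && echo "after on: $(upg_state "$demo")"
rm -f "$demo" "$demo.upg-bak"
```

After `upg_set off ~/.bashrc`, log out and back in before running scp, as the page notes; run `upg_set on ~/.bashrc` once the transfer is done.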

DukeAuthentication (last edited 2018-02-27 16:45:05 by JakeGordon)

Wiki content based upon work supported by the National Science Foundation under Grant Nos. 0323553 and 0323596. Any opinions, findings, conclusions or recommendations expressed in this material are those of the wiki contributor(s) and do not necessarily reflect the views of the National Science Foundation.