Login Nodes
...
Projects:
- SSH Inbound Connections Reduction
* SLAC IT Cyber Security owns this project; for more information, please see the link. (SLAC Active Directory login is required.)
Login Nodes
To SSH to your on-site desktop, we recommend you use jump.slac.stanford.edu for network access and then SSH onto your computer on-site.
Load-balanced Hostname | Pool Name | Operating System | Authentication | Scientific File System |
---|---|---|---|---|
jump.slac.stanford.edu | jump | Rocky 9.x | Active Directory | No |
rocky8.slac.stanford.edu | rocky8 | Rocky 8.x | Active Directory | No |
rocky9.slac.stanford.edu | rocky9 | Rocky 9.x | Active Directory | No |
ubuntu-lts.slac.stanford.edu | ubuntu-lts | Ubuntu LTS 22.04 | Active Directory | No |
The following scientific bastion hosts can be used for remote SSH access to SLAC:
Load-balanced Hostname | Pool Name | Operating System | Authentication | Scientific File System | Guides |
---|---|---|---|---|---|
centos7.slac.stanford.edu | centos7 | CentOS 7.x | Heimdal "Unix" | AFS & NFS | None |
sdf-login.slac.stanford.edu | sdf-login | RHEL 9.x | Active Directory | WEKA | SDF |
s3dflogin.slac.stanford.edu | s3dflogin | RHEL 9.x | Heimdal "Unix" | WEKA | S3DF |
s3dfnx.slac.stanford.edu | s3dfnx | RHEL 9.x | Heimdal "Unix" | WEKA | S3DF NoMachine |
nx.slac.stanford.edu | nx | CentOS 7.x | Heimdal "Unix" | AFS & NFS | NoMachine |
fastx3.slac.stanford.edu | fastx3 | CentOS 7.x | Heimdal "Unix" | AFS & NFS | FastX |
rhel6-64.slac.stanford.edu and iris.slac.stanford.edu
...
are now on limited login. Work is being done by SLAC IT and Scientific Computing Systems to retire these systems.
SCS is moving to WEKA with SDF/S3DF.
Restricted / Limited Login
Load-balanced Hostname | Pool Name | Authentication | Scientific File System |
---|---|---|---|
rhel6-64.slac.stanford.edu | rhel6-64 | Heimdal "Unix" | AFS & NFS |
cdlogin.slac.stanford.edu | cdlogin | Heimdal "Unix" | AFS & NFS |
ssrllogin1.slac.stanford.edu | ssrllogin1 | Heimdal "Unix" | |
ssrlxfs1.slac.stanford.edu | ssrlxfs1 | SSRL Active Directory | |
Example usage:
```
ssh centos7.slac.stanford.edu
```
...
SSH is capable of forwarding X11 through the connection. This will be slow when you are connecting from a non-SLAC network. To display SLAC X11 / GUI applications to your remote desktop or laptop, we have .
SLAC IT recommends NoMachine over FastX.
SLAC has NoMachine and FastX available. For more information on the programs, see https://confluence.slac.stanford.edu/display/SCSPub/FastX and https://www.starnet.com/fastx/. FastX works for LAN or WAN access, is optimized for remote Linux X Windows, and can be used if the default SSH X11 tunneling does not provide adequate performance.
For NoMachine, see NoMachine
For FastX, see FastX
Data Transfer Nodes (DTN)
ssh and scp are not the most optimized tools for large data transfers. bbcp and/or globus are better choices. There are two Data Transfer Nodes available for this:
...
SDF and S3DF can help with transferring data. For more information, see:
SDF https://sdf.slac.stanford.edu
...
For more information, see /public/doc/#/data-transfer
S3DF https://confluences3df.slac.stanford.edu/displaypublic/doc/SCSPub/Transferring+Data .#/data-transfer
SSH between a non-SLAC machine and a SLAC machine
...
Turn on GSSAPI options in your ~/.ssh/config file.
```
# Specifies whether user authentication based on GSSAPI is allowed.
GSSAPIAuthentication yes
# Forward (delegate) credentials to the server.
GSSAPIDelegateCredentials yes
```
On your non-SLAC machine:
```bash
kinit --renew userid@SLAC.STANFORD.EDU || kinit --renewable userid@SLAC.STANFORD.EDU
```
OR
```bash
kinit -R userid@SLAC.STANFORD.EDU || kinit -r 7d userid@SLAC.STANFORD.EDU
```
Replace 'userid' with your SLAC username, and replace 'machine' with a SLAC machine (e.g., centos7.slac.stanford.edu). Note: the version of 'kinit' on your machine may have different options; please see your local documentation (e.g., 'man kinit' or 'kinit --help').
Then each time before you ssh (or at least once per day), renew your Kerberos ticket with this command (if the renew fails, you will be prompted to enter your password to get a new Kerberos ticket). As long as your ticket remains renewable and hasn't expired, you can renew it for a longer period without having to enter your password again.
```bash
kinit --renew userid@SLAC.STANFORD.EDU || kinit --renewable userid@SLAC.STANFORD.EDU
```
OR
```bash
kinit -R userid@SLAC.STANFORD.EDU || kinit -r 7d userid@SLAC.STANFORD.EDU
```
You can run the 'klist' command on your remote machine to view your Kerberos ticket:
```bash
klist
```
'klist -v' will show more details.
Now you can ssh to SLAC using Kerberos GSSAPI authentication:
```bash
ssh userid@machine.slac.stanford.edu
```
After you ssh to SLAC, you can run the 'tokens' command to verify you have an AFS token:
```bash
tokens
```
After you ssh to SLAC, you can renew your AFS token with this command:
```bash
kinit
```
If 'tokens' does not show an AFS token after you run the 'kinit' command, then you can run 'aklog' to get an AFS token from your Kerberos ticket:
```bash
aklog && aklog
```
If your ssh attempt to SLAC just hangs for a long time, or you are prompted for your password, that probably means your Kerberos ticket has expired. You can run 'klist' to verify that. You can run 'kdestroy' and then your ssh attempt won't hang (but you will be prompted to authenticate using a password).
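The procedure above as a single pre-flight wrapper; this is an added example, not SLAC's own script. `ensure_ticket`, `slac_ssh` and the `KLIST`/`KINIT`/`KDESTROY`/`SSH` override variables are hypothetical names, and it assumes your `klist` supports `-s` and your `kinit` accepts the `-R` / `-r 7d` form shown above.

```bash
#!/usr/bin/env bash
# Added example (not SLAC's script): pre-flight Kerberos check before GSSAPI ssh.
# Hypothetical names: ensure_ticket, slac_ssh, and the KLIST/KINIT/KDESTROY/SSH
# override variables, which let the logic be exercised without a KDC.
# Assumes "klist -s" (silent validity test) and the -R / -r kinit flags above.

REALM="SLAC.STANFORD.EDU"

# Prints the outcome: renewed | valid | new | none (none also returns 1).
ensure_ticket() {
    local principal="$1@${REALM}"
    if "${KLIST:-klist}" -s; then
        # Unexpired ticket in the cache: extend it without a password if possible.
        if "${KINIT:-kinit}" -R "$principal" 2>/dev/null; then
            echo renewed
        else
            echo valid      # usable until it expires, but no longer renewable
        fi
    elif "${KINIT:-kinit}" -r 7d "$principal"; then
        echo new            # kinit prompted for the password
    else
        # An expired ticket left in the cache is what makes ssh hang; clear it
        # so ssh goes straight to password authentication.
        "${KDESTROY:-kdestroy}" 2>/dev/null || true
        echo none
        return 1
    fi
}

# usage: slac_ssh userid machine.slac.stanford.edu [ssh arguments...]
slac_ssh() {
    local user="$1"
    local host="$2"
    shift 2
    case "$host" in
        *.slac.stanford.edu) ;;
        *)  # Delegation hands the server a usable ticket: SLAC hosts only.
            echo "refusing to delegate credentials to $host" >&2
            return 2 ;;
    esac
    ensure_ticket "$user" >/dev/null || echo "no ticket; expect a password prompt" >&2
    "${SSH:-ssh}" -o GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=yes \
        "$user@$host" "$@"
}
```

Passing the GSSAPI options per connection keeps credential delegation off for every host the wrapper is not used with, which a global `GSSAPIDelegateCredentials yes` in ~/.ssh/config would not.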