NREN (NASA Research and Engineering Network)
Customer Service: Secure Unattended Proxy

The Secure Unattended Proxy (SUP) offers a method of transferring data from a local host to Columbia without the use of SecurID at the time of the operation. You must first obtain special SUP keys using SecurID authentication; those keys can then be used to perform operations interactively or from unattended jobs and scripts.

SUP keys are currently allowed to execute the commands scp, sftp, bbftp, qstat, rsync, and test. Each SUP key is valid for one week from the time it is generated. A user may hold multiple SUP keys at the same time, each expiring independently of the others.

Below are the steps for setting up and using the SUP from an example host, crow:

  1. Generate the private/public key pair for the local host, if there is not one already. Note that if you forget the passphrase, it cannot be recovered; you will need to generate a new key pair:

       crow> ssh-keygen -t rsa
       Generating public/private rsa key pair.
       Enter file in which to save the key (/home/user/.ssh/id_rsa):
       Enter passphrase (empty for no passphrase):
       Enter same passphrase again:
       Your identification has been saved in /home/user/.ssh/id_rsa.
       Your public key has been saved in /home/user/.ssh/id_rsa.pub.
       The key fingerprint is:
       XX:c1:50:29:2b:1f:5c:e7:YY:96:ff:99:26:a6:86:ZZ user@crow

  2. Copy an OpenSSH authorized_keys file to sup-key.nas.nasa.gov. This should include the public key of the local host:

       [crow ~/.ssh]$ ssh -Ax -oPubkeyAuthentication=no \
           user@sup-key.nas.nasa.gov mesh-keygen --init < ~/.ssh/id_rsa.pub
       ----------------------------------------------------------------------
                   * * *  W A R N I N G     W A R N I N G * * *
                            U.S. GOVERNMENT COMPUTER
       ----------------------------------------------------------------------
       Password:
       Enter PASSCODE:
       Key xx:xx:xx uploaded successfully

     Note: Remember to include your NAS username if it differs from that on the local host.

  3. Start an ssh agent (or use one currently running). Use '-c' if your shell is csh/tcsh, or '-s' if your shell is sh/bash:

       [crow ~/.ssh]$ eval `ssh-agent -c`
       Agent pid 24008

  4. Add your private key to the ssh agent:

       [crow ~/.ssh]$ ssh-add ~/.ssh/id_rsa
       Identity added: /home/user/.ssh/id_rsa (/home/user/.ssh/id_rsa)

  5. Invoke the "mesh-keygen" command on sup.nas.nasa.gov to generate your SUP key, and direct its output to a file:

       [crow ~/.ssh]$ ssh -A -oPubkeyAuthentication=no user@sup.nas.nasa.gov \
           mesh-keygen | tee ~/.ssh/supkey.`date +%Y%m%d.%H%M`
       The authenticity of host 'sup.nas.nasa.gov (129.99.242.6)' can't be established.
       RSA key fingerprint is XX:f3:61:9b:9c:73:YY:4d:22:cb:f3:cd:9a:29:4e:ZZ.
       Are you sure you want to continue connecting (yes/no)? yes
       Warning: Permanently added 'sup.nas.nasa.gov,129.99.242.6' (RSA) to the list of known hosts.
       ----------------------------------------------------------------------
                   * * *  W A R N I N G     W A R N I N G * * *
                            U.S. GOVERNMENT COMPUTER
       ----------------------------------------------------------------------
       Password:
       Enter PASSCODE:
       -----BEGIN RSA PRIVATE KEY-----
       MIICWgIBAAKBgQDUQwVrxv1SrSeA6/g/P6ud5JLyFZs2b/w+FsYBzvnJISAA7YY5
       ...
       jEAcALZryqYaRDG7Xy8Quh/eqORVUm89EdZgbkO/
       -----END RSA PRIVATE KEY-----

  6. Restrict permissions on the SUP key file:

       [crow ~/.ssh]$ chmod 600 supkey.20060920.1429

  7. Add the SUP key to the SSH agent:

       [crow ~/.ssh]$ ssh-add supkey.20060920.1429
       Identity added: supkey.20060920.1429 (supkey.20060920.1429)

  8. Create a ~/.meshrc file on Columbia to specify which directories (on Columbia) will have write access via the SUP. By default, only read access is enabled. For example:

       cfe1.user 90> cat .meshrc
       /u/user
       /nobackup

  9. At this point, the SUP is ready for use. Applications supported by the SUP include scp, bbscp, sftp, and bbftp. All but bbftp require a wrapper. The wrapper for scp and sftp consists of:

       #!/bin/sh
       # Forward the local ssh agent (-A) through the SUP host and run ssh there;
       # "$@" passes the arguments scp/sftp supply through unchanged
       exec ssh -Aqx -oBatchMode=yes user@sup.nas.nasa.gov ssh -q "$@"

     Save this file as ~/supwrap, set its permissions to 700, and invoke it with scp (or sftp):

       [crow ~]$ scp -S ./supwrap 100mb.file user@columbia.nas.nasa.gov:.
       100mb.file                                    100%  100MB 356.8KB/s   04:47

     Note: There was no need for SecurID here.

     The same transfer using bbftp (8 streams):

       [crow ~]$ bbftp -V -L "ssh -Aqx -oBatchMode=yes user@sup.nas.nasa.gov ssh -q" \
           -e "put 100mb.file" -p8 columbia.nas.nasa.gov
       >> COMMAND : put 100mb.file 100mb.file
       << OK
       104857600 bytes send in 5.87 secs (1.75e+04 Kbytes/sec or 136 Mbits/s)

     The following aliases make the SUP commands easier to use. Define them in ~/.profile or ~/.cshrc, depending upon whether you are using an sh/bash or a csh/tcsh shell, respectively.

       alias sup_keygen='ssh -A -oPubkeyAuthentication=no sup.nas.nasa.gov mesh-keygen'
       alias sup_scp='scp -S ~/supwrap'
       alias sup_sftp='sftp -S ~/supwrap'
       alias sup_bbftp='bbftp -L "ssh -Aqx -oBatchMode=yes sup.nas.nasa.gov ssh -q"'
       alias sup_bbscp='bbscp -L "ssh -Aqx -oBatchMode=yes sup.nas.nasa.gov ssh -q"'
       alias sup_qstat='ssh -Aqx -oBatchMode=yes sup.nas.nasa.gov ssh -q cfe1 qstat'
       alias sup_rsync='rsync -e "ssh -Aqx -oBatchMode=yes sup.nas.nasa.gov ssh -q"'
       alias sup_ctest='ssh -Aqx -oBatchMode=yes sup.nas.nasa.gov ssh -q cfe1 test'

     The above alias syntax applies to sh/bash shells; for csh/tcsh, replace '=' with a space.

      Usage Notes

      • The SUP key is valid for one week; after that, a new one must be generated.
      • The above example sets up SUP from a single local host. For multiple hosts, the authorized_keys file must be concatenated with the public keys of the respective hosts before uploading it to sup-key.nas.nasa.gov.
      • The ssh-agent process (step 3) will typically end when the session ends, i.e. when you log out. So when starting a new session on your local host, remember to restart the ssh-agent and add your private key and SUP key to it (steps 4 and 7) before using the SUP.

      For more information, including troubleshooting tips, see the NAS SUP page.

NASA - National Aeronautics and Space Administration Webmaster: NREN
NASA Official: Ken Freeman
Last Updated: April 11, 2007