Access from External Sites
Remote Access to the Data Analysis System
The Data Analysis System is accessible from outside KEK/J-PARC.
You can access a work server directly or go through an access server.
Direct access to the work servers is allowed via VPN or from registered sites or hosts.
Access from unregistered hosts must go through the access servers.
| | Server name | Access restriction | Granted users |
|---|---|---|---|
| Work servers | cw.cc.kek.jp (login.cc.kek.jp) | restricted | registered users on the Data Analysis System |
| Access servers | sshcc1.kek.jp, sshcc2.kek.jp | unrestricted | registered users on access servers |
- sshcc1.kek.jp and sshcc2.kek.jp can be accessed from anywhere, except inside KEK.
- An application must be submitted in advance for an access server account.
- The access servers consist of a primary and a secondary server. Please use the primary server (sshcc1.kek.jp) unless you encounter problems.
- If the primary server is not accessible due to hardware or network failure, please use the secondary server. The secondary server is identical to the primary.
Warning
Be sure to set a passphrase on your ssh authentication keys. Keys without a passphrase are deleted by the administrator. Also, do not place unnecessary keys.
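To check your own keys before uploading them, the following added example (not part of the original page or of KEKCC's tooling) reads the key file headers and reports private keys stored without a passphrase. The function names and the header-only sample keys are constructed for illustration.

```python
import base64
import struct
from pathlib import Path

MAGIC = b"openssh-key-v1\0"  # magic prefix of the OpenSSH private key format

def key_protection(text):
    """Classify a key file: 'encrypted', 'unprotected' or 'not-a-private-key'."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not (lines[0].startswith("-----BEGIN ")
                         and lines[0].endswith("PRIVATE KEY-----")):
        return "not-a-private-key"
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        try:
            blob = base64.b64decode(body)
            (n,) = struct.unpack_from(">I", blob, len(MAGIC))
        except (ValueError, struct.error):
            return "not-a-private-key"
        if not blob.startswith(MAGIC):
            return "not-a-private-key"
        # First length-prefixed string is the cipher name; "none" = no passphrase.
        cipher = blob[len(MAGIC) + 4:len(MAGIC) + 4 + n]
        return "unprotected" if cipher == b"none" else "encrypted"
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":  # PKCS#8
        return "encrypted"
    # Legacy PEM keys mark encryption with a Proc-Type header line.
    legacy = any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:])
    return "encrypted" if legacy else "unprotected"

def unprotected_keys(ssh_dir):
    """Names of files in ssh_dir holding a private key without a passphrase."""
    found = []
    for path in sorted(Path(ssh_dir).iterdir()):
        if path.is_file() and key_protection(path.read_text(errors="replace")) == "unprotected":
            found.append(path.name)
    return found

def sample_key(cipher, kdf):
    """CONSTRUCTED header-only blob for the demo; not a usable key."""
    s = lambda b: struct.pack(">I", len(b)) + b
    blob = MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"
```

Calling unprotected_keys on your ~/.ssh directory lists the files that need a passphrase set (or removal) before they are used with the access servers.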
Connecting to the Work Servers from Remote Site
Only registered IP addresses can be the source when remotely connecting to work servers.
Please refer to Using Work Servers for guides.
Access via VPN
You can log in directly to the work server by using the VPN.
Please refer to VPN connection service.
Connecting to the Access Servers from Remote Site
Remove "sshcc1.kek.jp", "sshcc2.kek.jp" lines from ~/.ssh/known_hosts
The next time you log in, you may get the following error messages and be unable to log in to the access server.
(You can skip this step if you can log in)
Error messages connecting sshcc1.kek.jp
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
4a:bd:cb:01:b0:c9:75:80:f4:32:ab:84:10:a2:5d:a6.
Please contact your system administrator.
Add correct host key in /home/local/ibm-mnak/.ssh/known_hosts to get rid of this message.
Offending key in /home/local/ibm-mnak/.ssh/known_hosts:46
RSA host key for sshcc1.kek.jp has changed and you have requested strict checking.
Host key verification failed.
Error messages connecting sshcc2.kek.jp
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
d7:ef:45:ef:7a:01:9e:f9:4e:aa:10:3e:1d:83:bc:b8.
Please contact your system administrator.
Add correct host key in /home/local/ibm-mnak/.ssh/known_hosts to get rid of this message.
Offending key in /home/local/ibm-mnak/.ssh/known_hosts:47
RSA host key for sshcc2.kek.jp has changed and you have requested strict checking.
Host key verification failed.
If you get this error, you have to remove the "sshcc1.kek.jp" and "sshcc2.kek.jp" entries from ~/.ssh/known_hosts on your local machine.
After removing them, please try to log in to the access server again.
#> vi ~/.ssh/known_hosts
( Remove lines "sshcc1.kek.jp" and "sshcc2.kek.jp" )
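When HashKnownHosts is enabled on the client, the host names are stored hashed and cannot be found by searching the file in an editor. The following added example (not part of the original page) locates and drops the entries for both access servers in either form; the function names and the sample file content are constructed for illustration.

```python
import base64
import hashlib
import hmac

def _hashed_match(field, host):
    """True if a '|1|salt|hash' field is HMAC-SHA1(key=salt, msg=host)."""
    try:
        _, magic, salt_b64, mac_b64 = field.split("|")
        salt, want = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
    except ValueError:  # wrong field count or bad base64
        return False
    got = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return magic == "1" and hmac.compare_digest(got, want)

def stale_entries(text, hosts):
    """1-based line numbers of known_hosts entries recorded for any of hosts."""
    hits = []
    for num, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        # Skip blanks, comments and marker lines (@cert-authority, @revoked).
        if not fields or fields[0][0] in "#@":
            continue
        names = fields[0]
        if names.startswith("|1|"):
            match = any(_hashed_match(names, h) for h in hosts)
        else:  # plain comma-separated names; wildcard patterns are not expanded
            match = any(h in names.split(",") for h in hosts)
        if match:
            hits.append(num)
    return hits

def drop_entries(text, hosts):
    """Return the file content without the entries for hosts."""
    stale = set(stale_entries(text, hosts))
    kept = [ln for n, ln in enumerate(text.splitlines(), 1) if n not in stale]
    return "\n".join(kept) + "\n"

def hashed_field(host, salt):
    """Host field in the form written when HashKnownHosts is enabled."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

# CONSTRUCTED sample: placeholder key blobs, documentation IP address.
SAMPLE = "\n".join([
    "# constructed sample",
    "sshcc1.kek.jp,192.0.2.10 ssh-rsa AAAA_CONSTRUCTED_1",
    "other.example.org ssh-ed25519 AAAA_CONSTRUCTED_2",
    hashed_field("sshcc2.kek.jp", b"constructed-salt") + " ssh-rsa AAAA_CONSTRUCTED_3",
]) + "\n"
```

OpenSSH's own "ssh-keygen -R sshcc1.kek.jp" performs the same removal, including hashed entries.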
I could not connect after the y2024 system went into service
Since the operating system of the Access Server has been renewed, old ssh clients may be unable to connect to sshcc1.kek.jp.
The following is a connection failure using the RHEL 6 ssh client.
$ ssh user@sshcc1.kek.jp
no hostkey alg
$ _
This error means that there is no common cipher suite between sshcc1 and the ssh client.
Please consider upgrading the ssh client (or the client OS).
If you wish to report this incident to KEKCC, please provide the information below:
- version of the ssh client (ssh -V)
- full log of ssh -vvv user@sshcc1.kek.jp
- whether you tried sshcc1 or sshcc2
- IP address of the global side
- date and time when you tried to connect (including seconds will help; since the error occurs before the user name is sent to the ssh server, we cannot derive it from the server log)
Connecting to the Access Servers from Remote Site
Remote access to the Access Server is available from anywhere except from inside KEK (including VPN).
The first time you log in, the passwd command is executed automatically. Once you have changed your password, the session terminates, so you have to log in again.
For the password policy, please see the section Password Rules. SSH ver2 is the required protocol to log in.
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user a0019.
Enter login(LDAP) password: ← Input your current password
New password: ← Input your new password
Retype new password: ← Input your new password again
LDAP password information changed for a0019
passwd: all authentication tokens updated successfully.
Access Server Environment
Home directory and work domain
Each user has a home directory of 100MB.
If you need to upload or download a file larger than 100MB, use the space under /work. The quota for the /work directory is set to 5GB for each user.
Files stored under /work that have not been updated for 24 hours will be deleted at 4 a.m.
Replication for /home01 (for all users) and /work runs at 4 a.m. every morning.
Contents of primary servers will be replicated to respective secondary servers. Any unique files stored on secondary servers will be purged if not found on the primary servers.
X-forwarding
X-forwarding is available on Access Servers.
Specify the "-X" option to the ssh command to enable X-forwarding and carry over your DISPLAY variable when going through more than one server.
Sample) logging in to login.cc.kek.jp with ssh from sshcc1.kek.jp
#> ssh -X login.cc.kek.jp
If you prefer keeping X-forwarding enabled by default and not using the "-X" option, create the following file under your home directory.
file name: $HOME/.ssh/config
parameter to be added: ForwardX11 yes
Changing Log-in Shell
To change your login shell, execute the command chsh with the option "-s" and the full path of your preferred shell as arguments. You can check the list of available shells by using the "-l" option. The change of shell will take effect at the next login.
[Usage]
$ chsh -l
/bin/sh
/bin/bash
/bin/ksh
/bin/tcsh
/bin/csh
$ chsh -s /bin/tcsh
Shell was changed.
$
Changing Password
To change your password, execute the command passwd on the access server.
[Usage]
$ passwd
Changing password for user a0019.
Enter login(LDAP) password: ← Input your current password
New password: ← Input your new password
Retype new password: ← Input your new password again
LDAP password information changed for a0019
passwd: all authentication tokens updated successfully.
Password Rules
Avoid specifying a password based on a dictionary word and follow the rules below.
- the password must have at least 9 characters,
- it must include at least 1 non-alphanumeric symbol (ex: $ % *),
- it must include at least 1 digit,
- it must include at least 1 lowercase alphabet letter,
- it must contain at least 5 different characters ("aa" is counted as 1, "ab" is counted as 2),
- the last 4 passwords used cannot be reused.
Caution
/tmp directory
Using the /tmp directory is not allowed. Please use the /work directory instead.
sshfs
- Do NOT use an access server (sshcc1/2) for sshfs. This will cause a serious impact on the system operation.
User Application
Remote access via the Internet requires prior registration. Please see here for information on user application.