Access from External Sites

Remote Access to the Data Analysis System

The Data Analysis System is accessible from outside KEK/J-PARC.
You can access either directly to a work server or via an access server.
Access via VPN or registered sites or hosts are allowed to access work servers. Access from unregistered hosts must go through the access servers.

Server name	Access restriction	Granted users
Work servers	ccw.cc.kek.jp (login.cc.kek.jp) ccx.cc.kek.jp	restricted	registered users on the Data Analysis System
Access servers	sshcc1.kek.jp sshcc2.kek.jp	unrestricted	registered users on access servers

sshcc1.kek.jp and sshcc2.kek.jp can be accessed from anywhere, except inside KEK.
Application needs to be submitted in advance for an access server account.
Access server consists of a primary and a secondary server. Please use the primary server (sshcc1.kek.jp) unless any issues are found.
If the primary server is not accessible due to hardware or network failure, please use the secondary server. Secondary server is identical to the primary.

Warning

Be sure to set the passphrase to the authentication keys for ssh. The keys which passphrase isn't set to are deleted by administrator. Also, do not place unnecessary keys.

Connecting to the Work Servers from Remote Site

Only registered IP addresses can be the source when remotely connecting to work servers.
Please refer to Using Work Servers / Parallel Servers for guides.

Access via VPN

You can log in directly to the work server by using the VPN.
Please refer to VPN connection service

Connecting to the Access Servers from Remote Site

Remove "sshcc1.kek.jp", "sshcc2.kek.jp" lines from ~/.ssh/known_hosts

The next time you log in, you may get the following error messages and can not log in to the Access server.
(You can skip this step if you can log in)

Error messages connecting sshcc1.kek.jp

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
4a:bd:cb:01:b0:c9:75:80:f4:32:ab:84:10:a2:5d:a6.
Please contact your system administrator.
Add correct host key in /home/local/ibm-mnak/.ssh/known_hosts to get rid of this message.
Offending key in /home/local/ibm-mnak/.ssh/known_hosts:46
RSA host key for sshcc1.kek.jp has changed and you have requested strict checking.
Host key verification failed.

Error messages connecting sshcc2.kek.jp

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
d7:ef:45:ef:7a:01:9e:f9:4e:aa:10:3e:1d:83:bc:b8.
Please contact your system administrator.
Add correct host key in /home/local/ibm-mnak/.ssh/known_hosts to get rid of this message.
Offending key in /home/local/ibm-mnak/.ssh/known_hosts:47
RSA host key for sshcc2.kek.jp has changed and you have requested strict checking.
Host key verification failed.

If you get it, you have to remove "sshcc1.kek.jp" and "sshcc2.kek.jp" from ~/.ssh/known_hosts on your local machine.
After removed them, please try to log in to the Access server again.

#> vi ~/.ssh/known_hosts
( Remove lines "sshcc1.kek.jp" and "sshcc2.kek.jp" )

Connecting to the Access Servers from Remote Site

Remote access to the Access Server is available from anywhere, except from KEK internal ( include VPN ).
The first time you log in, the passwd command is automatically executed. Once you have changed your password, the session will terminate once, so you have to log in again.
For password policy, please see the paragraph Password Rules. SSH ver2 is the required protocol to log in.

WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user a0019.
Enter login(LDAP) password:                ← Input your current password
New password:                              ← Input your new password
Retype new password:                       ← Input your new password again
LDAP password information changed for a0019
passwd: all authentication tokens updated successfully.

Access Server Environment

home directory and work domain

Each user has a home directory of 100MB.
If you need to up/download a file larger than 100MB, use the space under /work. Quota for /work directory is set to 5GB for each user.

Files stored under /work will be deleted at 4 am, given the file has not been updated for 24 hours.
Replication for /home01 (for all users) and /work runs at 4 a.m. every morning.
Contents of primary servers will be replicated to respective secondary servers. Any unique files stored on secondary servers will be purged if not found on the primary servers.

X-forwarding

Use of X-forwarding is available on Access Servers.
Specify "-X" option to ssh command to enable X-forwarding and carry over your DISPLAY variable when going through more than one server.

Sample) logging in to login.cc.kek.jp with ssh from sshcc1.kek.jp

#> ssh -X login.cc.kek.jp

If you prefer keeping X-forwarding enabled by default and not using "–X" option, create a file under your home directory.

file name:  $HOME/.ssh/config
parameter to be added： ForwardX11 yes

Changing Log-in Shell

To change your login shell, execute the command chsh with the option "-s" and the full path of your preferred shell as arguments. You can check the list of available shells by using the "-l" option. The change of shell will take effect at the next login.

[Usage]

$ chsh -l
/bin/sh
/bin/bash
/bin/ksh
/bin/tcsh
/bin/csh
$ chsh -s /bin/tcsh
Shell was changed.
$

Changing Password

To change your password, execute the command passwd on the access server.

[Usage]

$ passwd
Changing password for user a0019.
Enter login(LDAP) password:                ← Input your current password
New password:                              ← Input your new password
Retype new password:                       ← Input your new password again
LDAP password information changed for a0019
passwd: all authentication tokens updated successfully.

Password Rules

Avoid specifying a password based on a Dictionary Word and follow the rules below.

the password must have at least 9 characters,
it must include a least 1 non-alphanumeric symbole (ex: $ % *),
it must include a least 1 digit,
it must include at least 1 lowercase alphabet letter,
it must contain at least 5 different characters ("aa" is counted as 1, "ab" is counted as 2),
the last 4 passwords used cannot be re-use.

Caution

/tmp directory

It is not allowed to use the directory /tmp. Please use /work directory instead.

sshfs

DONOT use an access server (sshcc1/2) for sshfs. This will cause a serious impact on the system operation.

User Application

Remote access via Internet requires prior registration. Please see here for information on user application.