To access the Tier-1 user interfaces (UI) via SSH, it is first necessary to establish a connection to bastion.cnaf.infn.it, the CNAF gateway.

VSCode

Warning: use of Visual Studio Code

We strongly discourage the use of VSCode as a remote editor. The VS Code Server, which the Remote-SSH extension installs on the remote host automatically (without asking) whenever you open a remote session, consumes a significant amount of RAM, swap and home-directory disk space (check with du -hsx ~/.vscode-server) on the remote machine, leading to slowness, performance issues and even malfunctions that impede the work of other users.


To request an account on this gateway please follow the procedure available at https://www.cnaf.infn.it/utenti-faq/.
UIs are machines equipped with the batch system client, grid middleware and file management tools. The general purpose UI is ui-tier1.cr.cnaf.infn.it, but UIs dedicated to single experiments also exist.

Here below is a non-exhaustive list of such user interfaces, by short host name; unless stated otherwise, the full name is <short name>.cr.cnaf.infn.it:

  • ui01-gamma
  • ui02-gamma
  • ui-ams
  • ui01-ams
  • ui7-auger
  • ui-borexino
  • ui-cdf
  • ui-cms
  • ui-cuore
  • ui-dampe
  • ui-darks
  • ui-demo
  • ui-enubet
  • ui01-foot
  • ui02-foot
  • ui-gerda
  • ui-herd
  • ui01-icarus
  • ui02-icarus
  • ui-juno
  • ui-km3
  • ui-ntof (ui-ntof.cloud.cr.cnaf.infn.it)
  • ui01-lhcb
  • ui01-lhcf
  • ui01-pamela
  • ui-qcdlat
  • ui-tier1 (catch-all user interface, based on CentOS 7)
  • ui9-tier1 (catch-all user interface, based on AlmaLinux 9)
  • ui01-virgo
  • ui02-virgo
  • neutrino-01 (131.154.161.32)

Password policy

Whenever the account password has to be set or changed, the following policy rules must be followed:

  • the new password must be different from the previous 5;
  • the minimum password length needs to be 10 characters;
  • at least, 3 of the following 4 classes must be used:
    • uppercase letters
    • lowercase letters
    • numbers
    • special symbols

ProxyJump

ProxyJump is a feature of SSH clients that facilitates access to a remote server through one or more intermediary servers, known as "jump hosts". bastion.cnaf.infn.it is such a jump host.

How ProxyJump works

When using ProxyJump, the client establishes an SSH connection to the first server (the jump host) and then, through this server, establishes a second SSH connection to the target server. This process can be extended to multiple intermediary servers if needed.

Configuring ProxyJump for SSH into CNAF User Interfaces

ProxyJump can be configured in the SSH client of your PC through the ~/.ssh/config file.

 

Code Block
languagetext
themeMidnight
titleExample Configuration in the ‘~/.ssh/config’ File:
Host bastion
	HostName bastion.cnaf.infn.it
	User <username>
Host t1
	HostName ui-tier1.cr.cnaf.infn.it
	User <username>
	ProxyJump bastion


In the Host field, you can specify the name that you want to use to identify the target-server that you want to connect to.
Once this example file is written, it will be possible to SSH into ui-tier1 by just typing the following command:

Code Block
languagebash
themeMidnight
ssh t1


You can also skip the configuration file and still make use of ProxyJump directly from the command line:

Code Block
languagebash
themeMidnight
ssh -J <username>@bastion.cnaf.infn.it <username>@ui-tier1.cr.cnaf.infn.it


Using SCP with ProxyJump

Secure Copy Protocol (SCP) can be used in conjunction with ProxyJump to copy files between hosts through an intermediary jump host. If you have configured the .ssh/config file as above, the alias works as-is (for example scp file-to-copy t1:file-on-ui-tier1). If you haven't, you can pass the ProxyJump option directly on the scp command line with -o:

Code Block
languagebash
themeMidnight
scp -o 'ProxyJump <username>@bastion.cnaf.infn.it' file-to-copy <username>@ui-tier1.cr.cnaf.infn.it:file-on-ui-tier1

  • <username>: Replace with your actual username on the bastion host and on the UI.
  • bastion.cnaf.infn.it: The address of the jump host.
  • file-to-copy: The file you want to copy from your local machine.
  • <username>@ui-tier1.cr.cnaf.infn.it: The target host, as user@host. Use the full host name: with ProxyJump the target name is resolved by the jump host, not by your PC, so a bare ui-tier1 only works if the bastion's resolver completes it.
  • file-on-ui-tier1: The destination path on the target host.

Advantages of ProxyJump

  • Enhanced security: minimizes direct exposure of the target server by using one or more jump hosts as intermediaries. Unlike the older habit of logging into the bastion and forwarding the SSH agent from there, ProxyJump only relays an end-to-end encrypted channel through the bastion, so your private key and agent are never exposed to the jump host.
  • Simplified access: automates the process of connecting to remote servers through intermediaries without manually running multiple SSH commands. It automatically works with port- and X11-forwarding.
  • Simple configuration: easy to set up in the SSH configuration file, improving the management of complex connections.
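Putting the ProxyJump configuration and the scp section together, here is an added example (not part of the CNAF page): a script that writes a complete ~/.ssh/config reaching every UI through bastion.cnaf.infn.it, and then reads back with ssh -G how ssh actually resolves a few names, without opening any connection. The user name <username>, the key file ~/.ssh/your_key and the alias t1 are placeholders; the wildcard Host entry is an assumption that generalizes the page's single ui-tier1 entry to every <name>.cr.cnaf.infn.it host.

```shell
#!/bin/sh
# Added example for this page (not CNAF's own code): build a ~/.ssh/config that reaches
# every Tier-1 UI through bastion.cnaf.infn.it with ProxyJump, then check what ssh
# actually resolved with `ssh -G`, which evaluates the config without connecting.
# Assumptions (placeholders, not CNAF values): the user name "<username>", the key
# ~/.ssh/your_key and the alias "t1". Hosts that are not under .cr.cnaf.infn.it,
# such as neutrino-01, need their own Host entry with an explicit HostName.

# Write the configuration to $1 for user $2.
write_ssh_config() {
    cfg="$1"
    user="$2"
    cat > "$cfg" <<EOF
# The jump host: the only machine your PC connects to directly.
Host bastion
    HostName bastion.cnaf.infn.it
    User $user
    IdentityFile ~/.ssh/your_key
    IdentitiesOnly yes
    # ProxyJump only relays a TCP channel through the bastion, so neither the key
    # nor the agent has to be exposed to it.
    ForwardAgent no

# Alias for the general purpose UI: "ssh t1", "scp file t1:dest".
Host t1
    HostName ui-tier1.cr.cnaf.infn.it

# ui-ntof does not follow the <name>.cr.cnaf.infn.it pattern.
Host ui-ntof
    HostName ui-ntof.cloud.cr.cnaf.infn.it

# Every other UI by its short name ("ssh ui-cms", "ssh ui9-tier1"): %h is the name
# typed on the command line. The negated pattern keeps a full name from being
# expanded twice.
Host ui* !*.cnaf.infn.it
    HostName %h.cr.cnaf.infn.it

# Shared by the alias, the short names and any full *.cr.cnaf.infn.it name:
# go through the bastion and offer only this key.
Host t1 ui* *.cr.cnaf.infn.it
    ProxyJump bastion
    User $user
    IdentityFile ~/.ssh/your_key
    IdentitiesOnly yes
EOF
}

# Print one effective setting ($3: hostname, proxyjump, user, ...) for host $2
# under config $1, exactly as ssh would apply it. -G never opens a connection.
effective() {
    ssh -G -F "$1" "$2" | awk -v k="$3" '$1 == k { print $2; exit }'
}

# Stand-alone demo: show where a few names end up and through which jump host.
demo() {
    command -v ssh >/dev/null 2>&1 || { echo "ssh not installed, skipping demo"; return 0; }
    cfg=$(mktemp)
    write_ssh_config "$cfg" "<username>"
    for h in t1 ui-cms ui9-tier1 ui-ntof ui01-virgo.cr.cnaf.infn.it; do
        printf '%-32s -> %s via %s\n' "$h" \
            "$(effective "$cfg" "$h" hostname)" "$(effective "$cfg" "$h" proxyjump)"
    done
    rm -f "$cfg"
}

demo
```

Run it with sh; once the generated file is copied to ~/.ssh/config, ssh ui-cms, scp file t1:dest and sftp ui9-tier1 all go through the bastion without further options. ssh -G is also the quickest way to debug a config that does not behave as expected: it prints every effective setting for a given host, the proxyjump line included, without touching the network.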


Passwordless login with SSH keys


CNAF supports authentication via SSH keys.
SSH keys are a pair of public and private cryptographic keys that can be used to authenticate to an SSH server as an alternative to password-based logins.
The private key must be kept stored on your client PC, while the public key can be appended to the ~/.ssh/authorized_keys file on all the servers that support this authentication method.
The following sections will guide you through the process of creating, managing, and using effectively your SSH keys to connect to a CNAF UI.

Warning: use of SSH keys

Beware that even if you configure passwordless login with SSH keys, you still need to change your password every year.

Create SSH keys

The SSH-keys creation process depends on the operating system you are using. In the following, we will guide you through the process for Linux, macOS, and Windows.

Linux and macOS

The following command creates a new key pair using the ed25519 algorithm. The -C option adds a comment to the key, which is useful to identify it later on.
The key pair will be saved in the ~/.ssh/ directory, as your_key for the private key and your_key.pub for the public key:

Code Block
languagebash
themeMidnight
$ ssh-keygen -t ed25519 -C "myLinux/macOS key" -f $HOME/.ssh/your_key

The tool will ask you to enter a passphrase to protect the private key. If you want to create a key pair without a passphrase, you can simply press Enter when prompted.

Windows

On Windows, you can use the OpenSSH client utilities to create a new key pair in the same way it is done on Linux and macOS. We suggest using this tool; however, some third-party clients offer utilities that can also be used to create the key pair. For more detailed information, you should refer to the documentation of the specific client you will be using. In this guide, we will show you how to use the OpenSSH client and, as an example for third-party clients, MobaXterm (https://mobaxterm.mobatek.net/) to create an OpenSSH-compatible key pair.

OpenSSH Client

The OpenSSH client is included in Windows 10 starting from version 1809. To enable it, open the “Settings” app, go to “Apps” and then “Optional features”. 

Image Added

Click on “Add a feature” and select “OpenSSH Client” from the list.

Image Added

Otherwise, you can use the following command in an elevated PowerShell (OpenSSH.Client~~~~0.0.1.0 is the capability name listed by Get-WindowsCapability -Online):

Code Block
languagetext
themeMidnight
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0


Open PowerShell and run the following command (create the %UserProfile%\.ssh folder first if it does not exist yet, otherwise ssh-keygen cannot write the files):


Code Block
languagebash
themeMidnight
ssh-keygen -t ed25519 -C "key for windows" -f "$env:UserProfile\.ssh\your_key"

In the Command Prompt, write the path as %UserProfile%\.ssh\your_key instead: the %...% form is not expanded by PowerShell.


The tool will ask you to enter a passphrase to protect the private key. If you want to create a key pair without a passphrase, you can simply press Enter when prompted.

MobaXterm

MobaXterm offers a built-in tool to create a new key pair. Open MobaXterm, click on the “Tools” item in the menu bar and select “MobaKeyGen (SSH key generator)” from the dropdown.

Image Added


In the new window that just opened, click on the “Generate” button to create a new key pair. The program will instruct you to move your mouse cursor inside the window to generate enough entropy to create the key pair.


Image Added

Once the key pair is created, the public key is shown in the text box at the top of the window and its fingerprint in the “Key fingerprint” box (the private key itself is never displayed). If you want to protect the private key with a passphrase, enter it in the “Key passphrase” and “Confirm passphrase” text boxes; leave them empty for a key without a passphrase. You can then save the private key with the “Save private key” button and the public key with the “Save public key” button. Note that “Save private key” writes PuTTY’s .ppk format, which MobaXterm reads directly; to use the same key with the OpenSSH client, export it through the “Conversions” menu as an OpenSSH key. The public key text shown at the top of the window is already in the one-line format expected by authorized_keys, whereas “Save public key” writes the multi-line SSH2 public key format.


Image Added


Use the private key in your SSH client

The process of using the private key in your SSH client depends on the operating system you are using and on the specific client. In all cases, however, you first need to make sure that the permissions on the private key file are set to 0600. We will guide you through the process for Linux, macOS, and Windows.

In the following instructions, we will assume that you have placed your private key, named your_key, in the ~/.ssh directory for Linux and macOS or in the %UserProfile%\.ssh directory for Windows.

Linux and macOS

Make sure the permissions on the private key file are set to 0600:

Code Block
languagebash
themeMidnight
$ chmod 0600 ~/.ssh/your_key

You can now use the private key to connect to the UIs. The following command will connect to the UI using the private key:

Code Block
languagebash
themeMidnight
$ ssh -i ~/.ssh/your_key -J <username>@bastion.cnaf.infn.it target-server.example.com


Remember to replace <username> and target-server.example.com with your actual username and the target server.
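As an added example (not from the page), the following script performs the two checks behind these instructions before you try to log in: it tests the private key's permissions the way ssh does and repairs them, and it confirms with ssh-keygen that the .pub file you are about to append to authorized_keys really belongs to that private key (a public key from a different pair is a common cause of "Permission denied (publickey)"). ~/.ssh/your_key is the page's placeholder path; nothing else is assumed about CNAF.

```shell
#!/bin/sh
# Added example for this page (not CNAF's own code): check and repair the permissions
# of an OpenSSH private key, and verify that a public key really belongs to the
# private key you are about to install in ~/.ssh/authorized_keys on a UI.
# Assumes POSIX sh, GNU (Linux) or BSD (macOS) stat, and ssh-keygen from OpenSSH.
# The key path in demo() is the page's placeholder, not a real file.

# Octal permission bits of a file, e.g. "600": GNU stat first, BSD stat as fallback.
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# ssh rejects a private key as soon as any group or other bit is set (mode & 077),
# which is the "Permissions 0644 for '...' are too open" error. 0600 and 0400 pass.
mode_is_private() {
    case "$1" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Put a private key into the state ssh accepts and report whether that worked.
# (The public key, your_key.pub, may stay world-readable.)
fix_key_perms() {
    chmod 0600 "$1" && mode_is_private "$(key_mode "$1")"
}

# Return 0 if $2 (a .pub file) is the public half of $1 (a private key).
# ssh-keygen -y recomputes the public key from the private one (asking for the
# passphrase if the key has one); -lf prints the fingerprint, compared on both sides.
keys_match() {
    priv="$1"
    pub="$2"
    derived=$(mktemp)
    if ! ssh-keygen -y -f "$priv" > "$derived"; then
        rm -f "$derived"
        return 1
    fi
    fp_priv=$(ssh-keygen -lf "$derived" | awk '{ print $2 }')
    rm -f "$derived"
    fp_pub=$(ssh-keygen -lf "$pub" | awk '{ print $2 }')
    [ -n "$fp_priv" ] && [ "$fp_priv" = "$fp_pub" ]
}

# Stand-alone demo on the page's placeholder path.
demo() {
    key="$HOME/.ssh/your_key"
    [ -f "$key" ] || { echo "$key not found (placeholder path, nothing to check)"; return 0; }
    mode=$(key_mode "$key")
    if mode_is_private "$mode"; then
        echo "$key: mode $mode is fine"
    else
        echo "$key: mode $mode is too open, setting 0600"
        fix_key_perms "$key"
    fi
    if keys_match "$key" "$key.pub"; then
        echo "$key.pub matches $key; this is the line to append to authorized_keys:"
        cat "$key.pub"
    else
        echo "$key.pub does NOT belong to $key"
    fi
}

demo
```

The permission test mirrors what ssh does internally (it refuses any key whose mode has group or other bits set), so a "600" or "400" result is exactly what the 0600 instruction above aims for. The fingerprint comparison is also what to run when a UI keeps asking for a password after you installed a key: if the .pub on the server was saved from another pair, the fingerprints differ.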

If you want to avoid specifying the private key every time you connect, add an IdentityFile line to the Host entries in ~/.ssh/config, both for the bastion and for each UI you reach through it; for the bastion entry of the example above:


Code Block
languagebash
themeMidnight
Host bastion
	hostname bastion.cnaf.infn.it
	User <username>
	IdentityFile ~/.ssh/your_key

If you have multiple UIs to connect to, you can either add an IdentityFile line to each Host section in ~/.ssh/config, or make the key a default for every connection by adding the line outside of any Host section, for example at the top of the file:


Code Block
languagebash
themeMidnight
IdentityFile ~/.ssh/your_key
Warning: important

An IdentityFile line outside of any Host section adds the key to the identities that your SSH client offers on every connection, together with the default ~/.ssh/id_* keys: it is not a fallback tried only after other attempts fail. Servers count each key that is offered and rejected as a failed authentication attempt and close the connection once their limit is reached, so if you accumulate several keys, add IdentitiesOnly yes to each Host entry so that only the key listed there is offered to that host.

If you have protected your private key with a passphrase, you will need to enter it during each connection attempt. If you want to avoid entering it every time you connect to a UI, you can use ssh-agent to keep the decrypted private key in memory (add -t followed by a lifetime, e.g. ssh-add -t 8h, to have the agent forget the key after that time). To do so, use the following commands on Linux:

Code Block
languagebash
themeMidnight
$ eval "$(ssh-agent -s)"
$ ssh-add ~/.ssh/your_key

On macOS you can additionally store the passphrase in the Apple keychain, so that the key can be reloaded without retyping it. To do so, replace the last command with the following (and put UseKeychain yes and AddKeysToAgent yes in the corresponding Host entry of ~/.ssh/config to have the key picked up automatically on later connections):


Code Block
languagebash
themeMidnight
$ ssh-add --apple-use-keychain ~/.ssh/your_key


This command works only with Apple’s standard version of ssh-add and for macOS versions starting from Monterey (12.0). For older versions of macOS, the --apple-use-keychain flag was used with the syntax -K. If you encounter an error, it may be because you don’t have Apple’s standard version of ssh-add installed.

On Windows, you can use the built-in OpenSSH client to connect to the UIs, or you can use any third-party SSH client. However, each has its own way of handling the SSH key pair, so you should refer to the documentation of the specific client you will be using. In this guide, as mentioned before, we will show you how to use the OpenSSH client and, as an example for third-party clients, MobaXterm.

Set key file permission

Before proceeding to set up your SSH client, you should check that the private key file has the correct permissions. You can do this using the command line or the Windows Graphical User Interface (GUI).

If you want to use the GUI you should right-click on the file, select “Properties” and then click on the “Security” tab. Now, press the “Advanced” button in the bottom right corner of the window.

Image Added

In the new window that just opened, check that the “Owner” is your current Windows account.

Image Added

If not, press on the “Change” link next to the “Owner” field, and a pop-up will open: enter your username in the text box and press “Check names”.

Image Added

If your Windows account is linked to a Microsoft account, you should enter the email address associated with the Microsoft account. Otherwise, if you are using a local-only account, you can just enter the username. If the checks succeed, you will see your full account name in the text field. Now you can press “OK” to close the window.

Next, move to the “Permission Entries” section and remove all the entries except for your username. If your username is not listed, you can add it by pressing the “Add” button and then “Select a principal” in the newly opened window.

Image Added

A pop-up, similar to the one shown above, will appear where you have to once again enter either your username (local account) or your Microsoft email address (Microsoft account) and press “Check names”. Press “OK” to close the pop-up and ensure the permission is set to “Full Control” if it is not already set.

Image Added

Press “OK” to close the window and then “OK” again to close the properties window.

If you prefer to use the command line, you can simply use the following commands for the Command Prompt:

Code Block
languagebash
themeMidnight
icacls "%UserProfile%\.ssh\your_key" /c /t /Inheritance:d
icacls "%UserProfile%\.ssh\your_key" /c /t /Grant %UserName%:F
icacls "%UserProfile%\.ssh\your_key" /c /t /Remove:g "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users


or the PowerShell:

Code Block
languagebash
themeMidnight
icacls "$env:UserProfile\.ssh\your_key" /c /t /Inheritance:d
icacls "$env:UserProfile\.ssh\your_key" /c /t /Grant ${env:UserName}:F
icacls "$env:UserProfile\.ssh\your_key" /c /t /Remove:g Administrator "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users

OpenSSH Client


Once the permissions are set correctly, you can use the private key with the OpenSSH client to connect to the UI by issuing the following commands in the Command Prompt:

Code Block
languagebash
themeMidnight
$ ssh -i "%UserProfile%\.ssh\your_key" <username>@bastion.cnaf.infn.it

or in the PowerShell:

Code Block
languagebash
themeMidnight
$ ssh -i "$env:UserProfile\.ssh\your_key" <username>@bastion.cnaf.infn.it

If you have protected your private key with a passphrase, you will need to enter it during each connection attempt. If you want to avoid entering it every time you connect to a UI, you can use the ssh-agent service to keep the decrypted private key in memory. To do so, enable and start the service from an elevated PowerShell:

Code Block
languagebash
themeMidnight
Get-Service ssh-agent | Set-Service -StartupType Automatic -PassThru | Start-Service

(start-ssh-agent.cmd is the equivalent helper shipped with Git for Windows; it is only needed if you use that distribution's ssh instead of the built-in OpenSSH client.)

Now you can add the private key to the agent from a normal PowerShell:

Code Block
languagebash
themeMidnight
ssh-add "$env:UserProfile\.ssh\your_key"

MobaXterm

Open MobaXterm and click on the “Session” button in the top left corner.

Image Added


Select “SSH” from the list of available sessions and enter the host name (or IP address) of the UI in the “Remote host” field. Flag the “Specify username” option and insert your username. Now click on the “Advanced SSH settings” tab and then on the “Use private key” checkbox. To import your key, click on the button to the right of the text field (labeled as “Import key button” in the following figure) and select your key from the file chooser window that just opened. Alternatively, you can paste the path of the private key in the text box (in our example %UserProfile%\.ssh\your_key). Remember that the UIs are reachable only through the bastion: in the “Network settings” tab, enable “Connect through SSH gateway (jump host)” and enter bastion.cnaf.infn.it together with your username there. Finally, press the “OK” button to save the settings.

Image Added

To connect to the UI you can now double-click on the corresponding entry in the left panel of the main MobaXterm window.


x2go

Due to popular demand, we set up a x2go server on our main UI, ui-tier1.cr.cnaf.infn.it.

The connection still requires the user to go through our jump host (bastion.cnaf.infn.it), hence the x2go client must be set up to use bastion.cnaf.infn.it as SSH proxy server; XFCE is the only available session type. See the included picture as a reference.

The support of this service is still experimental, we must evaluate the impact on both the jump host and the user interface itself: these are shared nodes and we are not sure the available resources are enough to stand the overhead of this service.
