The login service at UiO (SSH)

This document gives an overall description of the login service at UiO and a short guide to using it.


1 Overall description

The login service at UiO consists of four servers that answer to SSH. Two of them are set up with two-factor authentication (2FA) via Microsoft Azure, while the other two are set up with 2FA via a local service at UiO:

login.uio.no

This service uses 2FA via Microsoft Azure and consists of two backend servers:

  • morgoth.uio.no
    • Also known as login1.uio.no
    • Located at Blindern Campus
  • gothmog.uio.no
    • Also known as login2.uio.no
    • Located in Oslo city center (Tullinløkka)

rlogin.uio.no

This service uses 2FA via a local service at UiO and consists of two backend servers:

  • soria.uio.no
    • Also known as login3.uio.no
    • Located at Blindern Campus
  • moria.uio.no
    • Also known as login4.uio.no
    • Located in Oslo city center (Tullinløkka)

The two services have a lot in common:

  • Each consists of two backend servers. When you log in using the service name (login or rlogin), the backend server you land on is chosen at random.
  • 2FA is only required when connecting from outside the UiO network. From inside UiO, a password or public key is enough.
  • They have the same software installed and can be used in exactly the same way.
  • In both services the two backend servers are placed in separate geographical locations (Blindern Campus / Tullinløkka).
  • They are available from the internet.
  • Both services listen for SSH connections on both port 22 and port 443. The latter is there for cases where an outgoing firewall blocks port 22.

Differences between the services:

  • Because login.uio.no uses 2FA via Microsoft Azure, 2FA there only works for users that are exported to Microsoft Azure. People at UiO with more than one username will find that only one of their usernames works with 2FA. rlogin.uio.no has no such limitation.
  • The login.uio.no service supports both "push notifications" via the mobile app "Microsoft Authenticator" and One-Time-Password (OTP) codes. For rlogin.uio.no, only OTP codes are supported.
                          login.uio.no   rlogin.uio.no
Push notification         Yes            No
OTP codes                 Yes            Yes
All users                 Limited [1]    Yes
Available from the internet  Yes         Yes
SSH on port 443           Yes            Yes
Geo redundancy            Yes            Yes
Supports public key       Yes            Yes
No 2FA from the inside    Yes            Yes

Footnotes

[1] Only available for users that are exported to Microsoft Azure.

1.1 2FA Caching

Both login.uio.no and rlogin.uio.no cache a successful 2FA approval for 36 hours. If you log in again from the same client (the same IP address) within that period, 2FA is not required; the earlier approval is reused. Because the cache is tied to the client's IP address, it also lapses when your address changes, for example when you move to another network.

Note that the 2FA cache is kept per host, not per service. Since login.uio.no and rlogin.uio.no each consist of two hosts, and the names "login.uio.no" and "rlogin.uio.no" send you to one of the two at random, you may still be asked for 2FA within the 36 hours. This happens when you land on the host you have not logged into during that period. If you want to avoid this, connect to a specific backend by its own name (for example login1.uio.no instead of login.uio.no).

2 Getting started

2.1 Setting up 2FA

For login.uio.no, which uses 2FA via Microsoft, see "Enable two-factor authentication (2FA) in advance".

For rlogin.uio.no, which uses 2FA via a local UiO service, set up 2FA by pointing a browser at Password services and choosing Local 2FA.

2.2 Logging in via ssh

When 2FA is set up as described above, logging in should work. Open a terminal, e.g. PowerShell on Windows, and give one of the following commands:

ssh username@hostname
ssh hostname -l username
ssh hostname

In the first two variants we specify the username. This is necessary if the username you are logged in with locally differs from your UiO username. The two variants do exactly the same thing; which one to use is a matter of personal preference. If the local username is identical to the UiO username, the third variant may be used.

If the connection happens from outside of the UiO network, 2FA is required. This will look like this for login.uio.no:

$ ssh username@login.uio.no

This host utilizes two-factor authentication via Microsoft Azure.
If you are using the Microsoft Authenticator mobile application, you
should have received a notification which you need to accept in
order to proceed. If you are using One Time Password (OTP) codes,
enter the OTP code now.

If you have set up 2FA at Microsoft to use OTP codes instead of push notifications, the following text will also appear:

Enter Your Microsoft verification code

Approve the push notification in Microsoft Authenticator, or type in the OTP code and press enter, to proceed. The service will then ask for a password:

Password:

Write your password and press enter, and you will be logged in.

For rlogin.uio.no things look slightly different:

$ ssh username@rlogin.uio.no

This host utilizes two-factor authentication via a local RADIUS service.
Set up your two-factor codes at [https://passord.uio.no/]

Verification_Code:

Type the OTP code; the service then asks for the password, as for login.uio.no above.
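The two details above that bite in practice are the port 443 fallback (section 1) and the per-host 2FA cache (section 1.1). The wrapper below, an added example that is not part of this page or of UiO's tooling, handles both: it lets you pin one backend so the cached approval on that host is reused, and it probes port 22 before falling back to 443. The probe switches every authentication method off, so it never triggers a push notification, OTP request or password prompt. Host names are the ones listed on this page; the function names, the 5-second timeout and the error-text heuristic are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the UiO page: wrapper for the UiO login service.
# Assumptions: function names, the 5 s connect timeout and the error-text
# heuristic in uio_port_open are ours; host names are from the page.

# Map the service names and backend aliases from the page to the name ssh
# should connect to. Service names pass through unchanged (random backend);
# loginN or the real host name pins a specific machine, so the 36-hour 2FA
# cache kept on that host is actually hit on the next login.
uio_backend() {
    case "$1" in
        login|login.uio.no)                  echo login.uio.no ;;
        rlogin|rlogin.uio.no)                echo rlogin.uio.no ;;
        login1|login1.uio.no|morgoth.uio.no) echo login1.uio.no ;;
        login2|login2.uio.no|gothmog.uio.no) echo login2.uio.no ;;
        login3|login3.uio.no|soria.uio.no)   echo login3.uio.no ;;
        login4|login4.uio.no|moria.uio.no)   echo login4.uio.no ;;
        *) echo "unknown login host: $1" >&2; return 1 ;;
    esac
}

# uio_port_open <host> <port> <user>: does an SSH server answer on that port?
# All auth methods are disabled and BatchMode forbids prompts, so the probe
# cannot trigger 2FA. ssh exits 255 both when it cannot connect and when auth
# is denied, so the decision is made on the error text, not the exit code.
uio_port_open() {
    err=$(ssh -o BatchMode=yes -o ConnectTimeout=5 \
              -o PubkeyAuthentication=no -o PasswordAuthentication=no \
              -o KbdInteractiveAuthentication=no \
              -p "$2" -l "$3" "$1" true 2>&1 >/dev/null) || true
    case "$err" in
        # TCP-level failure, or a firewall that accepts and then drops us
        *"connect to host"*|*"banner exchange"*) return 1 ;;
        # "Permission denied", "Host key verification failed", ...: a server
        # answered on this port, which is all we wanted to know
        *) return 0 ;;
    esac
}

# uio_ssh_port <host> <user>: print the first of 22, 443 that answers.
uio_ssh_port() {
    for port in 22 443; do
        if uio_port_open "$1" "$port" "$2"; then
            echo "$port"
            return 0
        fi
    done
    echo "$1: neither port 22 nor 443 is reachable" >&2
    return 1
}

# uio_ssh <alias> <username> [remote command ...]
uio_ssh() {
    host=$(uio_backend "$1") || return 1
    user=$2
    shift 2
    port=$(uio_ssh_port "$host" "$user") || return 1
    [ "$port" = 22 ] || echo "port 22 blocked, using port $port" >&2
    ssh -p "$port" -l "$user" "$host" "$@"
}

# Usage after sourcing this file:
#   uio_ssh login2 username          # interactive shell, pinned to login2
#   uio_ssh rlogin username uptime   # one command via the random backend
```

Pinning to login2.uio.no means that a second login from the same IP address within 36 hours reuses the approval cached on that host, whereas going through login.uio.no may land on login1 and ask again. If port 22 is permanently blocked where you are, the same fallback can be made permanent with a Host stanza in ~/.ssh/config that sets HostName login.uio.no and Port 443.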

3 The sftp service

Like the other login services, the sftp service consists of two servers hosted in different locations (Blindern Campus and Oslo city center) for redundancy and robustness:

$ host login-sftponly.uio.no
login-sftponly.uio.no has address 129.240.114.46
login-sftponly.uio.no has address 129.240.114.54
login-sftponly.uio.no has IPv6 address 2001:700:100:8071::54
login-sftponly.uio.no has IPv6 address 2001:700:100:8070::46

The purpose of this service is to provide plain sftp, scp [2] and sshfs for anyone who wants it, but without two-factor authentication. It therefore has some important limitations:

  • It only allows SSH public key authentication. You can't use this service unless you have previously set up SSH keys as described here:

    Remember to set a passphrase on the key! You can use ssh-agent, either directly or via programs such as the GNOME keyring, to avoid having to type the passphrase every time.

  • It only allows sftp, and tools that use sftp, like scp [2] and sshfs. It does not allow interactive logins.

  • It cannot be used as a ProxyJump to other hosts.

3.1 Simple usage of the sftp service

The sftp service can be used for sftp, scp [2] and sshfs. In all examples we use login-sftponly.uio.no. If you want, you can use any of the aliases instead:

  • sftp.uio.no
  • scp.uio.no
  • sshfs.uio.no

It doesn't matter which of these names you use, or for which tool; all of them, and the real name login-sftponly.uio.no, point to the same service.

sftp

The sftp client mimics a classic FTP client and can be used directly. Example:

$ sftp username@login-sftponly.uio.no
sftp> ls
[... lists remote files ...]
sftp> get fil1.txt
Fetching /uio/kant/uio-u1/username/fil1.txt to fil1.txt
fil1.txt                          100%   13KB   4.8MB/s   00:00
sftp> lls
[... lists local files ...]
sftp> put fil2.txt
Uploading fil2.txt to /uio/kant/uio-u1/username/fil2.txt
fil2.txt                          100%  451   522.8KB/s   00:00
sftp> quit

In the example we use ls to list remote files, then get to fetch a file from the server. We then list local files with lls and use put to upload a file to the server.

scp

Note

Only with newer OpenSSH clients, in which scp uses the SFTP protocol (see footnote [2]).

This command is well known to regular SSH users and is a simple way of transferring files. Example:

$ scp username@login-sftponly.uio.no:fil1.txt .
fil1.txt                          100%  13KB  224.2KB/s   00:00

$ scp fil2.txt username@login-sftponly.uio.no:
fil2.txt                          100%  451   456.4KB/s   00:00

In the example we first fetch a file from the server, and then we upload another file to the server.

sshfs

To mount your UiO home directory locally as a file system via SSH, use sshfs. Example:

First create a folder to use as a mount point (only needed if it doesn't already exist):

$ mkdir uiohome

Then we can mount via sshfs:

$ sshfs username@login-sftponly.uio.no: uiohome

Your UiO home directory is now available under the folder "uiohome" and can be used like a normal local file system. When you no longer want it mounted, unmount it:

$ umount uiohome

On Linux, if plain umount is refused for a user mount, fusermount -u uiohome (or fusermount3 -u uiohome) unmounts it as well.

Footnotes

[2] scp only works with newer OpenSSH clients, where scp uses the SFTP protocol: by default from OpenSSH 9.0, and with the -s flag on OpenSSH 8.7 to 8.9. Your OpenSSH version is too old if you get this error message when attempting scp:

This service allows sftp connections only.

In this case, switching to using sftp directly is the best option.
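Whether scp works against the key-only service is purely a question of the local client version, which makes it easy to decide automatically. The script below is an added example, not part of this page or of UiO's tooling: it parses the "ssh -V" banner, classifies the client as scp-by-default (OpenSSH 9.0+), scp with -s (8.7 to 8.9) or sftp-only (anything older or not OpenSSH), and uploads a file with whichever method applies. For the sftp case it uses batch mode (sftp -b -), which refuses to prompt; that is fine here because the service authenticates by key only. The function names, the classification thresholds as code and the sample version strings are this example's own.

```shell
#!/bin/sh
# Added example, not part of the UiO page: pick a transfer method for
# login-sftponly.uio.no that the local OpenSSH client actually supports.
# Assumptions: function names and the version thresholds as coded here.

# openssh_version <banner>: print "major minor" from an `ssh -V` banner, e.g.
#   "OpenSSH_9.6p1 Ubuntu-3ubuntu13.5, OpenSSL 3.0.13 30 Jan 2024" -> "9 6"
#   "OpenSSH_for_Windows_8.6p1, LibreSSL 3.4.3"                     -> "8 6"
# Prints nothing for a banner that is not OpenSSH.
openssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\(for_Windows_\)\{0,1\}\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\2 \3/p'
}

# scp_mode <banner>: "scp" (SFTP-backed scp by default, OpenSSH >= 9.0),
# "scp-s" (needs the -s flag, OpenSSH 8.7 to 8.9) or "sftp" (scp cannot
# talk to the service: older OpenSSH, or not OpenSSH at all).
scp_mode() {
    set -- $(openssh_version "$1")
    if [ -z "${1:-}" ]; then
        echo sftp                      # unknown client: be conservative
    elif [ "$1" -ge 9 ]; then
        echo scp
    elif [ "$1" -eq 8 ] && [ "$2" -ge 7 ]; then
        echo scp-s
    else
        echo sftp
    fi
}

# uio_put <local file> <username> [host]: upload into the UiO home directory
# (the remote default directory) using whatever the local client supports.
# sftp -b reads batch commands, "-" meaning stdin; batch mode never prompts,
# which suits the key-only service. The file name is quoted for sftp so
# names with spaces survive.
uio_put() {
    file=$1 user=$2 host=${3:-login-sftponly.uio.no}
    case "$(scp_mode "$(ssh -V 2>&1)")" in
        scp)   scp "$file" "$user@$host:" ;;
        scp-s) scp -s "$file" "$user@$host:" ;;
        sftp)  printf 'put "%s"\n' "$file" | sftp -b - "$user@$host" ;;
    esac
}

# Usage after sourcing this file:
#   scp_mode "$(ssh -V 2>&1)"        # see what your client will do
#   uio_put fil2.txt username        # upload to your UiO home directory
```

The same classification can drive downloads (get instead of put in the batch) and any of the aliases from section 3.1 can be passed as the third argument, since they all point at the same service.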

By Trond Hasle Amundsen
Published 22 May 2024 14:56