CRC Access to Shared Computing Resources

This guide describes methods to access Shared Computing Resources from off-campus.

Introduction

Direct logins to our Shared Computing Resources from off-campus are prohibited. In order to log in to these systems from off-campus, there are currently three methods as described below.

Method 1: SSH physically on campus

If you are a Rice faculty, staff, or student who has SSH login access to another system on campus (which allows off-campus access), you may log in to our Shared Computing Resources from off-campus with your SSH.

Your SSH login access might be for an office desktop system or a department server. If this is the case, then use SSH to log in to one of those systems first. Once you obtain a command line prompt on this host, use SSH to log in to the Shared Computing Resource. 

In other words, if you have access, there will be a two-step process to login to these systems:

  1. SSH login to anyhost.rice.edu where anyhost.rice.edu is the hostname of the system you are logging in to.
    (Note: Substitute the hostname of the campus system you are logging in to in place of anyhost.rice.edu.)
  2. From anyhost.rice.edu, SSH login to the Shared Compute Resource (such as nots.rice.edu, etc.)

If you don't have access to a campus resource that can connect to our Shared Computing Resources you may use our SSH gateway using the following steps:

  1. SSH login to gw.crc.rice.edu.
  2. From gw.crc.rice.edu, SSH login to the Shared Compute Resource (such as nots.rice.edu, etc.)

Method 2: SSH with VPN

Rice faculty, staff, students, and Visitors/Guests may log in to Shared Computing Resources from off-campus with SSH by connecting to the Rice network with VPN. VPN (Virtual Private Network) essentially makes the off-campus computer appear as if it were on the Rice network. To obtain a VPN account and software, please visit the Rice VPN website. 

The two-step process to login to these systems using SSH with VPN is as follows:

  1. Connect to the Rice network with VPN using the off-campus computer. Read about how to do that here.
  2. SSH login to the Shared Computing Resource (such as nots.rice.edu, etc...).

 Note: If you are a Visitor/Guest, by default, you won't have access to Rice Box. You may be able to use the Microsoft, Apple, iOS, or Android stores to download the AnyConnect client and use that instead.

Method 3:SSH off-campus without VPN

People who have accounts on the Shared Computing Systems will likely have SSH or VPN access to the Rice network. For all users with valid cluster logins, we automatically create an SSH Gateway account that will provide the same capability as the "SSH Only " section above. Using this account will mean that logging in to these systems will be a two-step process:

  1. SSH login to gw.crc.rice.edu from off-campus.
  2. SSH login to the Shared Computing Resource (such as nots.rice.edu, etc.) from gw.crc.rice.edu

 

Policies regarding Quotas, Data Transfers, and Out Bound Connections

Read below for the latest information on the SSH Gateway access policy.

SSH Access In Bound Only

Once you are logged into the SSH gateway, you will not be able to use SSH to log in to any system other than a shared computing resource. SSH access is restricted to inbound connections to the gateway. Outbound connections from the SSH Gateway to systems other than the shared computing resources are not allowed. You can not log in to an off-campus system from the gateway, for example.

To login to the SSH Gateway, use SSH to log in to the host gw.crc.rice.edu. Once there, you can use SSH to log in to any of the shared computing resources. It will be a two-step process to login to a shared computing resource:

1.  SSH login to gw.crc.rice.edu from off-campus using your netID credentials and DUO.

  • We recommend appropriately secure ssh keys to eliminate password entry as part of this workflow which is a modern public ssh key that is password protected.

2.  SSH login to the shared computing resources (such as nots.rice.edu) from gw.crc.rice.edu.

Regarding Data Transfers and Quotas

All accounts on the gateway have a quota of 250MB enforced on home directories and we no longer recommend staging data to the gateway, but rather through the gateway.

How to Transfer Files from Off-Campus

For the less experienced user:

We highly recommend using our Data Transfer Nodes (DTN) to transfer data to and from the clusters and RDF.

Additionally, to transfer files from a Linux or Unix machine to the Shared Computing Resources, you can use the SCP command. If you are using a VPN connection, then SCP will work exactly as described in our SSH FAQ as if you were on campus.

If you are not using VPN and are using an intermediate Rice host or the SSH Gateway as described earlier, then there will be an SSH ProxyJump step process to transfer files to these systems, as seen below:

scp -o 'ProxyJump netID@gw.crc.rice.edu' FILENAME netID@anyhost.rice.edu:/DESTINATION/

Note about SCP and gw: If you are using the SSH Gateway for the file transfer process, your home directory on the SSH Gateway has a 250MB quota. We no longer recommend staging your data on the SSH Gateway and then copying it to the destination cluster as ProxyJump. We recommend appropriately securing ssh keys to eliminate password entry as part of this workflow.

For the more experienced user:

There is an alternative method for transferring data through the gateway. The advanced method for file transfers will include the use of an ssh tunnel, an encrypted communication channel that will allow network protocols (in this case ssh/SCP) to travel seamlessly between two endpoints over a secure channel. To set up and use an ssh tunnel, follow these steps:

  • Step 1: Open an SSH tunnel
    • In a terminal window on your workstation, open an ssh tunnel to the login node of the cluster that you are trying to copy data to. For example, nots.rice.edu if you are trying to transfer data to NOTS.
    • Set up the tunnel exactly as shown here, substituting the cluster hostname place of hostname.rice.edu: 
      [username@workstation ~]$ ssh -L 2222:hostname.rice.edu:22 username@gw.crc.rice.edu
      [username@gw ~]$
    • You will be prompted for your password on gw.crc.rice.edu. With successful login, you will have an ssh tunnel connected to the cluster identified by hostname.rice.edu. You will also have a command prompt on gw.crc.rice.edu.

  • Step 2: Copy data through the tunnel

    • Leave the above terminal window open with the ssh tunnel established. Open a new terminal on your workstation and execute these commands:
      scp -o NoHostAuthenticationForLocalhost=yes \

      -P 2222 filename(s) username@localhost:/shared.scratch/username
    • In this example, the username will be your cluster username. When prompted for a password, use your cluster password.
    • This command will copy your files to port 2222 on your workstation. Port 2222 is connected to the ssh tunnel to gw.crc.rice.edu, which is in turn connected to the cluster defined by hostname.rice.edu in the first step above. Thus, with a single scp command, the files will be copied from your workstation to the cluster through the SSH Gateway via this tunnel.

More Information about SSH

For general instructions on how to use SSH, please see our CRC SSH FAQ.




Keywords:CRC Access to Shared Computing Resources   Doc ID:108238
Owner:Joseph G.Group:Rice University
Created:2021-01-11 10:36 CSTUpdated:2022-10-04 09:39 CST
Sites:Rice University
Feedback:  8   9