[Paraview] server configuration with two factor authentication?

David E DeMarle dave.demarle at kitware.com
Sat Mar 21 12:15:23 EDT 2015 

I use a tiny executable called SocketRelay for the same purpose. We
borrowed it from VisIt.
On Mar 20, 2015 5:42 PM, "Burlen Loring" <burlen.loring at gmail.com> wrote:

>  there are 2 places I used netcat.
>
> 1) ssh policy on login node only allows us to connect to ssh tunnels from
> localhost. using ncat there fools ssh into thinking we are connecting on
> localhost. I think it's dumb that we have to do this, but our sys admins
> refuse to make the change. The ssh option is called GatewayPorts.
>
> 2) there is a different network protocol used on the compute nodes of our
> cray, the mom node understands that protocol and acts like a bridge to the
> login node. we create the tunnel from mom to login with netcat.
>
> there are other ways to forward the connections beside netcat, but it's
> easy to build, install, and use, and it's fast.
>
> On 03/20/2015 02:26 PM, Vanmoer, Mark W wrote:
>
>  Hi Burlen,
>
>
>
> Are you using ncat to setup those connections because of a policy (like no
> outside network connections allowed) or for a technical reason?
>
>
>
> Mark
>
> *From:* Burlen Loring [mailto:burlen.loring at gmail.com
> <burlen.loring at gmail.com>]
> *Sent:* Thursday, March 19, 2015 4:48 PM
> *To:* Vanmoer, Mark W; David E DeMarle
> *Cc:* paraview at paraview.org
> *Subject:* Re: [Paraview] server configuration with two factor
> authentication?
>
>
>
> Hi Mark,
>
> Yes to both. The way this could work on a simple cluster is: from the
> user's system which is assumed to be remote, the pvsc creates an ssh tunnel
> inside the xterm and calls the launch script on the compute system login
> node. the launch script submits the batch job. pvserver, when run in the
> batch script, connects back to the ssh tunnel on the login node. "client
> host" is the login node host name. "server port" is specified by the user
> in the pvsc.
>
> There's a slight complication with some Cray systems that means we need to
> involve a special node called the "mom" node in the tunnel.
>
> This will be clear if you see a complete example, for instance the
> following 3 scripts are used with NERSC's Cray Edison: pvsc
> <https://github.com/burlen/pvserver-configs/blob/master/pvsc/edison-unix.pvsc>,
> launch script
> <https://github.com/burlen/pvserver-configs/blob/master/servers/edison/4.3.1/start_pvserver.sh>,
> batch script
> <https://github.com/burlen/pvserver-configs/blob/master/servers/edison/4.3.1/start_pvserver.qsub>
> .
>
> Burlen
>
> On 03/19/2015 02:24 PM, Vanmoer, Mark W wrote:
>
> This great, thanks for sharing, guys. Using xterm would have never
> occurred to me.
>
>
>
> Are you setting the pvserver –client-host somehow? My old pvsc from Forge
> sent over the client’s hostname to the script. I tried that on Blue Waters
> and it works, but do I not need to actually do that? Also, are either of
> you setting –server-port in the launch script?
>
>
>
>
>
> *From:* David E DeMarle [mailto:dave.demarle at kitware.com
> <dave.demarle at kitware.com>]
> *Sent:* Thursday, March 19, 2015 1:28 PM
> *To:* Burlen Loring
> *Cc:* Vanmoer, Mark W; paraview at paraview.org
> *Subject:* Re: [Paraview] server configuration with two factor
> authentication?
>
>
>
> I liked this bit too as the windows version 'xterm -e ssh &'.
>
> <Command exec="cmd.exe" delay="10">
> <Arguments>
> <Argument value="/C"/>
> <Argument value="start"/>
> <Argument value="cmd.exe"/>
> <Argument value="/C"/>
> <Argument value="$SSH_EXEquot;/>
>
> Since windows isn't my first language, that took more hunting than I'ld
> like to admit. :)
>
>
>   David E DeMarle
> Kitware, Inc.
> R&D Engineer
> 21 Corporate Drive
> Clifton Park, NY 12065-8662
> Phone: 518-881-4909
>
>
>
> On Thu, Mar 19, 2015 at 2:18 PM, Burlen Loring <burlen.loring at gmail.com>
> wrote:
>
>  ""C:\Program Files (x86)\PuTTY\plink.exe""
>
>
>
> so that's the secret to paths with spaces! nice, thanks for sharing that!
>
>   On 03/19/2015 09:22 AM, David E DeMarle wrote:
>
>  Howdy Mark,
>
>
>
> Adding to what Burlen said.
>
>
>
> You can grab pvsc examples for ORNL, ANL and NERSC via
>
> paraview->File->Connect… Fetch servers.
>
> //File->Conenct…FetchServers->Edit Sources replace with pvsc
> http://www.paraview.org/files/pvscWindows Kitware Inc. on windows.
>
> Mac requires XQuartz, windows requires putty.
>
>
>
> Let me know when you get it working, with your permission I'ld love to add
> NCSA (and everywhere else) there so that users get it by default.
>
>
>
>
>
>
>   David E DeMarle
> Kitware, Inc.
> R&D Engineer
> 21 Corporate Drive
> Clifton Park, NY 12065-8662
> Phone: 518-881-4909
>
>
>
> On Thu, Mar 19, 2015 at 11:56 AM, Burlen Loring <burlen.loring at gmail.com>
> wrote:
>
>  Hi Mark,
>
> This works without anything special if you launch in an xterm. We did this
> at NICS which requires both ssh authentication and rsa secure id token.
> Here is an example
> <https://github.com/burlen/pvserver-configs/blob/master/pvsc/edison-unix.pvsc>
>
> Burlen
>
>
>
> On 03/19/2015 06:50 AM, Vanmoer, Mark W wrote:
>
>   Hi, is there a way to set up the server XML so that it works with two
> factor authentication, as in a token generator? This is for the Blue Waters
> machine at NCSA. What I mean is, something like how VisIt acts, which when
> doing the connection will prompt for the password and token.
>
>
>
> In the past, on machines without two factor auth, I’ve used
>
>
>
>
> http://www.paraview.org/Wiki/ParaView:Server_Configuration#Case_Eleven:_Launch_pvserver_on_a_cluster_using_PBS_-_use_reverse_connection_to_client
>
>
>
> but that requires having ssh keys set up.
>
>
>
> Thanks,
>
> Mark
>
>
>
> _______________________________________________
>
> Powered by www.kitware.com
>
>
>
> Visit other Kitware open-source projects at http://www.kitware.com/opensource/opensource.html
>
>
>
> Please keep messages on-topic and check the ParaView Wiki at: http://paraview.org/Wiki/ParaView
>
>
>
> Search the list archives at: http://markmail.org/search/?q=ParaView
>
>
>
> Follow this link to subscribe/unsubscribe:
>
> http://public.kitware.com/mailman/listinfo/paraview
>
>
>
>
> _______________________________________________
> Powered by www.kitware.com
>
> Visit other Kitware open-source projects at
> http://www.kitware.com/opensource/opensource.html
>
> Please keep messages on-topic and check the ParaView Wiki at:
> http://paraview.org/Wiki/ParaView
>
> Search the list archives at: http://markmail.org/search/?q=ParaView
>
> Follow this link to subscribe/unsubscribe:
> http://public.kitware.com/mailman/listinfo/paraview
>
>
>
>
>
>
>
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://public.kitware.com/pipermail/paraview/attachments/20150321/de95af7e/attachment.html>

More information about the ParaView mailing list