[Paraview] server configuration with two factor authentication?

Vanmoer, Mark W mvanmoer at illinois.edu
Fri Mar 20 17:26:18 EDT 2015


Hi Burlen,

Are you using ncat to set up those connections because of a policy (like no outside network connections allowed) or for a technical reason?

Mark
From: Burlen Loring [mailto:burlen.loring at gmail.com]
Sent: Thursday, March 19, 2015 4:48 PM
To: Vanmoer, Mark W; David E DeMarle
Cc: paraview at paraview.org
Subject: Re: [Paraview] server configuration with two factor authentication?

Hi Mark,

Yes to both. The way this could work on a simple cluster is: from the user's system, which is assumed to be remote, the pvsc creates an ssh tunnel inside the xterm and calls the launch script on the compute system login node. The launch script submits the batch job. pvserver, when run in the batch script, connects back to the ssh tunnel on the login node. "client host" is the login node host name. "server port" is specified by the user in the pvsc.

There's a slight complication with some Cray systems that means we need to involve a special node called the "mom" node in the tunnel.

This will be clear if you see a complete example, for instance the following 3 scripts are used with NERSC's Cray Edison: pvsc<https://github.com/burlen/pvserver-configs/blob/master/pvsc/edison-unix.pvsc>, launch script<https://github.com/burlen/pvserver-configs/blob/master/servers/edison/4.3.1/start_pvserver.sh>, batch script<https://github.com/burlen/pvserver-configs/blob/master/servers/edison/4.3.1/start_pvserver.qsub>.

Burlen

On 03/19/2015 02:24 PM, Vanmoer, Mark W wrote:
This is great, thanks for sharing, guys. Using xterm would have never occurred to me.

Are you setting the pvserver --client-host somehow? My old pvsc from Forge sent over the client's hostname to the script. I tried that on Blue Waters and it works, but do I not need to actually do that? Also, are either of you setting --server-port in the launch script?


From: David E DeMarle [mailto:dave.demarle at kitware.com]
Sent: Thursday, March 19, 2015 1:28 PM
To: Burlen Loring
Cc: Vanmoer, Mark W; paraview at paraview.org
Subject: Re: [Paraview] server configuration with two factor authentication?

I liked this bit too as the windows version 'xterm -e ssh &'.

<Command exec="cmd.exe" delay="10">
<Arguments>
<Argument value="/C"/>
<Argument value="start"/>
<Argument value="cmd.exe"/>
<Argument value="/C"/>
<Argument value="&quot;$SSH_EXE$&quot;"/>

Since windows isn't my first language, that took more hunting than I'd like to admit. :)

David E DeMarle
Kitware, Inc.
R&D Engineer
21 Corporate Drive
Clifton Park, NY 12065-8662
Phone: 518-881-4909

On Thu, Mar 19, 2015 at 2:18 PM, Burlen Loring <burlen.loring at gmail.com> wrote:

""C:\Program Files (x86)\PuTTY\plink.exe""



so that's the secret to paths with spaces! nice, thanks for sharing that!

On 03/19/2015 09:22 AM, David E DeMarle wrote:
Howdy Mark,

Adding to what Burlen said.

You can grab pvsc examples for ORNL, ANL and NERSC via
paraview->File->Connect… Fetch servers.
//File->Connect…FetchServers->Edit Sources replace with pvsc http://www.paraview.org/files/pvscWindows Kitware Inc. on windows.
Mac requires XQuartz, windows requires putty.

Let me know when you get it working, with your permission I'd love to add NCSA (and everywhere else) there so that users get it by default.



David E DeMarle
Kitware, Inc.
R&D Engineer
21 Corporate Drive
Clifton Park, NY 12065-8662
Phone: 518-881-4909

On Thu, Mar 19, 2015 at 11:56 AM, Burlen Loring <burlen.loring at gmail.com> wrote:
Hi Mark,

This works without anything special if you launch in an xterm. We did this at NICS which requires both ssh authentication and rsa secure id token. Here is an example<https://github.com/burlen/pvserver-configs/blob/master/pvsc/edison-unix.pvsc>

Burlen

On 03/19/2015 06:50 AM, Vanmoer, Mark W wrote:
Hi, is there a way to set up the server XML so that it works with two factor authentication, as in a token generator? This is for the Blue Waters machine at NCSA. What I mean is, something like how VisIt acts, which when doing the connection will prompt for the password and token.

In the past, on machines without two factor auth, I’ve used

http://www.paraview.org/Wiki/ParaView:Server_Configuration#Case_Eleven:_Launch_pvserver_on_a_cluster_using_PBS_-_use_reverse_connection_to_client

but that requires having ssh keys set up.

Thanks,
Mark
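
The tunnel-plus-reverse-connection flow described in this thread, as an added example that is not part of any message here and not taken from the pvserver-configs repository. Function names, the launch-script path and the sample user, host and port are hypothetical; it assumes the launch script takes the port as its only argument and that compute nodes can reach the forwarded port on the login node.

```shell
#!/bin/sh
# Added example: not from the thread or the pvserver-configs repository.
# Function names, the launch-script path and sample values are hypothetical.

LAUNCH_SCRIPT=/path/to/start_pvserver.sh   # placeholder path on the login node

# Accept a user or host name only if it cannot be read as an ssh option
# or shell syntax once it is placed on a command line.
safe_word() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

# Accept only an unprivileged TCP port written in plain decimal.
valid_port() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Client side, run inside the xterm: -t keeps a terminal attached so the
# password and token prompts reach the user; -R makes the login node's
# PORT lead back to the ParaView client listening on localhost:PORT.
build_tunnel_cmd() {    # args: user login_node port
    safe_word "$1" && safe_word "$2" && valid_port "$3" || return 1
    printf 'ssh -t -R %s:localhost:%s %s@%s %s %s\n' \
        "$3" "$3" "$1" "$2" "$LAUNCH_SCRIPT" "$3"
}

# Batch-job side: pvserver dials out to the tunnel end on the login node.
build_pvserver_cmd() {  # args: login_node port
    safe_word "$1" && valid_port "$2" || return 1
    printf 'pvserver --reverse-connection --client-host=%s --server-port=%s\n' \
        "$1" "$2"
}

# Constructed sample values.
build_tunnel_cmd alice login.example.org 11111
build_pvserver_cmd login.example.org 11111
```

Any process that can reach the forwarded port on the login node can connect to the waiting client, so a per-session port is preferable to a fixed one.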


_______________________________________________

Powered by www.kitware.com<http://www.kitware.com>



Visit other Kitware open-source projects at http://www.kitware.com/opensource/opensource.html



Please keep messages on-topic and check the ParaView Wiki at: http://paraview.org/Wiki/ParaView



Search the list archives at: http://markmail.org/search/?q=ParaView



Follow this link to subscribe/unsubscribe:

http://public.kitware.com/mailman/listinfo/paraview

