The focus of this document is accessing the Open Enclave from various terminal programs using ssh (Secure Shell). To learn how to access the Open Enclave through OpenOnDemand in a web browser, please refer to the OpenOnDemand document. This document assumes you currently possess a valid user account and have familiarity with remote access methods.
To access Open Enclave resources, you must connect with a Secure Shell client. In MacOS and most Linux distributions, a ssh client is built-in to the operating system. On Windows, PuTTY and MobaXterm can be used to provide ssh capability. Review the documentation on those clients to learn about their usage. Recent updates to Windows 10 have added built-in support for ssh. If it is not installed on your version of Windows, please refer to Microsoft’s documentation on OpenSSH. It can then be accessed with the Command Prompt or Windows PowerShell in the same way you would access ssh from a terminal within MacOS or Linux.
In addition to a ssh client, you will need the Duo app on your mobile device. The app can be downloaded from the Apple App Store for iOS users or from Google Play for Android users. New users should be automatically enrolled in Duo; existing users, however, must associate their UT NetID with their NICS account. To do this, navigate to the NICS user portal and click the link to associate your UT NetID with your NICS account. If you skipped Duo enrollment when you created your NICS account, then you must also associate your UT NetID with your account. For more information on Duo, visit their website.
To begin, open a terminal. At the prompt, type
ssh <NetID>@acf-login.acf.tennessee.edu. Replace <NetID> with your UT NetID. When prompted, supply your NetID password. Next, type 1 and press Enter (Return). A Duo Push will be sent to your mobile device. You may use the 2 option to receive a SMS message on your mobile device with a code that you should provide at the prompt. Regardless of the Duo option you choose, you will be logged into the Open Enclave once you successfully authenticate.
On Windows, the process for connecting to the Open Enclave depends on the client you use. If you run an updated Windows 10 machine, you may use PowerShell or Command Prompt to access ssh. Either terminal will work for connecting to the Open Enclave. Once you open either PowerShell or Command Prompt, follow the same steps MacOS and Linux users use to connect to the Open Enclave.
For older Windows systems, such as Windows 7 or 8, you should use PuTTY to connect to the Open Enclave. Launch PuTTY. Make sure the “Session” menu is selected in the left pane. In the right pane, type acf-login.acf.tennessee.edu in the “Host Name (or IP address)” box. Verify that the port is set to 22 and that ssh is set as the connection type, then select “Open.” You will be prompted to provide your NetID, followed by your NetID password. Next, you will authenticate with Duo. The Duo options remain the same as they do for MacOS and Linux. Once you successfully authenticate, you will be logged into the Open Enclave.
Open Enclave resources support X11 forwarding, which enables the use of graphical tools. On most Linux distributions, X11 is built-in to the operating system. On MacOS, the XQuartz system handles X11. You can access XQuartz by typing xterm in a standard Terminal.
Open your X11 terminal of choice, then execute
ssh -X <NetID>@acf-login.acf.utk.edu to connect to the Open Enclave with X11 forwarding enabled. If the connection does not work, replace -X with -Y. Because the option is case-sensitive, make sure you use capital letters. Upon connecting to the Open Enclave, type
clock to verify that the X11 system is functional. If neither of those programs work, review the documentation for the client you chose and check your X11 terminal configuration.
Windows does not have a built-in X server to use for X11 forwarding; therefore, a third party X server must be installed to enable its use. If you require X11 forwarding on a Windows machine, it is best to use PuTTY as your ssh client and xming as the X server. Download and install both applications. Once they are installed, start xming, then open PuTTY. In the left pane, expand the “Connection” menu. Under the “SSH” menu, select “X11.” Check the box that says “Enable X11 forwarding.” Be aware that this will only apply to your current session unless you save it for future use. If you do not save the session, you must manually enable X11 forwarding each time you require it. With X11 enabled, use PuTTY to connect to the Open Enclave as you normally would. You may test X11 with the
Accounts that are not used for one year are disabled. If you believe your account has been disabled due to inactivity, please submit a ticket to the OIT Help Desk (see https://help.utk.edu).
If you know your current NetID password and desire to change it, navigate to the password management page and log in. Once you authenticate with your username, password, and Duo, continue through the account protection prompt. Specify a new password that complies with UT’s password policies and accept the AUP (acceptable use policy) to change your NetID password.
If you do not know your current NetID password and desire to change it, navigate to the password reset page. Provide the necessary information to authenticate, then continue through the account protection prompt. Provide a new password that complies with UT’s password policies and accept the AUP to change your NetID password.
If you continue to have issues with your NetID password, please submit a ticket to OIT HelpDesk.
When you log in to the Open Enclave for the first time, your ssh client will warn you about an unknown host key. This is normal behavior and should not cause alarm. Generally, the ssh client will show the host’s key fingerprint and ask if you wish to continue. Select “yes” when this option is presented to you. At that point, the Open Enclave’s host key will be added to your system, which will prevent future prompts. Be aware, however, that ssh host keys can change, and when they do, the ssh client will dramatically warn you. Figure 6.1 shows this warning. It is necessary to edit your ssh known_hosts file to remedy this error. If you have reasonable suspicion that this is a legitimate security concern and not a case of mismatched keys, please submit a ticket to firstname.lastname@example.org.
If you receive this warning, it means that the key your system associates with the Open Enclave is no longer valid. Again, this should not be cause for alarm unless there is reason to suspect a legitimate security concern. Instead, modify your known_hosts file to remove the old key so that ssh can register the new one. The ssh-keygen command allows you to modify this file without breaking ssh.
To edit your known_hosts file on a MacOS or Linux system, open a terminal. Type
ssh-keygen -R <hostname> and press Enter (Return). Replace the <hostname> argument with
acf-login.acf.utk.edu. Existing users should also run the ssh-keygen -R command with the
acf-login.nics.utk.edu hostname. After this change, the warning in Figure 6.1 will no longer appear, and ssh will allow you to save the new host key. If necessary, you can retrieve deleted keys from the known_hosts.old file that is created in the ~/.ssh directory.
On updated Windows 10 systems, follow the process used to remove ssh host keys from MacOS and Linux. Both PowerShell and Command Prompt support the ssh-keygen command.
For older Windows systems that run PuTTY, ssh host keys are stored within the registry. Proceed with caution when editing the Windows registry. Incorrect modifications could result in system instability. To begin, open the Registry Editor. You can open this utility by searching for it from the Start menu or by opening the Run menu and typing regedit. When it opens, navigate to the following location from the left pane:
All the host keys known to PuTTY will appear. Before you delete any of the keys, double-click on them to verify that they belong to the offending hosts. The name of the host will appear under the “Value name:” header. Figure 6.2 identifies where the hostname will appear. Once you verify that the key belongs to the offending host, right-click on it to delete it. PuTTY should then allow you to save the host’s new key upon your next login attempt.