Document revision history

Click the “Details” toggle below for the revision history.

Details

  • 1.2.2 — Restart the X11 server if changing the X11 server remote access selection

  • 1.2.1 — Add instructions for quad display; add missing final “s” to a few “Xresource”

  • 1.2.0 — Minor release

  • 1.1.6 — Add collapsible box for document revision history

  • 1.1.5 — Add: CAPI certificate setup and use, disabling remote X11 connections, and promoting to oper on connecting

  • 1.1.4 — Add display specific Xresources for remote

  • 1.1.3 — Add testing login shell window configuration

  • 1.1.2 — Clarify which lines to change in .profile

  • 1.1.1 — Add allowing for PC firewall and revision history

  • 1.1.0 — Initial version

1. Introduction

This document covers customization for AUID (login) user accounts. As written, it describes customization of the oper account for AUID users on CIS hardened FSL11 systems (see the CIS hardening for FSL11 document), but it can adapted for use in other situations. Possible adaptations including:

  • Using this approach with the prog account in addition to oper. The adaption should essentially be trivial.

  • Using different .Xresources files for different remote connections for one AUID user. To fully automate this you may want to set an environment variable when connecting and use that to select the .Xresources (and other) file(s) used.

  • Using this approach with non-CIS hardening systems by adding non-oper (and non-prog) login accounts that can promote to being oper with oper_account (and prog with prog_account) as for AUID accounts with CIS hardening (see the Enabling user promotion to oper/prog and root section of the CIS hardening for FSL11 document for the details).

  • On non-CIS hardened systems without creating new accounts, providing special aliases (in ~/.bash_alias) to allow users to load different .Xresources files with one type-in. The rlxr alias can be used as a starting point for new aliases. There could also be aliases for running different versions of the .profile (starting alias rl) and .bashrc (starting alias rc) scripts.

For remote connections, detailed instructions are provided for the connection client currently used on PCs by stations with AUID accounts. The instructions could be adapted to other clients.

Two main areas are covered in this document:

There are four appendices related to connections from a PC:

2. rc file customization

With the standard AUID configuration (see Adding AUID accounts in the CIS hardening for FSL11 document, there are two rc (run command) files that can be used for customization of the oper account: ~oper/.profile_<AUID> and ~oper/.bashrc_<AUID> (where <AUID> is the user’s AUID account name). These files are described below. You may find it instructive to look at the normal ~oper/.profile and ~oper/.bashrc files to understand how they are typically used.

2.1. ~oper/.profile_<AUID>

This script is run for the <AUID> user at end of the ~oper/.profile script. As such, it is run only for interactive login shells. It is the appropriate place to set session wide environment variables and perform one-time login tasks. Since it is run at the end of ~oper/.profile, it can effectively override many things done by ~oper/.profile.

2.2. ~oper/.bashrc_<AUID>

This script is run for the <AUID> user at end of the ~oper/.bashrc script. As such, it is run only for interactive shells, both login and non-login. It is the appropriate place to set shell interactive information such as shell options, prompts, and command aliases. Since it is run at the end of ~oper/.bashrc, it can effectively override many things done by ~oper/.bashrc.

Note
 .bashrc is run at the start of .profile for login shells.

An example of using this file for the sysadmin's AUID account is given in the Setting hostname alias section of the Additional items for FS operations appendix of the CIS hardening for FSL11 document.

3. X11 resources customization

This section provides procedures for customizing FS xterm window placement and size using X11 resources files. This may be useful for defining different window configurations on the console or when connecting over ssh from a remote device, which may have a different display size.

There are two ways to customize X11 resources, either use the same customization for all users, i.e., general, or different ones, per AUID account. The approaches can be mixed so some users get the general setup and others get an individual setup.

The methods given here will not work for programs that aren’t xterm based. In particular, the RDBE monitor and rdbemsg programs positions cannot be set this way, but have their own options for setting their geometries. Those options may be used on the lines for the programs in the /usr2/control/clpgm.ctl file for the client=…​ command and in the ~/.fvwm2rc file for hot-keys and menu options on the local console. Likewise, the appropriate line must be modified to explicitly set a geometry for a basic xterm window opened with the client=xterm command or with the window manager. Different layouts can be supported with different commands (lines) in the files. With additional changes, it would also be possible to use different ~/.fvwm2rc files for different users on the local console.

The naming convention for the X11 resources files in ~oper is:

  • .Xresources — General local values

  • .Xresources_remote — General remote values

  • .Xresources_<AUID> — Per AUID local values for account <AUID>

  • .Xresources_remote_<AUID> — Per AUID remote values for account <AUID>

  • .Xresources_remote_<AUID>_<display> — Per AUID remote values for <display> for account <AUID>

3.1. General X11 resources customization

The section provides procedures for customing the X11 resources so they are the same for all AUID users. The customization can be different for local and remote users; each is covered in sub-sections below. They can be combined with Per AUID account X11 resources customization to tailor the configuration for those users that want to deviate from the general one.

3.1.1. General X11 resources customization for a local connection

  1. Login in on the console with your AUID account.

  2. Enter the commands:

    mv .Xresources .Xresources.orig
ln -sfn ~oper/.Xresources .Xresources

  3. Start the GUI by entering oper_x11.

    1. Working in the login shell window:

      1. Enter your password when prompted.

      2. Start the FS: fs

        1. Adjust the windows to the sizes and positions you want.

          This can include the login shell window.

        2. Open an additional window to work in, e.g., use client=xterm in the Operator Input window

          1. Adjust the contents of ~oper/.Xresources using the method of Setting geometry values in .Xresources.

            Tip
            		 Copying text by dragging the mouse over it with the first button depressed and pasting with the middle mouse button may work best.
            Tip
            		 To test the settings for the login shell window, it will necessary to exit from the GUI and restart it with oper_x11.
            Note
            		 The referenced method is a section of the FS “Installation Reference Document” (https://nvi-inc.github.io/fs/releases/misc/install_reference.html).

          2. Enter exit to close the additional window.

        3. Terminate the FS (or client)

      3. Exit from the oper account shell.

      4. Exit from the AUID account shell (and login shell window).

  4. Login in on the console with your AUID account.

    1. Working in the login shell window:

      1. Promote to oper using the oper_account command.

      2. Enter your password when prompted.

      3. Start the FS: fs (or client: fsclient)

        The windows should appear as you set them. If not, you may need to iterate adjusting the ~oper/.Xresources file.

3.1.2. General X11 resources customization for a remote connection from a PC

This procedure assumes that you have created a client session for connecting to the FS computer on the PC according to the appendix Create Client Session on a PC.

Caution
 Before starting, you may want to make sure the PC has the display set to 100% scaling (this may require logging out and logging in again) and the Taskbar is set to automatically hide. This will give more screen space to work with.

  1. In the connection client program on the PC, double-click on the session you will be using.

    1. Enter your password if prompted for it. If prompted to save your password, click No.

    2. Working in the login shell window:

      1. Promote to oper using the oper_account command.

      2. Enter your password when prompted.

      3. Start the FS: fs

        1. Adjust the windows to the sizes and positions you want.

          This can include the login shell window.

        2. Open an additional window to work in, e.g., use client=xterm in the Operator Input window

          1. Edit the ~oper/.profile file:

            Change the xrdb -merge …​ line for a remote connection. This is the first one in the file. The following lines show the preceding comment to help identify it. Only the second line needs to be modified. Change:

            #       ssh from remote host with X display
        xrdb -merge ~/.Xresources

            to:

            #       ssh from remote host with X display
        xrdb -merge ~/.Xresources_remote

          2. If you have not already created the general file .Xresources_remote file according to Quad Display create one by copying the nominal file:

            cp .Xresources .Xresources_remote

          3. If needed, adjust the contents of ~oper/.Xresources_remote using the method of Setting geometry values in .Xresources.

            Tip

            Copying text by dragging the mouse over it with the first button depressed and pasting with the middle mouse button may work best.

            For testing the configuration for all windows except login shell, instead of using the rlxr alias, use the command:

            xrdb -merge ~oper/.Xresources_remote

            and restart the FS. To test for login shell, it will necessary to log-out of the AUID session completely and log back in again.
            Note
            		 The referenced method is a section of the FS “Installation Reference Document” (https://nvi-inc.github.io/fs/releases/misc/install_reference.html).

          4. Enter Exit to close the additional window.

        3. Terminate the FS (or the client)

      4. Exit from the oper account shell

      5. Exit from the AUID account shell (and login shell window).

  2. Press Enter (in the session tab: to close it).

  3. Right-click on the session you are using.

    1. Click Edit session

      1. Click Advanced SSH settings

        1. Change the xrdb command part of the Execute command: text box (the part before the semi-colon, ;) to:

          xrdb -merge ~oper/.Xresources_remote
          Caution
          		 The changes are to the path and name of the X11 resources file.

    2. Click OK

  4. Double-click on the session you are working with.

    1. Enter your password if prompted for it. If prompted to save your password, click No.

    2. Working in the login shell window:

      1. Promote to oper using the oper_account command.

      2. Enter your password when prompted.

      3. Start the FS: fs (or client: fsclient)

        The windows should appear as you set them. If not, you may need to iterate adjusting the ~oper/.Xresources_remote file.

3.2. Per AUID account X11 resources customization

The steps in this introductory section only need to be done once. For each user that wants individualized settings, use the steps in the sub-sections below for local and remote connections as appropriate.

  1. Login on the console with your AUID account or double-click on the session in the connection client on the PC.

    If you are working from a PC, you must have already setup the session according to the appendix Create Client Session on a PC.

  2. Working in the login shell window:

    1. Promote to oper with the oper_account command.

    2. Enter your password when prompted.

    3. If the oper account has not already been setup according to General X11 resources customization for a remote connection from a PC or a .Xresources_remote file created according to Quad Display, create the general file for remote by copying the nominal file:

      cp .Xresources .Xresources_remote

    4. Edit the file ~oper/.profile to make two changes:

      1. Change the xrdb -merge …​ line for a remote connection.

        This is the first one in the file. The following lines show the preceding comment to help identify it. Only the second line needs to be modified. Change:

        Caution
        		 If the oper account has not already been setup according to General X11 resources customization for a remote connection from a PC, the old line will have ~/.Xresources instead of ~/.Xresources_remote. Replace it anyway. 
        #       ssh from remote host with X display
        xrdb -merge ~/.Xresources_remote

        to:

        #       ssh from remote host with X display
        if [ -f "$HOME/.Xresources_remote_$SUDO_USER" ]; then
          xrdb -merge ~/.Xresources_remote_$SUDO_USER
        else
          xrdb -merge ~/.Xresources_remote
        fi

      2. Change the xrdb -merge …​ line for a local connection.

        This is the last one in the file (the third including the one added above). The following lines show the preceding comment to help identify it. Only the second line needs to be modified. Change:

        #       login shell (because this is .profile) on the local X console
        xrdb -merge ~/.Xresources

        to:

        #       login shell (because this is .profile) on the local X console
        if [ -f "$HOME/.Xresources_$SUDO_USER" ]; then
          xrdb -merge ~/.Xresources_$SUDO_USER
        else
          xrdb -merge ~/.Xresources
        fi

    5. Enter exit to close the oper account shell

    6. Exit from the AUID account shell (and login shell window).

  3. If you connected from a PC, press Enter (in the session tab: to close it).

3.2.1. Per AUID account X11 resources customization for a local connection

Caution
 This procedure uses dhorsley as an example AUID (login) account name. You should substitute your login account name wherever dhorsley is used.

Except for the three items below, follow the same procedure as in General X11 resources customization for a local connection:

  1. Just after logging into the AUID account, dhorsley for this example, execute:

    Caution
    		 If the oper account has already been setup according to General X11 resources customization for a local connection, do not use the mv command below. 
    mv .Xresources .Xresources.orig
ln -sfn ~oper/.Xresources_dhorsley .Xresources

  2. When the additional window is opened, e.g., with client=xterm:

    1. Copy the nominal file:

      cp .Xresources .Xresources_dhorsley

    2. Adjust the contents of ~oper/.Xresources_dhorsley instead of ~oper/.Xresources.

      For testing the configuration for all windows except login shell, instead of using the rlxr alias, you can use the command:

      xrdb -merge ~oper/.Xresources_dhorsley

      and restart the FS. To test the settings for the login shell window, it will necessary to exit from the GUI and restart it with oper_x11.

  3. If you need to iterate, adjust the file ~oper/.Xresources_dhorsley.

3.2.2. Per AUID account X11 resources customization for a remote connection from a PC

Caution
 This procedure uses dhorsley as an example AUID (login) account name. You should substitute your login account name wherever dhorsley is used.
Caution
 This procedure assumes you are setting this up for a quad display as described at Quad Display. If you are doing it for say, your laptop, you can use laptop in place of quad in the instructions below. You can have both quad and laptop (and other additional) configurations for a given AUID user. This is helpful if you connect from different machines with different X11 resolutions or display sizes.
Tip
 If you are only making a non-display specific Xresources file, e.g., ~oper/.Xresources_remote_dhorsley for this user, drop the _quad in the instructions below and skip making the dummy ~oper/.Xresources_remote_dhorsley file.

Except for the three items below, follow the same procedure as in General X11 resources customization for a remote connection from a PC:

  1. When the additional window is opened, e.g., with client=xterm:

    1. Do not edit the ~oper/.profile file.

    2. Do not copy to create the general remote file.

    3. Instead, copy the general remote file to create the AUID remote file for this display:

      cp .Xresources_remote .Xresources_remote_dhorsley_quad

    4. Create a dummy .Xresources_remote_dhorsley file:

      Tip
      		 Skip this sub-step if you are making a non-display specific Xresources file for this user.
      Note
      		 Since the display specific Xresources are set by the command that the PC client uses, this sub-step prevents the Xresources from being overwritten and removes additional (redundant) communication with the X11 server. 
      cat <<EOT >.Xresources_dhorsley
!if this file has no resources look for other .Xresources_remote_* files for this AUID
EOT

    5. Adjust the contents of ~oper/.Xresources_remote_dhorsley_quad instead of ~oper/.Xresources_remote.

      For testing the configuration of all windows except login shell, the rlxr alias will not reload its resources, but you can use the command:

      xrdb -merge ~oper/.Xresources_remote_dhorsley_quad

      and restart the FS. To test for login shell, it will necessary to log-out of the AUID session completely and log back in again.

  2. When changing the xrdb command part of the Execute command: text box (the part before the semi-colon, ;), make it:

    xrdb -merge ~oper/.Xresources_remote_dhorsley_quad
    Caution
    		 The changes are to the path and name of the X11 resources file.

  3. If you need to iterate, adjust the file ~oper/.Xresources_remote_dhorsley_quad.

Appendix A: Create Client Session on a PC

Details interactions are provided for the connection client used by stations that connect from PCs.

If you will be connecting with a CAPI certificate through a jumpbox, follow the directions in the Create a connection through a jumpbox with a CAPI certificate from a PC appendix before using these instructions.

Caution
 This procedure uses dhorsley as an example login account name. You should substitute your login account name wherever dhorsley is used.
Note
 The first time you run the client connection program, you will probably be prompted by the firewall about whether to allow connections for its X11 server. If so, click Allow. Then you may be prompted about whether to allow the firewall to make changes. If so, click Yes.

  1. In the client connection program on the PC, click Session

    1. Click SSH

      1. Use the IP address of the FS computer for the Remote host *.

      2. Check the Specify username box, and supply the AUID account name, dhorsley (for this example).

      3. Click Advanced SSH settings

        1. Make sure the X11-Forwarding box is checked.

        2. Make sure the Remote environment: is Interactive shell.

        3. In the Execute command: text box, enter:

          xrdb -merge ~/.Xresources ; xterm -ls -name login_sh
          Tip
          		 If you want this session to directly promote to oper, add  -e  oper_account to the end of the command (note the required leading space  , in the string to be added). When connecting, it will be necessary to enter the AUID account password when prompted by sudo to promote to oper.
          Note

          Quad Display: If your FS display uses four monitors, a quad display (an arrangement that provides much more screen real estate), you may want to use a slightly different approach. Please click on the “Details” toggle below for more information.

          Details

          In the Execute command: text box, enter instead:

          xrdb -merge ~oper/.Xresources_remote ; bash

          This command will open a bash shell prompt on the target machine. From there, you can open xterms that will be sized and positioned according to the oper Xresources file (which must be installed, see below). For example, you can define Xresources for a window named xterm_2 and start such an xterm with:

          xterm -name xterm_2 &

          If you promote to oper before opening the xterm, it will run in the oper account instead of the AUID account.

          Example files for use with a quad display are included in /root/fsl11/quad_display/:

          • fsy — A script to open a login shell running the FS, or running the client if the FS is already running. It is intended to be run after promoting to oper in the bash shell session opened by the connection.

          • xterm_2 — A script to open an xterm with the name xterm_2. This is also intended to be run from the bash shell session opened by the connection, but it may be before or after promoting to oper depending on what is needed.

          • .Xresources_remote — An example quad display Xresources file that includes example window lay-outs, including for xterm_2.

          The scripts can be placed in ~oper/bin by root:

          cd ~oper/bin
cp /root/fsl11/quad_display/fsy .
cp /root/fsl11/quad_display/xterm_2 .
chown oper.rtx fsy xterm_2
chmod o-x fsy

          The Xresources file can be placed in ~oper by root:

          cd ~oper
cp /root/fsl11/quad_display/.Xresources_remote .
chown oper.rtx .Xresources_remote

          If the file already exists in ~oper you will be asked to confirm the cp. If it is safe to overwrite, you can answer y. Working as oper, you can modify the size and placement of the windows in ~oper/.Xresources_remote as you wish.

          Working as oper, you can setup additional xterms: xterm_3, etc,, either by cloning and modifying ~oper/bin/xterm_2 or adding them to that script. The resources for xterm_2 in ~oper/.Xresources_remote can be copied-and-pasted for each additional xterm and the copies modified.

        4. Make sure the Do not exit after command ends is not checked.

      4. Click Bookmark settings

        1. Optionally, change the Session name: to something more meaningful, for this example: fs1‑12m or dhorsley@fs1‑12m.

      5. If you will be using a CAPI certificate to connect through a jumpbox, click on the Details toggle below for additional steps that are needed.

        Details

        1. Click on Network settings

          1. Click on SSH gateway (jump host)

            1. Enter the jumpbox address in the Gateway host text box.

            2. Enter your user name on the jumpbox in the Username text box

            3. Enter the port (usually 22) on the jumpbox in the Port text box.

            4. Check Use SSH key, but do not select a key file in the field below it.

            5. Click OK

        Note
        		 You can create tunnels for additional connections through the jumpbox using the Tunnels menu in the top level of the client connection program. These tunnels can be started automatically when you start the program by selecting the blue “runner” icon on the corresponding line.

      6. Click OK

        The client will attempt to connect.

    2. If you are asked to accept the connection (maybe connexion) and the displayed IP address is correct, click Accept.

    3. Enter your password when prompted. If prompted to save your password, click No.

      The login shell window should appear, but it may be oddly placed/sized.

    4. Working in the login shell window:

      1. Enter exit.

  2. Press Enter (in the session tab: to close it).

  3. For improved security, click Settings

    1. Click X11

      1. For X11 remote access, select disabled.

    2. Click OK

    3. If you changed the setting, you will need restart the X11 server. Click Yes if you are given that option.

Tip

You can create a desktop shortcut to open the connection. In the connection client:

  1. Select the Sessions icon.

  2. Right-click on the session from the drop-down list and select Edit session.

  3. Select Create a desktop shortcut to this session

  4. Check both Hide terminal on startup and Close …​ on exit boxes and select OK.

  5. If you are using the Quad Display approach above, in the Start session in drop-down box select Detached tab.

  6. Select OK.

If you aren’t using a CAPI certificate, please see the appendix Enable SSH Key Login from a PC for a way to streamline logging in without using a password. That is better than having the connection client remember your password since that may change.

Appendix B: Enable SSH Key Login from a PC

If you are not using a CAPI certificate, you can avoid the need to enter your password each time you login by using an ssh key. The key will work across password changes, but will not work if the password has expired.

Note
 You will still need to use your password to promote to oper on the FS machine.

This procedure assumes that you have created a client session for connecting to the FS computer on the PC according to the appendix Create Client Session on a PC.

  1. In the PC connection client program on the PC, click Tools

    1. Click the option with (SSH key generator)

      1. Make sure RSA is selected for Type of key to generate.

      2. Make sure 2048 is entered for Number of bits in a generated key.

      3. Click Generate

        Move the mouse around the blank area to generate some randomness until a key is displayed.

      4. Click Save Private key

        1. When prompted, click Yes to confirm saving the key without a passphrase.

        2. Click the (your) Documents folder.

        3. Enter a File Name: id_rsa. A .ppk extension is added automatically.

        4. Click Save

      5. Use the mouse to copy the text in the Public key for …​ field.

        Select the entire text (starting with ssh-rsa through the rsh-key-YYYYMMDD) by dragging the mouse over it with the first button depressed. You may need to drag downward to force scrolling in the text box to get it all. Then enter Control+C to copy it.

      6. Close the window with the X in the upper right corner.

  2. Double-click on the session you want to connect to.

    Note
    		 If this method for transferring the public key, specifically the pasting, doesn’t work, you can try the Alternative method in the NOTE below.

    1. Enter your password when prompted. If prompted to save your password, click No.

    2. Working in the login shell window:

      1. Enter:

        cat >>~/.ssh/authorized_keys

      2. Paste the copied text into the window by pressing the middle mouse button.

      3. Press Enter.

      4. Press Control+D.

      5. Enter exit to close the connection to the FS computer.

  3. Press Enter (in the session tab: to close it).

    Note

    Alternative: If the above method for transferring the public key does not work, this may (click on Details to open/close):

    Details

    1. Click Start local terminal

      1. Use ssh to connect to the FS machine, using your AUID account name instead of dhorsley and the FS machine’s IP address in place of xxx.xxx.xxx.xxx:

        ssh dhorsley@xxx.xxx.xxx.xxx

        ssh will attempt to connect.

      2. If prompted to confirm the remote host’s key, enter yes, unless you have some reason to believe it is incorrect.

      3. Enter your password when prompted. If prompted to save your password, click No.

      4. In the connection to the FS, enter:

        cat >>~/.ssh/authorized_keys

      5. Paste the copied text into the window with Shift+Insert, or right-click in the window and click Paste.

        When right-clicking, if you are prompted to assign Actions of mouse buttons, click right-click action as Show context menu, click OK and then click Paste from the context menu.

        If you are prompted for …​ paste confirmation, click OK.

      6. Press Enter.

      7. Press Control+D.

      8. Enter exit to close the connection to the FS computer.

      9. Enter exit to close the local terminal.

  4. Right-click on the session where you will install the key (fs1-12m in this example).

    1. Click Edit session

      1. Click Advanced SSH settings

        1. Make sure the Use private key box is checked.

        2. Click on the browse icon in the text entry field for Use private key.

          1. Double-click on the private key file you created, id_rsa (Type: PuTTY Private Key File; extension .ppk) , in the (your) Documents directory.

      2. Click OK

  5. Test the connection, by double-clicking on the session.

    The login shell window should appear.

    1. Working in the login shell window:

      1. Enter exit.

  6. Press Enter (in the session tab: to close it).

Appendix C: Create a connection through a jumpbox with a CAPI certificate from a PC

Caution
 These instructions have not been verified, but should be close to being correct. Please report any discrepancies.

  1. Run the key agent

    For example, using the search box in the Start window, type the name of the key agent, then select the displayed app.

  2. In the Task bar, in the System Tray (usually on the right side), right-click on the key agent icon. It looks like a computer/monitor with a black-hat tilted to the right. If the icon is not displayed, you may need to click the “up” arrow in the System Tray to show all the apps. Once the app is display, right-click on it.

    1. Select Add CAPI Cert

      If a dialog box appears asking to confirm loading the certificate/key, click Ok (or Yes).

  3. Right click on key agent icon again

    1. Select View Keys & Certs

      1. In the …​ Key List window, select the key, if it isn’t already.

      2. Click on Copy To Clipboard

        Mail the key to the system administrator of the jumpbox system. Wait until you get confirmation from the system administrator that your key has been installed before continuing. It may take several hours for this to happen.

  4. After you receive confirmation from the jumpbox system administrator that your key has been installed:

    1. Following the directions in the first three steps above to add your CAPI certificate (if it is no longer present) and copy it to the clipboard.

    2. Right click on key agent icon again

      1. Click on New Session

        1. Enter your jumpbox hostname (or IP) in the Host Name (or IP address) text box.

        2. Click on Data under Connection on the left side.

          Enter your user name (perhaps your AUID) in the Auto-login username text box

        3. Click the plus sign,+, to left of SSH under Connection on the left side.

        4. Click on Auth under SSH

          Make sure Attempt authentication using Pagent is checked.

        5. Click on Session on the left side (at the top)

          1. Enter a suitable name in the Saved Sessions box text box, perhaps jumpbox

          2. Click Save

          3. Click Open

            You should be prompted for your SmartCard PIN and then logged into a jumpbox session.

            1. From the jumpbox session, connect to your target host with ssh using your user name for AUID (in fact, perhaps your AUID) and the hostname (or IP) of the target host for target:

               ssh AUID@target

              Enter your password when prompted. That should log you into that system.

            2. On your target system, enter

              cat >>~/.ssh/authorized_keys

            3. Paste the clipboard into the target system with Ctrl+V.

            4. Press Enter.

            5. End input to the cat command with Ctrl+D.

            6. Exit from the target session: exit.

            7. Exit from the jumpbox session: exit.

    3. Right click on key agent icon again

      1. Highlight the session for the jumpbox, perhaps jumpbox, under Saved Sessions.

      2. Click Load

      3. Click on of SSH under Connection on the left side

        Enter exit for the Remote Command

      4. Click on Session on the left side (at the top)

      5. Click Save

Appendix D: Launch the FS from a PC

This procedure assumes that you have created a client session with an ssh key for login according to the appendix Enable SSH Key Login from a PC.

It may be helpful to customize the windows according to the General X11 resources customization for a remote connection from a PC section in the main document above, but that is not necessary. It also possible to customize them per AUID account for a remote connection as described in the Per AUID account X11 resources customization section in the main document.

  1. If you require a CAPI certificate to connect, it will need to be loaded and you will need to enter your PIN each time after rebooting (and possibly after removing and reinserting your SmartCard). Click on the Details toggle below for the steps needed.

    Details

    1. Run the key agent

      For example, using the search box in the Start window, type the name of the key agent, then select the displayed app.

    2. In the Task bar, in the System Tray (usually on the right side), right click on the key agent icon. It looks like a computer/monitor with a black-hat tilted to the right. If the icon is not displayed, you may need to click the “up” arrow in the System Tray to show all the apps.

      1. Select Add CAPI Cert

        A dialog box will appear asking to confirm loading the certificate/key, click Ok (or Yes).

    3. Right-click the key agent icon in the System Tray again.

      1. Select Saved Sessions, then select the appropriate session, perhaps jumpbox.

        A dialog box will appear prompting you for your PIN, enter it and select OK.

      A window for the connection will appear. If everything goes okay, it will disappear. If it doesn’t disappear, it may contain useful information about what went wrong.

  2. In the PC connection client program on the PC, if you don’t see the list of User sessions, click the star (favorite) icon under Quick connect …​ on the left.

  3. Double-click on the session you will be using.

    1. Working in the login shell window:

      1. Promote to oper using the oper_account command.

      2. Enter your password when prompted.

      3. Start the FS: fs

        If the window placement isn’t convenient, you can customize it using the references above.

  4. To exit:

    1. Working in the login shell window:

      1. Close the client with Control+C.

        Alternatively, you can terminate the FS.

      2. Enter exit to close the oper shell.

      3. Exit from the AUID account shell (and login shell window).

  5. Press Enter (in the session tab: to close it).