Document revision history
- 1.2.2 — Restart the X11 server if changing the X11 server remote access selection
- 1.2.1 — Add instructions for quad display; add missing final “s” to a few “Xresource”
- 1.2.0 — Minor release
- 1.1.6 — Add collapsible box for document revision history
- 1.1.5 — Add: CAPI certificate setup and use, disabling remote X11 connections, and promoting to oper on connecting
- 1.1.4 — Add display specific Xresources for remote
- 1.1.3 — Add testing login shell window configuration
- 1.1.2 — Clarify which lines to change in .profile
- 1.1.1 — Add allowing for PC firewall and revision history
- 1.1.0 — Initial version
1. Introduction
This document covers customization for AUID (login) user accounts. As written, it describes customization of the oper account for AUID users on CIS hardened FSL11 systems (see the CIS hardening for FSL11 document), but it can be adapted for use in other situations. Possible adaptations include:
- Using this approach with the prog account in addition to oper. The adaptation should essentially be trivial.
- Using different .Xresources files for different remote connections for one AUID user. To fully automate this you may want to set an environment variable when connecting and use that to select the .Xresources (and other) file(s) used.
- Using this approach with non-CIS hardened systems by adding non-oper (and non-prog) login accounts that can promote to being oper with oper_account (and prog with prog_account) as for AUID accounts with CIS hardening (see the Enabling user promotion to oper/prog and root section of the CIS hardening for FSL11 document for the details).
- On non-CIS hardened systems without creating new accounts, providing special aliases (in ~/.bash_alias) to allow users to load different .Xresources files with one type-in. The rlxr alias can be used as a starting point for new aliases. There could also be aliases for running different versions of the .profile (starting alias rl) and .bashrc (starting alias rc) scripts.
For remote connections, detailed instructions are provided for the connection client currently used on PCs by stations with AUID accounts. The instructions could be adapted to other clients.
Two main areas are covered in this document:
- rc file customization — Customizations in AUID specific versions of oper's .profile and .bashrc files
- X11 resources customization — Customizations of xterm window placements and sizes
There are four appendices related to connections from a PC:
- Create Client Session on a PC — This is useful for connecting to the FS computer from a PC.
- Enable SSH Key Login from a PC — This can be used to streamline logging into the FS computer from a PC.
- Create a connection through a jumpbox with a CAPI certificate from a PC — This explains how to set up a CAPI key for a connection through a jumpbox.
- Launch the FS from a PC — This covers how to start the FS when connecting from a PC.
2. rc file customization
With the standard AUID configuration (see Adding AUID accounts in the CIS hardening for FSL11 document), there are two rc (run command) files that can be used for customization of the oper account: ~oper/.profile_<AUID> and ~oper/.bashrc_<AUID> (where <AUID> is the user’s AUID account name). These files are described below. You may find it instructive to look at the normal ~oper/.profile and ~oper/.bashrc files to understand how they are typically used.
2.1. ~oper/.profile_<AUID>
This script is run for the <AUID> user at the end of the ~oper/.profile script. As such, it is run only for interactive login shells. It is the appropriate place to set session-wide environment variables and perform one-time login tasks. Since it is run at the end of ~oper/.profile, it can effectively override many things done by ~oper/.profile.
2.2. ~oper/.bashrc_<AUID>
This script is run for the <AUID> user at the end of the ~oper/.bashrc script. As such, it is run only for interactive shells, both login and non-login. It is the appropriate place to set interactive shell information such as shell options, prompts, and command aliases. Since it is run at the end of ~oper/.bashrc, it can effectively override many things done by ~oper/.bashrc.
Note: .bashrc is run at the start of .profile for login shells.
An example of using this file for the sysadmin's AUID account is given in the Setting hostname alias section of the Additional items for FS operations appendix of the CIS hardening for FSL11 document.
3. X11 resources customization
This section provides procedures for customizing FS xterm window placement and size using X11 resources files. This may be useful for defining different window configurations on the console or when connecting over ssh from a remote device, which may have a different display size.
There are two ways to customize X11 resources: use the same customization for all users (general), or use different ones per AUID account. The approaches can be mixed so some users get the general setup and others get an individual setup.
The methods given here will not work for programs that aren’t xterm based. In particular, the positions of the RDBE monitor and rdbemsg programs cannot be set this way, but they have their own options for setting their geometries. Those options may be used on the lines for the programs in the /usr2/control/clpgm.ctl file for the client=… command and in the ~/.fvwm2rc file for hot-keys and menu options on the local console. Likewise, the appropriate line must be modified to explicitly set a geometry for a basic xterm window opened with the client=xterm command or with the window manager.
Different layouts can be supported with different commands (lines) in the files. With additional changes, it would also be possible to use different ~/.fvwm2rc files for different users on the local console.
The naming convention for the X11 resources files in ~oper is:
- .Xresources — General local values
- .Xresources_remote — General remote values
- .Xresources_<AUID> — Per AUID local values for account <AUID>
- .Xresources_remote_<AUID> — Per AUID remote values for account <AUID>
- .Xresources_remote_<AUID>_<display> — Per AUID remote values for <display> for account <AUID>
3.1. General X11 resources customization
This section provides procedures for customizing the X11 resources so they are the same for all AUID users. The customization can be different for local and remote users; each is covered in the sub-sections below. They can be combined with Per AUID account X11 resources customization to tailor the configuration for those users that want to deviate from the general one.
3.1.1. General X11 resources customization for a local connection
- Log in on the console with your AUID account.
- Enter the commands:
      mv .Xresources .Xresources.orig
      ln -sfn ~oper/.Xresources .Xresources
- Start the GUI by entering oper_x11.
- Working in the login shell window:
  - Enter your password when prompted.
  - Start the FS:
        fs
  - Adjust the windows to the sizes and positions you want. This can include the login shell window.
  - Open an additional window to work in, e.g., use client=xterm in the Operator Input window:
    - Adjust the contents of ~oper/.Xresources using the method of Setting geometry values in .Xresources.
      Tip: Copying text by dragging the mouse over it with the first button depressed and pasting with the middle mouse button may work best.
      Tip: To test the settings for the login shell window, it will be necessary to exit from the GUI and restart it with oper_x11.
      Note: The referenced method is a section of the FS “Installation Reference Document” (https://nvi-inc.github.io/fs/releases/misc/install_reference.html).
    - Enter exit to close the additional window.
  - Terminate the FS (or client).
  - Exit from the oper account shell.
  - Exit from the AUID account shell (and login shell window).
- Log in on the console with your AUID account.
- Working in the login shell window:
  - Promote to oper using the oper_account command.
  - Enter your password when prompted.
  - Start the FS:
        fs
    (or client: fsclient)
    The windows should appear as you set them. If not, you may need to iterate adjusting the ~oper/.Xresources file.
3.1.2. General X11 resources customization for a remote connection from a PC
This procedure assumes that you have created a client session for connecting to the FS computer on the PC according to the appendix Create Client Session on a PC.
Caution: Before starting, you may want to make sure the PC has the display set to 100% scaling (this may require logging out and logging in again) and the Taskbar is set to automatically hide. This will give more screen space to work with.
- In the connection client program on the PC, double-click on the session you will be using.
- Enter your password if prompted for it. If prompted to save your password, click No.
- Working in the login shell window:
  - Promote to oper using the oper_account command.
  - Enter your password when prompted.
  - Start the FS:
        fs
  - Adjust the windows to the sizes and positions you want. This can include the login shell window.
  - Open an additional window to work in, e.g., use client=xterm in the Operator Input window:
    - Edit the ~oper/.profile file: change the xrdb -merge … line for a remote connection. This is the first one in the file. The following lines show the preceding comment to help identify it. Only the second line needs to be modified. Change:
          # ssh from remote host with X display
          xrdb -merge ~/.Xresources
      to:
          # ssh from remote host with X display
          xrdb -merge ~/.Xresources_remote
    - If you have not already created the general .Xresources_remote file according to Quad Display, create one by copying the nominal file:
          cp .Xresources .Xresources_remote
    - If needed, adjust the contents of ~oper/.Xresources_remote using the method of Setting geometry values in .Xresources.
      Tip: Copying text by dragging the mouse over it with the first button depressed and pasting with the middle mouse button may work best.
      For testing the configuration for all windows except login shell, instead of using the rlxr alias, use the command:
          xrdb -merge ~oper/.Xresources_remote
      and restart the FS. To test for login shell, it will be necessary to log out of the AUID session completely and log back in again.
      Note: The referenced method is a section of the FS “Installation Reference Document” (https://nvi-inc.github.io/fs/releases/misc/install_reference.html).
    - Enter exit to close the additional window.
  - Terminate the FS (or the client).
  - Exit from the oper account shell.
  - Exit from the AUID account shell (and login shell window).
- Press Enter in the session tab to close it.
- Right-click on the session you are using.
  - Click Edit session
  - Click Advanced SSH settings
    - Change the xrdb command part of the Execute command: text box (the part before the semi-colon, ;) to:
          xrdb -merge ~oper/.Xresources_remote
      Caution: The changes are to the path and name of the X11 resources file.
  - Click OK
- Double-click on the session you are working with.
- Enter your password if prompted for it. If prompted to save your password, click No.
- Working in the login shell window:
  - Promote to oper using the oper_account command.
  - Enter your password when prompted.
  - Start the FS:
        fs
    (or client: fsclient)
    The windows should appear as you set them. If not, you may need to iterate adjusting the ~oper/.Xresources_remote file.
3.2. Per AUID account X11 resources customization
The steps in this introductory section only need to be done once. For each user that wants individualized settings, use the steps in the sub-sections below for local and remote connections as appropriate.
- Log in on the console with your AUID account or double-click on the session in the connection client on the PC.
  If you are working from a PC, you must have already set up the session according to the appendix Create Client Session on a PC.
- Working in the login shell window:
  - Promote to oper with the oper_account command.
  - Enter your password when prompted.
  - If the oper account has not already been set up according to General X11 resources customization for a remote connection from a PC or a .Xresources_remote file created according to Quad Display, create the general file for remote by copying the nominal file:
        cp .Xresources .Xresources_remote
  - Edit the file ~oper/.profile to make two changes:
    - Change the xrdb -merge … line for a remote connection. This is the first one in the file. The following lines show the preceding comment to help identify it. Only the second line needs to be modified.
      Caution: If the oper account has not already been set up according to General X11 resources customization for a remote connection from a PC, the old line will have ~/.Xresources instead of ~/.Xresources_remote. Replace it anyway.
      Change:
          # ssh from remote host with X display
          xrdb -merge ~/.Xresources_remote
      to:
          # ssh from remote host with X display
          if [ -f "$HOME/.Xresources_remote_$SUDO_USER" ]; then
            xrdb -merge ~/.Xresources_remote_$SUDO_USER
          else
            xrdb -merge ~/.Xresources_remote
          fi
    - Change the xrdb -merge … line for a local connection. This is the last one in the file (the third including the one added above). The following lines show the preceding comment to help identify it. Only the second line needs to be modified. Change:
          # login shell (because this is .profile) on the local X console
          xrdb -merge ~/.Xresources
      to:
          # login shell (because this is .profile) on the local X console
          if [ -f "$HOME/.Xresources_$SUDO_USER" ]; then
            xrdb -merge ~/.Xresources_$SUDO_USER
          else
            xrdb -merge ~/.Xresources
          fi
  - Enter exit to close the oper account shell.
  - Exit from the AUID account shell (and login shell window).
- If you connected from a PC, press Enter in the session tab to close it.
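The selection logic that the edited ~oper/.profile performs, written as a function and extended to the display-specific files of the naming convention, is shown here as an added example (it is not part of the FS distribution). The function names and the XRES_DISPLAY variable are assumptions; a display tag supplied by the connecting client is untrusted input, so it is validated before it becomes part of a file name.

```shell
#!/bin/sh
# Added example, not part of the FS distribution.
# XRES_DISPLAY is a hypothetical variable holding a display tag ("quad",
# "laptop") that the connecting client would have to set.

# Account names and display tags end up inside a file name, so accept only
# a conservative character set (no "/", ".", spaces or shell metacharacters).
xres_safe_name() {
    case $1 in
        '' | *[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Use a candidate only if it is a regular file, not a symlink, and owned by
# the account running the shell (oper when called from ~oper/.profile).
xres_usable() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -O "$1" ]
}

# select_xresources DIR AUID [TAG]
# Print the most specific usable remote resources file, trying in order
#   .Xresources_remote_<AUID>_<TAG>, .Xresources_remote_<AUID>, .Xresources_remote
# Returns 1 if none of them is usable.
select_xresources() {
    sx_dir=$1
    sx_auid=$2
    sx_tag=${3:-}
    xres_safe_name "$sx_auid" || sx_auid=
    xres_safe_name "$sx_tag" || sx_tag=

    # Build the candidate list, most specific first.
    set -- "$sx_dir/.Xresources_remote"
    if [ -n "$sx_auid" ]; then
        set -- "$sx_dir/.Xresources_remote_${sx_auid}" "$@"
        if [ -n "$sx_tag" ]; then
            set -- "$sx_dir/.Xresources_remote_${sx_auid}_${sx_tag}" "$@"
        fi
    fi
    for sx_file in "$@"; do
        if xres_usable "$sx_file"; then
            printf '%s\n' "$sx_file"
            return 0
        fi
    done
    return 1
}

# In ~oper/.profile the remote branch could then read:
#   if f=$(select_xresources "$HOME" "${SUDO_USER:-}" "${XRES_DISPLAY:-}"); then
#       xrdb -merge "$f"
#   fi

# Demonstration on a constructed directory (no X server needed).
xres_demo() {
    xd=$(mktemp -d) || return 1
    : >"$xd/.Xresources_remote"
    : >"$xd/.Xresources_remote_dhorsley"
    : >"$xd/.Xresources_remote_dhorsley_quad"
    select_xresources "$xd" dhorsley quad           # display-specific file
    select_xresources "$xd" dhorsley '../../tmp/x'  # tag rejected: per-AUID file
    select_xresources "$xd" 'not/a/name'            # AUID rejected: general file
    rm -rf "$xd"
}
xres_demo
```

With this ordering a display-specific file wins over the per-AUID file, so the dummy per-AUID file used in the quad display procedure is only reached when no tag is passed.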
3.2.1. Per AUID account X11 resources customization for a local connection
Caution: This procedure uses dhorsley as an example AUID (login) account name. You should substitute your login account name wherever dhorsley is used.
Except for the three items below, follow the same procedure as in General X11 resources customization for a local connection:
- Just after logging into the AUID account, dhorsley for this example, execute the commands below.
  Caution: If the oper account has already been set up according to General X11 resources customization for a local connection, do not use the mv command below.
      mv .Xresources .Xresources.orig
      ln -sfn ~oper/.Xresources_dhorsley .Xresources
- When the additional window is opened, e.g., with client=xterm:
  - Copy the nominal file:
        cp .Xresources .Xresources_dhorsley
  - Adjust the contents of ~oper/.Xresources_dhorsley instead of ~oper/.Xresources.
    For testing the configuration for all windows except login shell, instead of using the rlxr alias, you can use the command:
        xrdb -merge ~oper/.Xresources_dhorsley
    and restart the FS. To test the settings for the login shell window, it will be necessary to exit from the GUI and restart it with oper_x11.
- If you need to iterate, adjust the file ~oper/.Xresources_dhorsley.
3.2.2. Per AUID account X11 resources customization for a remote connection from a PC
Caution: This procedure uses dhorsley as an example AUID (login) account name. You should substitute your login account name wherever dhorsley is used.
Caution: This procedure assumes you are setting this up for a quad display as described at Quad Display. If you are doing it for, say, your laptop, you can use laptop in place of quad in the instructions below. You can have both quad and laptop (and other additional) configurations for a given AUID user. This is helpful if you connect from different machines with different X11 resolutions or display sizes.
Tip: If you are only making a non-display specific Xresources file, e.g., ~oper/.Xresources_remote_dhorsley for this user, drop the _quad in the instructions below and skip making the dummy ~oper/.Xresources_remote_dhorsley file.
Except for the three items below, follow the same procedure as in General X11 resources customization for a remote connection from a PC:
- When the additional window is opened, e.g., with client=xterm:
  - Do not edit the ~oper/.profile file.
  - Do not copy to create the general remote file.
  - Instead, copy the general remote file to create the AUID remote file for this display:
        cp .Xresources_remote .Xresources_remote_dhorsley_quad
  - Create a dummy .Xresources_remote_dhorsley file:
        cat <<EOT >.Xresources_remote_dhorsley
        !if this file has no resources look for other .Xresources_remote_* files for this AUID
        EOT
    Tip: Skip this sub-step if you are making a non-display specific Xresources file for this user.
    Note: Since the display specific Xresources are set by the command that the PC client uses, this sub-step prevents the Xresources from being overwritten and removes additional (redundant) communication with the X11 server.
  - Adjust the contents of ~oper/.Xresources_remote_dhorsley_quad instead of ~oper/.Xresources_remote.
    For testing the configuration of all windows except login shell, the rlxr alias will not reload its resources, but you can use the command:
        xrdb -merge ~oper/.Xresources_remote_dhorsley_quad
    and restart the FS. To test for login shell, it will be necessary to log out of the AUID session completely and log back in again.
- When changing the xrdb command part of the Execute command: text box (the part before the semi-colon, ;), make it:
      xrdb -merge ~oper/.Xresources_remote_dhorsley_quad
  Caution: The changes are to the path and name of the X11 resources file.
- If you need to iterate, adjust the file ~oper/.Xresources_remote_dhorsley_quad.
Appendix A: Create Client Session on a PC
Detailed instructions are provided for the connection client used by stations that connect from PCs.
If you will be connecting with a CAPI certificate through a jumpbox, follow the directions in the Create a connection through a jumpbox with a CAPI certificate from a PC appendix before using these instructions.
Caution: This procedure uses dhorsley as an example login account name. You should substitute your login account name wherever dhorsley is used.
Note: The first time you run the client connection program, you will probably be prompted by the firewall about whether to allow connections for its X11 server. If so, click Allow. Then you may be prompted about whether to allow the firewall to make changes. If so, click Yes.
- In the client connection program on the PC, click Session
  - Click SSH
  - Use the IP address of the FS computer for the Remote host *.
  - Check the Specify username box, and supply the AUID account name, dhorsley (for this example).
  - Click Advanced SSH settings
    - Make sure the X11-Forwarding box is checked.
    - Make sure the Remote environment: is Interactive shell.
    - In the Execute command: text box, enter:
          xrdb -merge ~/.Xresources ; xterm -ls -name login_sh
      Tip: If you want this session to directly promote to oper, add -e oper_account to the end of the command (note the required leading space).
      Note: Quad Display: If your FS display uses four monitors, a quad display (an arrangement that provides much more screen real estate), you may want to use the slightly different approach that follows.
      In the Execute command: text box, enter instead:
          xrdb -merge ~oper/.Xresources_remote ; bash
      This command will open a bash shell prompt on the target machine. From there, you can open xterms that will be sized and positioned according to the oper Xresources file (which must be installed, see below). For example, you can define Xresources for a window named xterm_2 and start such an xterm with:
          xterm -name xterm_2 &
      If you promote to oper before opening the xterm, it will run in the oper account instead of the AUID account.
      Example files for use with a quad display are included in /root/fsl11/quad_display/:
      - fsy — A script to open a login shell running the FS, or running the client if the FS is already running. It is intended to be run after promoting to oper in the bash shell session opened by the connection.
      - xterm_2 — A script to open an xterm with the name xterm_2. This is also intended to be run from the bash shell session opened by the connection, but it may be before or after promoting to oper depending on what is needed.
      - .Xresources_remote — An example quad display Xresources file that includes example window layouts, including for xterm_2.
      The scripts can be placed in ~oper/bin by root:
          cd ~oper/bin
          cp /root/fsl11/quad_display/fsy .
          cp /root/fsl11/quad_display/xterm_2 .
          chown oper.rtx fsy xterm_2
          chmod o-x fsy
      The Xresources file can be placed in ~oper by root:
          cd ~oper
          cp /root/fsl11/quad_display/.Xresources_remote .
          chown oper.rtx .Xresources_remote
      If the file already exists in ~oper you will be asked to confirm the cp. If it is safe to overwrite, you can answer y. Working as oper, you can modify the size and placement of the windows in ~oper/.Xresources_remote as you wish.
      Working as oper, you can set up additional xterms: xterm_3, etc., either by cloning and modifying ~oper/bin/xterm_2 or adding them to that script. The resources for xterm_2 in ~oper/.Xresources_remote can be copied-and-pasted for each additional xterm and the copies modified.
    - Make sure the Do not exit after command ends is not checked.
  - Click Bookmark settings
    - Optionally, change the Session name: to something more meaningful, for this example: fs1-12m or dhorsley@fs1-12m.
  - If you will be using a CAPI certificate to connect through a jumpbox, these additional steps are needed:
    - Click on Network settings
    - Click on SSH gateway (jump host)
    - Enter the jumpbox address in the Gateway host text box.
    - Enter your user name on the jumpbox in the Username text box.
    - Enter the port (usually 22) on the jumpbox in the Port text box.
    - Check Use SSH key, but do not select a key file in the field below it.
    - Click OK
    Note: You can create tunnels for additional connections through the jumpbox using the Tunnels menu in the top level of the client connection program. These tunnels can be started automatically when you start the program by selecting the blue “runner” icon on the corresponding line.
  - Click OK
    The client will attempt to connect.
- If you are asked to accept the connection (maybe connexion) and the displayed IP address is correct, click Accept.
- Enter your password when prompted. If prompted to save your password, click No.
  The login shell window should appear, but it may be oddly placed/sized.
- Working in the login shell window:
  - Enter exit.
- Press Enter in the session tab to close it.
- For improved security, click Settings
  - Click X11
    - For X11 remote access, select disabled.
  - Click OK
  - If you changed the setting, you will need to restart the X11 server. Click Yes if you are given that option.
Tip: You can create a desktop shortcut to open the connection. In the connection client:
If you aren’t using a CAPI certificate, please see the appendix Enable SSH Key Login from a PC for a way to streamline logging in without using a password. That is better than having the connection client remember your password since that may change.
Appendix B: Enable SSH Key Login from a PC
If you are not using a CAPI certificate, you can avoid the need to enter your password each time you login by using an ssh key. The key will work across password changes, but will not work if the password has expired.
Note: You will still need to use your password to promote to oper on the FS machine.
This procedure assumes that you have created a client session for connecting to the FS computer on the PC according to the appendix Create Client Session on a PC.
- In the connection client program on the PC, click Tools
  - Click the option with (SSH key generator)
  - Make sure RSA is selected for Type of key to generate.
  - Make sure 2048 is entered for Number of bits in a generated key.
  - Click Generate
    Move the mouse around the blank area to generate some randomness until a key is displayed.
  - Click Save Private key
    - When prompted, click Yes to confirm saving the key without a passphrase.
    - Click the (your) Documents folder.
    - Enter a File Name: id_rsa. A .ppk extension is added automatically.
    - Click Save
  - Use the mouse to copy the text in the Public key for … field.
    Select the entire text (starting with ssh-rsa through the rsa-key-YYYYMMDD) by dragging the mouse over it with the first button depressed. You may need to drag downward to force scrolling in the text box to get it all. Then enter Control+C to copy it.
  - Close the window with the X in the upper right corner.
- Double-click on the session you want to connect to.
  Note: If this method for transferring the public key, specifically the pasting, doesn’t work, you can try the Alternative method in the NOTE below.
- Enter your password when prompted. If prompted to save your password, click No.
- Working in the login shell window:
  - Enter:
        cat >>~/.ssh/authorized_keys
  - Paste the copied text into the window by pressing the middle mouse button.
  - Press Enter.
  - Press Control+D.
  - Enter exit to close the connection to the FS computer.
- Press Enter in the session tab to close it.
  Note: Alternative: If the above method for transferring the public key does not work, this may:
  - Click Start local terminal
  - Use ssh to connect to the FS machine, using your AUID account name instead of dhorsley and the FS machine’s IP address in place of xxx.xxx.xxx.xxx:
        ssh dhorsley@xxx.xxx.xxx.xxx
    ssh will attempt to connect.
  - If prompted to confirm the remote host’s key, enter yes, unless you have some reason to believe it is incorrect.
  - Enter your password when prompted. If prompted to save your password, click No.
  - In the connection to the FS, enter:
        cat >>~/.ssh/authorized_keys
  - Paste the copied text into the window with Shift+Insert, or right-click in the window and click Paste.
    When right-clicking, if you are prompted to assign Actions of mouse buttons, click right-click action as Show context menu, click OK and then click Paste from the context menu.
    If you are prompted for … paste confirmation, click OK.
  - Press Enter.
  - Press Control+D.
  - Enter exit to close the connection to the FS computer.
  - Enter exit to close the local terminal.
- Right-click on the session where you will install the key (fs1-12m in this example).
  - Click Edit session
  - Click Advanced SSH settings
    - Make sure the Use private key box is checked.
    - Click on the browse icon in the text entry field for Use private key.
      - Double-click on the private key file you created, id_rsa (Type: PuTTY Private Key File; extension .ppk), in the (your) Documents directory.
  - Click OK
- Test the connection by double-clicking on the session.
  The login shell window should appear.
  - Working in the login shell window:
    - Enter exit.
- Press Enter in the session tab to close it.
Appendix C: Create a connection through a jumpbox with a CAPI certificate from a PC
Caution: These instructions have not been verified, but should be close to being correct. Please report any discrepancies.
- Run the key agent.
  For example, using the search box in the Start window, type the name of the key agent, then select the displayed app.
- In the Task bar, in the System Tray (usually on the right side), right-click on the key agent icon. It looks like a computer/monitor with a black hat tilted to the right. If the icon is not displayed, you may need to click the “up” arrow in the System Tray to show all the apps. Once the app is displayed, right-click on it.
  - Select Add CAPI Cert
    If a dialog box appears asking to confirm loading the certificate/key, click Ok (or Yes).
- Right-click on the key agent icon again.
  - Select View Keys & Certs
  - In the … Key List window, select the key, if it isn’t already.
  - Click on Copy To Clipboard
    Mail the key to the system administrator of the jumpbox system. Wait until you get confirmation from the system administrator that your key has been installed before continuing. It may take several hours for this to happen.
- After you receive confirmation from the jumpbox system administrator that your key has been installed:
  - Follow the directions in the first three steps above to add your CAPI certificate (if it is no longer present) and copy it to the clipboard.
  - Right-click on the key agent icon again.
    - Click on New Session
    - Enter your jumpbox hostname (or IP) in the Host Name (or IP address) text box.
    - Click on Data under Connection on the left side.
      Enter your user name (perhaps your AUID) in the Auto-login username text box.
    - Click the plus sign, +, to the left of SSH under Connection on the left side.
    - Click on Auth under SSH
      Make sure Attempt authentication using Pageant is checked.
    - Click on Session on the left side (at the top)
      - Enter a suitable name in the Saved Sessions text box, perhaps jumpbox
      - Click Save
      - Click Open
        You should be prompted for your SmartCard PIN and then logged into a jumpbox session.
        - From the jumpbox session, connect to your target host with ssh using your user name for AUID (in fact, perhaps your AUID) and the hostname (or IP) of the target host for target:
              ssh AUID@target
          Enter your password when prompted. That should log you into that system.
        - On your target system, enter
              cat >>~/.ssh/authorized_keys
        - Paste the clipboard into the target system with Ctrl+V.
        - Press Enter.
        - End input to the cat command with Ctrl+D.
        - Exit from the target session: exit.
        - Exit from the jumpbox session: exit.
  - Right-click on the key agent icon again.
    - Highlight the session for the jumpbox, perhaps jumpbox, under Saved Sessions.
    - Click Load
    - Click on SSH under Connection on the left side.
      Enter exit for the Remote Command
    - Click on Session on the left side (at the top)
    - Click Save
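Both this appendix and Enable SSH Key Login from a PC install the public key by pasting it into cat >>~/.ssh/authorized_keys, which accepts whatever arrives, including a selection that stopped short or a private key pasted by mistake. The following added example (not part of the FS documentation or tools) checks the pasted line before appending it and sets the permissions sshd expects; the function name, the list of accepted key types and the sample key are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the FS documentation or tools.

# add_authorized_key KEYLINE [HOME_DIR]
# Returns 0 if the key is present afterwards, 2 if the text is rejected,
# 1 on a file-system error.
add_authorized_key() {
    ak_line=$1
    ak_home=${2:-$HOME}
    ak_nl='
'
    # A public key for authorized_keys is exactly one line; a wrapped or
    # multi-line paste is rejected.
    case $ak_line in
        *"$ak_nl"*) echo "rejected: more than one line" >&2; return 2 ;;
    esac

    ak_type=${ak_line%% *}
    ak_rest=${ak_line#* }
    if [ "$ak_rest" = "$ak_line" ]; then
        echo "rejected: no key data after the type" >&2; return 2
    fi
    ak_blob=${ak_rest%% *}

    # The base64 data starts with the encoded key type, so its prefix must
    # agree with the first field. The accepted types are this example's choice.
    case $ak_type in
        ssh-rsa) ak_prefix=AAAAB3NzaC1yc2E ;;
        ssh-ed25519) ak_prefix=AAAAC3NzaC1lZDI1NTE5 ;;
        ecdsa-sha2-nistp256) ak_prefix=AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY ;;
        *) echo "rejected: not a supported public key type" >&2; return 2 ;;
    esac
    case $ak_blob in
        *[!A-Za-z0-9+/=]*) echo "rejected: non-base64 character" >&2; return 2 ;;
        "$ak_prefix"*) ;;
        *) echo "rejected: key data does not match $ak_type" >&2; return 2 ;;
    esac
    # Base64 comes in groups of four characters; a selection that stopped
    # short usually breaks this (a structural check, not proof of completeness).
    if [ $(( ${#ak_blob} % 4 )) -ne 0 ]; then
        echo "rejected: key data looks truncated" >&2; return 2
    fi

    ak_dir=$ak_home/.ssh
    ak_file=$ak_dir/authorized_keys
    # With StrictModes (the sshd default) a group- or world-writable
    # authorized_keys file or ~/.ssh directory is refused.
    ( umask 077 && mkdir -p "$ak_dir" && touch "$ak_file" ) || return 1
    chmod 700 "$ak_dir" || return 1
    chmod 600 "$ak_file" || return 1

    # Do not append the same key twice.
    if grep -qF -- "$ak_type $ak_blob" "$ak_file"; then
        return 0
    fi
    printf '%s\n' "$ak_line" >>"$ak_file"
}

# Demonstration with constructed (not real) key lines and a temporary home.
ak_demo() {
    ah=$(mktemp -d) || return 1
    add_authorized_key \
        'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Zm9vYmFy rsa-key-20240101' "$ah" \
        && echo "complete line installed"
    add_authorized_key \
        'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Zm9vY rsa-key-20240101' "$ah" \
        || echo "short selection refused"
    rm -rf "$ah"
}
ak_demo
```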
Appendix D: Launch the FS from a PC
This procedure assumes that you have created a client session with an ssh key for login according to the appendix Enable SSH Key Login from a PC.
It may be helpful to customize the windows according to the General X11 resources customization for a remote connection from a PC section in the main document above, but that is not necessary. It is also possible to customize them per AUID account for a remote connection as described in the Per AUID account X11 resources customization section in the main document.
- If you require a CAPI certificate to connect, it will need to be loaded and you will need to enter your PIN each time after rebooting (and possibly after removing and reinserting your SmartCard). The steps needed are:
  - Run the key agent.
    For example, using the search box in the Start window, type the name of the key agent, then select the displayed app.
  - In the Task bar, in the System Tray (usually on the right side), right-click on the key agent icon. It looks like a computer/monitor with a black hat tilted to the right. If the icon is not displayed, you may need to click the “up” arrow in the System Tray to show all the apps.
    - Select Add CAPI Cert
      A dialog box will appear asking to confirm loading the certificate/key; click Ok (or Yes).
  - Right-click the key agent icon in the System Tray again.
    - Select Saved Sessions, then select the appropriate session, perhaps jumpbox.
      A dialog box will appear prompting you for your PIN; enter it and select OK.
    A window for the connection will appear. If everything goes okay, it will disappear. If it doesn’t disappear, it may contain useful information about what went wrong.
- In the connection client program on the PC, if you don’t see the list of User sessions, click the star (favorite) icon under Quick connect … on the left.
- Double-click on the session you will be using.
- Working in the login shell window:
  - Promote to oper using the oper_account command.
  - Enter your password when prompted.
  - Start the FS:
        fs
    If the window placement isn’t convenient, you can customize it using the references above.
- To exit:
  - Working in the login shell window:
    - Close the client with Control+C.
      Alternatively, you can terminate the FS.
    - Enter exit to close the oper shell.
    - Exit from the AUID account shell (and login shell window).
  - Press Enter in the session tab to close it.