Setting up New User on UltraScan-in-a-Box

Introduction

In order to set up a new user on the USiaB server, you will need to have administrator rights on the USiaB server and on the client PC. The client PC should have either Windows 10, macOS, or Linux.

For this, we will take the user name to be 'ultrascan3' and assume the client has a Windows 10 PC.

INSTRUCTIONAL VIDEO

0:00:00 Introduction (5:31)
5:31:20 Adding a user account to USiaB (2:37)
8:09:04 Adding a user to the ssh permission list (3:53)
12:03:04 Setting up a VNC password (1:2)
13:05:07 Adding a user to the VNC user list and starting up the VNC server (1:53)
14:58:13 Adding a Unix account ssh key (RSA) (2:1)
16:59:18 Registering a new LIMS account (4:30)
21:30:06 Assigning LIMS permissions for the new user (3:15)
24:45:10 Setting up a VNC ssh tunnel for the user (2:44)
27:30:04 Setting up authorized_keys in the Unix account of the new user (3:55)
31:25:13 Setting up the ssh VNC tunnel on the client computer (4:54)
36:20:09 Logging into VNC from the client computer (1:36)
37:56:09 Registering the UltraScan desktop software (2:5)
40:02:03 Connecting UltraScan to the LIMS account (4:28)


SSH Keys

Adding a user account to USiaB

On the USiaB server, open the terminal. You must be an admin. The command 'sudo su' will place you into the root shell ('su' means superuser), and '-' makes it a login shell that reads the environment of the shell. The command 'adduser' will add a new user with the name that is provided. A password must then be set for the user. The software will check the complexity of the password; include upper case letters, lower case letters, numbers, and special characters to increase password security. A new home directory will now be set up under the name 'ultrascan3'.

[marielle@uslims ~]$ sudo su -
[root@uslims ~]# adduser ultrascan3
[root@uslims ~]# passwd ultrascan3
    Changing password for user ultrascan3
    New password: *****
    Retype new password: *****
    passwd: all authentication tokens updated successfully.
[root@uslims ~]# cd /home
[root@uslims home]# ls

Adding a user to the ssh permission list

Now we can configure the secure shell daemon so that the new user can log in from a remote location using the secure shell protocol. The daemon's configuration is a text file, 'sshd_config' in /etc/ssh, which will need to be edited. Under the security model of USiaB, each user must be individually exempted, as must the IP addresses from which they will connect.

Find the 'sshd_config' file. This file is the configuration file for the daemon that will accept incoming connections. This file must be edited.

[root@uslims home]# cd /etc
[root@uslims etc]# cd ssh
[root@uslims ssh]# pwd
   /etc/ssh
[root@uslims ssh]# ls
   ssh_config    sshd_config
   ...           ...
[root@uslims ssh]# vi sshd_config

Now you will be in the server configuration file. Scroll down to the end for a section of the form:

Match host 142.66.01.3/22, [ip1], [ip2]
    AllowUsers demeler marielle [new user name = ultrascan3]
Match all

Here, you can add specific IP addresses and user names. IP addresses are separated by commas and user names are separated by spaces. Press 'Esc' and type ':wq' to write and quit.

[root@uslims ssh]# systemctl restart sshd
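
A way to confirm that the edit put the new user inside the restricted Match section, as an added example that is not part of the original instructions or of USiaB. The function names and the sample file are assumptions made for illustration; the sample is constructed from the form shown above and is not the server's real file.

```shell
#!/bin/sh
# Added example. match_blocks_allowing CONFIG USER prints every "Match" line
# whose block has an AllowUsers entry naming USER; exit status 1 if none does.
# Only literal user names are compared (no user@host or wildcard patterns).
match_blocks_allowing() {
    awk -v user="$2" '
        /^[ \t]*(#|$)/ { next }                        # skip comments and blank lines
        tolower($1) == "match" {                       # keywords are case-insensitive
            block = (tolower($2) == "all") ? "" : $0   # "Match all" ends the restricted block
            next
        }
        block != "" && tolower($1) == "allowusers" {
            for (i = 2; i <= NF; i++)
                if ($i == user) { print block; found = 1 }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Constructed sample in the form shown above (not the server's real file).
write_sample_config() {
    cat > "$1" <<'EOF'
# global settings would precede this section
Match host 142.66.01.3/22
    AllowUsers demeler marielle
Match all
EOF
}
```

Running 'sshd -t' before 'systemctl restart sshd' additionally checks the file for syntax errors, so a typo in the edit does not stop the daemon from coming back up.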

Setting up a VNC password

Now, we can set up a VNC password for the new user by becoming the user using the 'sudo su' command.

[root@uslims ssh]# sudo su - ultrascan3
[ultrascan3@uslims ~]$ vncpasswd
    Password: ******
    Verify: ******
    Would you like to enter a view-only password (y/n)? {n}
    A view-only password is not used.
[ultrascan3@uslims ~]$ exit

Adding a user to the VNC user list and starting up the VNC server

Once the password has been set, we need to add the new user to the vnc user list. Every new user is assigned a private port number.

[root@uslims ssh]#  vncadmin add ultrascan3
    Info: adding user 'ultrascan3' to group vncusers
    Info: creating /home/ultrascan3/.vnc/config
    Notice: user 'ultrascan3' has been assigned vnc port 26

Now that the new user has been assigned a port number, start the VNC server as the user.

[root@uslims ssh]# sudo su - ultrascan3
[ultrascan3@uslims ~]$ sudo vncctl start
    vnc port for user ultrascan is :26
    for ssh tunneling use numerical port 5926

Adding a Unix account ssh key (RSA)

Now let us set up an RSA key for the new user. Use the command 'ssh-keygen -t rsa' to generate an RSA public/private key pair.

[ultrascan3@uslims ~]$ ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/ultrascan3/.ssh/id_rsa): {enter}
    Created directory '/home/ultrascan3/.ssh'.
    Enter passphrase (empty for no passphrase): {enter} 
    Enter same passphrase again: {enter}
    Your identification has been saved in /home/ultrascan3/.ssh/id_rsa.
    Your public key has been saved in /home/ultrascan3/.ssh/id_rsa.pub.
    The key fingerprint is:
    ...
    The key's randomart image is:
    ...

The file 'id_rsa' contains your personal private key. Never share this key. The file 'id_rsa.pub' is the matching public key, which is meant for others to see. You can share this key.

[ultrascan3@uslims ~]$ cd .ssh
[ultrascan3@uslims .ssh]$ ls
    id_rsa
    id_rsa.pub

UltraScan LIMS

Registering a new LIMS account

To apply for an account on LIMS, go to uslims.uleth.ca and click on the institution, CCH. Click on Login, then go to 'New users' and sign up. Enter the Captcha and register with your personal information: first and last name, organization, address, city, province, postal code, country, phone, and email. Select 'create new account'. The new account registration is mailed to your email address. Within one week, follow the directions in the email from cch.uleth.ca called "Your new UltraScan3 LIMS portal Account": click on the link and log in with the temporary password. Use 'Change my Info' to change the password, then click update. Log out.

Assigning LIMS permissions for the new user

Assume the role of an administrator with superuser permissions, who can change the LIMS settings for new users so that they can enter with elevated permissions. Go to Admin Info and Edit User Info. Find the new user. Under User Level, change the level to user level3 (admin). Provide access to the us3lab-node0 supercomputer. Assign instrument permissions. Click Update. Log out.

VNC

Setting up a VNC ssh tunnel for the user

On the client computer, open the command prompt.

C:\Users\ultrascan3> ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (C:\Users\ultrascan3/.ssh/id_rsa):
    Created directory 'D:\Users\ultrascan3/.ssh'.
    Enter passphrase (empty for no passphrase): {enter}   
    Enter same passphrase again: {enter}
    Your identification has been saved in ...
    Your public key has been saved in ...
    The key fingerprint is:
    ....
    The key's randomart image is:
    ...
C:\Users\ultrascan3> cd .ssh
C:\Users\ultrascan3/.ssh> dir
        1,679 id_rsa
          409 id_rsa.pub
        ...

The public key, 'id_rsa.pub', needs to be installed on the remote USiaB server in the new user's account. The easiest way to do this is to mail the public key to the administrator.

Setting up authorized_keys in the Unix account of the new user

On the server, download the mailed public key and open the file in a new terminal window.

[marielle@uslims ~]$ cd Downloads/
[marielle@uslims Downloads]$ ls -ltra
[marielle@uslims Downloads]$ vi id_rsa.pub

Copy the key and switch to the new user's terminal window.

[ultrascan3@uslims .ssh]$ vi authorized_keys

This will create a new file called 'authorized_keys'. In this file, paste the public RSA key as a single line. There should not be any line breaks. Press 'Esc' and type ':wq' to write and quit.

We can check the permissions of the 'authorized_keys' file. They will be '-rw-rw-r--'. This allows read/write access for the owner and group, and read access for others.

[ultrascan3@uslims .ssh]$ ls -l

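We need to change it to read/write access for the owner only; with its default strict mode checking, sshd refuses an 'authorized_keys' file that the group or others can write to.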

[ultrascan3@uslims .ssh]$ chmod 600 authorized_keys
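
The paste-and-chmod steps above as one function that also checks the conditions the text relies on (one line, no line breaks, owner-only permissions). This is an added example, not part of the original instructions or of USiaB; the function name, return codes and SAMPLE_KEY are assumptions, and it is meant to be run as the account owner.

```shell
#!/bin/sh
# Added example. install_pubkey PUBFILE HOMEDIR, run as the account owner.
# Returns 0 if the key is installed (or already present), 2 if the file holds
# more than one line, 3 if the line is not an OpenSSH public key.
install_pubkey() {
    pub=$1; home=$2
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }
    # Drop carriage returns (file mailed from Windows) and empty lines.
    key=$(tr -d '\r' < "$pub" | sed '/^[[:space:]]*$/d')
    # A key wrapped over several lines is not recognised by sshd.
    lines=$(printf '%s\n' "$key" | awk 'END { print NR }')
    [ "$lines" -eq 1 ] || { echo "reject: key must be one line, got $lines" >&2; return 2; }
    # Expect "<type> <base64> [comment]"; this also rejects a private key file.
    printf '%s\n' "$key" |
        grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$' ||
        { echo "reject: not an OpenSSH public key line" >&2; return 3; }
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 1
    auth="$home/.ssh/authorized_keys"
    touch "$auth" && chmod 600 "$auth" || return 1
    # Compare on the base64 blob so a different comment does not add a duplicate.
    blob=$(printf '%s\n' "$key" | awk '{ print $2 }')
    grep -qF -- "$blob" "$auth" || printf '%s\n' "$key" >> "$auth"
}

# Constructed stand-in for a mailed id_rsa.pub; the blob is not a real key.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedSampleOnly ultrascan3@client-pc'
```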

Setting up the ssh VNC tunnel on the client computer

Now we can check to see if the VNC is active and running. Note the vnc port and numerical port.

[ultrascan3@uslims ~]$ sudo vncctl status

On the client computer, open the command shell. Since this is the first connection, ssh warns that the server's host key is not yet known and shows its fingerprint for confirmation.

C:\Users\ultrascan3> ssh ultrascan3@uslims.uleth.ca
    The authenticity of host 'ultrascan3@uslims.uleth.ca (142.66.17.10)' can't be established.
    ECDSA key fingerprint is SHA256:etc.
    Are you sure you want to continue connecting (yes/no)? {yes}

    Warning: Permanently adding 'uslims.uleth.ca,142.66.17.10' (ECDSA) to the list of known hosts. 
    Activate the web console with: systemctl enable --now cockpit.socket
    Last Login: Fri Aug 20

Now we have access to the new user's account on the USiaB server. Next, we can tunnel the VNC connection to our local host. The options 'NCL' tell ssh not to run a remote command, so the session only holds the tunnel open (N), to compress the connection (C), and to create a forward tunnel between the following ports, with the local port number coming first (L).

C:\Users\ultrascan3> ssh -NCL 5901:localhost:5926 ultrascan3@uslims.uleth.ca

Logging into VNC from the client computer

Download a VNC viewer. For Windows 10, use TightVNC. Download the application and install it. Make sure to change the settings to include the viewer only; the server is not necessary.

Open the viewer. The remote host will be 'localhost:1'. Enter the new user's password to enter the VNC.

UltraScan Desktop Software

Registering the UltraScan desktop software

Register for the UltraScan III software. An email will be sent to confirm your registration request. Once the email is confirmed, click finish registration. Close and reopen UltraScan.

Connecting UltraScan to the LIMS account

Now transfer the registration info from LIMS to UltraScan (US). In US, go to Edit: Preferences. Change the data location to database instead of local disk, set the password, and set the other preferences. In the database preferences, add a new instance with the database description CCH. Open the LIMS account to copy over the information from "database login info". Click "Test database connectivity". If successful, save. This completes the configuration.

In US, under Database: Manage Investigator, you can see whether it has worked.