Information Services Division


Operating System upgrade to Socrates Unix timesharing service - Tuesday 21st June 2022, 9:00-10:00am

15 June 2022

Further information on the Operating System upgrade to Socrates Unix timesharing service - Tuesday 21st June 2022, 9:00-10:00am

Please note that on Tuesday 21st June 2022 the Socrates Unix timesharing service will be unavailable between 9am - 10am in order to carry out an operating system upgrade. Anyone logged in to the system at the time is likely to have their session terminated.

System Changes

The upgrade will not significantly change the user experience but there are a few infrastructural changes to be aware of. Most of these will only be relevant for advanced Unix users. The key differences are as follows:

1. System identification

The IP address and SSH host key for the system will change. This may require updates to firewalls, etc. Connecting with SSH will initially produce an error stating that the host key has changed. The ssh-keygen command (e.g. "ssh-keygen -R socrates.ucl.ac.uk") can be used to remove the old SSH host key before connecting.

2. Network restrictions

It will no longer be possible to connect directly to Socrates from systems outside the UCL network perimeter. Access will need to be via the UCL VPN or via a ssh gateway system (e.g. ssh-gateway.ucl.ac.uk). There will be no restrictions on login access within the UCL campus or from the Desktop@UCL Anywhere service. Details of how to reconfigure client systems to use an ssh gateway system are given below.

3. Login restrictions

Logins will be limited to UCL userids with a valid UCL association (i.e. staff, students and visitors) and dedicated web accounts. It will no longer be possible to login using service accounts, role accounts or similar.

4. Directory changes

Following the upgrade, Socrates will use the UCL Active Directory infrastructure for authentication and directory services. This will mean that users are in a much larger number of Unix groups so the outputs from commands such as "groups" and "id" will be significantly different and these commands may take longer to execute.

Configuring SSH clients to access Socrates via an SSH gateway

To access Socrates from outside UCL, it will first be necessary to connect to the UCL VPN service, login to the Desktop@UCL Anywhere service or connect to an SSH gateway system such as ssh-gateway.ucl.ac.uk.

A drawback of this is that it is necessary to enter login credentials twice. However, for regular users it is generally possible to configure SSH client software to use key-based authentication and seamlessly pass through an SSH gateway system.

It is not feasible to provide detailed instructions for all SSH client software products, but the following notes apply to the OpenSSH software which is available on most operating systems. Configuration generally involves a fairly similar process for other client software.

1. Create a key pair for SSH ( this is not required if you already have a key pair)

          ssh-keygen -t rsa

2. Copy the public key onto the ssh gateway system

          ssh-copy-id ucaa123@ssh-gateway.ucl.ac.uk

   (replace ucaa123 with your own UCL userid)

3. Login to the ssh-gateway system

          ssh ssh-gateway.ucl.ac.uk

4. Activate your key for logins to the ssh gateway

          copy-ssh-keys -copy

5. From the ssh-gateway, copy your public key on to the Socrates system

   (if not already done)

          ssh-copy-id ucaa123@socrates.ucl.ac.uk

   (replace ucaa123 with your own UCL userid)

6. Log out of the ssh-gateway system

7. Create a .ssh/config file on your client machine, containing the following lines:

          Host ssh-gateway

                     Hostname ssh-gateway.ucl.ac.uk

                     User ucaa123

                     ForwardX11Trusted yes

                     ForwardX11 yes

          Host socrates

                     Hostname socrates.ucl.ac.uk

                     User ucaa123

                     ProxyJump ssh-gateway

                     ForwardX11Trusted yes

                     ForwardX11 yes

   (replace ucaa123 with your own UCL userid)

8. Test it

          ssh socrates

9. You may also wish to set up ssh-agent and run ssh-add to cache your private key passphrase in order to avoid entering it repeatedly. Please see appropriate documentation/manpages available on your system for further details.

During internal testing it was noted that some (older) versions of OpenSSH may not work with the ProxyJump command. In this case, this configuration line above should be replaced with:  ProxyCommand ssh -q -W %h:%p ssh-gateway.

Please raise a ticket for the Cloud Platforms team via the IT Services Helpdesk if you experience any problems following the Socrates upgrade or require additional advice on client configuration.