October 21, 2016

o Logging in to GFDL workstations with a CAC is not enforced by any technical
  means. You can still log in with First.Last. However, if you do so you will
  get push-back, and that could be escalated to the group leader. The reason
  there is no technical enforcement is that VNC does not work with CAC.

o Currently you can log in to the HPC systems from your GFDL workstation:
    (a) using a CAC
    (b) using an RSA fob

o To enable HPC CAC login there is a one-time setup that creates the profiles
  used to log in to any of the following machines:
     analysis gaea gfdl jet theia
  You perform this setup with:
     setup-CAC

o Profile creation is analogous to configuring a session in PuTTY; the setup
  script does that work for you instead of the manual process. If you wish,
  you can examine the information in the profiles by issuing the command:
     setup-CAC-edit
  This pops up a widget that looks somewhat like PuTTY. You could alter the
  information the setup script created, although there is no reason to do so.
  Note: These profiles in no way affect your ability to log in to these
        machines using an RSA fob -- that is completely separate.
  Detailed info (not really needed) about this is found at:
     http://wiki.gfdl.noaa.gov/index.php/CAC

o Once the profiles have been created, they are used to log in to the
  appropriate machine via CAC with the "sshg3" command, e.g.:
     sshg3 analysis
     sshg3 gaea

o The first time you log in to one of these machines via a profile you will
  be prompted for (in this order):
    (1) saving the host key (respond "save")
    (2) your CAC PIN
    (3) your HPC passphrase
  Saving the host key is a trust-on-first-use step: if you want to verify the
  host before trusting it, check the key's fingerprint against one obtained
  out of band before responding "save".
  After the initial login you will only be prompted for your CAC PIN.

o You can still log in to the HPC systems using an RSA fob. The procedure is
  the same as it has always been, with one exception starting Nov. 1, 2016:
  the host names change.
  Prior to Nov 1 the HPC hosts are:
     bastion-gaea.princeton.rdhpcs.noaa.gov
     bastion-theia.princeton.rdhpcs.noaa.gov
     bastion-jet.princeton.rdhpcs.noaa.gov
  Starting Nov 1 the above will accept CAC login only.
  Starting Nov 1 the following will accept RSA login only:
     gaea-rsa.princeton.rdhpcs.noaa.gov
     theia-rsa.princeton.rdhpcs.noaa.gov
     jet-rsa.princeton.rdhpcs.noaa.gov

o For the analysis machine there is no host name change on Nov 1.
  To log in from a GFDL session to analysis, use either the RSA fob, as
  before, or the sshg3 procedure described above.
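  As an added example (not part of these notes, and not GFDL's or Tectia's
  own tooling), the following shell functions encode the Nov 1 host name
  cutover and the analysis exception from the two items above, and print the
  login command for a given system, method and date. The host names, profile
  names and cutover date are taken from the notes; the function names, the use
  of a plain "ssh" client for RSA-fob logins, and the date handling are
  assumptions. The analysis host name is not given in the notes, so only the
  sshg3 profile path is encoded for it.

```shell
#!/bin/sh
# Added example, not part of the GFDL notes. Encodes the Nov 1, 2016 host
# name cutover and the two login methods described in the notes. Host names,
# profile names and the cutover date come from the notes; the function names
# and the use of plain "ssh" for RSA-fob logins are assumptions. The analysis
# host name is not given in the notes, so only its sshg3 profile is encoded.

CUTOVER=20161101   # first day on which the bastion-* hosts are CAC only

# hpc_host SYSTEM METHOD [YYYYMMDD]
# Prints the RDHPCS host name for SYSTEM (gaea, theia, jet) and METHOD
# (cac or rsa) on the given day (default: today). Returns 1 for a system
# or method the notes do not cover.
hpc_host() {
    sys=$1; method=$2; day=${3:-$(date +%Y%m%d)}
    case $sys in
        gaea|theia|jet) ;;
        *) echo "hpc_host: no host name recorded for '$sys'" >&2; return 1 ;;
    esac
    case $method in
        cac) echo "bastion-$sys.princeton.rdhpcs.noaa.gov" ;;
        rsa)
            # Before the cutover the bastion hosts take RSA logins; from
            # Nov 1 on only the *-rsa hosts do.
            if [ "$day" -lt "$CUTOVER" ]; then
                echo "bastion-$sys.princeton.rdhpcs.noaa.gov"
            else
                echo "$sys-rsa.princeton.rdhpcs.noaa.gov"
            fi ;;
        *) echo "hpc_host: unknown method '$method' (use cac or rsa)" >&2; return 1 ;;
    esac
}

# hpc_login_cmd SYSTEM METHOD [YYYYMMDD]
# Prints the command to type. CAC logins go through the sshg3 profile that
# setup-CAC created (this covers analysis too, whose host name does not
# change); RSA logins use the host name chosen by hpc_host.
hpc_login_cmd() {
    sys=$1; method=$2; day=$3
    case $method in
        cac)
            case $sys in
                analysis|gaea|gfdl|jet|theia) echo "sshg3 $sys" ;;
                *) echo "hpc_login_cmd: no CAC profile for '$sys'" >&2; return 1 ;;
            esac ;;
        rsa)
            host=$(hpc_host "$sys" rsa "$day") || return 1
            # Assumption: RSA-fob logins are made with a plain ssh client.
            echo "ssh $host" ;;
        *) echo "hpc_login_cmd: unknown method '$method' (use cac or rsa)" >&2; return 1 ;;
    esac
}

# Usage: hpc_login_cmd gaea rsa 20161105
```

  Run as "hpc_login_cmd SYSTEM METHOD" with no date to use today's date;
  passing a date is only there so the before/after behaviour of the cutover
  can be checked without waiting for it. A request the notes say will not
  work (for example an RSA host name for analysis, which the notes do not
  give) fails with a message on stderr rather than printing a guess.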

o Mac users will continue to connect to the GFDL system using an RSA fob.
  Once into GFDL you can connect to any of the HPC systems using an RSA fob
  as before, except that starting Nov 1 you need to use the new host names.

o Tectia is currently working on a Mac solution for CAC. Note, however, that
  the first request for a Mac solution was in 2010. It is not clear what
  happens if Tectia does not come up with a solution before the RSA fobs reach
  their expiration date (the expiration cannot be changed). One option would
  be to purchase more fobs. Hans' opinion is that purchasing more is not
  likely and that we would probably end up using First.Last and NEMS password.

o There currently is no way to log in to a role account using a CAC. Tectia
  and GFDL are working on a solution. Again, Hans' opinion is that if no
  solution is found before the RSA fobs expire then we will use First.Last and
  NEMS password.