Declaring the machines from which a user connects to IDRIS

Each machine from which a user wishes to access an IDRIS computer must be registered at IDRIS.

The user must provide, for each of his/her accounts, a list of machines which will be used to connect to the IDRIS computers (the machine's name and IP address). This is done at the creation of each account viathe eDARI portal.

The user must update the list of machines associated with a login account (adding/deleting) by using the FGC form (account administration form). After completing this form, it must be signed by both the user and the security manager of the laboratory.

Important note: Personal IP addresses are not authorised for connection to IDRIS machines.

The laboratory security manager is the network/security intermediary for IDRIS. This person must guarantee that the machine from which the user connects to IDRIS conforms to the most recent rules and practices concerning information security and must be able to immediately close the user access to IDRIS in case of a security alert.

The security manager's name and contact information are transmitted to IDRIS by the laboratory director on the FGC (account administration) form. This form is also used for informing IDRIS of any change in the security manager.

For security reasons, we cannot authorise access to IDRIS machines from non-institutional IP addresses. For example, you cannot have direct access from your personal connection.

The recommended solution for accessing IDRIS resources when you are away from your registered address (teleworking, on mission, etc.) is to use the VPN (Virtual Private Network) of your laboratory/institute/university. A VPN allows you to access distant resources as if you were directly connected to the local network of your laboratory. Nevertheless, you still need to register the VPN-attributed IP address of your machine to IDRIS by following the procedure described above. This solution has the advantage of allowing the usage of IDRIS services which are accessible via a web navigator (for example, the extranet or products such as Jupyter Notebook, JupyterLab and TensorBoard).

If using a VPN is impossible, it is always possible to connect via SSH to a proxy machine of your laboratory from which Jean Zay is accessible (which implies having registered the IP address of this proxy machine).

you@portable_computer:~$ ssh proxy_login@proxy_machine
proxy_login@proxy_machine~$ ssh idris_login@idris_machine

Note that it is possible to automate the proxy via the SSH options ProxyJump or ProxyCommand to be able to connect by using only one command (for example, ssh -J proxy_login@proxy_machine idris_login@idris_machine).

The user on mission must request machine authorisation by completing the corresponding box on page 3 of the FGC form. A temporary ssh access to all the IDRIS machines is then accorded.