Overview

All the satellite DSMs have been updated, so all the DSM access methods described here should be working for those DSMs, except for the DSMs without power. :)

The DSM can be accessed these ways:

  • Local wifi.
  • Local wired ethernet.
  • Remote SSH.
  • Local serial console.

Local wifi is probably the most convenient when available on-site, so it is described first.  There is also a section on accessing the DSM dashboard.

Some of the notes here are taken from the DSM User Guide on Google Drive, thanks to Isabel for that!

Local Wifi

The DSM wireless access point should show up with an SSID matching the hostname of the DSM.  Connect your device to that network using the wifi password for the project.  The wifi subnet is 192.168.4, and all the DSMs use the same address on that subnet: 192.168.4.1.  So you can ssh to the DSM using that address:

ssh daq@192.168.4.1

However, this means that when connecting to different DSMs through the same IP address, ssh will complain about the host key being different.  If using the generated ssh host aliases described below, you can get around this by using the <dsm>-wifi alias:

ssh dc-wifi

If you’re on a mobile device you can install an SSH client app to be able to log in and access a terminal on the DSM.  For example, the Termius app provides basic ssh and is available on iOS and Android.

The hostname dsm always resolves on the wifi subnet to 192.168.4.1, and the subnet has the domain name wlan.  So both dsm and dsm.wlan should resolve to the 192.168.4.1 address.  The DSM's own hostname should also resolve on the wifi, but right now it resolves to the static IP address of the wired interface (eth0), and that address cannot be routed if nothing is plugged into the wired interface.  That can be fixed eventually.

Local Ethernet

You can connect to the DSM by wired ethernet, either directly to the Raspberry Pi ethernet port, or through a switch, or through the passthrough port on a Ubiquiti radio, when a radio is connected to the DSM.

You also need the IP address of the ethernet port on the DSM, usually included on the DSM manifest on the inside door.

Configure your laptop to have an IP address on the same subnet. We are generally on the 192.168.1.x subnet, but you can check /etc/hosts on ustar.

Log in:

ssh daq@<ip address>

Then enter the DSM password.

If you generated ssh configs ahead of time using the steps below, then there is a host alias equivalent to the command above using just the dsm name.

Dashboard Access

The remote ssh access does not by default provide access to the dashboard on the DSM web server.   If you are running a browser from a host on a UCAR network, using VPN if necessary, then you can browse directly to the dashboard with a URL using the public IP.   The example below is for Daniels Canyon.

Otherwise, it is possible to use ssh to forward ports for access to the DSM dashboard, if you can first log into the UCAR network through gate.

When connected locally over wifi or wired ethernet, the wifi name or address can be used to browse to the dashboard:

Remote SSH Access

The DSM firewall only allows public IP traffic from UCAR networks, 128.117, so you must be on the UCAR network to reach a DSM.  If you are not on the UCAR network, you can first connect to the UCAR network with VPN, or you can log in to an EOL host like barolo using gate.

The cell modem sites have Verizon USB730L modems plugged into the serial card hub in the DSM.  The cell modems have a data plan with public, static IP addresses. The DSM registers its IP address under the name <dsm>-isfs.dyndns.org.  So the Memorial Hill DSM should be reachable at mh-isfs.dyndns.org.

Here is a plain ssh command for connecting to a site using the public DNS name:

ssh daq@mh-isfs.dyndns.org

However, usually it is better to use ssh host alias configs to connect to a site.  This allows the host key for the same host to be shared no matter how ssh connects to it, and it allows the user to be omitted from the command.  Here is an example:

Host mh
Hostname mh-isfs.dyndns.org
User daq
Port 22
HostKeyAlias mh
CheckHostIP no

SSH without VPN

When VPN is not available, it is still possible to log into the UCAR network if you have ssh and OTP authentication available (Duo).  Connect to gate.ucar.edu with your CIT username.  Enter your password as the UCAS Token Response, then accept the authentication notice in Duo.  Once authenticated with gate, enter an EOL hostname in response to UCAR SSH Proxy, like barolo.eol.ucar.edu.  Then you are connected to the ssh server on barolo, and you enter your credentials like usual.

Once logged into an EOL host, then of course you can ssh to any DSM using the information above.

Serial Console

The Raspberry Pi is configured to provide a serial console port, separate from the USB keyboard and video console.  If you need to examine boot messages from the Pi, or the networking configuration is broken, then this is the only access method available for that.  Connect the custom USB serial cable to the DSM console jack, and plug the USB into a laptop.  The console cable will come up with a device name that’s something like /dev/tty.usbserial-FT3RTE96.  (On Linux it's typically /dev/ttyUSB0.)  You can list /dev before and after plugging it in to see the device name. Then use minicom to connect to the DSM:

minicom -D /dev/tty.usbserial-FT3RT396

You may have to hit enter to see the login prompt.  If not, or if the characters are garbled like there is a mismatch in baud rates, try sending a BREAK signal a few times.  The default baud rate for the serial console is 115200, 8n1.

Enter the DSM username (daq) and password at the prompt.

Generating ssh configs for all hosts

The Hosts.py script can be used to replicate ssh configs for all the hosts in a project, using a template in the isfs projects tree. Run it like so:

cd ~/.ssh
set_project CFACT
$ISFS/projects/python/isfs/Hosts.py --template ssh_config config.cfact
chmod 644 config.cfact

Then in the ~/.ssh/config file, you can include the CFACT configs by adding these lines at the end:

Host *
Include config.cfact

This makes ssh host aliases available for all the CFACT sites.  The tunnel suffix is for the ssh tunnel on eol-rt-data, while the public suffix uses the dynamic DNS name.  For example, connect to the mh dsm with commands like these:

ssh mh-tunnel
ssh mh-public
ssh mh

The last alias uses the static local IP address assigned to that DSM, so it only works when connected directly to the DSM wired ethernet port.  (If on the wired port, there is no DHCP provided, so your computer has to use a static IP address on the DSM subnet, 192.168.1.)

SSH Keys

The first time you log into a DSM, you need to accept the host key. It is possible to collect all the host keys ahead of time with a script using the ssh-keyscan tool, such as has been done for configuring the ssh tunnels. However, that has not yet been adapted to make it work with these ssh configs.  Since the same DSM can be accessed through so many names and addresses, it is helpful to use the same HostKeyAlias across all those addresses.

If a DSM has been reconfigured and given new host keys, you may have to remove the old keys from the known_hosts file.
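
One way to adapt ssh-keyscan output to the HostKeyAlias scheme described above, as an added example that is not part of Hosts.py or the existing tunnel scripts. The function name alias_hostkeys, the alias mh and the sample key blobs are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example (not part of Hosts.py or the ISFS tooling).
# alias_hostkeys ALIAS
#   stdin:  ssh-keyscan output, one "name keytype base64key" line per key,
#           gathered from every name/address that reaches ONE DSM.
#   stdout: one "ALIAS keytype base64key" known_hosts line per key type.
#   Exit status 1 and no stdout if two names offer different keys of the same
#   type: every name should reach the same DSM, so a disagreement means a
#   stale address, a re-keyed DSM, or a host that is not the DSM.
alias_hostkeys() {
    awk -v hka="$1" '
        /^#/ || NF < 3 { next }              # skip banner comments, blanks
        {
            kt = $2
            if (!(kt in key)) {              # first sighting of this key type
                key[kt] = $3; from[kt] = $1; order[++n] = kt
            } else if (key[kt] != $3) {      # same type, different key
                printf "MISMATCH %s: %s vs %s\n", kt, $1, from[kt] > "/dev/stderr"
                bad = 1
            }
        }
        END {
            if (bad) exit 1
            for (i = 1; i <= n; i++) print hka, order[i], key[order[i]]
        }'
}

# Constructed samples; the key blobs are placeholders, not real host keys.
SAMPLE_GOOD='# mh-isfs.dyndns.org:22 SSH-2.0-OpenSSH (constructed)
mh-isfs.dyndns.org ssh-ed25519 AAAAPLACEHOLDERED25519
192.168.4.1 ssh-ed25519 AAAAPLACEHOLDERED25519
192.168.4.1 ssh-rsa AAAAPLACEHOLDERRSA'
SAMPLE_BAD='mh-isfs.dyndns.org ssh-ed25519 AAAAPLACEHOLDERED25519
192.168.4.1 ssh-ed25519 AAAAPLACEHOLDEROTHERHOST'

# Real use (needs network access to the DSM; NAME1 NAME2 are its addresses):
#   ssh-keyscan NAME1 NAME2 2>/dev/null | alias_hostkeys mh >> ~/.ssh/known_hosts
printf '%s\n' "$SAMPLE_GOOD" | alias_hostkeys mh
```

ssh-keyscan does not authenticate what it collects, so compare the result against the fingerprint printed by `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` on the DSM itself, reached over a trusted path such as the serial console.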

