Remote Access
From PhysDeptComp
Most Physics department machines are not directly reachable from off-site. Authorized access is possible through SSH or VPN. VPN is handled centrally by ITD and is documented here. The rest of this page describes the use of Physics departmental and group SSH gateways. Much of this also applies to ITD-owned SSH gateways; for information specific to those, start at this page.
Important Note
As of 30 September 2006 interactive passwords are no longer an allowed form of authentication on any BNL SSH gateway. Instead, so-called "two-factor" authentication must be used. This includes SSH keys and CryptoCard. See this list for which gateway systems allow which form of authentication. CryptoCards can be requested from the Account Management Office. See the above list and read on for more information on using SSH keys.
Introduction to SSH keys
SSH keys are actually key pairs: one "private" and one "public". They count as two-factor authentication because you must possess both the private key file and the passphrase that unlocks it; a key generated without a passphrase is a single factor and does not meet the intent of the policy above. To make use of keys, the public key is first placed on the server. This tells the server that any client that can prove possession of the corresponding private key may be allowed access. To prove this, the client signs data tied to the current session (including the session identifier established during key exchange) with the private key and sends the signature to the server; the server verifies the signature with the stored public key and, if it checks out, grants access. The private key never leaves your machine, and the signature is bound to this one session, so nothing crossing the network can be replayed for a later login.
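The server-side half of this arrangement is the public key placed in the account's authorized_keys file on the gateway. The following Python script is an added example, not code from this page or from the department: it decodes the OpenSSH public-key wire format with the standard library only, reports the key type and size, and lists the things a gateway administrator would want flagged on each line (a type prefix that does not match the blob, a short RSA modulus, no from= source restriction, no owner comment). The key material in SAMPLE_LINES is constructed on the spot (an arbitrary modulus, a fixed byte pattern) and is not a real key; the 2048-bit RSA minimum and the from= check are this example's own policy choices, not BNL's.

```python
"""Decode and sanity-check OpenSSH authorized_keys lines (added example, stdlib only).
The sample keys below are constructed for illustration, not real credentials."""
import base64
import struct

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
MIN_RSA_BITS = 2048  # this example's policy, not a BNL requirement


def _string(b: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def _mpint(n: int) -> bytes:
    """SSH wire 'mpint': minimal two's-complement big-endian integer."""
    return _string(b"" if n == 0 else
                   n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))


def _read_string(blob: bytes, off: int):
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack_from(">I", blob, off)
    if off + 4 + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:off + 4 + n], off + 4 + n


def build_blob(key_type: str, *fields: bytes) -> str:
    """Base64 blob as written in a .pub file: the type string, then the fields."""
    return base64.b64encode(_string(key_type.encode()) + b"".join(fields)).decode()


def _split_options(line: str):
    """Return (options, rest). Options precede the key type, are comma separated
    and may carry quoted values containing spaces or commas."""
    if line.split(None, 1)[0] in KEY_TYPES:
        return [], line
    opts, buf, quoted, i = [], "", False, 0
    while i < len(line) and (quoted or not line[i].isspace()):
        c = line[i]
        if c == '"':
            quoted = not quoted
        if c == "," and not quoted:
            opts.append(buf)
            buf = ""
        else:
            buf += c
        i += 1
    opts.append(buf)
    return opts, line[i:].lstrip()


def parse_authorized_key(line: str) -> dict:
    """Parse one line into options, type, key size and comment, checking that the
    type named inside the blob matches the type prefix on the line."""
    line = line.strip()
    if not line or line.startswith("#"):
        raise ValueError("blank or comment line")
    options, rest = _split_options(line)
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("missing or unsupported key type")
    key_type, comment = parts[0], (parts[2] if len(parts) == 3 else "")
    blob = base64.b64decode(parts[1], validate=True)
    inner, off = _read_string(blob, 0)
    if inner != key_type.encode():
        raise ValueError(f"type prefix {key_type} does not match blob type {inner.decode()}")
    bits = None
    if key_type == "ssh-rsa":                      # mpint e, mpint n
        _e, off = _read_string(blob, off)
        n_raw, off = _read_string(blob, off)
        bits = int.from_bytes(n_raw, "big", signed=True).bit_length()
    elif key_type == "ssh-ed25519":                # 32-byte public point
        pk, off = _read_string(blob, off)
        if len(pk) != 32:
            raise ValueError("ed25519 public key must be 32 bytes")
        bits = 256
    else:
        off = len(blob)                            # ECDSA: not inspected here
    if off != len(blob):
        raise ValueError("trailing bytes in key blob")
    return {"options": options, "type": key_type, "bits": bits, "comment": comment}


def check_key(line: str) -> list:
    """Findings a gateway administrator would act on for one line."""
    try:
        k = parse_authorized_key(line)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    findings = []
    if k["type"] == "ssh-rsa" and k["bits"] < MIN_RSA_BITS:
        findings.append(f"weak RSA key: {k['bits']} bits < {MIN_RSA_BITS}")
    if not any(o.startswith("from=") for o in k["options"]):
        findings.append("no from= restriction: key usable from any source address")
    if not k["comment"]:
        findings.append("no comment: key owner cannot be identified")
    return findings


# Constructed demo material: an arbitrary odd modulus of the right size and a
# fixed byte pattern stand in for real public keys.
DEMO_RSA_2048 = build_blob("ssh-rsa", _mpint(65537), _mpint((1 << 2047) | 0x10001))
DEMO_RSA_1024 = build_blob("ssh-rsa", _mpint(65537), _mpint((1 << 1023) | 0x10001))
DEMO_ED25519 = build_blob("ssh-ed25519", _string(bytes(range(32))))
SAMPLE_LINES = [
    f'from="*.bnl.gov",no-port-forwarding ssh-ed25519 {DEMO_ED25519} alice@laptop',
    f"ssh-rsa {DEMO_RSA_2048} bob@desktop",
    f"ssh-rsa {DEMO_RSA_1024}",
    f"ssh-rsa {DEMO_ED25519} mismatched",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line.split()[0][:24].ljust(24), check_key(line) or "ok")
```

Run it directly to see the findings for each constructed line, or feed check_key the real lines from an account's authorized_keys on a gateway. A from= restriction does not turn a stolen passphrase-less private key back into two factors, but it does limit where that key can be used from, which is why the example treats its absence as a finding.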
Using SSH
SSH Keys
The use of SSH public/private key pairs simplifies connections (once properly set up) and improves security relative to reusable passwords. Note: passwords are no longer allowed on any gateway machine at the Laboratory. All gateway machines accept SSH keys as an authentication method.
- Generating and using SSH keys - UNIX/Linux/Cygwin
- Simplifying SSH access using an agent - UNIX/Linux/Cygwin
- Generating keys and using the agent with Putty under Windows
Accessing internal machines through the gateways
There are various methods of setting up access to internal machines so that the gateway machine essentially becomes transparent. These methods are in addition to the simple method of logging in to a gateway machine and then logging in to an internal machine from the gateway machine prompt.
- Jumping through SSH gateways to internal hosts - UNIX/Linux
- Jumping through SSH gateways to internal hosts - Windows
Transferring files to and from internal machines
A number of file transfer programs have built-in transparent SSH tunnels (see the next topic for a discussion of SSH tunnels), so they can be configured to automatically open connections to internal machines.
- WinSCP under Windows
- Fugu under Mac OS X
Using GNOME VFS
If you use the GNOME desktop you can set up convenient icons representing SCP connections. See the Gnome Connect To Server topic.
Using SSH Tunnels
An SSH tunnel forwards a TCP port on your local machine through the SSH connection to a host and port on the far side, so that an application connecting to the local port reaches the internal service as if your machine were on the gateway's network. Tunnels are used to access internal web servers (including PeopleSoft), Library services, license servers, etc. Using an SSH tunnel consists of two parts, namely, setting up the tunnel and configuring the application to use the tunnel. Below are discussions on using tunnels for accessing internal BNL web servers, mounting file systems and accessing printers. To tunnel other applications, substitute the appropriate server and port into the methods outlined below and configure your application to use the assigned port on your local machine.
Tunneling to internal BNL Websites
Setting up a tunnel to the internal BNL HTTP Proxy
- From the command line - Unix, cygwin (Windows) or Mac OS
- Using a GUI
- Windows - PuTTY
- Mac OS - SSH Tunnel Manager
Configuring the Proxy in your web browser
- Firefox
- Internet Explorer 7
Once you have configured your web browser and started your tunnel, you can type the address of any internal web server visible to the BNL HTTP proxy just as you would on-site, and you will be presented with the corresponding web page.
Semi-automatic and automatic BNL internal HTTP proxy tunnel
There are a number of ways to partially or even fully automate the configuration of proxies and tunnels in order to simplify the use of a web browser on a laptop. Further discussion of one such method under Windows, Mac OS and Linux is available here.
Accessing Electronic Journals
The electronic journals available through the BNL Research Library can be viewed through an SSH tunnel if all HTTP traffic is directed through the tunnel to the internal web proxy. A journal web site verifies the BNL subscription by checking that the request comes from a bnl.gov IP address. If your browser's proxy configuration sends everything through the tunnel (emulating a VPN), requests arrive from the BNL proxy and you can reach the journals. If instead you have set up a location-dependent proxy using a PAC file, then off-site requests to a journal's web site will not come from a bnl.gov address and you will not be able to access the journal. In that case, reconfigure your browser's proxy settings to send all traffic through the tunnel. A proxy manager such as FoxyProxy lets you keep two configurations, the default one using the PAC file and one that sends everything to the localhost tunnel, and switch between them when you need the journals.
Mounting file systems through a tunnel
Mounting Samba/Windows Shares through a tunnel
You can mount a file system served via Samba or by a Windows machine through a tunnel on a Linux or Windows machine. It may be possible to do this on a Mac, but so far tests have failed, with Mac OS complaining that the file system is local (i.e., it does not recognize that the connection goes through the tunnel).
- CIFS/Samba mount on Linux
- CIFS/Samba mount on Windows
Accessing printers through a tunnel
Tunneling to a CUPS server
It is certainly possible to open individual tunnels to individual printers, but it is often more convenient to open a single tunnel to a CUPS server and thus get access to all of the printers served by the CUPS server with a single tunnel. The CUPS Tunnel page has a discussion on printing through an SSH tunnel to a printer on the Physics Department's CUPS server.
Accessing license servers through a tunnel
Most licensed applications can access their associated license server through an ssh tunnel.
Mathematica
To run Mathematica, you need to add the license server name to the mathpass file. On Windows, the mathpass file should be <Installation directory>\Configuration\Licensing\mathpass. On Mac, the file should be /Library/Mathematica/Licensing/mathpass. On Linux, the file should be $InstallationDirectory/Configuration/Licensing/mathpass. Wherever your file is, add the following lines to the top of the file:
!license.itd.bnl.gov
!127.0.0.1
Note the leading exclamation points. The first line will allow connections to the license server if your machine is connected either directly to the bnl.gov network or through the VPN. The second line will allow connections to the license server through an ssh tunnel. Configure your tunnel to use port 16286 on your machine and the same port on license.itd.bnl.gov. A command line invocation of the tunnel for Mathematica would be
ssh -L 16286:license.itd.bnl.gov:16286 user@gateway.machine.bnl.gov
where you should substitute your actual gateway machine. You can also start the tunnel with your tunnel manager.
Once the tunnel is set up, Mathematica should start normally.
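Both the general tunnel description above and the Mathematica command are instances of OpenSSH local port forwarding, and the same checks apply to the HTTP-proxy, CUPS and Samba tunnels on this page. The following Python helper is an added example, not part of the page or of any departmental tool: it parses an ssh -L specification, decides whether the listening side is private to your machine (a forward bound to "*" or to an explicit empty address, or an unbound one with GatewayPorts turned on, is usable by anyone who can reach your laptop, which turns your tunnel into an open door into the internal network), and emits the equivalent ~/.ssh/config entries, including a ProxyJump stanza for the "jumping through gateways" case (ProxyJump needs OpenSSH 7.3 or later). The gateway and license-server names are the ones used on this page; the user name, the config alias and the internal host name in the usage at the bottom are placeholders.

```python
"""Check and generate OpenSSH local port forwards (added example, stdlib only).
Host names are taken from the page; user, alias and internal host are placeholders."""
import ipaddress


def parse_forward_spec(spec: str) -> dict:
    """Parse [bind_address:]port:host:hostport. IPv6 literals may be bracketed
    ([::1]:8080:host:80). bind is None when it was omitted."""
    parts, buf, depth = [], "", 0
    for c in spec:
        if c == "[":
            depth += 1
        elif c == "]":
            depth -= 1
        if c == ":" and depth == 0:
            parts.append(buf)
            buf = ""
        else:
            buf += c
    parts.append(buf)
    parts = [p.strip("[]") for p in parts]
    if len(parts) == 3:
        bind, port, host, hostport = None, *parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
    else:
        raise ValueError(f"bad forward spec: {spec!r}")
    lport, rport = int(port), int(hostport)
    if not (1 <= lport <= 65535 and 1 <= rport <= 65535):
        raise ValueError(f"port out of range in {spec!r}")
    return {"bind": bind, "port": lport, "host": host, "hostport": rport}


def is_loopback_only(spec: str, gateway_ports: bool = False) -> bool:
    """True if only processes on this machine can use the tunnel.
    OpenSSH semantics: an omitted bind address follows GatewayPorts (off by
    default); "localhost" and loopback IPs are private; an explicit empty
    address or "*" listens on all interfaces. Any other host name is treated
    as exposed, since we cannot know what it resolves to."""
    bind = parse_forward_spec(spec)["bind"]
    if bind is None:
        return not gateway_ports
    if bind in ("", "*"):
        return False
    if bind == "localhost":
        return True
    try:
        return ipaddress.ip_address(bind).is_loopback
    except ValueError:
        return False


def _addr(a: str) -> str:
    """Bracket IPv6 literals the way ssh_config expects them."""
    return f"[{a}]" if ":" in a else a


def ssh_command(spec: str, gateway: str, user: str) -> list:
    """argv for a one-shot tunnel. -N opens no shell; ExitOnForwardFailure makes
    ssh exit instead of silently logging you in without the forward."""
    if not is_loopback_only(spec):
        raise ValueError(f"refusing a tunnel reachable from the network: {spec}")
    return ["ssh", "-N", "-o", "ExitOnForwardFailure=yes", "-L", spec, f"{user}@{gateway}"]


def tunnel_stanza(alias: str, gateway: str, user: str, specs) -> str:
    """~/.ssh/config Host block; `ssh -N alias` then opens every forward."""
    lines = [f"Host {alias}", f"    HostName {gateway}", f"    User {user}",
             "    ExitOnForwardFailure yes"]
    for spec in specs:
        if not is_loopback_only(spec):
            raise ValueError(f"refusing a tunnel reachable from the network: {spec}")
        f = parse_forward_spec(spec)
        bind = "127.0.0.1" if f["bind"] is None else f["bind"]
        lines.append(f"    LocalForward {_addr(bind)}:{f['port']} "
                     f"{_addr(f['host'])}:{f['hostport']}")
    return "\n".join(lines) + "\n"


def jump_stanza(internal_host: str, gateway: str, user: str) -> str:
    """Reach an internal machine directly (ssh, scp, sftp to internal_host) with
    the gateway made transparent via ProxyJump (OpenSSH 7.3 or later)."""
    return f"Host {internal_host}\n    User {user}\n    ProxyJump {user}@{gateway}\n"


if __name__ == "__main__":
    GATEWAY, USER = "gateway.machine.bnl.gov", "user"  # placeholders as on the page
    MATHLM = "16286:license.itd.bnl.gov:16286"         # the Mathematica tunnel above
    print(" ".join(ssh_command(MATHLM, GATEWAY, USER)))
    print(tunnel_stanza("mathlm", GATEWAY, USER, [MATHLM]))
    print(jump_stanza("internal.host.example", GATEWAY, USER))  # placeholder host
    for spec in (MATHLM, "*:" + MATHLM, "[::1]:" + MATHLM):
        print(f"{spec:45s} loopback only: {is_loopback_only(spec)}")
```

The refusal in ssh_command and tunnel_stanza is the point of the example: the ssh -L line on this page is safe because it binds to loopback by default, but adding -g, setting GatewayPorts yes, or writing *:16286:... in a GUI tunnel manager silently changes that, and the license server, CUPS server or HTTP proxy then becomes reachable by anyone on the same network as your laptop.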
Troubleshooting SSH
- Troubleshooting problems with SSH
Advanced SSH Topics
- Accessing internal Web pages through SSH tunnels
- Forwarding ports through SSH to allow non SSH communication to internal systems
- Reusing an existing SSH connection for subsequent connects
- SSH keys for travelers
- Extra security measures with SSH
- Single Configuration Email with IMAP and SSH
- Connecting to Wireless Laptops
Help with specific SSH applications
Most of these pages assume one is using OpenSSH on a Unix-like OS (e.g., Linux, Mac OS X). Specific information on other flavors of SSH is given in the following topics.
- Using PuTTY under Windows