Connecting from outside


Introduction

HUJI/CSE allows remote access over Secure Shell (SSH). This page describes how to reach the different resources that way.

With every method described below you must choose a host to connect to. Usually this is a public login server such as river.

Please note that remote connections are only enabled to servers/clusters and not to workstations, aquarium computers or other lab machines.

In addition to this the Computing Authority offers a VPN service for which usage instructions can be found here.

Clients

SSH

  • On most *nix systems (Linux, *BSD, macOS) the ssh command comes pre-installed; if it is not available, install it with the method relevant to your OS/distribution.
  • PuTTY is a simple but powerful open-source and free SSH client for Windows.
  • MobaXterm is a free SSH client for Windows with an easy to use graphical interface; some functionality is limited in the free version.

SFTP

  • Like the ssh command, the sftp command is available on most *nix systems by default.
  • FileZilla is a free and open-source cross-platform graphical (S)FTP client.
  • FireFTP is a free and open-source extension to Firefox for graphical (S)FTP access (also cross-platform). It is a legacy add-on and no longer works with current Firefox releases.
  • WinSCP is a free and open-source graphical (S)FTP client for Windows.

Basic access

All access runs through the gateway ("Shin Gimel"). Direct access to internal hosts is blocked by default, and users have no shell access on the gateway itself: it exists only to relay connections through to another machine.

Therefore, when connecting through the gateway the user must tell it ahead of time which host they want to reach. If this is not done the system tries to drop into a shell on the gateway, finds that the user is not allowed to log in there and closes the connection.

A typical connection command for a user wishing to connect to the host river would look like this:

ssh user%river@gw.cs.huji.ac.il

Alternatively you can pass the login name with -l and the gateway as a separate argument, here connecting to hm-gw:

ssh -l user%hm-gw sg.huji.ac.il

Note that at the time of writing sg and gw are alternative names for the same machine.

Tunnels and X11-Forwarding

Tunnels

To reach more advanced services inside HUJI it is sometimes useful to create a "tunnel": a port on the user's own machine whose connections are carried over the encrypted SSH channel to an internal host and port.

As an example we will deal with SSH/SFTP, if a user wants to create a tunnel from port 22222 on their station to SSH on hm-gw their connect command would look like this:

ssh -CL 22222:hm-gw:22 user%hm-gw@gw.cs.huji.ac.il

'-C' adds compression to the tunnel which is advisable if the user is connected using a not-so-fast connection.

Now connecting to localhost:22222 will actually be connecting to hm-gw:22.

Note that the tunnel target and the host you get a shell on do not have to be the same: any host/port combination that gw (the host creating the tunnel) can reach may be forwarded. Several tunnels can be specified in one command. For example, to forward hm-gw's SSH port and a hypothetical MySQL server (call it mysql) while opening a shell on river:

ssh -CL 22222:hm-gw:22 -L 3306:mysql:3306 -l user%river gw.cs.huji.ac.il

The local port may be the same as the remote port, with the limitation that ports below 1024 (0-1023) can only be bound by privileged accounts (root/Administrator) on most operating systems. By default a forwarded port is bound to the loopback interface of your machine only; unless you add a bind address or -g, other machines on your network cannot use your tunnel, which is normally what you want.
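The login string and the tunnel commands above follow a fixed pattern, so it pays to generate them rather than retype them. The following shell script is an added example, not code from the CsWiki page: it composes the user%host login the gateway expects, validates the target hostname before interpolating it (so a typo or an option-like string cannot become an unexpected ssh argument), builds the -L command lines shown in the Basic access and Tunnels sections, and emits an equivalent ~/.ssh/config Host block. The gateway name and the user%host syntax come from the page; the alias name cse-river, the user alice and the port numbers are assumptions.

```shell
#!/usr/bin/env sh
# Added example (not from the CsWiki page). Gateway name and the user%host
# login syntax are from the page; alias names, user and ports are assumed.

GATEWAY="gw.cs.huji.ac.il"

# Accept only hostname characters (letters, digits, '-', '.') and refuse a
# leading '-', so that a bad value cannot be parsed by ssh as an option.
valid_host() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|-*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the login string the gateway expects: user%target
gw_login() {
    user="$1"; host="$2"
    valid_host "$host" || { echo "invalid target host: $host" >&2; return 1; }
    printf '%s%%%s\n' "$user" "$host"
}

# Print the ssh command line for a shell on $2 via the gateway. Any further
# arguments are -L forwards in the usual "lport:host:rport" form.
gw_command() {
    user="$1"; host="$2"; shift 2
    login=$(gw_login "$user" "$host") || return 1
    cmd="ssh -C"
    for fwd in "$@"; do
        cmd="$cmd -L $fwd"
    done
    printf '%s -l %s %s\n' "$cmd" "$login" "$GATEWAY"
}

# Print an ssh_config Host block for the same connection, so that it
# becomes `ssh <alias>`. The User option does not expand % tokens, so the
# user%host string reaches the gateway literally; confirm with `ssh -G <alias>`.
gw_config_block() {
    alias_="$1"; user="$2"; host="$3"; shift 3
    login=$(gw_login "$user" "$host") || return 1
    printf 'Host %s\n' "$alias_"
    printf '    HostName %s\n' "$GATEWAY"
    printf '    User %s\n' "$login"
    printf '    Compression yes\n'
    for fwd in "$@"; do
        # LocalForward takes "lport host:rport"
        printf '    LocalForward %s %s\n' "${fwd%%:*}" "${fwd#*:}"
    done
}

# Demo: the commands from this page, generated (alice is an assumed user).
gw_command alice river
gw_command alice hm-gw 22222:hm-gw:22 3306:mysql:3306
gw_config_block cse-river alice river 22222:hm-gw:22
```

Append the printed Host block to ~/.ssh/config and `ssh cse-river` opens the same connection, tunnels included; run `ssh -G cse-river` to see exactly what OpenSSH will use.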

A nice graphical display of what happens when tunneling can be found here: [1]

Creating a tunnel in Putty

In the sidebar go to Connection > SSH > Tunnels.

For Source port choose any number between 1024 and 65535. For Destination enter the target host:port.

SSH Putty Tunnel Create.png

Click Add now the window should look like this:

SSH Putty Tunnel Added.png

To enable compression go to Connection > SSH and enable compression.

SSH Putty Compression.png

To avoid re-entering these settings every time you open PuTTY, save them as a session:

SSH Putty Session Create.png

The next time you open PuTTY you can either Load the saved session and adjust some settings before opening the connection, or double-click it to open a connection with all the right settings:

SSH Putty Session Load.png

Once the shell is open you can use whatever client is needed to connect to the tunnel you created; in our case an SFTP client connecting to localhost:22222 reaches hm-gw:22 for as long as the PuTTY window stays open.

Using WinSCP to transfer Files

WinSCP comes with a built in option to create a tunnel through which to connect to the target server.

WinSCP Session.png

When creating a connection enter only the target server as Host name and your username then click Advanced.

In the sidebar go to Connection > Tunnel:

WinSCP Advanced.png

In the Tunnel setup section enter gw.cs.huji.ac.il as the host to connect to and user%target as the username; leave the password field blank in both windows.

If you wish to use the tunnel for other things too set the 'Local tunnel port' manually otherwise just leave it on 'Autoselect'.

X11-Forwarding

If the machine you are connecting from runs an X11 server (most *nix systems do; Windows needs extra software) you can start graphical programs on the server and have their windows appear on your machine.

Please note that X11 forwarding needs a fast connection to be usable. A home DSL line is usually not enough for a smooth experience; links of the speed of those between HUJI campuses are.

To allow X forwarding add '-X' to the connection command. With OpenSSH, '-X' runs the remote programs as untrusted X11 clients, which limits what they may do to your local display (unless your ssh_config sets ForwardX11Trusted yes); use '-Y' (trusted forwarding) only if an application fails under '-X'.

ssh -CX user%host@gw.cs.huji.ac.il
  • On Mac OS X, you first need to run X11 (usually under /Applications/Utilities/X11; on current macOS versions install XQuartz, which provides it). Then, from the xterm it opens, run ssh -XC USERNAME%HOSTNAME@gw.cs.huji.ac.il as on Linux.
  • On Windows you can enable X forwarding in PuTTY and use Xming, or use MobaXterm as described in the next section.

Using MobaXterm for X11 on Windows

Using this connection type you can run applications that normally use a graphical user interface (GUI), such as emacs. For this to work you need to run an X server on your computer; the applications you run on the remote CSE machines connect to that X server to display their windows on your computer.

  • On Windows, you need to install and run the MobaXterm client. Set it up and connect as follows:
    1. Download and install MobaXterm.
    2. Launch MobaXterm.
    3. In the Session category, choose SSH:
Session.png

    4. Enter gw.cs.huji.ac.il as the remote host, check the "Specify username" box and enter username@csmachine, where username is your CS login and csmachine is the server you wish to connect to:

Ssh.png
    5. Press OK to save the session.
    6. The saved session appears in the left panel of MobaXterm.
    7. Double-click it and enter your OTP when prompted. Next you will be asked for your regular UNIX password.


After following the above steps you can start your X application on the CSE host.

Socks Proxy

It is possible to route your browser's traffic through the SSH connection so that it originates inside the HUJI/CSE network. This is useful for resources that are only reachable from inside (journal databases, internal websites). It is done by having ssh open a SOCKS5 proxy on your machine (-D) and configuring your browser to use it.

A typical command could look like this:

ssh -CD 8080 user%huji-cs-host@gw.cs.huji.ac.il

Then configure the browser to use a SOCKS5 proxy at localhost, port 8080. Enable remote DNS resolution (in Firefox: "Proxy DNS when using SOCKS v5") so that internal hostnames are resolved inside HUJI and your DNS queries do not leak to your local network. Like -L forwards, the proxy port is bound to loopback only, so other machines on your network cannot use it.

Security

It is highly recommended to make sure your client only speaks SSH protocol version 2. SSHv1 is broken, and a man-in-the-middle attacker can try to downgrade a client that still allows it from SSHv2 to SSHv1. Modern clients use SSHv2 only by default (OpenSSH removed SSHv1 client support in version 7.6), but if you run an older client or created an SSH configuration in the past, check that no 'Protocol' line in ~/.ssh/config or /etc/ssh/ssh_config re-enables version 1.

Also always make sure that your SSH client is up to date, and verify the gateway's host key fingerprint on first connection through a channel you trust rather than accepting it blindly.
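The two checks above can be automated. The following shell script is an added example, not code from the CsWiki page: it scans a client configuration file for any 'Protocol' directive that still allows version 1 (including forms like "Protocol 2,1"), and parses the output of `ssh -V` to flag OpenSSH clients older than 7.6, the release that removed SSHv1 from ssh(1). The configuration content in the demo is constructed for illustration; the function names and the 7.6 threshold are the only assumptions beyond the page.

```shell
#!/usr/bin/env sh
# Added example (not from the CsWiki page): audit an OpenSSH client for
# SSHv1 exposure. Function names are assumed; 7.6 is the OpenSSH release
# that removed protocol 1 from the ssh client.

# Return 0 if the config file allows protocol 1 anywhere, e.g.
# "Protocol 1" or "Protocol 2,1". Comment lines and trailing comments are ignored.
config_allows_sshv1() {
    cfg="$1"
    grep -iE '^[[:space:]]*Protocol[[:space:]]+' "$cfg" \
        | sed 's/#.*//' \
        | awk '{ for (i = 2; i <= NF; i++) { n = split($i, v, ",");
                 for (j = 1; j <= n; j++) if (v[j] == "1") found = 1 } }
               END { exit found ? 0 : 1 }'
}

# Extract "major minor" from `ssh -V` output such as
# "OpenSSH_7.4p1 Debian-10, OpenSSL 1.0.2k" (ssh -V prints to stderr).
openssh_version() {
    printf '%s\n' "$1" | sed -nE 's/^OpenSSH_([0-9]+)\.([0-9]+).*/\1 \2/p'
}

# Return 0 if the client version predates 7.6 and so may still speak SSHv1,
# 1 if it is 7.6 or newer, 2 if the version string was not recognised.
may_speak_sshv1() {
    set -- $(openssh_version "$1")
    [ -n "$1" ] || return 2
    [ "$1" -lt 7 ] || { [ "$1" -eq 7 ] && [ "$2" -lt 6 ]; }
}

# Run both checks; return 0 only if nothing was flagged.
audit_client() {
    cfg="$1"; version_string="$2"; rc=0
    if config_allows_sshv1 "$cfg"; then
        echo "WARN: $cfg allows SSH protocol 1"; rc=1
    fi
    if may_speak_sshv1 "$version_string"; then
        echo "WARN: '$version_string' predates OpenSSH 7.6 and may still support SSHv1"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: SSHv2 only"
    return "$rc"
}

# Demo on a constructed legacy config (not a real file from the page).
# Real use: audit_client ~/.ssh/config "$(ssh -V 2>&1)"
demo_cfg=$(mktemp)
printf 'Host *\n    Protocol 2,1   # leftover from an old setup\n' > "$demo_cfg"
audit_client "$demo_cfg" "OpenSSH_7.4p1 Debian-10, OpenSSL 1.0.2k" || true
rm -f "$demo_cfg"
```

PuTTY users have no config file to scan; check Connection > SSH in the session settings and make sure the preferred protocol version is 2 only.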


See also

  • FTP on how to transfer files between your computer and the CS file system