Connecting from outside - old
Contents
Notice
This page is deprecated!
The information on this page is old and not relevant anymore.
For the current version of this page see: connecting remotely.
Introduction
HUJI/CSE allows remote access using Secure Shell (SSH) connections; this page describes how to reach the different resources.
In all the following methods to connect to our servers, you must choose a host to connect to. Usually you'd choose a public server such as river.
Please note that remote connections are only enabled to servers/clusters and not to workstations, aquarium computers or other lab machines.
In addition to this the Computing Authority offers a VPN service for which usage instructions can be found here.
Clients
SSH
- On most *nix systems (Linux, *BSD, macOS) the ssh command comes pre-installed; if it is not available, use the method relevant to your OS/distribution to install it.
- Putty is a simple but powerful, free and open-source SSH client for Windows.
- Mobaxterm is a free SSH client for Windows with an easy-to-use graphical interface; some functionality is limited in the free version.
SFTP
- Like the ssh command, the sftp command should be available on most *nix systems by default.
- FileZilla is a free and open-source cross-platform graphical (S)FTP client.
- WinSCP is a free and open-source graphical (S)FTP client for Windows.
Basic access
All access runs through the gateway ("Shin Gimel"). Direct access to hosts is always blocked by default; however, the user also has no access to the gateway machine itself, which exists only to pass connections through to a different machine.
Therefore, when connecting through the gateway, the user has to tell the gateway ahead of time which host they want to reach. If this is not done the system will attempt to drop into a shell on the gateway, discover that the user is not allowed to access it, and close the connection.
A typical connection command for a user wishing to connect to the host river would look like this:
ssh user%river@gw.cs.huji.ac.il
Alternatively, you can also give the username and hostname separately, for instance when connecting to hm-gw:
ssh -l user%hm-gw sg.huji.ac.il
Note that at the time of writing sg and gw are alternative names for the same machine.
Tunnels and X11-Forwarding
Tunnels
To reach more advanced services inside HUJI it may sometimes be useful to create a "tunnel": a connection that runs directly from the user's machine to whatever internal service they need, carried over the encrypted channel created by SSH.
As an example we will deal with SSH/SFTP. If a user wants to create a tunnel from port 22222 on their station to SSH on hm-gw, their connect command would look like this:
ssh -CL 22222:hm-gw:22 user%hm-gw@gw.cs.huji.ac.il
hm-gw can be replaced by another CS host, for example river:
ssh -CL 22222:river:22 user%river@gw.cs.huji.ac.il
'-C' adds compression to the tunnel, which is advisable if the user is on a not-so-fast connection.
Now connecting to localhost:22222 will actually connect you to hm-gw:22.
Note that the target host of the tunnel and the target host for shell access do not have to be the same: as long as gw (the host that is creating the tunnel) has access to the host/port combination, you can specify the forward. You can also specify multiple tunnels. For instance, if we wanted to connect both to hm-gw:SSH and to a hypothetical MySQL server we'll call mysql, with a shell on river, the command would look like this:
ssh -CL 22222:hm-gw:22 -L 3306:mysql:3306 -l user%river gw.cs.huji.ac.il
Note that the local port can be the same as the remote port; the limitation here is that port numbers <= 1024 are only available to privileged accounts (root/Administrator) on most OSes.
A nice graphical display of what happens when tunneling can be found here: [1]
Creating a tunnel in Putty
In the sidebar go to Connection > SSH > Tunnels.
For source port choose whatever number you like above 1024 and below 65535. For destination enter the target host:port.
Click Add; the window should now look like this:
To enable compression go to Connection > SSH and enable compression.
To avoid re-entering these settings every time you open Putty, it is wise to save them as a session:
The next time you open Putty you can either load the saved session and possibly modify some settings before opening the connection, or just double-click it to open a connection with all the right settings:
Once the shell is open you can use whatever client is needed to connect to the tunnel you created; in our case we can use an SFTP client to connect to localhost:22222 and we will be connected to hm-gw:22, for as long as you leave the shell open.
Using WinSCP to transfer Files
WinSCP comes with a built-in option to create a tunnel through which to connect to the target server.
When creating a connection, enter only the target server as Host name and your username, then click Advanced.
In the sidebar go to Connection > Tunnel:
In the Tunnel setup section enter gw.cs.huji.ac.il as the host to connect to, and for username enter user%target; leave the password field in both windows blank.
If you wish to use the tunnel for other things too, set the 'Local tunnel port' manually; otherwise just leave it on 'Autoselect'.
X11-Forwarding
If the host you are connecting from supports the X11 protocol (most *nix systems; special programs on Windows) it is possible to start graphical programs on the server and see their windows on your machine.
Please note that this needs a fast connection to work at a usable speed: home DSL connections are usually not enough for a smooth experience, whereas links such as those between HUJI campuses are.
To allow X forwarding add '-X' to the connection command:
ssh -CX user%host@gw.cs.huji.ac.il
- On Mac OS X, you first need to run X11 (usually under /Applications/Utilities/X11). Then, from the opened xterm, run
ssh -XC USERNAME%HOSTNAME@gw.cs.huji.ac.il
as in Linux.
- On Windows you can enable X forwarding in putty and use Xming or use MobaXterm as described in the next section.
Using MobaXterm for X11 on Windows
Using this connection type you can run applications which normally use a graphical user interface (GUI), such as emacs. For this to work you need to run an X server on your computer. The applications you run on the remote CSE machines connect to the X server in order to display windows on your own computer.
- On Windows, you need to install and run a Mobaxterm client. Following are instructions for setting up and connecting using Mobaxterm:
- Download and install Mobaxterm.
- Launch Mobaxterm.
- In the Session category, choose SSH; enter gw.cs.huji.ac.il for the remote host, check the Specify Username box and enter username@csmachine, where username is your CS login and csmachine is the server you wish to connect to:
- At this point press OK to save the session.
- You will see the saved session on the left panel of Mobaxterm.
- Double click it and enter your OTP when prompted. Next you'll be asked to enter your regular UNIX password.
After following the above steps you can start your X application on the CSE host.
Socks Proxy
It is possible to route your internet traffic through the host you are connecting to. This is useful for reaching resources that would otherwise only be accessible from inside the HUJI/CSE networks (think of journal databases or internal websites). It is done by setting up a SOCKS5 proxy and configuring your browser to use it.
A typical command could look like this:
ssh -CD 8080 user%huji-cs-host@gw.cs.huji.ac.il
Security
It is highly recommended to make sure your client only connects using SSHv2, since there are man-in-the-middle attacks that downgrade the connection from the secure SSHv2 to SSHv1. Most modern clients are set by default to use SSHv2 only, but if you are using an older client version, or created an SSH configuration file in the past, it is wise to check that said file does not override the SSHv2-only default.
Also always make sure that your SSH client is up to date.
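The script below is an added example and not part of the original page: it writes a sample ssh_config that expresses the gateway and tunnel commands from the Tunnels section (user%target@gw.cs.huji.ac.il, LocalForward, Compression) and then runs the check this section asks for, flagging any Protocol directive that would still permit SSHv1. The host names river and hm-gw, the username "user" and the temporary file path are assumptions.

```shell
#!/bin/sh
# Constructed example (not the CSE wiki's own config): an ssh_config in the style of
# this page's gateway commands, plus a check for Protocol lines that re-enable SSHv1.

# Write the sample config to a temp file so the check runs offline.
SAMPLE_CONFIG="$(mktemp)"
cat > "$SAMPLE_CONFIG" <<'EOF'
# Shell on river through the gateway; same as: ssh -C user%river@gw.cs.huji.ac.il
Host river
    HostName gw.cs.huji.ac.il
    User user%river
    Compression yes

# localhost:22222 -> hm-gw:22; same as: ssh -CL 22222:hm-gw:22 user%hm-gw@gw.cs.huji.ac.il
Host hm-gw-tunnel
    HostName gw.cs.huji.ac.il
    User user%hm-gw
    Compression yes
    LocalForward 22222 hm-gw:22

# Leftover from an old setup: this is exactly what the Security section warns about.
Host *
    Protocol 2,1
EOF

# check_protocol FILE: print every Protocol line that allows SSHv1 and return 1 if
# any exists, 0 otherwise. Comments are stripped first; the keyword match is
# case-insensitive and catches "Protocol 1", "Protocol 2,1" and "Protocol 1,2".
check_protocol() {
    hits=$(sed 's/#.*//' "$1" \
        | grep -iE '^[[:space:]]*protocol[[:space:]=]+' \
        | grep -E '(^|[ ,=])1([ ,]|$)') || true
    if [ -n "$hits" ]; then
        printf 'SSHv1 permitted by:\n%s\n' "$hits"
        return 1
    fi
    return 0
}

# Stand-alone run: report the offending line and what to change it to.
check_protocol "$SAMPLE_CONFIG" || echo "fix: set 'Protocol 2' or delete the line"
```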
See also
- FTP on how to transfer files between your computer and the CS file system