Remote Access

From BNL Physics Computing

Most Physics department machines are not directly available from off-site. Authorized access can be achieved through SSH or VPN. VPN is handled centrally by ITD and is documented here. The rest of this page will describe the use of Physics departmental and group SSH gateways. Much of this applies to ITD owned SSH gateways. For more information specific to those start at this page.

Important Note

As of 30 September 2006 interactive passwords will no longer be an allowed form of authentication on any BNL SSH gateway. Instead, so-called "two-factor" authentication must be used. These include SSH keys and CryptoCard. See this list for which gateway systems allow what form of authentication. CryptoCards can be requested from the Account Management Office. See the above list and read on for more information on using SSH keys.


Introduction to SSH keys

SSH keys are actually key pairs: one "private" and one "public". They are a form of two-factor authentication since you must possess both the private key and a passphrase to unlock it. To make use of keys, the public key is first placed on the server. This tells the server that any client that can prove to be in possession of the corresponding private key may be allowed access. To prove this, the server will encrypt a challenge message using the public key and send it to the client. If the client has the corresponding private key, the message is decrypted and sent back to the server and access is granted.


Using SSH

SSH Keys

The use of SSH public/private key pairs will simplify connections (once properly set up) and improve security relative to the use of reusable passwords. Note: Passwords are no longer allowed on any gateway machine at the Laboratory. All gateway machines accept SSH keys as an authentication method.
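The key-pair set-up described above, as an added example (this is not a script from the BNL page or from the Physics department): it generates a passphrase-protected key pair, shows how the public half is installed in an account's authorized_keys file with the permissions sshd insists on, and includes a matching revocation step. The key file name, the gateway name ssh.physics.example and the account name jdoe are assumptions; take the real gateway from the gateway list.

```shell
#!/bin/sh
# Added example, not part of the BNL page: create a passphrase-protected key pair
# and install the public half in an account's authorized_keys file.  The key file
# name, the gateway "ssh.physics.example" and the user "jdoe" are assumptions.
set -eu

KEY="${HOME:-$PWD}/.ssh/id_ed25519_bnl"   # assumed name; one key per site keeps revocation simple
GATEWAY="jdoe@ssh.physics.example"        # placeholder; use the real gateway from the gateway list

# Generate an Ed25519 pair.  ssh-keygen prompts for the passphrase (it is never
# put on the command line or in a file); -a 64 makes the passphrase KDF slower,
# so a stolen private key file is costlier to brute-force.
generate_key() {
    mkdir -p "$(dirname "$KEY")"
    chmod 700 "$(dirname "$KEY")"
    ssh-keygen -t ed25519 -a 64 -C "bnl-gateway-$(date +%Y-%m-%d)" -f "$KEY"
}

# Append one public-key line to an authorized_keys file, skipping it if the
# exact line is already there, then restrict file and directory to the owner:
# sshd (StrictModes, the default) ignores keys in files others can write.
#   $1 = public key line (contents of id_*.pub)   $2 = path of authorized_keys
install_pubkey() {
    keyline=$1
    akfile=$2
    akdir=$(dirname "$akfile")
    mkdir -p "$akdir"
    touch "$akfile"
    if ! grep -qxF -- "$keyline" "$akfile"; then
        printf '%s\n' "$keyline" >> "$akfile"
    fi
    chmod 700 "$akdir"
    chmod 600 "$akfile"
}

# Number of times a key line appears in a file: more than 1 means a sloppy
# copy/paste, 0 after a removal confirms the key really is gone.
count_pubkey() {
    n=$(grep -cxF -- "$1" "$2") || true
    printf '%s\n' "${n:-0}"
}

# Revoke a key: drop every copy of the line and print how many were removed.
revoke_pubkey() {
    before=$(count_pubkey "$1" "$2")
    grep -vxF -- "$1" "$2" > "$2.tmp" || true   # grep -v exits 1 when nothing is left
    mv "$2.tmp" "$2"
    chmod 600 "$2"
    printf '%s\n' "$before"
}

# Full procedure when invoked as:  sh ssh_key_setup.sh run
# The first copy to the gateway needs a login that already works (on-site, or
# with a CryptoCard), since the gateways no longer accept passwords.
if [ "${1:-}" = "run" ]; then
    generate_key
    ssh-copy-id -i "${KEY}.pub" "$GATEWAY"
    ssh -i "$KEY" -o IdentitiesOnly=yes -o PasswordAuthentication=no "$GATEWAY" 'echo key login OK'
fi
```

The install and revoke functions are the same ones you would run on the gateway side if ssh-copy-id is unavailable: paste the single line from id_ed25519_bnl.pub, never the private file. Checking the count afterwards catches the common mistake of the same key being appended several times, and a count of 0 after revoke_pubkey is the evidence that a lost laptop's key no longer opens the account.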

Accessing internal machines through the gateways

There are various methods of setting up access to internal machines where the gateway machine essentially becomes transparent. These methods are in addition to the simple method of logging in to a gateway machine and then logging in to an internal machine from the gateway machine prompt.

Transferring files to and from internal machines

A number of file transfer programs have built in transparent SSH tunnels (see next topic for a discussion of SSH tunnels) so that they can be configured to automatically open connections to internal machines.

Using SSH Tunnels

An SSH tunnel is a mechanism for using an SSH connection to make your machine look like the machine at the end of the tunnel. Tunnels are used to access internal web servers (including PeopleSoft), Library services, license servers, etc. Using an SSH tunnel consists of two parts, namely, setting up the tunnel and configuring the application to use the tunnel. Since the most common use of an explicit tunnel will be to access internal BNL web servers (such as PeopleSoft or servers without conduits) from off-site or on the Corus network, this type of tunnel will be used in the following discussion. To tunnel other applications, substitute the appropriate server and port into the methods outlined below and configure your application to use the assigned port on your local machine.

Setting up a tunnel to the internal BNL HTTP Proxy

Configuring the Proxy in your web browser

Once you have configured your web browser and started your tunnel, you can type the address of any internal web server visible to the BNL HTTP proxy just as you would on-site, and you will be presented with the corresponding web page.
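The three pieces above (a transparent gateway for internal machines and file transfers, the tunnel to the internal HTTP proxy, and the browser pointed at the local end of that tunnel) fit into one OpenSSH client configuration. The following is an added example, not a configuration from the BNL page or from the Physics department; the gateway name, account, internal host pattern, proxy address and the ports are all assumptions, to be replaced with the values from the gateway list and the proxy instructions.

```shell
#!/bin/sh
# Added example, not part of the BNL page: an OpenSSH client configuration that
# makes the gateway transparent for internal hosts and carries a tunnel to the
# internal HTTP proxy.  Gateway, account, host pattern, proxy host and ports are
# assumptions; take the real values from the gateway list and proxy instructions.
set -eu

GATEWAY_HOST="ssh.physics.example"      # placeholder gateway
GATEWAY_USER="jdoe"                     # placeholder account
INTERNAL_PATTERN="*.phy.example.local"  # placeholder pattern matching internal hosts
PROXY_ADDR="httpproxy.example.local"    # placeholder internal HTTP proxy host
PROXY_PORT=3128                         # placeholder proxy port
LOCAL_PORT=3128                         # port on the laptop the browser is pointed at

# Emit the configuration.  PasswordAuthentication no matches the gateway policy;
# IdentitiesOnly stops ssh offering every key in the agent (too many tries and
# the server drops the connection).  LocalForward binds to 127.0.0.1 only, so
# other machines on the same wireless network cannot ride the tunnel.
ssh_config_text() {
    cat <<EOF
Host bnlgw
    HostName $GATEWAY_HOST
    User $GATEWAY_USER
    IdentityFile ~/.ssh/id_ed25519_bnl
    IdentitiesOnly yes
    PasswordAuthentication no
    LocalForward 127.0.0.1:$LOCAL_PORT $PROXY_ADDR:$PROXY_PORT
    ServerAliveInterval 60

Host $INTERNAL_PATTERN
    User $GATEWAY_USER
    ProxyJump bnlgw
EOF
}

# Write the text to file $1 with owner-only permissions; the umask change is
# made in a subshell so it does not leak into the caller.
write_ssh_config() {
    cfg=$1
    mkdir -p "$(dirname "$cfg")"
    ( umask 077; ssh_config_text > "$cfg" )
    chmod 600 "$cfg"
}

# Ask ssh to resolve the gateway entry (ssh -G prints options, makes no
# connection).  Returns 0 when the HostName resolves as expected, or when ssh
# is not installed on this machine.
validate_config() {
    command -v ssh >/dev/null 2>&1 || return 0
    ssh -G -F "$1" bnlgw | grep -q "^hostname $GATEWAY_HOST\$"
}

# Background tunnel: -N runs no remote command, -f detaches after authentication,
# ExitOnForwardFailure aborts when LOCAL_PORT is already taken instead of
# leaving an ssh running silently without the forward.
tunnel_cmd() {
    printf 'ssh -fN -o ExitOnForwardFailure=yes bnlgw'
}

# Invoke as:  sh bnl_tunnel.sh run
if [ "${1:-}" = "run" ]; then
    write_ssh_config "${HOME}/.ssh/config_bnl"
    echo "Add 'Include ~/.ssh/config_bnl' to ~/.ssh/config, then start the tunnel with:"
    tunnel_cmd; echo
fi
```

With the Include line in place, `ssh analysis01.phy.example.local`, `scp results.tar analysis01.phy.example.local:` and `sftp analysis01.phy.example.local` all hop through bnlgw without a separate gateway login, which is the transparent access described above. For the web browser, set the manual proxy to 127.0.0.1 and port 3128 (the LOCAL_PORT value) for HTTP and HTTPS while the tunnel is running; requests then travel through the tunnel to the internal proxy, which serves internal pages exactly as it would for an on-site client. Remember to switch the browser back to no proxy when the tunnel is down, otherwise every page load fails with a connection-refused error.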

Semi-automatic and automatic BNL internal HTTP proxy tunnel

There are a number of ways to partially automate and even fully automate the configuration of proxies and tunnels in order to simplify the use of a web browser on a laptop. Further discussion of one such method under Windows, Mac OS and Linux is available here.

Troubleshooting SSH

Advanced SSH Topics

Help with specific SSH applications

Most of these pages assume one is using OpenSSH on some Unix-like OS (e.g. Linux, Mac OS X). Specific information on other flavors of SSH is given in the following topics.