Differences

institute_lorentz:institutelorentz_remoteaccess [2017/03/07 09:28] lenocilinstitute_lorentz:institutelorentz_remoteaccess [2022/11/29 12:27] (current) – [SSH access/tunnelling behind firewalls] lenocil
Line 1: Line 1:
 ====== Remote Access to your Workstation ====== ====== Remote Access to your Workstation ======
-For security reasons, access to your Lorentz workstation is only possible within the Lorentz network.+For security reasons, access to your Lorentz workstation is only possible within the Lorentz Institute intranetRemote access can occur either securing your connection via an intermediate step called //SSH tunneling// (AKA //port forwarding//), through the [[:vpn|Lorentz Institute VPN service]] or via the [[institute_lorentz:remote_workspace|Lorentz Institute Remote Workspace]]. 
 + 
 +Following are some examples that demonstrate the concept of SSH tunnelling. For  alternative methods of connection, please see the relevant documentation. 
 +SSH access to our servers requires you to set up [[institute_lorentz:2fa|two-factor authentication]] (2FA) on your account for security reasons. 
 + 
 +:!: The examples below have been tested with OpenSSH v7.3+. 
 + 
 +===== SSH tunneling ===== 
 +By means of an SSH tunnel you can transport any arbitrary data over an encrypted SSH connection. Members of the Lorentz Institute can use   
 +this technique to gain remote shell access to their workstation across our firewall which would prevent access otherwise. 
 + 
 +==== How does it work? ==== 
 + 
 +|You must have an ssh client installed on your personal device -- e.g. laptop, PC -- in order to establish a //tunnelled// connection.| 
 +|The Lorentz Institute has a dedicated server (SSH server) ready to listen to any (authenticated) client connections.| 
 +|Once a client-server connection is established, a given application contacts the SSH client on a chosen port on which the client is listening.| 
 +|The SSH client in turns forwards all encrypted application data to the server which finally communicates with the actual application server.| 
 + 
 +For remote ssh connections to your IL workstation, the steps above can be summarised into the following. Establish an ssh client-server to our SSH server and instruct your SSH client to forward any new SSH-connection data that will be sent to an arbitrary port number to go via our SSH server. The server will then relay this information to the SSH server running on your workstation. 
  
 ==== Example 1 ==== ==== Example 1 ====
  
-Should you want to open an ssh session to your workstation and you are located outside the Lorentz network you can tunnel your request through ''ssh.lorentz.leidenuniv.nl''For example +Establish an SSH connection to ''workstation.lorentz.leidenuniv.nl'' via our SSH server ''styx.lorentz.leidenuniv.nl'' 
-<code> + 
-ssh -f <your_username>@ssh.lorentz.leidenuniv.nl -L 2222:<your_workstation>.lorentz.leidenuniv.nl:22 -N+<code bash
 +ssh -o ProxyCommand="ssh -W %h:%p username@styx.lorentz.leidenuniv.nl" username@workstation.lorentz.leidenuniv.nl
 </code> </code>
-instructs your machine to `tunnelrequests to local port 2222 through ''ssh.lorentz.leidenuniv.nl'' to finally reach port 22 (sshd) on your workstationUse ''ps'' to see if the command above executed successfully <code> + 
-ps  aux | grep ss[h] +:!: For connections that will use the DISPLAY environment variable (think of any application with a GUI), add the option ''-X'' to your SSH commands. 
-your_username   6217  0.0  0.0  89612  2948 ?        Ss   13:19   0:00 ssh -f your_username@ssh.lorentz.leidenuniv.nl -L 2222:your_workstation.lorentz.leidenuniv.nl:22 -N + 
-</code> + 
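
Review bot: the jump host is inconsistent across this revision. Examples 1 to 3 route through ''styx.lorentz.leidenuniv.nl'', while Example 4 and the firewall section keep ''ssh.lorentz.leidenuniv.nl'', which is also the host the removed text used. If both are valid entry points, say so here in Example 1; otherwise pick one, because a reader who copies Example 1 and then Example 4 cannot tell which hostname is current.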
-At this point you are ready to initiate an ssh session to your workstation+==== Example 2 ==== 
 +As in //Example 1// but this time using your client ssh configuration file usually located at ''$HOME/.ssh/config'' on GNU/Linux systems 
 <code> <code>
-ssh -p 2222 localhost+# cat $HOME/.ssh/config 
 +Host workstation.lorentz.leidenuniv.nl workstation 
 +     ProxyCommand /usr/bin/ssh -W %h:%styx.lorentz.leidenuniv.nl 
 +     User username
 </code> </code>
  
-NOTE: Should you want ssh to set the DISPLAY environment variableyou can use option ''-X'' when you run ssh. You can invoke the ssh manual pages by typing ''man ssh''.+Once this configuration is in placea simple ''ssh workstation'' will get you to your workstation.
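
Review bot: the ProxyCommand in Example 2 is broken. `ProxyCommand /usr/bin/ssh -W %h:%styx.lorentz.leidenuniv.nl` has lost the `p` and the space after `%h:`, so the port token is gone and the jump host name is glued onto it; it should read `ProxyCommand /usr/bin/ssh -W %h:%p styx.lorentz.leidenuniv.nl`, matching the removed form `ProxyCommand /usr/bin/ssh -W %h:%p ssh.lorentz.leidenuniv.nl`. Also, `User username` in this Host block applies only to the destination, not to the jump host: a reader whose local username differs from their IL username needs `username@styx.lorentz.leidenuniv.nl` inside the ProxyCommand, as the removed variant had, or a separate `Host styx` block with its own `User` line.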
  
 +==== Example 3 ====
  
-=== Another possible trick: === +Establish a web browser connection to a jupyter notebook on ''workstation.lorentz.leidenuniv.nl'' port ''YYYY''.  
-Locally (e.gon your laptop), create a file ''.ssh/config'' with a section for the machine to which you want to log in, containing the ProxyCommand ssh option to do the tunnelling: + 
-<code> +Configure your local ''$HOME/.ssh/config'' as below 
-Host asselijn.lorentz.leidenuniv.nl asselijn + 
-ProxyCommand /usr/bin/ssh -W %h:%p ssh.lorentz.leidenuniv.nl+<code bash
 +Host styx 
 +   HostName styx.lorentz.leidenuniv.nl 
 +   LocalForward YYYY localhost:YYYY 
 + 
 +Host workstation 
 +   HostName workstation.lorentz.leidenuniv.nl 
 +   ProxyJump styx 
 +   LocalForward YYYY localhost:YYYY
 </code> </code>
-And if you have a different username locally and on the institute desktops, that can be added like this:+ 
 +Browse to ''http://localhost:YYYY''
 + 
 + 
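
Review bot: `LocalForward YYYY localhost:YYYY` appears under both `Host styx` and `Host workstation`. With `ProxyJump styx`, ssh starts a second ssh process for the jump host, and that process also reads the `Host styx` block, so both processes try to bind local port YYYY; one fails with a bind error and, depending on which one wins, the browser can end up talking to port YYYY on styx instead of on the workstation. Keep the LocalForward only under `Host workstation`, as Example 4 does for `Host marisXX`, and consider replacing the placeholder YYYY with a concrete port number so readers can see the expected format.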
 +==== Example 4 ==== 
 +Establish a web browser connection to a Jupyter Notebook session running on node marisXX when outside the IL intranet ((This method will only work if you have a slurm-controlled running jupyter session on marisXX. See [[institute_lorentz:xmaris|xmaris]]. \\ You are strongly encouraged to use [[institute_lorentz:xmaris#web_access|xmaris OOD]] facilities nonetheless. )) 
 <code> <code>
-Host asselijn.lorentz.leidenuniv.nl asselijn +Host lorentz 
-ProxyCommand /usr/bin/ssh -W %h:%p username@ssh.lorentz.leidenuniv.nl +     HostName ssh.lorentz.leidenuniv.nl 
-User username+     User username 
 + 
 +Host maris 
 +     HostName xmaris.lorentz.leidenuniv.nl 
 +     ProxyJump lorentz 
 +     User username 
 + 
 +Host marisXX 
 +     HostName marisXX.lorentz.leidenuniv.nl 
 +     ProxyJump maris 
 +     User username 
 +     LocalForward YYYY localhost:YYYY
 </code> </code>
-If you need access to multiple hosts, just copy and edit the example above. 
  
 +Browse to ''http://localhost:YYYY''.
  
-==== Using Putty ==== +===== SSH access/tunnelling behind firewalls =====
-You will need to open two putty sessions. The first one opens a tunnel, the second one uses it. For the sake of clarity let us call the first session `Tunnel' and the second one `Tunnel_use'. In this example we will establish a connection to the Maris headnode ''novamaris'' through an ssh tunnel on ''ssh.lorentz.leidenuniv.nl''.  +
-=== Session 1: Tunnel === +
-Open putty and create a session called Tunnel, then set it according to the snapshots below+
  
-{{ :institute_lorentz:tunnel1.png |}}+There are situations in which SSH could be forbidden by firewall settings of the internet service provider. Think of countries which limit freedom of speech for example. Luckily Lorentz Institute provides its members with a special access server to overcome these restrictions.
  
-{{ :institute_lorentz:tunnel2.png |}}+In a nutshell, IL offers SSL-wrapped SSH access, that is it conceals SSH connections using the SSL protocol which is the protocol used by the world wide web to serve ''https'' connections. In other words, to the eavesdropper your SSH connection will just look like a normal web connection.
  
 +The set up on your side is rather simple and requires only editing a file on the SSH client you wish to use, e.g. laptop, workstation, etc..
  
 +Add the following stanza to your SSH client config file((The same result is obtained by executing directly ''ssh -o ProxyCommand="openssl s_client -quiet -connect access.lorentz.leidenuniv.nl:443" ssh.lorentz.firewall'' on the command line.)) (''~/.ssh/config'' on most GNU/Linux distros)
  
-Please note the settings in the port forwarding panelWe use an arbitrary port (2222), but you can choose any numbers above 1024 provided they are not currently in useBy pushing `Open', a terminal will appear so that you can authenticate using your Lorentz institute credentialsLeave this terminal open and proceed +<code bash> 
-with the creation of session `Tunnel_use'+Host ssh.lorentz.firewall 
 +  ProxyCommand openssl s_client -connect access.lorentz.leidenuniv.nl:443 -servername lorentz -quiet 
 +  User <Your IL username> 
 +</code>
  
-{{ :institute_lorentz:tunnel3.png |}}+Then to initiate a SSL-wrapped SSH connection open a terminal and type 
 + 
 +<code bash> 
 +$ ssh ssh.lorentz.firewall 
 +depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority 
 +verify return:
 +depth=1 C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4 
 +verify return:1 
 +depth=0 C = NL, ST = Zuid-Holland, O = Universiteit Leiden, CN = access.lorentz.leidenuniv.nl 
 +verify return:1 
 + 
 +-------------------------------------------------- 
 +    Welcome to the Lorentz Institute workstations 
 +    Access is allowed for authorized users only.  
 +    Any abuse will be tracked. 
 + 
 +    Helpdesk     Room HL40[7-9]   Tel 8484   
 +    https://helpdesk.lorentz.leidenuniv.nl 
 +    support@lorentz.leidenuniv.nl 
 +-------------------------------------------------- 
 + 
 +READ THIS CAREFULLY BEFORE PROCEEDING: 
 +------------------------------------- 
 +https://ilorentz.org/wiki/doku.php?id=institute_lorentz 
 + 
 +Last loginTue May 17 09:36:49 2022 from XX.XX.XX.XX 
 +***** 
 + 
 +
 +</code> 
 + 
 +When the connection is initiated you will be able to double-check the SSL certificate details, especially the ''CN'' entry (see above) which must correspond to our server ''access.lorentz.leidenuniv.nl''. Then upon a successful authentication, you will be let in and be able to use the command line as usual. 
 + 
 +Similarly it is possible to initiate an SSL-wrapped SSH SOCKS proxy connection useful to protect your browser sessions from eavesdroppers  as in the example below. Provided you set up your SSH client config as described above, type 
 + 
 +<code bash> 
 +ssh -ND 8888 ssh.lorentz.firewall 
 +</code>
  
-Now push `Open' and terminal will appear asking your authentication credentials on ''novamaris''. Any other putty connection to ''localhost:2222'' will ssh directly to ''novamaris''+then modify your browser settings to instruct it to redirect all connections to SOCKS proxy listening on ''localhost'' post ''8888''.
-===== VNC: GNU/Linux ===== +
-For detailed instructions on how to set up a vnc session you are encouraged to follow [[:vnc|these]] instructions. +
-===== VNC: Windows Users ===== +
-Please read [[linux:putty|here]].+
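
Review bot: the SSL-wrapped setup relies on the reader eyeballing the certificate output. `openssl s_client` prints the `verify return:` lines shown above but by default keeps going even when verification fails, so the only safeguards against a spoofed `access.lorentz.leidenuniv.nl` are the manual CN check the text asks for and the SSH host-key check that follows inside the tunnel. Adding `-verify_return_error` to the ProxyCommand makes s_client abort on a verification failure, so the stanza fails closed instead of depending on the reader inspecting the output. Two smaller points: the footnote's one-liner omits the `-servername lorentz` that the stanza uses, so the two forms are not actually equivalent, and "post ''8888''" in the last paragraph should read "port ''8888''".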
  
institute_lorentz/institutelorentz_remoteaccess.1488878924.txt.gz · Last modified: 2017/03/07 09:28 by lenocil