This shows you the differences between two versions of the page.
institute_lorentz:institutelorentz_remoteaccess [2017/03/07 09:38] – [Example 3] lenocil | institute_lorentz:institutelorentz_remoteaccess [2022/11/29 12:27] (current) – [SSH access/tunnelling behind firewalls] lenocil | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== Remote Access to your Workstation ====== | ====== Remote Access to your Workstation ====== | ||
- | For security reasons, access to your Lorentz workstation is only possible within the Lorentz | + | For security reasons, access to your Lorentz workstation is only possible within the Lorentz |
+ | |||
+ | Following are some examples that demonstrate the concept of SSH tunnelling. For alternative methods of connection, please see the relevant documentation. | ||
+ | SSH access to our servers requires you to set up [[institute_lorentz: | ||
+ | |||
+ | :!: The examples below have been tested with OpenSSH v7.3+. | ||
+ | |||
+ | ===== SSH tunneling ===== | ||
+ | By means of an SSH tunnel you can transport any arbitrary data over an encrypted SSH connection. Members of the Lorentz Institute can use | ||
+ | this technique to gain remote shell access to their workstation across our firewall which would prevent access otherwise. | ||
+ | |||
+ | ==== How does it work? ==== | ||
+ | |||
+ | |You must have an ssh client installed on your personal device -- e.g. laptop, PC -- in order to establish a // | ||
+ | |The Lorentz Institute has a dedicated server (SSH server) ready to listen to any (authenticated) client connections.| | ||
+ | |Once a client-server connection is established, | ||
+ | |The SSH client in turns forwards all encrypted application data to the server which finally communicates with the actual application server.| | ||
+ | |||
+ | For remote ssh connections to your IL workstation, | ||
==== Example 1 ==== | ==== Example 1 ==== | ||
- | Should you want to open an ssh session | + | Establish |
- | < | + | |
- | ssh -f < | + | < |
- | </ | + | ssh -o ProxyCommand=" |
- | instructs your machine to `tunnel' | + | |
- | ps aux | grep ss[h] | + | |
- | your_username | + | |
- | </ | + | |
- | At this point you are ready to initiate an ssh session to your workstation | + | |
- | < | + | |
- | ssh -p 2222 localhost | + | |
</ | </ | ||
- | NOTE: Should you want ssh to set the DISPLAY environment variable, | + | :!: For connections that will use the DISPLAY environment variable |
==== Example 2 ==== | ==== Example 2 ==== | ||
- | Case scenario: you are at home and you would like to connect to your workstation named `asselijn' | + | As in //Example 1// but this time using your client ssh configuration |
- | Locally (e.g. on your laptop), create a file '' | + | |
< | < | ||
- | Host asselijn.lorentz.leidenuniv.nl | + | # cat $HOME/ |
- | ProxyCommand / | + | Host workstation.lorentz.leidenuniv.nl |
+ | | ||
+ | User username | ||
</ | </ | ||
- | And if you have a different username locally and on the institute desktops, that can be added like this: | + | |
- | < | + | Once this configuration is in place, |
- | Host asselijn.lorentz.leidenuniv.nl asselijn | + | |
- | ProxyCommand /usr/bin/ssh -W %h:%p username@ssh.lorentz.leidenuniv.nl | + | |
- | User username | + | |
- | </ | + | |
- | If you need access | + | |
==== Example 3 ==== | ==== Example 3 ==== | ||
- | You sit in your office at the IL and have started | + | |
+ | Establish a web browser connection to a jupyter notebook on '' | ||
+ | |||
+ | Configure | ||
+ | |||
+ | <code bash> | ||
+ | Host styx | ||
+ | | ||
+ | | ||
+ | |||
+ | Host workstation | ||
+ | | ||
+ | | ||
+ | | ||
+ | </ | ||
+ | |||
+ | Browse to '' | ||
+ | |||
+ | |||
+ | ==== Example 4 ==== | ||
+ | Establish a web browser connection to a Jupyter Notebook session running on node marisXX when outside the IL intranet ((This method will only work if you have a slurm-controlled running jupyter session on marisXX. See [[institute_lorentz: | ||
< | < | ||
+ | Host lorentz | ||
+ | | ||
+ | User username | ||
+ | |||
Host maris | Host maris | ||
- | HostName | + | HostName |
- | LocalForward YYYY localhost: | + | ProxyJump lorentz |
+ | User username | ||
Host marisXX | Host marisXX | ||
- | HostName marisXX | + | HostName marisXX.lorentz.leidenuniv.nl |
- | | + | |
- | | + | User username |
+ | LocalForward YYYY localhost: | ||
+ | </ | ||
+ | Browse to '' | ||
+ | |||
+ | ===== SSH access/ | ||
+ | |||
+ | There are situations in which SSH could be forbidden by firewall settings of the internet service provider. Think of countries which limit freedom of speech for example. Luckily Lorentz Institute provides its members with a special access server to overcome these restrictions. | ||
+ | |||
+ | In a nutshell, IL offers SSL-wrapped SSH access, that is it conceals SSH connections using the SSL protocol which is the protocol used by the world wide web to serve '' | ||
+ | |||
+ | The set up on your side is rather simple and requires only editing a file on the SSH client you wish to use, e.g. laptop, workstation, | ||
+ | |||
+ | Add the following stanza to your SSH client config file((The same result is obtained by executing directly '' | ||
+ | |||
+ | <code bash> | ||
+ | Host ssh.lorentz.firewall | ||
+ | ProxyCommand openssl s_client -connect access.lorentz.leidenuniv.nl: | ||
+ | User <Your IL username> | ||
</ | </ | ||
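Review bot: In the ''Host ssh.lorentz.firewall'' stanza, the ''ProxyCommand openssl s_client -connect access.lorentz.leidenuniv.nl:'' line should make certificate verification enforcing rather than informational. By default ''openssl s_client'' prints the verification result and carries on with the connection even when verification fails, so unless the part of the line cut off here already passes ''-verify_return_error'' (ideally together with ''-verify_hostname access.lorentz.leidenuniv.nl''), a failed check still leads to the SSH prompt. It would also help to state that the SSH host key check inside the wrapped connection still applies and must not be skipped.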
- | Yiu are now ready to tunnel your connections through novamaris and visualize your notebook at '' | + | Then to initiate a SSL-wrapped SSH connection |
- | ==== Using Putty ==== | + | |
- | You will need to open two putty sessions. The first one opens a tunnel, the second one uses it. For the sake of clarity let us call the first session `Tunnel' | + | |
- | === Session 1: Tunnel === | + | |
- | Open putty and create a session called Tunnel, then set it according to the snapshots below | + | |
- | {{ :institute_lorentz:tunnel1.png |}} | + | <code bash> |
+ | $ ssh ssh.lorentz.firewall | ||
+ | depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority | ||
+ | verify return:1 | ||
+ | depth=1 C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4 | ||
+ | verify return:1 | ||
+ | depth=0 C = NL, ST = Zuid-Holland, | ||
+ | verify return:1 | ||
- | {{ : | + | -------------------------------------------------- |
+ | Welcome to the Lorentz Institute workstations | ||
+ | Access is allowed for authorized users only. | ||
+ | Any abuse will be tracked. | ||
+ | Helpdesk | ||
+ | https:// | ||
+ | support@lorentz.leidenuniv.nl | ||
+ | -------------------------------------------------- | ||
+ | READ THIS CAREFULLY BEFORE PROCEEDING: | ||
+ | ------------------------------------- | ||
+ | https:// | ||
- | Please note the settings in the port forwarding panel. We use an arbitrary port (2222), but you can choose any numbers above 1024 provided they are not currently in use. By pushing `Open', | + | Last login: Tue May 17 09:36:49 2022 from XX.XX.XX.XX |
- | with the creation of session `Tunnel_use' | + | ***** |
- | {{ : | + | $ |
+ | </ | ||
+ | |||
+ | When the connection is initiated you will be able to double-check the SSL certificate details, especially the '' | ||
+ | |||
+ | Similarly it is possible to initiate an SSL-wrapped SSH SOCKS proxy connection useful to protect your browser sessions from eavesdroppers | ||
+ | |||
+ | <code bash> | ||
+ | ssh -ND 8888 ssh.lorentz.firewall | ||
+ | </ | ||
- | Now push `Open' and a terminal will appear asking your authentication credentials | + | then modify your browser settings to instruct it to redirect all connections to a SOCKS proxy listening |
- | ===== VNC: GNU/Linux ===== | + | |
- | For detailed instructions on how to set up a vnc session you are encouraged to follow [[: | + | |
- | ===== VNC: Windows Users ===== | + | |
- | Please read [[linux: | + | |
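Review bot: The SOCKS paragraph around ''ssh -ND 8888 ssh.lorentz.firewall'' promises protection from eavesdroppers but says nothing about hostname resolution. A browser that sends its traffic to the SOCKS proxy can still resolve names locally, which leaves the visited hostnames visible on the local network. Suggest one added sentence telling users to enable remote DNS over SOCKS5 in the browser proxy settings. Separately, this revision deletes the ''Using Putty'' section and both VNC sections, and the only pointer left is the generic "alternative methods of connection" sentence near the top; a direct link for PuTTY and VNC users would avoid leaving them without instructions.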