institute_lorentz:institutelorentz_remoteaccess

institute_lorentz:institutelorentz_remoteaccess [2020/03/10 14:05]
jansen [Example 2]
institute_lorentz:institutelorentz_remoteaccess [2021/01/27 14:24] (current)
lenocil [Remote Access to your Workstation]
Line 1: Line 1:
-:!: Note that as January 2020 novamaris is no longer supported. Access to maris should go through marishead. Please read [[institute_lorentz:xmaris|xmaris]] 
- 
 ====== Remote Access to your Workstation ====== ====== Remote Access to your Workstation ======
-For security reasons, access to your Lorentz workstation is only possible within the Lorentz network.+For security reasons, access to your Lorentz workstation is only possible within the Lorentz Institute intranetRemote access can occur either securing your connection via an intermediate step called //SSH tunneling// (AKA //port forwarding//), through the [[:vpn|Lorentz Institute VPN service]] or via the [[institute_lorentz:remote_workspace|Lorentz Institute Remote Workspace]]. 
 + 
 +Following are some examples that demonstrate the concept of SSH tunnelling. For  alternative methods of connection, please see the relevant documentation. 
 + 
 +Starting January 2021 you can enable [[institute_lorentz:2fa|two-factor authentication]] (2FA) on your account to further protect access to our SSH server. 
 + 
 +:!: The examples below have been tested with OpenSSH v7.3+. 
 + 
 +===== SSH tunneling ===== 
 +By means of an SSH tunnel you can transport any arbitrary data over an encrypted SSH connection. Members of the Lorentz Institute can use   
 +this technique to gain remote shell access to their workstation across our firewall which would prevent access otherwise. 
 + 
 +==== How does it work? ==== 
 + 
 +|You must have an ssh client installed on your personal device -- e.g. laptop, PC -- in order to establish a //tunnelled// connection.| 
 +|The Lorentz Institute has a dedicated server (SSH server) ready to listen to any (authenticated) client connections.| 
 +|Once a client-server connection is established, a given application contacts the SSH client on a chosen port on which the client is listening.| 
 +|The SSH client in turns forwards all encrypted application data to the server which finally communicates with the actual application server.| 
 + 
 +For remote ssh connections to your IL workstation, the steps above can be summarised into the following. Establish an ssh client-server to our SSH server and instruct your SSH client to forward any new SSH-connection data that will be sent to an arbitrary port number to go via our SSH server. The server will then relay this information to the SSH server running on your workstation. 
  
 ==== Example 1 ==== ==== Example 1 ====
  
-Should you want to open an ssh session to your workstation and you are located outside the Lorentz network you can tunnel your request through ''ssh.lorentz.leidenuniv.nl''For example+Establish an SSH connection to ''workstation.lorentz.leidenuniv.nl'' via our SSH server ''styx.lorentz.leidenuniv.nl'' 
 <code bash> <code bash>
-ssh -f <your_username>@ssh.lorentz.leidenuniv.nl -L 2222:<your_workstation>.lorentz.leidenuniv.nl:22 -N +ssh -o ProxyCommand="ssh -W %h:%p username@styx.lorentz.leidenuniv.nl" username@workstation.lorentz.leidenuniv.nl
-</code> +
-instructs your machine to `tunnel' requests to local port 2222 through ''ssh.lorentz.leidenuniv.nl'' to finally reach port 22 (sshd) on your workstation. Use ''ps'' to see if the command above executed successfully  +
-<code bash> +
-ps  aux | grep ss[h+
-your_username   6217  0.0  0.0  89612  2948 ?        Ss   13:19   0:00 ssh -f your_username@ssh.lorentz.leidenuniv.nl -L 2222:your_workstation.lorentz.leidenuniv.nl:22 -N +
-</code> +
-At this point you are ready to initiate an ssh session to your workstation +
-<code> +
-ssh -p 2222 localhost+
 </code> </code>
  
-NOTEShould you want ssh to set the DISPLAY environment variable, you can use option ''-X'' when you run ssh. You can invoke the ssh manual pages by typing ''man ssh''.+:!: For connections that will use the DISPLAY environment variable (think of any application with a GUI)add the option ''-X'' to your SSH commands.
  
  
 ==== Example 2 ==== ==== Example 2 ====
-Case scenario: you are at home and you would like to connect to your workstation named `asselijn'+As in //Example 1// but this time using your client ssh configuration file usually located at ''$HOME/.ssh/config'' on GNU/Linux systems 
-Locally (e.g. on your laptop), create a file ''.ssh/config'' with a section for the machine to which you want to log in, containing the ProxyCommand ssh option to do the tunnelling: +
-<code> +
-Host asselijn.lorentz.leidenuniv.nl asselijn +
-     ProxyCommand /usr/bin/ssh -W %h:%p ssh.lorentz.leidenuniv.nl +
-</code> +
-And if you have a different username locally and on the institute desktops, that can be added like this:+
 <code> <code>
-Host asselijn.lorentz.leidenuniv.nl asselijn +# cat $HOME/.ssh/config 
-     ProxyCommand /usr/bin/ssh -W %h:%p username@ssh.lorentz.leidenuniv.nl +Host workstation.lorentz.leidenuniv.nl workstation 
-    User username+     ProxyCommand /usr/bin/ssh -W %h:%p styx.lorentz.leidenuniv.nl 
 +     User username
 </code> </code>
-If you need access to multiple hosts, just copy and edit the example above. 
  
-Once this configuration is in place, a simple ''ssh asselijn'' will get you to the machine you have configured.+Once this configuration is in place, a simple ''ssh workstation'' will get you to your workstation.
  
 ==== Example 3 ==== ==== Example 3 ====
  
-:!: Users are encouraged to use [[https://marishead.lorentz.leidenuniv.nl:4433/|maris OoD interface]] to launch jupyter notebook.+Establish a web browser connection to a jupyter notebook on ''workstation.lorentz.leidenuniv.nl'' port ''YYYY''
  
-You sit in your office at the IL and have started a jupyter notebook on marisXX port YYYY. To connect to your notebook using the browser on your workstation you must tunnel through `marishead'. Edit your local .ssh/config +Configure your local ''$HOME/.ssh/config'' as below 
-<code> + 
-Host maris +<code bash
-   HostName marishead.lorentz.leidenuniv.nl+Host styx 
 +   HostName styx.lorentz.leidenuniv.nl
    LocalForward YYYY localhost:YYYY    LocalForward YYYY localhost:YYYY
  
-Host marisXX +Host workstation 
-   HostName marisXX +   HostName workstation.lorentz.leidenuniv.nl 
-   ProxyJump maris+   ProxyJump styx
    LocalForward YYYY localhost:YYYY    LocalForward YYYY localhost:YYYY
- 
 </code> </code>
  
-You are now ready to tunnel your connections through marishead and visualize your notebook at ''http://localhost:YYYY''.+Browse to ''http://localhost:YYYY''.
  
-**NOTE**: For this to work your workstation must have OpenSSH v7.3+. 
  
 ==== Example 4 ==== ==== Example 4 ====
-:!: Users are encouraged to use [[https://marishead.lorentz.leidenuniv.nl:4433/|maris OoD interface]] to launch jupyter notebook. +Establish a web browser connection to a Jupyter Notebook session running on node marisXX when outside the IL intranet ((This method will only work if you have a slurm-controlled running jupyter session on marisXX. See [[institute_lorentz:xmaris|xmaris]]. \\ You are strongly encouraged to use [[institute_lorentz:xmaris#web_access|xmaris OOD]] facilities nonetheless))
- +
- +
-Same situation as in Example 3 but this time you sit behind your laptop at home.+
  
 <code> <code>
 Host lorentz Host lorentz
      HostName ssh.lorentz.leidenuniv.nl      HostName ssh.lorentz.leidenuniv.nl
-     User <your-IL-username+     User username
-     IdentityFile ~/.ssh/id_rsa+
  
 Host maris Host maris
-     HostName marishead.lorentz.leidenuniv.nl+     HostName xmaris.lorentz.leidenuniv.nl
      ProxyJump lorentz      ProxyJump lorentz
-     IdentityFile ~/.ssh/id_rsa +     User username
-     User <your-IL-username>+
  
 Host marisXX Host marisXX
      HostName marisXX.lorentz.leidenuniv.nl      HostName marisXX.lorentz.leidenuniv.nl
      ProxyJump maris      ProxyJump maris
-     IdentityFile ~/.ssh/id_rsa +     User username
-     User <your-IL-username>+
      LocalForward YYYY localhost:YYYY      LocalForward YYYY localhost:YYYY
 </code> </code>
  
-==== Example 5: Using Putty ==== +Browse to ''http://localhost:YYYY''.
- +
-:!: In the snapshots that follow, please replace all occurrences of ''novamaris'' with ''marishead''+
- +
-You will need to open two putty sessions. The first one opens a tunnel, the second one uses it. For the sake of clarity let us call the first session `Tunneland the second one `Tunnel_use'. In this example we will establish a connection to the Maris headnode ''novamaris'' through an ssh tunnel on ''ssh.lorentz.leidenuniv.nl''.  +
-=== Session 1Tunnel === +
-Open putty and create a session called Tunnel, then set it according to the snapshots below +
- +
-{{ :institute_lorentz:tunnel1.png |}} +
- +
-{{ :institute_lorentz:tunnel2.png |}} +
- +
- +
- +
-Please note the settings in the port forwarding panel. We use an arbitrary port (2222), but you can choose any numbers above 1024 provided they are not currently in use. By pushing `Open', a terminal will appear so that you can authenticate using your Lorentz institute credentials. Leave this terminal open and proceed +
-with the creation of session `Tunnel_use' +
- +
-{{ :institute_lorentz:tunnel3.png |}} +
- +
-Now push `Open' and a terminal will appear asking your authentication credentials on ''novamaris''. Any other putty connection to ''localhost:2222'' will ssh directly to ''novamaris''+
-===== VNC: GNU/Linux ===== +
-For detailed instructions on how to set up a vnc session you are encouraged to follow [[:vnc|these]]  +
-instructions. +
- +
-Finally, take a look at [[linux:x2go|x2go]] should you be interested. +
-===== VNC: Windows Users ===== +
-Please read [[linux:putty|here]].+
  
-===== Proxy Browsing ===== 
-Read [[:china|here]] 
institute_lorentz/institutelorentz_remoteaccess.1583849145.txt.gz · Last modified: 2020/03/10 14:05 by jansen