This shows you the differences between two versions of the page.
institute_lorentz:institutelorentz_remoteaccess [2021/01/27 07:47] – [Remote Access to your Workstation] lenocil | institute_lorentz:institutelorentz_remoteaccess [2022/11/29 12:27] (current) – [SSH access/tunnelling behind firewalls] lenocil | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== Remote Access to your Workstation ====== | ====== Remote Access to your Workstation ====== | ||
- | For security reasons, access to your Lorentz workstation is only possible within the Lorentz Institute intranet. Remote access can occur either securing your connection via an intermediate step called //SSH tunneling// (AKA //port forwarding// | + | For security reasons, access to your Lorentz workstation is only possible within the Lorentz Institute intranet. Remote access can occur either securing your connection via an intermediate step called //SSH tunneling// (AKA //port forwarding// |
+ | |||
+ | Following are some examples that demonstrate the concept of SSH tunnelling. For alternative methods of connection, please see the relevant documentation. | ||
+ | SSH access to our servers requires you to set up [[institute_lorentz: | ||
+ | |||
+ | :!: The examples below have been tested with OpenSSH v7.3+. | ||
===== SSH tunneling ===== | ===== SSH tunneling ===== | ||
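Review bot: The added notice "The examples below have been tested with OpenSSH v7.3+" reads as a compatibility remark, not a requirement, so a reader on an older client gets no hint that the examples may fail for them or how to check. Suggest wording it as a minimum client version and naming the command to verify it (`ssh -V`). The added sentence "SSH access to our servers requires you to set up ..." would also read better directly above the examples it governs, since it states a precondition for all of them.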
Line 15: | Line 20: | ||
For remote ssh connections to your IL workstation, | For remote ssh connections to your IL workstation, | ||
- | Here follows a few examples to help you get started. | + | |
==== Example 1 ==== | ==== Example 1 ==== | ||
- | Demand that all SSH connections | + | Establish an SSH connection |
<code bash> | <code bash> | ||
- | ssh -f < | + | ssh -o ProxyCommand=" |
- | </ | + | |
- | To initiate an SSH session to your workstation now you can type | + | |
- | < | + | |
- | ssh -p 2222 localhost | + | |
</ | </ | ||
- | :!: For connections that will use the DISPLAY environment variable (think of any application with a GUI), add the option '' | + | :!: For connections that will use the DISPLAY environment variable (think of any application with a GUI), add the option '' |
==== Example 2 ==== | ==== Example 2 ==== | ||
- | Case scenario: you are at home and you would like to connect to your workstation named `asselijn' | + | As in //Example 1// but this time using your client ssh configuration |
- | Locally (e.g. on your laptop), create a file '' | + | |
< | < | ||
- | Host asselijn.lorentz.leidenuniv.nl | + | # cat $HOME/ |
- | | + | Host workstation.lorentz.leidenuniv.nl |
+ | | ||
+ | User username | ||
</ | </ | ||
- | And if you have a different username locally and on the institute desktops, that can be added like this: | ||
- | < | ||
- | Host asselijn.lorentz.leidenuniv.nl asselijn | ||
- | | ||
- | User username | ||
- | </ | ||
- | If you need access to multiple hosts, just copy and edit the example above. | ||
- | Once this configuration is in place, a simple '' | + | Once this configuration is in place, a simple '' |
==== Example 3 ==== | ==== Example 3 ==== | ||
- | :!: Users are encouraged | + | Establish a web browser connection |
- | You sit in your office at the IL and have started a jupyter notebook on marisXX port YYYY. To connect to your notebook using the browser on your workstation you must tunnel through `xmaris'. Edit your local .ssh/config | + | Configure |
- | < | + | |
- | Host maris | + | |
- | | + | |
- | | + | |
- | Host marisXX | + | <code bash> |
- | | + | Host styx |
- | | + | |
| | ||
+ | Host workstation | ||
+ | | ||
+ | | ||
+ | | ||
</ | </ | ||
- | You are now ready to tunnel your connections through '' | + | Browse |
- | **NOTE**: For this to work your workstation must have OpenSSH v7.3+. | ||
==== Example 4 ==== | ==== Example 4 ==== | ||
- | :!: Users are encouraged to use [[https://xmaris.lorentz.leidenuniv.nl: | + | Establish a web browser connection to a Jupyter Notebook session running on node marisXX when outside the IL intranet ((This method will only work if you have a slurm-controlled running jupyter session on marisXX. See [[institute_lorentz:xmaris|xmaris]]. \\ You are strongly |
- | + | ||
- | + | ||
- | Same situation as in Example 3 but this time you sit behind your laptop at home. | + | |
< | < | ||
Host lorentz | Host lorentz | ||
| | ||
- | | + | User username |
- | | + | |
Host maris | Host maris | ||
| | ||
| | ||
- | IdentityFile ~/ | + | User username |
- | User < | + | |
Host marisXX | Host marisXX | ||
| | ||
| | ||
- | IdentityFile ~/ | + | User username |
- | User < | + | |
| | ||
</ | </ | ||
- | ==== Example 5: Using Putty ==== | + | Browse to '' |
- | :!: In the snapshots that follow, please replace all occurrences of '' | + | ===== SSH access/ |
- | You will need to open two putty sessions. The first one opens a tunnel, | + | There are situations in which SSH could be forbidden by firewall settings of the internet service provider. Think of countries which limit freedom of speech for example. Luckily Lorentz Institute provides its members with a special access server |
- | === Session 1: Tunnel === | + | |
- | Open putty and create a session called Tunnel, then set it according to the snapshots below | + | |
- | {{ : | + | In a nutshell, IL offers SSL-wrapped SSH access, that is it conceals SSH connections using the SSL protocol which is the protocol used by the world wide web to serve '' |
- | {{ : | + | The set up on your side is rather simple and requires only editing a file on the SSH client you wish to use, e.g. laptop, workstation, |
+ | Add the following stanza to your SSH client config file((The same result is obtained by executing directly '' | ||
+ | <code bash> | ||
+ | Host ssh.lorentz.firewall | ||
+ | ProxyCommand openssl s_client -connect access.lorentz.leidenuniv.nl: | ||
+ | User <Your IL username> | ||
+ | </ | ||
- | Please note the settings in the port forwarding panel. We use an arbitrary port (2222), but you can choose any numbers above 1024 provided they are not currently in use. By pushing `Open', | + | Then to initiate |
- | with the creation of session `Tunnel_use' | + | |
- | {{ :institute_lorentz:tunnel3.png |}} | + | <code bash> |
+ | $ ssh ssh.lorentz.firewall | ||
+ | depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority | ||
+ | verify return:1 | ||
+ | depth=1 C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4 | ||
+ | verify return:1 | ||
+ | depth=0 C = NL, ST = Zuid-Holland, | ||
+ | verify return:1 | ||
- | Now push `Open' and a terminal will appear asking your authentication credentials on '' | + | -------------------------------------------------- |
- | ===== VNC: GNU/Linux ===== | + | Welcome to the Lorentz Institute workstations |
- | For detailed instructions on how to set up a vnc session you are encouraged to follow [[: | + | Access is allowed for authorized users only. |
- | instructions. | + | |
+ | |||
+ | Helpdesk | ||
+ | https:// | ||
+ | support@lorentz.leidenuniv.nl | ||
+ | -------------------------------------------------- | ||
+ | |||
+ | READ THIS CAREFULLY BEFORE PROCEEDING: | ||
+ | ------------------------------------- | ||
+ | https:// | ||
+ | |||
+ | Last login: Tue May 17 09:36:49 2022 from XX.XX.XX.XX | ||
+ | ***** | ||
+ | |||
+ | $ | ||
+ | </ | ||
+ | |||
+ | When the connection | ||
+ | |||
+ | Similarly it is possible | ||
+ | |||
+ | <code bash> | ||
+ | ssh -ND 8888 ssh.lorentz.firewall | ||
+ | </ | ||
- | Finally, take a look at [[linux: | + | then modify your browser settings to instruct it to redirect all connections to a SOCKS proxy listening on '' |
- | ===== VNC: Windows Users ===== | + | |
- | Please read [[linux: | + | |
- | ===== Proxy Browsing ===== | ||
- | Read [[: |
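Review bot: In the new "SSH access/tunnelling behind firewalls" stanza, the line `ProxyCommand openssl s_client -connect access.lorentz.leidenuniv.nl:` does not visibly tell s_client to abort when certificate verification fails (the rendered line is cut off, so the option may already be present). By default `openssl s_client` continues the handshake after a verification error unless `-verify_return_error` is given, so the `verify return:1` lines in the sample session are informational and a failed check would not stop the connection on its own. Suggest adding that option if it is missing, and one sentence reminding readers that the SSH host key prompt for the inner connection still applies and should be checked on first use. For the `ssh -ND 8888 ssh.lorentz.firewall` step, it would help to state the SOCKS address the browser should use in full and to tell readers to close the forward when done. Separately, this revision removes the PuTTY, VNC and Proxy Browsing sections without leaving a pointer to where that material now lives.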