User Tools

Site Tools


institute_lorentz:institutelorentz_remoteaccess

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
institute_lorentz:institutelorentz_remoteaccess [2021/01/27 08:10] – [Example 1] lenocilinstitute_lorentz:institutelorentz_remoteaccess [2022/11/29 12:27] (current) – [SSH access/tunnelling behind firewalls] lenocil
Line 3: Line 3:
  
 Following are some examples that demonstrate the concept of SSH tunnelling. For  alternative methods of connection, please see the relevant documentation. Following are some examples that demonstrate the concept of SSH tunnelling. For  alternative methods of connection, please see the relevant documentation.
 +SSH access to our servers requires you to set up [[institute_lorentz:2fa|two-factor authentication]] (2FA) on your account for security reasons.
 +
 +:!: The examples below have been tested with OpenSSH v7.3+.
  
 ===== SSH tunneling ===== ===== SSH tunneling =====
Line 30: Line 33:
  
 ==== Example 2 ==== ==== Example 2 ====
-As in //Example 1// using your client ssh configuration file usually located at ''$HOME/.ssh/config'' on GNU/Linux systems+As in //Example 1// but this time using your client ssh configuration file usually located at ''$HOME/.ssh/config'' on GNU/Linux systems
  
 <code> <code>
Line 43: Line 46:
 ==== Example 3 ==== ==== Example 3 ====
  
-:!: Users are encouraged to use [[https://xmaris.lorentz.leidenuniv.nl:4433/|maris OoD interface]] to launch jupyter notebook.+Establish a web browser connection to a jupyter notebook on ''workstation.lorentz.leidenuniv.nl'' port ''YYYY''
  
-You sit in your office at the IL and have started a jupyter notebook on marisXX port YYYY. To connect to your notebook using the browser on your workstation you must tunnel through `xmaris'. Edit your local .ssh/config +Configure your local ''$HOME/.ssh/config'' as below 
-<code> + 
-Host maris +<code bash
-   HostName xmaris.lorentz.leidenuniv.nl+Host styx 
 +   HostName styx.lorentz.leidenuniv.nl
    LocalForward YYYY localhost:YYYY    LocalForward YYYY localhost:YYYY
  
-Host marisXX +Host workstation 
-   HostName marisXX +   HostName workstation.lorentz.leidenuniv.nl 
-   ProxyJump maris+   ProxyJump styx
    LocalForward YYYY localhost:YYYY    LocalForward YYYY localhost:YYYY
- 
 </code> </code>
  
-You are now ready to tunnel your connections through ''xmaris'' and visualize your notebook at ''http://localhost:YYYY''.+Browse to ''http://localhost:YYYY''.
  
-**NOTE**: For this to work your workstation must have OpenSSH v7.3+. 
  
 ==== Example 4 ==== ==== Example 4 ====
-:!: Users are encouraged to use [[https://xmaris.lorentz.leidenuniv.nl:4433/|maris OoD interface]] to launch jupyter notebook. +Establish a web browser connection to a Jupyter Notebook session running on node marisXX when outside the IL intranet ((This method will only work if you have a slurm-controlled running jupyter session on marisXX. See [[institute_lorentz:xmaris|xmaris]]. \\ You are strongly encouraged to use [[institute_lorentz:xmaris#web_access|xmaris OOD]] facilities nonetheless))
- +
- +
-Same situation as in Example 3 but this time you sit behind your laptop at home.+
  
 <code> <code>
 Host lorentz Host lorentz
      HostName ssh.lorentz.leidenuniv.nl      HostName ssh.lorentz.leidenuniv.nl
-     User <your-IL-username+     User username
-     IdentityFile ~/.ssh/id_rsa+
  
 Host maris Host maris
      HostName xmaris.lorentz.leidenuniv.nl      HostName xmaris.lorentz.leidenuniv.nl
      ProxyJump lorentz      ProxyJump lorentz
-     IdentityFile ~/.ssh/id_rsa +     User username
-     User <your-IL-username>+
  
 Host marisXX Host marisXX
      HostName marisXX.lorentz.leidenuniv.nl      HostName marisXX.lorentz.leidenuniv.nl
      ProxyJump maris      ProxyJump maris
-     IdentityFile ~/.ssh/id_rsa +     User username
-     User <your-IL-username>+
      LocalForward YYYY localhost:YYYY      LocalForward YYYY localhost:YYYY
 </code> </code>
  
-==== Example 5Using Putty ====+Browse to ''http://localhost:YYYY''.
  
-:!: In the snapshots that follow, please replace all occurrences of ''novamaris'' with ''xmaris''.+===== SSH access/tunnelling behind firewalls =====
  
-You will need to open two putty sessions. The first one opens a tunnel, the second one uses itFor the sake of clarity let us call the first session `Tunnel' and the second one `Tunnel_use'In this example we will establish connection to the Maris headnode ''novamaris'' through an ssh tunnel on ''ssh.lorentz.leidenuniv.nl''.  +There are situations in which SSH could be forbidden by firewall settings of the internet service providerThink of countries which limit freedom of speech for exampleLuckily Lorentz Institute provides its members with special access server to overcome these restrictions.
-=== Session 1: Tunnel === +
-Open putty and create a session called Tunnel, then set it according to the snapshots below+
  
-{{ :institute_lorentz:tunnel1.png |}}+In a nutshell, IL offers SSL-wrapped SSH access, that is it conceals SSH connections using the SSL protocol which is the protocol used by the world wide web to serve ''https'' connections. In other words, to the eavesdropper your SSH connection will just look like a normal web connection.
  
-{{ :institute_lorentz:tunnel2.png |}}+The set up on your side is rather simple and requires only editing a file on the SSH client you wish to use, e.g. laptop, workstation, etc..
  
 +Add the following stanza to your SSH client config file((The same result is obtained by executing directly ''ssh -o ProxyCommand="openssl s_client -quiet -connect access.lorentz.leidenuniv.nl:443" ssh.lorentz.firewall'' on the command line.)) (''~/.ssh/config'' on most GNU/Linux distros)
  
 +<code bash>
 +Host ssh.lorentz.firewall
 +  ProxyCommand openssl s_client -connect access.lorentz.leidenuniv.nl:443 -servername lorentz -quiet
 +  User <Your IL username>
 +</code>
  
-Please note the settings in the port forwarding panel. We use an arbitrary port (2222), but you can choose any numbers above 1024 provided they are not currently in use. By pushing `Open', terminal will appear so that you can authenticate using your Lorentz institute credentials. Leave this terminal open and proceed +Then to initiate SSL-wrapped SSH connection open a terminal and type
-with the creation of session `Tunnel_use'+
  
-{{ :institute_lorentz:tunnel3.png |}}+<code bash> 
 +$ ssh ssh.lorentz.firewall 
 +depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority 
 +verify return:
 +depth=1 C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4 
 +verify return:
 +depth=0 C = NL, ST = Zuid-Holland, O = Universiteit Leiden, CN = access.lorentz.leidenuniv.nl 
 +verify return:1
  
-Now push `Open' and a terminal will appear asking your authentication credentials on ''novamaris''. Any other putty connection to ''localhost:2222'' will ssh directly to ''novamaris''+-------------------------------------------------- 
-===== VNC: GNU/Linux ===== +    Welcome to the Lorentz Institute workstations 
-For detailed instructions on how to set up a vnc session you are encouraged to follow [[:vnc|these]]  +    Access is allowed for authorized users only 
-instructions.+    Any abuse will be tracked. 
 + 
 +    Helpdesk     Room HL40[7-9]   Tel 8484   
 +    https://helpdesk.lorentz.leidenuniv.nl 
 +    support@lorentz.leidenuniv.nl 
 +-------------------------------------------------- 
 + 
 +READ THIS CAREFULLY BEFORE PROCEEDING: 
 +------------------------------------- 
 +https://ilorentz.org/wiki/doku.php?id=institute_lorentz 
 + 
 +Last login: Tue May 17 09:36:49 2022 from XX.XX.XX.XX 
 +***** 
 + 
 +
 +</code> 
 + 
 +When the connection is initiated you will be able to double-check the SSL certificate details, especially the ''CN'' entry (see above) which must correspond to our server ''access.lorentz.leidenuniv.nl''. Then upon a successful authentication, you will be let in and be able to use the command line as usual
 + 
 +Similarly it is possible to initiate an SSL-wrapped SSH SOCKS proxy connection useful to protect your browser sessions from eavesdroppers  as in the example below. Provided you set up your SSH client config as described above, type 
 + 
 +<code bash> 
 +ssh -ND 8888 ssh.lorentz.firewall 
 +</code>
  
-Finally, take look at [[linux:x2go|x2go]] should you be interested. +then modify your browser settings to instruct it to redirect all connections to SOCKS proxy listening on ''localhost'' post ''8888''.
-===== VNC: Windows Users ===== +
-Please read [[linux:putty|here]].+
  
-===== Proxy Browsing ===== 
-Read [[:china|here]] 
institute_lorentz/institutelorentz_remoteaccess.1611735014.txt.gz · Last modified: 2021/01/27 08:10 by lenocil