Access from the Internet

From Molecular Modeling Wiki

(Difference between revisions)

Previous revision (the original announcement, posted to the cluster-info mailing list):

<blockquote>
Dear users,

I have finished installing a new access server which can be used as one of the channels through which it is possible to access our network from outside. Please read carefully the following instructions and notes.

Instructions:

To login to any computer in our network (includes Canon building and clusters) from outside (anything else, including UOCHB network), follow these steps:

* Use your ssh client to connect to "teogate.uochb.cas.cz" and log in using "sshgate" as username and "sshgate" as password.

* Wait for the system to ask you to enter the name of the machine you want to connect to and your login name on this machine.

* Wait for connection to the target machine; once the connection is established, you will be prompted for your password.

Notes:

* This method allows anyone to connect from anywhere without a need to know any special secrets or number sequences.

* On the other hand, there are limits - you cannot use direct "scp" or "sftp" or establish port-forwarding tunnels (except X11 tunnel - see below) when connecting from outside. As for copying files, it is, of course, acceptable to use ssh to log in to a machine and use scp or sftp there to initiate the file transfer from the other end of the connection; your end must be running an ssh daemon and you must not be behind a firewall which would block the transfer. If this method is not acceptable or if you need to establish encrypted port-forwarding tunnels, wait until another access channel is configured (see below).

* The connection through teogate should automatically honor X11 forwarding, so when you connect to the target machine, you should be able to run X11 applications that open windows on your side of the connection.

* To access a machine using teogate gateway, the machine name and ssh public key must be explicitly listed on the teogate server. At the moment, only clusters and servers are allowed to be accessed, so if you want me to add your machine to the list, please send me a mail.

* This access method will be complemented by another method based on formerly used port knocking, which will allow less limited access to the network, but will need to have the client and configuration file handy before opening connection. I will let you know when this channel is configured. Anyway, the lately used "knock" access through the marge server will not be re-opened.

Please let me know if you have any questions.

Jiri Polach
_______________________________________________
cluster-info mailing list
cluster-info@marge.uochb.cas.cz
http://marge.uochb.cas.cz/mailman/listinfo/cluster-info
</blockquote>

Revision as of 14:30, 17 March 2009

General

For security reasons, remote access to the local network (the clusters) from external networks (the Internet) is restricted. There are two ways to connect to a machine on the internal network; both are limited to the ssh/scp client and protocol.

SSH gate method

This method needs no special software or configuration beyond a regular ssh client; the disadvantage is that only terminal access is available (file transfer with scp/sftp is not possible).

Instructions:

To log in to any computer on the internal network (which includes the Canon building and the clusters) from outside (anywhere else, including the IOCB network), follow these steps:

  • Use your ssh client to connect to teogate.uochb.cas.cz and log in using sshgate as the username and sshgate as the password.
  • Wait for the system to ask you for the name of the machine you want to connect to and your login name on that machine.
  • Wait for the connection to the target machine; once it is established, you will be prompted for your password on that machine.

Notes:

  • This method allows anyone to connect from anywhere without needing to know any special secrets or number sequences. Because the gate credentials are public, the password on the target machine is the only secret protecting your account; choose it accordingly.
  • On the other hand, there are limits: you cannot use scp or sftp directly, or establish port-forwarding tunnels (except the X11 tunnel, see below), when connecting from outside. For copying files it is, of course, acceptable to use ssh to log in to a machine and run scp or sftp there, initiating the transfer from the far end of the connection; your end must then be running an ssh daemon and must not be behind a firewall that would block the transfer. If this is not acceptable, or if you need encrypted port-forwarding tunnels, use the port knocking method.
  • The connection through teogate should automatically honor X11 forwarding, so once you are connected to the target machine you should be able to run X11 applications that open windows on your side of the connection.
  • To reach a machine through the teogate gateway, the target machine's name and ssh host public key must be explicitly listed on the teogate server; the listed key is what the gate uses to verify the target host. At the moment only the clusters and servers are listed, so if you want your machine added to the list, contact us.
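
The following Python is an added example, not code from this wiki or from the teogate server itself. It models what the notes above imply the gate must do before it opens the onward hop: refuse any target that is not on its explicit list, pin the listed host key so the target is verified rather than trusted on first contact, and pass the session through with X11 forwarding but nothing else. The allow-list format, host names, dummy keys, function names and the sshd_config fragment are all assumptions made up for illustration; the real teogate configuration is not published on this page.

```python
"""Model of the SSH gate's admission check (added example; not teogate's code).

Everything named here (ALLOWED_TARGETS, admit, gate_session, the sample hosts
and keys, the sshd_config fragment) is an assumption for illustration only.
"""
import re
import shlex
import tempfile
from typing import Dict, List, Optional, Tuple

# Constructed allow-list: target host name -> host public key in known_hosts
# format ("keytype base64"). The key blobs are dummy strings, not real keys.
ALLOWED_TARGETS: Dict[str, str] = {
    "cluster1.example.internal": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDdummy1",
    "server2.example.internal": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIdummy2",
}

# Conservative syntax for what a user may type at the gate prompt. The first
# character class excludes '-', so a typed value can never be parsed by ssh as
# an option (e.g. "-oProxyCommand=..." is rejected before it reaches argv).
_HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")
_LOGIN_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

# Assumed sshd_config fragment for the shared "sshgate" account. This is the
# standard OpenSSH way to get the properties the page describes (no shell, no
# scp/sftp, no TCP tunnels, X11 allowed); it is not copied from teogate.
SSHD_MATCH_BLOCK = """\
Match User sshgate
    # hypothetical path: the program that asks for host and login name
    ForceCommand /usr/local/sbin/sshgate-prompt
    # no -L/-R/-D tunnels and no tun devices through the gate
    AllowTcpForwarding no
    PermitTunnel no
    AllowAgentForwarding no
    # the one kind of forwarding the page says is honoured
    X11Forwarding yes
"""


def admit(target: str, login: str,
          allowed: Dict[str, str] = ALLOWED_TARGETS) -> Tuple[bool, str]:
    """Decide whether the gate may open a session to `target` as `login`.

    Returns (ok, reason). A host that is not on the list is refused even if it
    resolves and accepts SSH: the list is the gate's policy, not DNS.
    """
    if not _HOST_RE.match(target):
        return False, "malformed target host name"
    if not _LOGIN_RE.match(login):
        return False, "malformed login name"
    if target not in allowed:
        return False, "target host is not listed on the gate"
    return True, "ok"


def write_pinned_known_hosts(target: str,
                             allowed: Dict[str, str] = ALLOWED_TARGETS) -> str:
    """Write a one-entry known_hosts file pinning the listed key for `target`.

    Pinning the key from the gate's own list (instead of accepting whatever the
    target presents) is what lets the gate notice a spoofed or replaced host.
    """
    tmp = tempfile.NamedTemporaryFile("w", delete=False, suffix=".known_hosts")
    with tmp:
        tmp.write(f"{target} {allowed[target]}\n")
    return tmp.name


def build_ssh_argv(target: str, login: str, known_hosts: str) -> List[str]:
    """Build the argv for the onward hop as a list (never a shell string).

    StrictHostKeyChecking=yes with the pinned file refuses unknown or changed
    keys; password authentication stays on because the user is prompted for
    the target password; ForwardX11 mirrors the note that X11 works through
    the gate; agent forwarding is off since the gate should hold no user keys.
    """
    return [
        "ssh",
        "-o", f"UserKnownHostsFile={known_hosts}",
        "-o", "StrictHostKeyChecking=yes",
        "-o", "PasswordAuthentication=yes",
        "-o", "ForwardX11=yes",
        "-o", "ForwardAgent=no",
        "-l", login,
        target,
    ]


def gate_session(target: str, login: str,
                 allowed: Dict[str, str] = ALLOWED_TARGETS) -> Optional[List[str]]:
    """Whole admission flow: validate, pin the host key, return argv or None."""
    ok, _reason = admit(target, login, allowed)
    if not ok:
        return None
    return build_ssh_argv(target, login, write_pinned_known_hosts(target, allowed))


if __name__ == "__main__":
    for host, user in [("cluster1.example.internal", "alice"),
                       ("laptop.example.internal", "alice"),
                       ("-oProxyCommand=evil", "alice")]:
        argv = gate_session(host, user)
        print(f"{host} as {user}: {shlex.join(argv) if argv else 'refused'}")
```

The point of the model is the order of checks: syntax first, then the explicit list, and only then an onward ssh whose host verification is pinned to the key the administrator registered, which is why adding a machine to the gate requires sending its host public key and not just its name.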

Port knocking method
