Access from the Internet

From Molecular Modeling Wiki

Revision as of 14:38, 17 March 2009

General

Due to the security reason, the remote access to the local network (to the clusters) from the external networks (Internet) is limited. There are two methods how to connect to a machine in the internal network; both are limited to the use of ssh/scp client/protocol.

SSH gate method

For this method, a user does not need any special software and/or configuration except a regular ssh client; the disadvantage is that only terminal access is available (the file transfer with scp/sftp protocols is not possible).

Instructions

To login to any computer in the internal network (includes Canon building and clusters) from outside (anything else, including IOCB network), follow these steps:

• Use your ssh client to connect to teogate.uochb.cas.cz and log in using sshgate as username and sshgate as password.
• Wait for system to ask you to enter the name of the machine you want to connect to and your login name on this machine.
• Wait for connection to the target machine; once the connection is established, you will be prompted for your password.

Notes

• This method allows anyone to connect from anywhere without a need to know any special secrets or number sequences.

• On the other hand, there are limits - you cannot use direct "scp" or "sftp" or establish port-forwardind tunnels (except X11 tunnel - see below) when connecting from outside. As for copying files, it is, of course, acceptable to use ssh to log in to a machine and use scp or sftp there to initiate the file transfer from the other end of the connection; your end must be running an ssh daemon and you must not be behind a firewall which would block the transfer. If this method is not acceptable or if you need to establish encrypted port-forwarding tunnels, use the port knocking method.

• The connection through teogate should automatically honor X11 forwarding, so when you connect to the target machine, you should be able to run X11 applications that open windows on you side of the connection.

• To access a machine using teogate gateway, the target machine name and ssh public key must be explicitly listed on the teogate server. At the moment, only clusters and servers are allowed to be accessed, so if you want to add your machine to the list, contact us.

• The password you enter is not captured nor stored anywhere in the sshgate system; when entering a password you are already connected to the target machine, so that the passord cannot be captured on the gateway.

Port knocking method

This access method is a complement to the currently used access through the teogate gateway. Both methods will remain open; while the "knock" method will allow full access to all computers in the network, but requires some setup effort, the easy-to-use "gateway" method can serve for simple and quick access without a need to install and/or configure any software.

Before going on with the explanation there is one important warning: The following description and details of access methods are secret and may not be published or revealed to anyone who has no legal reason to access our local network. Namely they cannot be made publicly available and accessible to anonymous or unauthenticated persons (published on a web page etc.).

If you used port knocking before and did not delete the files, you can start using the new setup immediately after you change the address of the knocked machine in the script. Please note the following two important differences between the previous setup and the current setup. First, the server we used to knock on was server marge, while now we knock on the firewall. Second, the previous setup allowed access to server marge only; now it will allow access to any machine in the internal network. To (re)configure knocking for the current situation, edit knock.bat (in Windows) or knock.sh (in Linux) and replace "marge.uochb.cas.cz" with "147.231.18.170". Then, when you run the script (batch file), the firewall will open and you will have 30 seconds to log in with ssh or start the scp/sftp transfer. After this period, the firewall will close again and you will not be able to start a new session until you open it with another knock. However, connected sessions will remain open.

If you are new to port knocking, please read on. The port knocking is a method that allows to open a communication channel to the internal network only for those, who know something not commonly known. (Those interested may read details about port-knocking on the Internet - see for example links below.) Currently, port-knocking in our network is configured such way that anyone who knows the principle and the proper sequence of random numbers can open a ssh/scp/sftp channel to access any machine in the local net from any place in the world. The idea is that remote attackers have very limited chance to discover the sequence of numbers, or even the fact that port-knocking is used.

To setup port-knocking client on on Linux, install knockd package. The package can be found on the knockd web page (see below) or on clara server in /common/ADMIN/INSTALL/KNOCK directory, or may even be included in your distribution (recent versions of Debian have it). Note that you only need the knock program, but installing the whole package (which also contains knockd daemon and other files) is the easiest way. Then get the knock.sh script from /common/ADMIN/INSTALL/KNOCK/SCRIPTS/LINUX on clara and copy it to your machine. When you want to open the access channel, run knock.sh; from this moment you have 30 seconds to log in to a target computer using ssh/scp/sftp. When this time period expires, the access is denied again (the channel is closed), but the sessions opened so far remain active.

To setup port knocking on Windows, get files from \\CLARA\COMMON\ADMIN\INSTALL\KNOCK\SCRIPTS\WIN. On your home computer (or any computer used to access our network from outside) create "C:\Program Files\Knock" directory and copy the files (knock.bat and knock.exe) to it. Optionally create shortcut on your desktop that points to knock.bat file. When you want to log in to the internal network, run knock.bat (or the shortcut) first; from this moment you have 30 seconds to log in to using ssh/scp/sftp. When this time period expires, the access is denied again (the channel is closed), but the sessions opened so far remain active.

Please note that the clara server (where the needed files are stored) is not accessible from outside the local network. While this is necessary to keep the setup secret (or at least not public), it may be a problem for those who never can access the local network internally. In such case, please send me an e-mail and specify your operating system - I will respond with necessary files attached.