Access from the Internet
From Molecular Modeling Wiki
Latest revision as of 15:41, 17 March 2009
General
For security reasons, remote access to the local network (the clusters) from external networks (the Internet) is restricted. There are two ways to connect to a machine on the internal network, and both are limited to the ssh/scp client and protocol.
SSH gate method
For this method, a user does not need any special software or configuration beyond a regular ssh client; the disadvantage is that only terminal access is available (file transfer with the scp/sftp protocols is not possible).
Instructions
To log in to any computer in the internal network (which includes the Canon building and the clusters) from outside (anywhere else, including the IOCB network), follow these steps:
- Use your ssh client to connect to teogate.uochb.cas.cz and log in using sshgate as the username and sshgate as the password.
- Wait for the system to ask you for the name of the machine you want to connect to and your login name on that machine.
- Wait for the connection to the target machine; once the connection is established, you will be prompted for your password.
Notes
- This method allows anyone to connect from anywhere without needing to know any special secrets or number sequences.
- On the other hand, there are limits: you cannot use direct scp or sftp or establish port-forwarding tunnels (except the X11 tunnel, see below) when connecting from outside. As for copying files, it is, of course, acceptable to use ssh to log in to a machine and use scp or sftp there to initiate the file transfer from the other end of the connection; your end must be running an ssh daemon and you must not be behind a firewall that would block the transfer. If this method is not acceptable or if you need to establish encrypted port-forwarding tunnels, use the port knocking method.
- The connection through teogate should automatically honor X11 forwarding, so when you connect to the target machine, you should be able to run X11 applications that open windows on your side of the connection.
- To access a machine through the teogate gateway, the target machine name and ssh public key must be explicitly listed on the teogate server. At the moment, only clusters and servers are allowed to be accessed, so if you want to add your machine to the list, contact us.
- The password you enter is neither captured nor stored anywhere in the sshgate system; when you enter the password you are already connected to the target machine, so the password cannot be captured on the gateway.
Port knocking method
This access method complements access through the teogate gateway. The knock method allows full access to all computers in the network but requires some setup effort, while the easy-to-use gateway method serves for simple and quick access without any need to install or configure software.
Port knocking is a method that opens a communication channel to the internal network only for those who know something not commonly known. (Those interested may read details about port knocking on the Internet; see for example the general information at http://www.portknocking.org/ and the knockd package home page at http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki.) Currently, port knocking in our network is configured in such a way that anyone who knows the principle and the proper sequence of random numbers can open an ssh/scp/sftp channel to any machine in the local network from any place in the world. The idea is that remote attackers have a very limited chance of discovering the sequence of numbers, or even the fact that port knocking is in use.
Linux setup
To set up the port-knocking client on Linux, install the knockd package. The package can be found on the knockd web page (http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki) or on the clara server in the
/common/ADMIN/INSTALL/KNOCK
directory, or it may even be included in your distribution (see, for example, recent versions of Debian, Ubuntu, OpenSuSE). Note that you only need the knock program, but installing the whole package (which also contains the knockd daemon and other files) is the easiest way. Then get the knock.sh script from
/common/ADMIN/INSTALL/KNOCK/SCRIPTS/LINUX
on clara and copy it to your machine. When you want to open the access channel, run knock.sh; from that moment you have 30 seconds to log in to a target computer using ssh/scp/sftp. When this period expires, access is denied again (the channel is closed), but the sessions opened so far remain active.
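The site's knock.sh is not reproduced on this page, so the following Python client is an added example (not the wiki's or the knockd project's code) of what such a wrapper does: it sends a knock sequence written in the knock client's own port[:proto] notation and then checks whether the ssh port has opened within the window. The gateway name and the sequence are placeholders, since the real sequence is deliberately not public.

```python
import socket
import time

GATEWAY = "gateway.example.invalid"            # placeholder, not the real gateway
KNOCK_SEQUENCE = "7000:tcp,8000:udp,9000:tcp"  # placeholder; the real one is secret

def parse_sequence(spec):
    """Parse 'port[:proto],...' (knock's own notation) into (port, proto) pairs."""
    knocks = []
    for item in spec.split(","):
        port_text, _, proto = item.strip().partition(":")
        port, proto = int(port_text), (proto or "tcp").lower()
        if not 1 <= port <= 65535 or proto not in ("tcp", "udp"):
            raise ValueError("bad knock: %r" % item)
        knocks.append((port, proto))
    return knocks

def send_knock(host, port, proto, timeout=0.5):
    """knockd only has to see the packet arrive, so a refused TCP connection or
    an unanswered UDP datagram still counts as a delivered knock."""
    kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    with socket.socket(socket.AF_INET, kind) as s:
        s.settimeout(timeout)
        try:
            if proto == "udp":
                s.sendto(b"", (host, port))
            else:
                s.connect((host, port))
        except OSError:  # timeout, refused, unresolvable: all fine for a knock
            pass

def port_open(host, port=22, timeout=3.0):
    """True if a TCP connection to host:port succeeds, i.e. the channel is open."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def knock_and_check(host=GATEWAY, spec=KNOCK_SEQUENCE, delay=0.2):
    """Knock in order (knockd matches the sequence sequentially), then probe ssh."""
    for port, proto in parse_sequence(spec):
        send_knock(host, port, proto)
        time.sleep(delay)
    return port_open(host)
```

Run knock_and_check() immediately before your ssh/scp/sftp command; a True result means the 30-second window is open.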
Windows setup
To set up port knocking on Windows, get the files from
\\CLARA\COMMON\ADMIN\INSTALL\KNOCK\SCRIPTS\WIN
On your home computer (or any computer used to access our network from outside), create the
C:\Program Files\Knock
directory and copy the files (knock.bat and knock.exe) into it. Optionally create a shortcut on your desktop that points to the knock.bat file. When you want to log in to the internal network, run knock.bat (or the shortcut) first; from that moment you have 30 seconds to log in using ssh/scp/sftp. When this period expires, access is denied again (the channel is closed), but the sessions opened so far remain active.
Note: Please note that the clara server (where the needed files are stored) is not accessible from outside the local network. While this is necessary to keep the setup secret (or at least not public), it may be a problem for those who can never access the local network internally (a Catch 22 situation). In such a case, please send us an e-mail and specify your operating system; we will respond with the necessary files attached.