In order to bring the CfA network into compliance with both NIST and
Smithsonian policies, a formal Remote Access Zone has been implemented,
into which users must authenticate prior to connecting to internal
(CF and HEA production) computers.
The first step in this process has been implemented as of April 18, 2011,
so that incoming SSH connections can be made to only a few designated CfA and HEA remote access hosts.
Staff wishing to SSH connect into computer systems in the CfA network will first have to
connect to one of these designated hosts, and then SSH connect into the desired system.
The exception to this requirement is when connecting from a CF managed host; in that case SSH connections may still be made directly.
This means that connections from other CfA subnets (e.g., CE, self-managed, etc.) must first connect through the login server.
Note that a connection to a HEA-internal host must pass through the HEA login server,
and a connection to a CF-internal host must pass through the CF login server.
The CF has designated login.cfa.harvard.edu (131.142.20.100) as the
remote access SSH login host for incoming SSH. Users who have SSHed into
login.cfa may then SSH into computers in CF, CE, SMA, and self-managed
internal networks. Additional SSH servers managed by the CF will be
announced in the future.
The HEAD Systems Group has posted information on accessing systems within the HEAD network at:
http://hea-www.harvard.edu/HEAD-info/syshelp/web/ssh-faq.html.
Alternatively, users may authenticate by VPN and then establish an SSH
connection to any host within the CfA LAN.
Frequently Asked Questions
1. How do I ssh into my self-managed workstation?
Two options:
a. First VPN authenticate, then ssh directly to your workstation.
b. ssh into the border host, then ssh to your workstation.
2. What about VNC?
Effective April 18, 2011 all incoming remote VNC connections must be
tunneled through ssh. Alternatively, users may first VPN authenticate,
then establish a VNC connection. The use of direct incoming VNC,
effectively bypassing password authentication, has been prohibited by
Smithsonian policy.
3. Will POP or IMAP email be affected?
No.
4. Is rsh open from the ssh login server to internal systems?
No.
5. What about VNC over multiple ssh hops?
For VNC, you'll need two tunnels to go through the login host:
First, log into your CF machine and start a vncserver if you haven't already:
CFmachine> vncserver :X
(starts a VNC server process on "display" number X; we support displays 1-10)
New 'CFmachine:X (username)' desktop is CFmachine:X
Then back on your remote machine:
ssh -L 5700:localhost:5701 username@login.cfa.harvard.edu
(login using login password)
login> ssh -L 5701:localhost:5902 CFmachine.cfa.harvard.edu
(login using CF password)
Note the final port number, 5902 above, is 5900 plus the display
number of your vncserver.
Then, back on your remote machine you can start the viewer with:
vncviewer localhost::5700 (note the double colon)
6. What about X tunnelling over multiple hops? How will that work?
X11 and TCP port forwarding is enabled on the login machine, so to
forward X connections:
ssh -X username@login.cfa.harvard.edu
(using your login password)
then from there:
ssh -Y finaldestination
(using your CF password)
X Windows applications will display on your remote machine (assuming you have an X
server running there).
7. Will I be able to use my CF Unix password on login.cfa
(131.142.20.100)?
Users will be given a distinct password for login.cfa.harvard.edu.
We expect users to maintain a different password on this computer from
their CF Unix password. The Smithsonian's 90-day password expiration
policy will be enforced on the SSH login host.
8. Will I be able to use login.cfa.harvard.edu to access files on internal
computers, run code, run a web browser, etc.?
No. Login.cfa.harvard.edu will be set up to provide an ssh hop into
internal computers. Users will be given only minimal space on login.cfa
to create .cshrc, .login, or other environment files.
Access from login.cfa to internal CfA computers will be limited to ssh.
No other access will be possible (e.g. access to user mail files or access
to the CF POP or IMAP servers). User cron jobs will not be enabled on
the SSH server.
Users will not be able to run code on login.cfa. Compilers will
not be available nor be allowed to be installed on the computer.
User filesystems will not be mounted from internal production computers
on login.cfa; this includes CF Unix homes and data directories.
SSH tunnels into internal computers will be allowed in cases where they
are currently allowed.
9. How do I copy files using SCP/SFTP?
To set up a tunnel to sftp/scp from your remote machine to an internal
CF machine:
From your machine:
ssh -N -f -L 2200:finaldestination:22 username@login.cfa.harvard.edu
(login with login username/password)
This sets up a tunnel from your local machine's port 2200 to the ssh
(and scp/sftp) port on the internal machine "finaldestination." The
"-N -f" options fork the ssh session to the background on "login" and return you to
your local machine.
Then you can run "sftp -o Port=2200 username@localhost", or any sftp client
using "localhost" as the hostname and 2200 as the port number, and log in using
your CF password and then go ahead and transfer files.
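The two tunnels above (the two-hop VNC tunnel from question 5 and the sftp/scp tunnel from question 9) as a small helper script. This is an added example, not part of the CfA FAQ; it assumes a local OpenSSH client with ProxyJump (-J, OpenSSH 7.3 or later), which works here because TCP forwarding is enabled on login.cfa.harvard.edu, and it only prints the command to run, after checking that the VNC display number is within the supported 1-10 range.

```shell
#!/bin/sh
# Added example (not from the CfA page): build the single-command form of
# the two-hop VNC tunnel (Q5) and the sftp/scp tunnel (Q9). Host names are
# the ones on the page; the username is whatever the caller passes in.
LOGIN_HOST="login.cfa.harvard.edu"
LOCAL_VNC_PORT=5700     # local port the vncviewer connects to, as in the FAQ
LOCAL_SFTP_PORT=2200    # local port for sftp/scp, as in the FAQ

# vnc_remote_port DISPLAY -> prints 5900+DISPLAY; fails unless DISPLAY is 1-10
vnc_remote_port() {
    d="$1"
    case "$d" in
        ''|*[!0-9]*) echo "display must be a number (1-10)" >&2; return 1 ;;
    esac
    if [ "$d" -lt 1 ] || [ "$d" -gt 10 ]; then
        echo "display must be 1-10 (CF supports displays 1-10)" >&2; return 1
    fi
    echo $((5900 + d))
}

# vnc_tunnel_cmd USER CFMACHINE DISPLAY -> prints one ssh command that jumps
# through login.cfa (-J) and forwards local 5700 to localhost:590X as seen
# from CFMACHINE, i.e. the vncserver; equivalent to the two nested -L hops.
# Afterwards run: vncviewer localhost::5700
vnc_tunnel_cmd() {
    port=$(vnc_remote_port "$3") || return 1
    echo "ssh -J $1@$LOGIN_HOST -L $LOCAL_VNC_PORT:localhost:$port $1@$2"
}

# sftp_tunnel_cmd USER FINALDEST -> prints the background tunnel from Q9.
# Afterwards run: sftp -o Port=2200 USER@localhost
sftp_tunnel_cmd() {
    echo "ssh -N -f -L $LOCAL_SFTP_PORT:$2:22 $1@$LOGIN_HOST"
}

# Usage: sh tunnel.sh vnc USER CFMACHINE DISPLAY
#        sh tunnel.sh sftp USER FINALDEST
case "${1:-}" in
    vnc)  vnc_tunnel_cmd "$2" "$3" "$4" ;;
    sftp) sftp_tunnel_cmd "$2" "$3" ;;
esac
```

Each hop still prompts for its own password (the login.cfa password first, then the CF password), exactly as with the manual two-step procedure.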