What's New: Changes to SSH Remote Access
 

To bring the CfA network into compliance with both NIST and Smithsonian policies, a formal Remote Access Zone has been implemented. Users must authenticate into this zone before connecting to internal (CF and HEA production) computers.

The first step in this process was implemented on April 18, 2011: incoming SSH connections are now accepted only by a few designated CfA and HEA remote access hosts. Staff who wish to SSH into a computer on the CfA network must first connect to one of these designated hosts and then SSH from there to the desired system.

The exception is when connecting from a CF-managed host; in that case SSH connections may still be made directly. Connections from other CfA subnets (e.g., CE, self-managed, etc.) must go through the login server. Note that a connection to a HEA-internal host must pass through the HEA login server, and a connection to a CF-internal host must pass through the CF login server.

The CF has designated login.cfa.harvard.edu (131.142.20.100) as the remote access SSH login host for incoming SSH. Users who have SSHed into login.cfa may then SSH into computers on the CF, CE, SMA, and self-managed internal networks. Additional SSH servers managed by the CF will be announced in the future.

The HEAD Systems Group has posted information on accessing systems within the HEAD network at:
http://hea-www.harvard.edu/HEAD-info/syshelp/web/ssh-faq.html.

Alternatively, users may authenticate by VPN and then establish an SSH connection to any host within the CfA LAN.

Frequently Asked Questions

1. How do I ssh into my self-managed workstation?

Two options:

a. First VPN authenticate, then ssh directly to your workstation.
b. ssh into the login host (login.cfa.harvard.edu for CF-managed and self-managed networks), then ssh to your workstation.

2. What about VNC?

Effective April 18, 2011, all incoming remote VNC connections must be tunneled through ssh. Alternatively, users may first VPN authenticate, then establish a VNC connection. The use of direct incoming VNC, effectively bypassing password authentication, has been prohibited by Smithsonian policy.

3. Will POP or IMAP email be affected?

No.

4. Is rsh open from the ssh login server to internal systems?

No.

5. What about VNC over multiple ssh hops?

For VNC, you'll need two tunnels chained through the login host. A single tunnel from login.cfa straight to the VNC port on your CF machine will not work, because login.cfa is only permitted to make SSH connections to internal computers (see question 8); the second tunnel must therefore be carried inside an SSH session to the CF machine itself.

First, log into your CF machine and start a vncserver if you haven't already:

CFmachine> vncserver :2

(starts a VNC server process on "display" number 2; we support displays 1-10. The rest of this example assumes display 2.)

New 'CFmachine:2 (username)' desktop is CFmachine:2

Then back on your remote machine:

ssh -L 5700:localhost:5701 username@login.cfa.harvard.edu

(login using your login.cfa password)

login> ssh -L 5701:localhost:5902 CFmachine.cfa.harvard.edu

(login using your CF password)

Note the final port number, 5902 above, is 5900 plus the display number of your vncserver. Port 5700 on your remote machine now leads to port 5701 on login.cfa, which in turn leads to port 5902 on CFmachine.

Then, back on your remote machine, you can start the viewer with:

vncviewer localhost::5700

(note the double colon, which tells the viewer that 5700 is a port number rather than a display number)

6. What about X tunnelling over multiple hops? How will that work?

X11 and TCP port forwarding are enabled on the login machine, so to forward X connections:

ssh -X username@login.cfa.harvard.edu (using your login password)

then from there:

ssh -Y finaldestination (using your CF password)

X applications will display on your remote machine (assuming you have an X server running there). Note that -X requests untrusted X11 forwarding for the first hop and -Y trusted forwarding for the second; the X traffic is relayed through the login host by the chained sessions.

7. Will I be able to use my CF Unix password on login.cfa (131.142.20.100)?

Users will be given a distinct password for login.cfa.harvard.edu. We expect users to maintain a different password on this computer from their CF Unix password. The Smithsonian's 90-day password expiration policy will be enforced on the SSH login host.

8. Will I be able to use login.cfa.harvard.edu to access files on internal computers, run code, run a web browser, etc.?

No. Login.cfa.harvard.edu will be set up to provide an ssh hop into internal computers. Users will be given only minimal space on login.cfa to create .cshrc, .login, or other environment files.

Access from login.cfa to internal CfA computers will be limited to ssh. No other access will be possible (e.g. access to user mail files or access to the CF POP or IMAP servers). User cron jobs will not be enabled on the SSH server.

Users will not be able to run code on login.cfa. Compilers will not be available, nor may they be installed on the computer. User filesystems from internal production computers, including CF Unix home and data directories, will not be mounted on login.cfa.

SSH tunnels into internal computers will be allowed in cases where they are currently allowed.

9. How do I copy files using SCP/SFTP?

To set up a tunnel to sftp/scp from your remote machine to an internal CF machine:

From your machine:

ssh -N -f -L 2200:finaldestination:22 username@login.cfa.harvard.edu

(login with your login.cfa username/password)

This sets up a tunnel from port 2200 on your local machine, through login.cfa, to the ssh (and scp/sftp) port on the internal machine "finaldestination." The "-N" option tells ssh not to run a remote command (the session exists only to carry the tunnel), and "-f" sends the ssh process on your local machine to the background once you have authenticated, returning you to your local prompt.

Then you can run "sftp -o Port=2200 username@localhost", or any sftp client using "localhost" as the hostname and 2200 as the port number, log in using your CF password, and transfer files. Note that ssh sees the tunnelled host as localhost port 2200, so it records finaldestination's host key in your known_hosts file under "[localhost]:2200"; if you later reuse port 2200 to reach a different internal machine, expect a host key mismatch warning. Using a separate local port for each internal host avoids this.
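The two procedures above (the chained VNC tunnel in question 5 and the sftp tunnel in question 9) can each be done with one command on an OpenSSH that supports ProxyJump (-J), using the TCP forwarding the login host already enables (question 6). The script below is an added example, not code from the CfA page or from the CF or HEAD groups. It assumes OpenSSH 7.3 or newer on your remote machine, the same username on login.cfa and on the internal host (the page says only that the passwords differ), and that login.cfa may open TCP port 22 to the internal host, which is the access the page says it permits. The host name CFmachine, the display range 1-10 and the local port 5700 are taken from the page; the script name, the variable names and the DRY_RUN switch are illustrative.

```shell
#!/bin/sh
# cfa_hop.sh: single-command tunnels through the CfA SSH login host.
# Added example, not from the CfA page. Assumptions: OpenSSH 7.3 or newer on
# your remote machine (for ProxyJump/-J), the same username on login.cfa and
# the internal host, and that login.cfa may open TCP/22 to internal hosts,
# which the page says is the only access it permits. CFmachine is a placeholder.
set -u

LOGIN_HOST="${LOGIN_HOST:-login.cfa.harvard.edu}"   # designated incoming SSH hop
LOCAL_VNC_PORT="${LOCAL_VNC_PORT:-5700}"             # local end of the VNC tunnel

# vnc_port DISPLAY: print the TCP port a vncserver on DISPLAY listens on
# (5900 + DISPLAY). Fails unless DISPLAY is one of the supported 1..10.
vnc_port() {
    case "${1:-}" in
        ''|*[!0-9]*) echo "vnc_port: display must be a number" >&2; return 1 ;;
    esac
    if [ "$1" -lt 1 ] || [ "$1" -gt 10 ]; then
        echo "vnc_port: display must be between 1 and 10" >&2; return 1
    fi
    echo $((5900 + $1))
}

# hop_tunnel USER HOST LOCALPORT REMOTEPORT: background one ssh process that
# forwards LOCALPORT on this machine to REMOTEPORT on HOST's loopback. The
# session to HOST is jump-hosted through LOGIN_HOST, so the forwarded bytes are
# encrypted end to end and are never in the clear on the login host.
# ExitOnForwardFailure makes ssh exit (instead of lingering) if LOCALPORT is
# already taken. Set DRY_RUN=1 to print the command instead of running it.
hop_tunnel() {
    ${DRY_RUN:+echo} ssh -N -f -o ExitOnForwardFailure=yes \
        -J "$1@$LOGIN_HOST" -L "$3:localhost:$4" "$1@$2"
}

usage() {
    echo "usage: $0 vnc USER CFMACHINE DISPLAY | sftp USER CFMACHINE" >&2
    exit 2
}

main() {
    case "${1:-}" in
        vnc)   # two hops, one command: replaces the page's pair of -L sessions
            [ $# -eq 4 ] || usage
            port=$(vnc_port "$4") || exit 1
            hop_tunnel "$2" "$3" "$LOCAL_VNC_PORT" "$port" &&
                ${DRY_RUN:+echo} vncviewer "localhost::$LOCAL_VNC_PORT"
            ;;
        sftp)  # no local port needed: sftp accepts the same ProxyJump option
               # and checks the internal host's key under its real name
            [ $# -eq 3 ] || usage
            ${DRY_RUN:+echo} sftp -o ProxyJump="$2@$LOGIN_HOST" "$2@$3"
            ;;
        *) usage ;;
    esac
}

# Only dispatch when invoked with arguments, so the file can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as `sh cfa_hop.sh vnc username CFmachine.cfa.harvard.edu 2` (you are prompted first for your login.cfa password, then for your CF password) or `sh cfa_hop.sh sftp username finaldestination`. Because the SSH session to the internal host is negotiated end to end and the login host only relays its bytes, the VNC or file-transfer traffic is not decrypted on login.cfa, and the internal host's key is verified under its own name rather than under [localhost]:PORT. The same -J option works for the X11 case in question 6 (ssh -Y -J username@login.cfa.harvard.edu CFmachine), and where your vncserver supports the -localhost option, starting it with that option keeps the display reachable only through the tunnel.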

 
 
