Access to NIKHEF services from outside

Content

General info.
SSH login, file transfer and port forwarding from Unix clients.
SSH login, file transfer and port forwarding from Windows clients.
SSH login and file transfer from Macintosh clients.
Relevant links.

General info

Before you access the NIKHEF network from outside, take note of the following information.

Access to the computer and network services in the nikhef.nl domain is restricted to applications that communicate via the secure protocol SSL. This protocol ensures that data is encrypted before it is transported over the network and decrypted when it is delivered at the other side. This encryption is extremely important when sensitive information such as passwords is transported over a network.

Be aware that your home computer which is connected via your Internet Service Provider is considered to be outside the NIKHEF network, just like a computer at CERN or a computer in an internet cafe.

Direct access from outside to the login and file transfer services in the nikhef.nl domain is restricted to:

Other services that are available in the nikhef.nl domain can be accessed directly or indirectly using the port forwarding mechanism in SSH which basically 'tunnels' a connection through a secure SSH connection to the login server.

An example of a directly accessible service is the IMAPS service on the imap server imap.nikhef.nl.

Examples of indirectly accessible services are SMTP port forwarding to the NIKHEF mail server, and SFTP port forwarding and X-tunneling to desktop systems that are not directly accessible from outside. Configuration examples are presented for Unix and for Windows SSH clients.


SSH login, file transfer and port forwarding from Unix clients.

Use the command

(click on one of the commands above for detailed information from the manual pages).

You have to set up port forwarding or tunneling if you want access from outside to machines other than 'login.nikhef.nl' and 'beuk.nikhef.nl', or to other services in the 'nikhef.nl' domain. The following steps are required:

  1. Start a login session to 'login.nikhef.nl' with the proper arguments to set up a tunnel for port forwarding.
  2. Start an application (another SSH client or a mail client, etc) that is able to use the tunnel configured in step 1.

Example 1: File transfer with the local disk of your Linux desktop.

If you want to copy files from/to the local disk of your Linux desktop in the 'nikhef.nl' domain, you have to set up a tunnel in the login session to 'login.nikhef.nl' (step 1):

$ ssh -N -f -L1234:mydesktop.nikhef.nl:22 user@login.nikhef.nl

After entering your password the process will open the tunnel and run in the background until you kill the process. Notice that the port number (in this example '1234') can be an arbitrary number above 1024.

Now you can copy a file from the disk of your NIKHEF desktop to your current directory (step 2):

$ scp -P1234 user@localhost:/localstore/sam/myfile.gz .

The -P option forces scp to use port number '1234' instead of the default port number '22'. If your 'user' account on your NIKHEF desktop is the same as the 'user' account in step 1, you can omit 'user' here.

If you want to set up more tunnels at the same time, you should assign different port numbers to each channel.
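
The two steps of Example 1 wrapped in a small script, as an added example that is not part of the original NIKHEF page: it binds the tunnel to the loopback address, refuses to background a tunnel whose forward failed, checks the desktop's host key under its real name, and closes the tunnel through a control socket instead of 'kill'. NIKHEF_USER, SOCK and DRY_RUN are names assumed for this example; the ssh and scp options are standard OpenSSH options.

```shell
#!/bin/sh
# Added example, not NIKHEF's own script. NIKHEF_USER, SOCK and DRY_RUN are
# assumptions of this sketch; the host names are the ones used on this page.
GATEWAY="login.nikhef.nl"
NIKHEF_USER="${NIKHEF_USER:-user}"
SOCK="${SOCK:-$HOME/.ssh/nikhef-tunnel.sock}"

# Print the command instead of running it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# The page asks for a local port above 1024; 65535 is the TCP maximum.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -gt 1024 ] && [ "$1" -le 65535 ]
}

# Step 1: open_tunnel LOCAL_PORT TARGET_HOST TARGET_PORT
open_tunnel() {
    valid_port "$1" || { echo "bad local port: $1" >&2; return 2; }
    # 127.0.0.1: keeps the listener off other network interfaces.
    # ExitOnForwardFailure: fail instead of backgrounding a dead tunnel.
    # -M -S: control socket, so the tunnel can be closed without 'kill'.
    run ssh -f -N -M -S "$SOCK" -o ExitOnForwardFailure=yes \
        -L "127.0.0.1:$1:$2:$3" "$NIKHEF_USER@$GATEWAY"
}

# Step 2: fetch LOCAL_PORT TARGET_HOST REMOTE_PATH [DEST]
fetch() {
    valid_port "$1" || { echo "bad local port: $1" >&2; return 2; }
    # HostKeyAlias: look up the host key under the desktop's real name
    # rather than under "[localhost]:PORT".
    run scp -P "$1" -o "HostKeyAlias=$2" \
        "$NIKHEF_USER@localhost:$3" "${4:-.}"
}

# Close the tunnel opened by open_tunnel.
close_tunnel() {
    run ssh -S "$SOCK" -O exit "$NIKHEF_USER@$GATEWAY"
}
```

Source the file, then run 'open_tunnel 1234 mydesktop.nikhef.nl 22', 'fetch 1234 mydesktop.nikhef.nl /localstore/sam/myfile.gz' and 'close_tunnel'. Setting DRY_RUN=1 first prints the commands without connecting.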

Example 2: mirroring directories.

You can 'mirror' your disk or parts of your disk with the 'rsync' command. This command compares the file attributes on the local disk and the remote disk and only changed files will be copied. The following command mirrors a remote directory to your local directory (requires step 1 from the previous example to set up the tunnel):

$ rsync -av -e "ssh -p 1234" localhost:/localstore/sam .

Example 3: X11 applications on your desktop.

Execute the 'ssh -X' command in case you want to run X11 applications on a remote computer and use your local system as an X11 server. A tunnel will be created for secure transport of the X11 protocol. Two steps are required in case you want to run X11 applications on your desktop at NIKHEF (which is blocked for external access):

[local] $ ssh -X login.nikhef.nl
[eomer] $ ssh -X mydesktop ('eomer' is the host name of 'login.nikhef.nl')

Check the X11 tunneling as follows:

$ echo $DISPLAY
localhost:10.0
$ xclock
(the xclock graphics application should appear).

Using rdesktop with SSH tunneling.

'rdesktop' is the client side of the remote desktop application of MS Windows. It enables login to a Windows terminal server and access to Windows applications. Version 1.3.x (or higher) must be installed on your Linux system. The Windows terminal server at NIKHEF, 'windows.nikhef.nl', is not directly accessible from outside; you have to set up a secure SSH tunnel via a login into login.nikhef.nl (step 1):

$ ssh -N -f -L3389:windows.nikhef.nl:3389 user@login.nikhef.nl

The port number '3389' is not an arbitrary number in this case but the default port number for the rdesktop service. The 'user' in this command line is your NIKHEF user account.
Next you can start the client application 'rdesktop' (step 2):

$ rdesktop localhost

As a result, a window should pop up with the login screen of 'windows.nikhef.nl'.


SSH login, file transfer and port forwarding from Windows clients.

A client SSH application has to be installed on your Windows system before you can start SSH and SFTP sessions.

General configuration of the SSH Secure Shell client.

You can configure all parameters for the SSH sessions using the 'profile editor' from the 'Profiles' menu. We recommend saving your profiles with the configuration settings for later use.

You have to set up port forwarding or tunneling if you want access from outside to machines other than 'login.nikhef.nl' and 'beuk.nikhef.nl', or to other services in the 'nikhef.nl' domain. The following steps are required:

  1. Configure the secure channels for the port forwarding in the profile of a login session to login.nikhef.nl.
  2. Start this login session.
  3. Start an application (another SSH client or a mail client, etc) that is able to use the tunnel configured in step 1.

Examples of how to configure tunnels in your login session and how to configure the client application are presented below.

Example 1: File transfer with the local disk of your Linux desktop.

If you want to copy files from/to the local disk of your Linux desktop in the 'nikhef.nl' domain, you have to set up a tunnel in the login session to 'login.nikhef.nl' (this is step 1, needed only once if you do a save profile):

Start a login session with the configured profile, 'nikhef' in our example (step 2).

You are now ready for step 3: configure and start the client application with the file transfer session to your desktop. In this example you can simply start a new SSH session using the 'Quick Connect' button in the login session you started in the previous steps. In the 'Connect to remote host' dialogue box enter 'localhost' as 'Host Name' and enter your NIKHEF account name as 'User Name'. Now you have to remember the arbitrary port number you have chosen for the tunnel (in our example '1234') and enter this number as 'Port Number'. To finish, click connect and enter your password. If both SSH sessions are properly configured, you will now have a login session to your own desktop, and after starting a 'New File Transfer' from the 'Windows' menu, you will have access to the files on the disk of your desktop. Of course you can save the profile of this session for future use. With the 'Save Layout' command from the 'File' menu, you can save the layout of the session (login and file transfer window) as well.
Hint: select 'Show root directory' in the global settings for file transfers; this enables access to all files of the remote disk.

Example 2: File transfer from/to a Windows client.

'login' is the only server available for file exchange with an external client. Perform the following steps to set up a file transfer session to 'login':

Example 3: X11 applications on your desktop.

If you want to run X11 applications on your desktop at NIKHEF and use your external system as an X11 server, simply select the 'Tunnel X11 connections' option in the profile of the SSH session to login.nikhef.nl from the previous example and in the profile of the session to 'mydesktop.nikhef.nl'. Refer to the picture above to locate the 'Tunnel X11 connections' option.

Example 4: Send e-mail via the NIKHEF mail server.

If you are outside NIKHEF and you want to make use of the NIKHEF SMTP mail server to send e-mails, you can configure a secure tunnel to forward the SMTP port (number 25) to 'login.nikhef.nl'. Refer to the first example (step 1 and step 2) for how to do this. Refer to the figure in this example for the parameters of the 'smtp' tunnel. In step 3 you have to configure your mail client in such a way that it knows about the tunnel: enter 'localhost' in the 'SMTP server' field. How to do this depends on which mail client you use and is not explained here.

SSH login and file transfer from Macintosh clients.

Refer to http://www.macssh.com for Macintosh OS 9 client software.
Macintosh OS X clients are already included in the operating system; use the terminal application.
A GUI sftp client, fugu, is available from the University of Michigan.

Relevant links

SSH at CERN (useful info on SSH/SFTP usage and configuration)
Remote login to DESY (starts SSH session via browser)
about this document: Last modified: Monday, 08 October 2007 @ 15:56:28
This file is located at http://www.nikhef.nl/pub/computing/NetSecure.php