Introduction
This "Remote Access" chapter describes how to reach a managed client, or your data inside the D-ITET networks, from the self-managed client network or from devices outside the ETH network. It covers the following topics:
- mailbox access
- remote terminal session
- remote desktop session
- file transfer
- network file system access
Which "Remote Access" solutions are available depends on the protocols the firewall permits between the remote access client and the target network. From the firewall's point of view the network consists of 5 logical zones:
- itet-isg ( ISG managed servers and clients )
- itet-staff ( selfmanaged clients )
- itet-iot ( internet of things devices )
- vpn network ( access through the ID VPN service )
- internet ( all networks outside ETH intranet )
An ITET zone consists of multiple IP networks. Inside an ITET zone there is full connectivity between the IP networks, no protocols are blocked.
Here is a table with the relevant protocols for remote access:

protocol  | protocol long                                       | usage
----------|-----------------------------------------------------|------------------------------------------
ICMP      | Internet Control Message Protocol                   | protocol used by the ping connection test
SSH       | Secure Shell                                        | encrypted remote terminal session
HTTP/[S]  | [Secure] Hypertext Transfer Protocol                | web server access protocol
RDP       | Remote Desktop Protocol                             | remote desktop sessions on Windows targets
VNC       | Virtual Network Computing                           | remote desktop sessions on Linux targets
SMB/CIFS  | Server Message Block / Common Internet File System  | Microsoft network file sharing protocol
NFS       | Network File System                                 | Unix/Linux network file sharing protocol
IMAP      | Internet Message Access Protocol                    | access to mailboxes on the server
SMTP      | Simple Mail Transfer Protocol                       | sending messages to the server
The following table shows the available protocols depending on the source and target network (yes = enabled, no = blocked, partial = enabled for some hosts only; a blank cell is not recorded on this page):

source -> target          | ICMP | SSH | HTTP/HTTPS | RDP | VNC | SMB/CIFS | NFS *1) | IMAP/SMTP
--------------------------|------|-----|------------|-----|-----|----------|---------|------------
internet -> itet-isg      | yes  | no  | no         | no  | no  | no       | no      | partial *2)
internet -> itet-staff    |      |     |            |     |     |          | no      |
vpn network -> itet-isg   |      |     |            |     |     |          | no      |
vpn network -> itet-staff |      |     |            |     |     |          | no      |
itet-staff -> itet-isg    |      |     |            |     |     |          | no      |
itet-isg -> itet-staff    |      |     |            |     |     |          | no      |

*1) NFS access from unmanaged clients is not allowed for security reasons; NFS is enabled neither between the internal zones nor to the internet.
*2) These protocols are only enabled for the servers involved in the D-ITET mail system.
Individual servers such as login.ee.ethz.ch (SSH) and email.ee.ethz.ch (HTTPS) are reachable from the internet as described in the sections below.
From the zones itet-isg and itet-staff to the internet the IP transport protocols UDP and TCP are generally enabled: every machine inside can initiate a connection to an arbitrary server port on the internet.
Mailbox Access
Web Access (Roundcube)
You can access your inbox and your mail folders with a web browser on any client with internet connectivity. Our web server with the Roundcube software can be reached under https://email.ee.ethz.ch .
IMAP/SMTP Access
You can also access your mail with any IMAP/SMTP based mail client software (Thunderbird, Outlook, smartphone mail programs, Windows 10 Mail, etc.) over the internet. IMAP/SMTP access to our mail servers is enabled for the internet. Detailed information is available in this Wiki under https://computing.ee.ethz.ch/Email .
SSH Remote Terminal Session
In the Unix/Linux world a remote terminal session is still widely used. The old, unencrypted telnet has been replaced by the encrypted shell "ssh", which is secure enough to be enabled for the internet. You will need an ssh client. Under Linux and macOS the program is simply called ssh and is usually part of the basic installation of the operating system. Under MS Windows, use a third-party program such as XWin32, PuTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty) or the Cygwin ssh client (these have to be installed separately); recent Windows 10 releases also ship Microsoft's port of the OpenSSH client (ssh.exe) as an optional feature.
- On an ETH-internal client you can simply enter ssh <account>@<targethostname>.ee.ethz.ch. After a successful login, a remote terminal session is established on the selected target host. If you omit <account>@ in the ssh command line, your shell's current login name is used.
- To connect to an ssh service from an ETH-external client, either install and activate the VPN client software on that computer and then proceed as if the client were an ETH-internal computer (see above), or establish a "direct" connection (without VPN client) to the target host through our login server login.ee.ethz.ch, which acts as a jump host. For the latter, use the following command line (example for the Linux built-in ssh application):
  ssh -o ProxyJump=<account>@login.ee.ethz.ch <account>@<targethostname>.ee.ethz.ch
  The short form ssh -J <account>@login.ee.ethz.ch <account>@<targethostname>.ee.ethz.ch is equivalent; both need OpenSSH 7.3 or newer. The jump host only forwards the TCP connection: the session to the target is encrypted end to end, and ssh verifies the host keys of both login.ee.ethz.ch and the target host, so you will be asked to confirm both on first use.
For a key-based ssh login see https://computing.ee.ethz.ch/FAQ/SSHkeys .
SSH details
The ssh protocol has some integrated features like
- X11 forwarding
- encrypted file transfer (scp/sftp)
- ssh tunneling (port forwarding)
With these features ssh also offers solutions to additional tasks which are covered in the following chapters.
As a default entry point you can use the host login.ee.ethz.ch. Use this host only as a starting point and do not run heavy processes on it (e.g. do not use Matlab on this machine!).
If you are not sure whether you are connecting to the right server, you can check its host key here: https://computing.ee.ethz.ch/SshFingerprints. That page lists the host key fingerprints of the machines we manage, so you can verify that the key presented by the server you are connecting to is the one we installed. Compare the fingerprint ssh shows on the first connection (or in a "REMOTE HOST IDENTIFICATION HAS CHANGED" warning) against that list before entering your password; a mismatch means you are talking to a different machine.
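The two checks described above, verifying the host key of login.ee.ethz.ch and of the target behind it when using ProxyJump, and comparing against the fingerprints published on https://computing.ee.ethz.ch/SshFingerprints, can be scripted. The following Python program is an added example written for this page; it is not code from the original wiki or from ISG. It reproduces the fingerprint encodings printed by ssh-keygen -lf (SHA256, and the legacy MD5 form) for a key line as produced by ssh-keyscan or found in ~/.ssh/known_hosts, and accepts the key only if its declared type, its wire-format type and its SHA256 fingerprint all match the published value. It assumes the fingerprint page publishes values in that ssh-keygen format; the host key used below is constructed for the demo and is not a real D-ITET key.

```python
"""Check an SSH host key line against a fingerprint copied from a trusted page.

Added example for this wiki page, not ISG tooling. The demo key is constructed
and is NOT a real D-ITET host key.
"""
import base64
import hashlib
import hmac
import struct


def parse_key_line(line: str):
    """Parse a line in ssh-keyscan / known_hosts / authorized_keys format.

    Returns (hosts, key_type, blob): hosts is None when the line carries no
    leading host field; blob is the raw wire-format public key.
    """
    fields = line.split()
    if len(fields) < 2 or fields[0].startswith("#"):
        raise ValueError("not a public key line")
    if fields[0].startswith(("ssh-", "ecdsa-", "sk-")):
        hosts, key_type, b64 = None, fields[0], fields[1]
    elif len(fields) >= 3:
        hosts, key_type, b64 = fields[0].split(","), fields[1], fields[2]
    else:
        raise ValueError("not a public key line")
    return hosts, key_type, base64.b64decode(b64, validate=True)


def wire_type(blob: bytes) -> str:
    """The blob starts with a length-prefixed string naming the key type."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")


def sha256_fingerprint(blob: bytes) -> str:
    """Encoding used by `ssh-keygen -lf -E sha256`: base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def md5_fingerprint(blob: bytes) -> str:
    """Legacy encoding `ssh-keygen -lf -E md5`: colon-separated hex bytes."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def verify_key_line(line: str, expected: dict) -> bool:
    """True only if the declared and wire key types agree, the type is listed in
    `expected` (key type -> SHA256 fingerprint copied from the trusted page) and
    the fingerprint matches. Any parse error counts as a mismatch."""
    try:
        _, key_type, blob = parse_key_line(line)
        if wire_type(blob) != key_type:
            return False
    except (ValueError, struct.error, UnicodeDecodeError):
        return False
    want = expected.get(key_type)
    if want is None:
        return False
    return hmac.compare_digest(sha256_fingerprint(blob), want)


def make_ed25519_line(host: str, pubkey: bytes) -> str:
    """Build a known_hosts-style line from a raw 32-byte Ed25519 public key.
    Only used to construct demo input; ssh-keyscan gives you real lines."""
    blob = (struct.pack(">I", len(b"ssh-ed25519")) + b"ssh-ed25519"
            + struct.pack(">I", len(pubkey)) + pubkey)
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode('ascii')}"


# Constructed demo data: a fake host key, the fingerprint "published" for it,
# and a second key standing in for an impostor presenting a different key.
DEMO_LINE = make_ed25519_line("login.ee.ethz.ch", bytes(range(32)))
PUBLISHED = {"ssh-ed25519": sha256_fingerprint(parse_key_line(DEMO_LINE)[2])}
TAMPERED_LINE = make_ed25519_line("login.ee.ethz.ch", bytes(range(1, 33)))

if __name__ == "__main__":
    for label, line in (("published", DEMO_LINE), ("impostor", TAMPERED_LINE)):
        _, ktype, blob = parse_key_line(line)
        print(label, ktype, sha256_fingerprint(blob), md5_fingerprint(blob),
              "OK" if verify_key_line(line, PUBLISHED) else "MISMATCH")
```

In practice you would feed it a line from ssh-keyscan -t ed25519 login.ee.ethz.ch (or the matching entry from ~/.ssh/known_hosts). ssh-keyscan output is itself unauthenticated, which is exactly why the expected fingerprint must be copied from the HTTPS wiki page and never derived from the scan; the wire-type check closes the small loophole of a line whose declared type does not match the key material inside.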
Remote Desktop Session
Windows RDP
The Microsoft Remote Desktop Protocol is the remote desktop solution in the Windows world. An RDP server component is integrated in the professional and server editions of Microsoft Windows and the protocol is widely used for terminal server access. RDP client software (rdesktop, xfreerdp, ...) is also available for Linux, so it's no problem to get a Windows remote desktop on a Linux client. Here are sample commands for rdesktop and xfreerdp:
> rdesktop -u d\\pmuster -k de-ch -g 1280x1024 vega7.ee.ethz.ch
> xfreerdp [-sec-nla] [/cert-ignore] /size:1920x1100 /u:pmuster /d:d /v:vega7.ee.ethz.ch
The parameters in [ ] are optional and whether they are needed depends on the configuration settings of the terminal server. Be aware of what they switch off: /cert-ignore skips verification of the server's TLS certificate and -sec-nla disables Network Level Authentication, so with both set a machine impersonating vega7.ee.ethz.ch could collect your password. Use them only for servers whose configuration really requires it.
On windows machines you can start the RDP client with mstsc.exe .
VNC
VNC is the preferred solution for remote desktop sessions on linux machines. A detailed description of the usage of VNC is in the FAQ (https://computing.ee.ethz.ch/FAQ/VNCUsage).
File Transfer
Http download
An HTTP download is a simple solution to transfer a data file to an external user. On the client side no additional software is needed, a web browser is sufficient.
Here are the sample commands to provide a data file for download, protected by a required login, in your personal web page:
> mkdir /home/pmuster/public_html/transfer
> cp /scratch/pmuster/datafile /home/pmuster/public_html/transfer/
> htpasswd -c /home/pmuster/public_html/.htpasswd download
(htpasswd -c creates the password file and overwrites an existing one; leave out -c to add a user to an existing file.) Create a file .htaccess in the download folder /home/pmuster/public_html/transfer with the content:
AuthUserFile "/home/pmuster/public_html/.htpasswd"
AuthName "Downloads"
AuthType Basic
Require user download
Under the address http://people.ee.ethz.ch/~pmuster/transfer the file can now be downloaded with the user download and the password set with the htpasswd command. Note that HTTP Basic authentication sends the password only base64-encoded, not encrypted, so hand out the https:// form of the address if the web server offers it.
Linux scp
Between two Unix/Linux machines you can transfer a file with the ssh-integrated secure copy scp (or the interactive sftp client, which speaks the SFTP subprotocol). The command is:
ubuntu@home> scp <path-to-datafile> <user>@<dns hostname>:<path-to-target directory>
With the command
ubuntu@home> scp document.pdf pmuster@login.ee.ethz.ch:Documents/
the file document.pdf on your Linux machine is copied into the Documents subdirectory of your home at D-ITET. From an ETH-external client without VPN, scp accepts the same jump-host option as ssh for targets behind the login server, e.g. scp -o ProxyJump=pmuster@login.ee.ethz.ch document.pdf pmuster@<targethostname>.ee.ethz.ch:Documents/ .
Windows WinSCP/Filezilla
Older Windows releases have no ssh integrated, so you must use additional software. The popular programs WinSCP (https://winscp.net) and FileZilla (https://filezilla-project.org) are the preferred choice. FileZilla is also available for the Linux platform and is already installed on our managed Linux clients.
ID polybox - Own Cloud Storage
ID provides 50 GB of storage to every ETH member (https://www1.ethz.ch/id/services/list/polybox/index_EN). The polybox client software is available for different platforms and synchronizes a local folder on the client with the ownCloud server storage. If the client software is installed on two machines you can therefore transfer data between them with the polybox client.
Cifex
ID also offers a service named Cifex (https://cifex.ethz.ch/) for the exchange of large files which cannot be sent by mail. The mail size limit depends on the provider, but normally files larger than 50-100 MByte cannot be sent by mail. Cifex is a good solution for sporadic transfers of large data files to a site where no n-ethz account can be used.
Network File System Access
NFS access
Because NFS is enabled neither between the internal networks nor to the internet, it plays no role in remote access solutions. NFS is only used by ISG managed Linux clients to access user and project homes on servers and dedicated storage systems of ID and ITET via automount tables.
SMB/CIFS access
This Microsoft network file sharing protocol has user-based authentication and is therefore the main way to access data resources, not only on Windows file servers: Linux/Unix servers also provide SMB/CIFS access through the Samba software suite, an implementation of the Windows file sharing protocol for Linux/Unix file servers.
More information on how to access your data can be found under: