#rev 2020-09-10 bonaccos

== Introduction ==

The article ''Remote Access'' shows you possible ways to remotely access a managed client or your data inside the D-ITET networks from the selfmanaged client network or from devices outside the ETH network. It covers the following topics:

 * mailbox access
 * remote terminal session
 * remote desktop session
 * file transfer
 * network file system access

=== Remote access and network restrictions ===

Remote access possibilities depend on the firewall restrictions between the remote client and the target network. The networks are segmented into virtual private zones (VPZ). Each of these zones corresponds to a certain network security level profile and contains one or more subnets protected by the appropriate zone firewall. Traffic between subnets belonging to the same VPZ does not pass the zone firewall, and thus there are no traffic flow restrictions (no subnets or service ports blocked).

The relevant VPZs for D-ITET are:

 * '''itet-isg''' (ISG D-ITET managed servers and clients)
 * '''itet-staff''' (selfmanaged clients; most often these are selfmanaged laptops)
 * '''itet-iot''' (Internet of Things; small unmanaged devices, often lacking a possibility to configure them in a secure way)
 * '''VPN zones''' (public VPN zones like "guest", "student-net", "staff-net"; you are assigned to this zone by default when you connect to the ETH network using the VPN client. An exception is if a realm to enter a specific private VPZ is configured in the VPN client. The latter is only enabled in exceptional cases; contact ISG D-ITET for details.)
 * '''Internet''' (this is not a real VPZ, but it describes all networks outside of the ETHZ intranet)

=== Enabled remote access protocols ===

The following table shows the protocols relevant for remote access:

|| '''protocol''' || '''protocol long''' || '''usage''' ||
|| ICMP || Internet Control Message Protocol || protocol used by the ping connection test ||
|| SSH || Secure Shell || encrypted remote terminal session ||
|| HTTP/ HTTPS || [Secure] Hypertext Transfer Protocol || web server access protocol ||
|| RDP || Remote Desktop Protocol || remote desktop sessions on Windows targets ||
|| VNC || Virtual Network Computing || remote desktop sessions on Linux targets ||
|| SMB/ CIFS || Server Message Block/ Common Internet File System || Microsoft network file sharing protocol ||
|| NFS || Network File System || Linux network file sharing protocol ||
|| IMAP || Internet Message Access Protocol || access to mailboxes on the server ||
|| SMTP || Simple Mail Transfer Protocol || sending messages to the server ||

=== Remote access map of allowed traffic ===

The following table shows the allowed traffic flows for the remote access related services:

|| Client source network -> Remote destination network || ICMP || SSH || HTTP/ HTTPS || RDP || VNC || SMB/ CIFS || NFS¹ || IMAP/ SMTP ||
|| internet -> itet-isg || (./) || {X} || {X} || {X} || {X} || {X} || {X} || ( (./) )² ||
|| internet -> itet-staff || (./) || {X} || {X} || {X} || {X} || {X} || {X} || {X} ||
|| vpn network -> itet-isg || (./) || (./) || (./) || (./) || (./) || (./) || {X} || (./) ||
|| vpn network -> itet-staff || (./) || (./) || (./) || (./) || (./) || (./) || {X} || (./) ||
|| itet-staff -> itet-isg || (./) || (./) || (./) || (./) || (./) || (./) || {X} || (./) ||
|| itet-isg -> itet-staff || (./) || (./) || (./) || (./) || (./) || (./) || {X} || (./) ||

 * ¹ NFS access from unmanaged clients is not allowed for security reasons.
 * ² These protocols are only enabled for the servers involved in the D-ITET mail system.

From the zones itet-isg and itet-staff to the internet the IP transport protocols TCP/ UDP are generally enabled: every machine inside can initiate a connection to an arbitrary server port in the internet.

== Mailbox Access ==

=== Web Access (Roundcube) ===

You can access your inbox and your mail folders with a web browser on any client with internet connectivity. Our web server running the Roundcube software can be reached at https://email.ee.ethz.ch.

=== IMAP/ SMTP Access ===

You can also access your mail with any IMAP/ SMTP based mail client (Thunderbird, Outlook, smartphone mail apps, Windows 10 Mail, ...) over the internet. IMAP/ SMTP access to our mail servers is enabled for the internet. Detailed information is available in [[Email|the Email overview page]].

== SSH - remote terminal session ==

In the Linux world remote terminals are widely used. The secure shell `ssh` allows secure (i.e. encrypted) remote terminal sessions. To establish such a session you need an SSH client application. Under Linux and Mac OS X the program is called `ssh` and is usually provided by the basic installation of the operating system. Under MS Windows a third-party application like PuTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty), X-Win32, or the Cygwin SSH client must be installed separately.

=== Establishing a remote terminal session ===

==== From ETH internal ====

On an ETH-internal client you can simply enter

{{{#!highlight bash numbers=disable
ssh <username>@<hostname>.ee.ethz.ch
}}}

After a successful login, a remote terminal session is established on the selected target host. If you omit `<username>@` in the ssh command line, your current login username is used.
==== From ETH external ====

There are two possibilities:

 * To connect to an SSH service from an ETH-external client, install and activate the [[Workstations/Network/VPN|VPN]] client software on that computer and then proceed as if the client were an ETH-internal computer (see above). Using ''fully qualified hostnames'' (e.g. `ssh hostname.ee.ethz.ch` instead of just `ssh hostname`) allows you to access the target ETH server from anywhere (using the VPN client or the method described in the next paragraph), especially from selfmanaged/ private computers that are not in the ''ee.ethz.ch'' subdomain.
 * Alternatively, for ETH-external clients, one may establish a "direct" connection (without VPN client) to the target host via our login server `login.ee.ethz.ch`. For the latter, use the following command line (example for the Linux built-in ''ssh'' application):
 {{{#!highlight bash numbers=disable
ssh -o ProxyJump=<username>@login.ee.ethz.ch <username>@<hostname>.ee.ethz.ch
}}}
 For transparent access you can add something similar to the following to your client SSH configuration:
 {{{
Host login.ee.ethz.ch
    User <username>
    PreferredAuthentications publickey

Host *.ee.ethz.ch !login.ee.ethz.ch
    User <username>
    ProxyJump login.ee.ethz.ch
    PreferredAuthentications publickey
}}}
 * If you want to establish a "direct" connection (without VPN client) to the target host via our login server `login.ee.ethz.ch` '''from an ETH-external Windows client''' using '''PuTTY''', read [[WindowsDirectSSHAccess|this]] article.
 * For a key-based ssh login see https://computing.ee.ethz.ch/FAQ/SSHkeys .

=== SSH details ===

The ssh protocol has some integrated features like

 * X11 forwarding (run a Linux GUI application remotely and display its window on the local computer)
 * encrypted file transfer and encrypted remote shell sessions
 * ssh tunnelling (most often used to bypass firewall restrictions)

With these features ssh also offers solutions to additional tasks, which are covered in the following chapters.
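The two `Host` blocks in the configuration above interact through OpenSSH's rule that, for each option, the first value obtained wins, and through the `!login.ee.ethz.ch` exclusion. The following shell script is an added example, not part of this wiki page or of the D-ITET SSH setup: it writes that configuration with a constructed user name `jdoe` to a temporary file and resolves, with a small awk emulation of `Host` matching, which `ProxyJump` the client ends up with for the login host itself, for a constructed target `tardis.ee.ethz.ch`, and for a host outside the domain. It then shows what the login host would get if the exclusion were left out. Only `Host` blocks are emulated (no `Match` or `Include`); the authoritative check with the real client is `ssh -G -F <file> <host>`, which prints the effective configuration.

```shell
#!/bin/sh
# Added example (not from the wiki page): resolve the effective ProxyJump for a host
# under the two-block ssh_config shown above. "jdoe" and "tardis" are placeholders.

# write_config FILE MODE -> writes the page's configuration; MODE "negated" keeps the
# "!login.ee.ethz.ch" exclusion, anything else drops it
write_config() {
    if [ "$2" = "negated" ]; then excl=' !login.ee.ethz.ch'; else excl=''; fi
    cat >"$1" <<EOF
Host login.ee.ethz.ch
    User jdoe
    PreferredAuthentications publickey

Host *.ee.ethz.ch$excl
    User jdoe
    ProxyJump login.ee.ethz.ch
    PreferredAuthentications publickey
EOF
}

# resolve_option FILE HOST OPTION -> prints the value ssh would use (empty if unset).
# Emulates: a block applies when HOST matches one of its patterns and none of its
# negated (!) patterns; for each option the FIRST value seen wins.
resolve_option() {
    awk -v host="$2" -v want="$3" '
    # recursive glob matcher for ssh_config host patterns (* and ?)
    function glob(p, s,    c) {
        if (p == "") return (s == "")
        c = substr(p, 1, 1)
        if (c == "*") return (glob(substr(p, 2), s) || (s != "" && glob(p, substr(s, 2))))
        if (s == "") return 0
        if (c == "?" || c == substr(s, 1, 1)) return glob(substr(p, 2), substr(s, 2))
        return 0
    }
    BEGIN { active = 1; host = tolower(host) }   # options before any Host line apply everywhere
    tolower($1) == "host" {
        pos = 0; neg = 0
        for (i = 2; i <= NF; i++) {
            if (substr($i, 1, 1) == "!") { if (glob(tolower(substr($i, 2)), host)) neg = 1 }
            else if (glob(tolower($i), host)) pos = 1
        }
        active = (pos && !neg)
        next
    }
    active && !found && tolower($1) == tolower(want) { found = 1; print $2 }
    ' "$1"
}

CFG=$(mktemp)
write_config "$CFG" negated
echo "login.ee.ethz.ch  -> ProxyJump '$(resolve_option "$CFG" login.ee.ethz.ch ProxyJump)'"   # '' (connects directly)
echo "tardis.ee.ethz.ch -> ProxyJump '$(resolve_option "$CFG" tardis.ee.ethz.ch ProxyJump)'"  # 'login.ee.ethz.ch'
echo "example.org       -> ProxyJump '$(resolve_option "$CFG" example.org ProxyJump)'"        # '' (no block matches)

# Without the exclusion the login host also matches "*.ee.ethz.ch" and is told to jump
# through itself, a self-referencing jump; the "!login.ee.ethz.ch" pattern prevents that.
LOOP=$(mktemp)
write_config "$LOOP" plain
echo "no exclusion: login.ee.ethz.ch -> ProxyJump '$(resolve_option "$LOOP" login.ee.ethz.ch ProxyJump)'"  # 'login.ee.ethz.ch'
rm -f "$CFG" "$LOOP"
```

The emulation is deliberately small; after editing your real configuration, compare its answer with `ssh -G -F <file> <host> | grep -i proxyjump`, since the real client also honours `Match` blocks, `Include` files and the system-wide `ssh_config`.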
The host `login.ee.ethz.ch` can be used to log in to the D-ITET network from anywhere (all D-ITET users are allowed to log in there). Use this host only as a starting point (i.e. to establish further connections to other D-ITET-internal computers from there), but '''do not execute processes that consume a lot of CPU resources''' (e.g. do not run Matlab/ compute jobs on this machine!).

For advanced users: if you want to make sure that a ''managed ISG D-ITET Linux computer'' you intend to access with `ssh` is in fact the machine you are expecting (and not a modified/ hacked one, e.g. through a man-in-the-middle attack), you can verify its host key. How that works is described on this page: https://computing.ee.ethz.ch/SshFingerprints

== Remote Desktop Session ==

=== Windows Remote Desktop ===

To access your Windows computer remotely, please read [[RDS|Windows Remote Desktop Services]].

=== X11VNC ===

`x11vnc` can be used to connect to a desktop session running on the physical display of a host. Please see the [[https://computing.ee.ethz.ch/FAQ/x11vnc|X11VNC HOWTO]] for further details. In case you have no running session on the physical display and need to log in graphically, please contact [[mailto:support@ee.ethz.ch|support]] and provide the name of the host you need to access.

=== VNC ===

VNC is the preferred solution for remote desktop sessions on Linux machines. Please read the [[RemoteAccess/VNC|VNC article]] for more details.

== File Transfer ==

=== HTTP download ===

HTTP download is a simple way to hand a data file to an external user. On the client side no additional software is needed; a web browser is sufficient.
Here are the sample commands to provide a data file for download, protected by a required authorization, in your personal web page:

{{{#!highlight bash numbers=disable
mkdir /home/<username>/public_html/transfer
cp /scratch/<username>/datafile /home/<username>/public_html/transfer/
htpasswd -s -c /home/<username>/public_html/.htpasswd download
}}}

Create a file `.htaccess` in the download folder `/home/<username>/public_html/transfer` with the content:

{{{
AuthUserFile "/home/<username>/public_html/.htpasswd"
AuthName "Downloads"
AuthType Basic
Require user download
}}}

Under the address `http://people.ee.ethz.ch/~<username>/transfer` the file can now be downloaded with the user `download` and the password set with the `htpasswd` command.

=== Linux scp ===

Between two Linux machines you can transfer a file with the ssh-integrated secure copy (`scp`). The command is:

{{{#!highlight bash numbers=disable
<username>@home> scp <source file> <username>@<hostname>.ee.ethz.ch:<target directory>
}}}

With the command

{{{#!highlight bash numbers=disable
<username>@home> scp document.pdf <username>@login.ee.ethz.ch:/home/<username>/Documents/
}}}

the file `document.pdf` on your Linux machine is copied into the `Documents` subdirectory of your home at D-ITET.

=== Windows WinSCP/ FileZilla ===

Windows has no integrated SSH, so you must use additional software. The popular programs WinSCP (https://winscp.net) and FileZilla (https://filezilla-project.org) are the preferred choice. FileZilla is also available for the Linux platform and is already installed on our managed Linux clients.

=== ID polybox - Own Cloud Storage ===

ID provides 50 GB of storage to every ETH member [[https://www.ethz.ch/services/en/it-services/catalogue/storage/polybox.html]]. The polybox client software is available for different platforms and synchronizes a local storage on the client with the owncloud server storage. If the client software is installed on two machines you can therefore transfer data between the two machines with the polybox/owncloud client.
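For the HTTP download setup in the section above, the following shell script is an added example, not part of this wiki page, that checks an `.htaccess`/`.htpasswd` pair before the link is handed out: it verifies that `AuthType Basic` is set, that the `AuthUserFile` exists and is readable, and that the user named in `Require user` actually has an entry, and it reports which password hash scheme that entry uses (`htpasswd -s` writes unsalted SHA-1 `{SHA}` entries; `htpasswd -B` writes bcrypt `$2y$` entries, the stronger choice for a password that will be passed around by mail). The directory layout and the password entry are constructed in a temporary directory standing in for `/home/<username>/public_html`.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit an .htaccess/.htpasswd pair of the kind
# created in the HTTP download section. All paths and the password entry are constructed.

# hash_scheme ENTRY -> scheme used by one "user:hash" line of an .htpasswd file
hash_scheme() {
    case "${1#*:}" in
        '{SHA}'*)  echo "sha1-unsalted" ;;    # written by htpasswd -s
        '$apr1$'*) echo "apr1-md5" ;;         # written by htpasswd -m (the default)
        '$2y$'*)   echo "bcrypt" ;;           # written by htpasswd -B
        *)         echo "crypt-or-plain" ;;
    esac
}

# write_htaccess FILE USERFILE USER -> the .htaccess from the page, parameterised
write_htaccess() {
    cat >"$1" <<EOF
AuthUserFile "$2"
AuthName "Downloads"
AuthType Basic
Require user $3
EOF
}

# check_htaccess HTACCESS -> prints "OK: ..." and returns 0 when the protection is
# consistent; prints the first problem found and returns 1 otherwise
check_htaccess() {
    ht="$1"
    if ! grep -qi '^[[:space:]]*AuthType[[:space:]]\{1,\}Basic' "$ht"; then
        echo "FAIL: no 'AuthType Basic' in $ht"; return 1
    fi
    userfile=$(sed -n 's/^[[:space:]]*AuthUserFile[[:space:]]*"\{0,1\}\([^"[:space:]]*\).*/\1/p' "$ht")
    if [ -z "$userfile" ] || [ ! -r "$userfile" ]; then
        echo "FAIL: AuthUserFile '$userfile' is missing or unreadable"; return 1
    fi
    user=$(sed -n 's/^[[:space:]]*Require[[:space:]]\{1,\}user[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$ht")
    if [ -z "$user" ]; then
        echo "FAIL: no 'Require user' directive in $ht"; return 1
    fi
    entry=$(grep "^$user:" "$userfile") || {
        echo "FAIL: user '$user' has no entry in $userfile"; return 1
    }
    echo "OK: user '$user' protected with $(hash_scheme "$entry")"
}

# --- demo on a constructed copy of the /home/<username>/public_html layout ---
ROOT=$(mktemp -d)
mkdir -p "$ROOT/public_html/transfer"
# entry in the format "htpasswd -s" produces (constructed, throwaway password)
printf 'download:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=\n' >"$ROOT/public_html/.htpasswd"

write_htaccess "$ROOT/public_html/transfer/.htaccess" "$ROOT/public_html/.htpasswd" download
check_htaccess "$ROOT/public_html/transfer/.htaccess"           # OK: user 'download' protected with sha1-unsalted

# A misspelled user name locks everybody out; the check catches it before the link goes out.
write_htaccess "$ROOT/public_html/transfer/.htaccess" "$ROOT/public_html/.htpasswd" downloads
check_htaccess "$ROOT/public_html/transfer/.htaccess" || true   # FAIL: user 'downloads' has no entry in ...
rm -rf "$ROOT"
```

Run it against the real files as `check_htaccess /home/<username>/public_html/transfer/.htaccess`; a `sha1-unsalted` report means the password was stored with `htpasswd -s` as on the page, and re-running `htpasswd -B` on the same file upgrades that entry to bcrypt without touching the `.htaccess`.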
=== SWITCHfilesender ===

SWITCH offers a service called Filesender (https://www.switch.ch/services/filesender) for exchanging large files that cannot be sent by mail. It is a good solution for sporadic transfers of large data (up to 300 GB) to a site where no ETH account can be used. The uploaded data is deleted automatically after a predefined time.

== Network File System Access ==

=== NFS access ===

Because NFS is enabled neither between the internal networks nor to the internet, it plays no role in remote access. NFS is only used by ISG D-ITET managed Linux clients to access user and project homes on servers and dedicated storage systems of ID and ITET via Linux automount tables.

=== SMB/ CIFS access ===

This Microsoft network file sharing protocol has user-based authentication and is therefore of great significance for accessing data resources, not only on Windows file servers. Linux servers also provide SMB/ CIFS access using the '''samba''' software suite, an implementation of the Windows file sharing protocol for Linux file servers. More information on how to access your data can be found under:

 * [[Workstations/FindYourData]]
 * [[Services/FileAccess]]

=== SSHFS ===

SSHFS is a FUSE-based filesystem client for mounting remote directories over a Secure Shell connection. FUSE (Filesystem in Userspace) is a simple interface for userspace programs to export a virtual filesystem to the Linux kernel. FUSE provides a secure method for non-privileged users to create and mount their own filesystems. SSHFS is a solution to access storage locations on the remote side which are not accessible over SMB/CIFS.
==== Usage on Linux ====

Mounting a remote directory:

{{{#!highlight bash numbers=disable
mkdir scratch
sshfs -o follow_symlinks <username>@<hostname>.ee.ethz.ch:/scratch scratch
ls scratch
fusermount -u scratch
}}}

==== Usage on Windows ====

Please install the Windows WSL 2 subsystem on your Windows 10/11 machine according to https://docs.microsoft.com/en-us/windows/wsl/install.

Install the sshfs software package:

{{{#!highlight bash numbers=disable
sudo apt-get install sshfs
}}}

You must now edit the file `/etc/fuse.conf` to uncomment the default entry `#user_allow_other`:

{{{
...
# Allow non-root users to specify the allow_other or allow_root mount options.
user_allow_other
# ....
}}}

Now you should be able to perform an sshfs mount of your Linux machine in the ETH network:

{{{#!highlight bash numbers=disable
mkdir scratch                                                                            # create a mountpoint in your WSL 2 home directory
sshfs -o allow_other,follow_symlinks <username>@<hostname>.ee.ethz.ch:/scratch scratch  # sshfs fuse mount
cd scratch
explorer.exe .                                                                           # starts a Windows Explorer in /scratch of the target machine
}}}

To unmount the remote directory, close the Windows Explorer window and enter:

{{{#!highlight bash numbers=disable
cd ..
fusermount -u scratch
}}}
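The `fuse.conf` step above is a one-line edit, but the `allow_other` mount option it unlocks makes the mounted remote directory readable by every local user of the WSL instance (which is what lets `explorer.exe` read it), so it is worth doing deliberately rather than by hand-editing. The following shell script is an added example, not part of this wiki page: it performs that edit idempotently on a constructed copy of `fuse.conf` (uncommenting an existing `#user_allow_other`, appending the option if the file lacks it, and leaving an already enabled file untouched) and verifies that exactly one active `user_allow_other` line results. Against the real `/etc/fuse.conf` it would have to run as root.

```shell
#!/bin/sh
# Added example (not from the wiki page): enable user_allow_other in a fuse.conf
# idempotently and verify the result. The fuse.conf content below is a constructed sample.

# user_allow_other_enabled FILE -> 0 if an active (uncommented) user_allow_other line exists
user_allow_other_enabled() {
    grep -q '^[[:space:]]*user_allow_other[[:space:]]*$' "$1"
}

# count_active FILE -> number of active user_allow_other lines (should be exactly 1)
count_active() {
    grep -c '^[[:space:]]*user_allow_other[[:space:]]*$' "$1" || true
}

# enable_user_allow_other FILE -> prints what it did: "already enabled", "uncommented"
# (first commented instance only) or "appended"; rewrites the file in place so that
# ownership and mode are preserved
enable_user_allow_other() {
    f="$1"
    if user_allow_other_enabled "$f"; then
        echo "already enabled"; return 0
    fi
    tmp=$(mktemp)
    if grep -q '^[[:space:]]*#[[:space:]]*user_allow_other[[:space:]]*$' "$f"; then
        awk '!done && /^[[:space:]]*#[[:space:]]*user_allow_other[[:space:]]*$/ { print "user_allow_other"; done = 1; next }
             { print }' "$f" >"$tmp"
        echo "uncommented"
    else
        cat "$f" >"$tmp"
        echo "user_allow_other" >>"$tmp"
        echo "appended"
    fi
    cat "$tmp" >"$f" && rm -f "$tmp"
}

# --- demo on a constructed fuse.conf ---
CONF=$(mktemp)
cat >"$CONF" <<'EOF'
# /etc/fuse.conf - The configuration file for the FUSE filesystem (constructed sample)
# Set the maximum number of FUSE mounts allowed to non-root users.
#mount_max = 1000
# Allow non-root users to specify the allow_other or allow_root mount options.
#user_allow_other
EOF
enable_user_allow_other "$CONF"                 # uncommented
enable_user_allow_other "$CONF"                 # already enabled
echo "active lines: $(count_active "$CONF")"    # active lines: 1
rm -f "$CONF"
```

Once the option is active, only mounts you explicitly start with `-o allow_other` are shared with other local users; the plain `sshfs -o follow_symlinks ...` form from the Linux section keeps the mount private to your own account, which is the better default on a multi-user machine.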