Access to cs.umb.edu hosts from elsewhere, for CS636, Spring 2021

We will be using dbs3.cs.umb.edu for its Oracle database and pe07.cs.umb.edu for its mysql database, and as a place to run programs.

For security reasons, you cannot log in to dbs3. You can log in to pe07, but only by ssh from (say) users.cs.umb.edu, which takes logins from everywhere, as does users1.cs.umb.edu. Thus you will need to ssh to users.cs.umb.edu from offsite, then ssh to pe07, and then use sqlplus on pe07 to access Oracle on dbs3. See DatabaseSetup.html for more information. Everything you need for this course is available on host pe07 at cs.umb.edu. You should log in to users.cs.umb.edu first and then "ssh pe07" to get to pe07. You will see the same login directory (and almost all other directories) when logged into users as when logged into pe07, because of the department's distributed filesystem setup.

To avoid the second password entry for ssh when using ssh from one cs.umb.edu system to another, you can follow the instructions just below. To avoid the first password entry (when you first log in to cs.umb.edu), follow the instructions later in this file depending on your development system's OS.

Logging into cs.umb.edu hosts from other cs.umb.edu hosts with ssh, without needing to enter a password (Optional procedure)
  1. Run "ssh-keygen" on, say, users.cs.umb.edu and answer its questions with carriage-returns, or enter a passphrase for better security. This should create a well-protected .ssh directory in your login directory with files id_rsa and id_rsa.pub, holding the private and public keys, and file known_hosts. Be sure to leave the .ssh directory fully protected (don't use chmod on it).
  2. "cd .ssh", then "cp id_rsa.pub authorized_keys2". If you already have an authorized_keys2 file, use the command "cat id_rsa.pub >> authorized_keys2" instead, to append the new key.
  3. Test your setup by trying "ssh users" from pe07 or vice versa. No password should be needed.
  4. Once logged in on a Linux machine, you can similarly ssh back to pe07.
  5. scp (network copy command) will also work without passwords, but we don't need it between cs.umb.edu UNIX/Linux machines, because the filesystems are shared across the systems, allowing us to use the ordinary UNIX/Linux cp command.
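
The "fully protected" requirement from step 1, as a check you can run (an added example, not part of the original course page). It flags a .ssh directory or id_rsa that group/other can access, and an authorized_keys2 or id_rsa.pub that group/other can write. The function names and the thresholds (the 700 directory that ssh-keygen creates, a private key with no group/other access) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit an ssh key directory laid out as in steps 1-2.

# Print the 10-character type/permission string for a path, e.g. drwx------
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Succeeds if group and other have no access at all (private material).
is_private() {
    [ "$(mode_of "$1" | cut -c5-10)" = "------" ]
}

# Succeeds if neither group nor other can write (public material).
not_shared_writable() {
    case "$(mode_of "$1")" in
        ?????w????|????????w?) return 1 ;;
        *) return 0 ;;
    esac
}

# audit_ssh_dir DIR: report each problem, return 0 if clean, 1 otherwise.
audit_ssh_dir() {
    dir=$1
    status=0
    if ! is_private "$dir"; then
        echo "BAD: $dir is accessible to group/other ($(mode_of "$dir"))"
        status=1
    fi
    if [ -e "$dir/id_rsa" ] && ! is_private "$dir/id_rsa"; then
        echo "BAD: private key id_rsa is accessible to group/other"
        status=1
    fi
    for f in authorized_keys2 id_rsa.pub; do
        if [ -e "$dir/$f" ] && ! not_shared_writable "$dir/$f"; then
            echo "BAD: $f is writable by group/other"
            status=1
        fi
    done
    [ "$status" -eq 0 ] && echo "OK: $dir permissions look safe"
    return "$status"
}

# Run against a directory given on the command line, e.g. "$HOME/.ssh".
if [ "$#" -gt 0 ]; then audit_ssh_dir "$1"; fi
```

The same check applies to any copy of the .ssh directory you later place on your own machine.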

Access to cs.umb.edu hosts from offsite Linux or Mac systems: All Linux/Mac systems come with scp and ssh, available once you get a shell window working. For Mac, run the Terminal application. You can just use the same Linux/UNIX commands as on users.cs.umb.edu. For example, from your shell window on your development Linux/Mac system:

  1. ssh mycsusername@users.cs.umb.edu
  2. ssh pe07

File transfer from a Linux/Mac system:

    scp myfile mycsusername@users.cs.umb.edu:targetpath (where targetpath is relative to your login directory at cs.umb.edu)

For example, for user joe to put local file answer.txt in his cs636 directory on users:

    scp answer.txt joe@users.cs.umb.edu:cs636

To rename it to hw1.txt on the way: scp answer.txt joe@users.cs.umb.edu:cs636/hw1.txt

To transfer a whole project with top-level directory called proj1, use the recursive flag -r:

     scp -r proj1 joe@users.cs.umb.edu:cs636

Access to cs.umb.edu hosts from offsite Windows 10 systems using ssh and scp as optional Windows 10 features.

Log in as admin on your system (so you can enable optional Windows features) and watch the beginning of this tutorial https://youtu.be/JbMgOKlj5fE. This will install scp as well as ssh, so you can follow the instructions above for Mac/Linux file transfers as well as remote terminal service.

Access to cs.umb.edu hosts from offsite older Windows systems using the free Windows tools putty and pscp.

If your Windows system is too old to support the ssh feature, you can use these free and reliable tools. Download the Windows installer at putty home and install it, agreeing to all options. Then add the download directory c:\Program Files\PuTTY to your Path. You can use the path command to see all the directories on your path. Once this is set up, you will have a desktop icon for putty and you can use a new CMD window (to be sure to get the new Path setting) to do a file transfer as follows:

    pscp myfile myusername@users.cs.umb.edu:targetpath

For example, for user joe to put local file answer.txt in his cs630 directory on users:

    pscp answer.txt joe@users.cs.umb.edu:cs630

To rename it to hw1.txt on the way: pscp answer.txt joe@users.cs.umb.edu:cs630/hw1.txt

Visual file transfer tools. There are GUI clients that allow drag and drop file transfers after one overall login. For example, download SSHSecureClient-3.2.9 (or at wm.edu) for an installer for such a GUI client for Windows.

Avoiding Password Entry on Login or file transfer using ssh/scp to users.cs.umb.edu from your Mac, Linux, or Windows 10 system (Optional, but easy)

To avoid the first password entry when you ssh or scp to cs.umb.edu, first follow the above instructions to avoid the second password entry, and then use scp to copy the resulting .ssh directory on users.cs.umb.edu to your Linux/Mac/Windows 10 home directory. First use "cd" to get to your home directory on your system and then:

    scp -r mycsusername@users.cs.umb.edu:.ssh .    (that's a dot at the end, for the current directory)

Here a "Windows 10" system means a system with the optional Windows 10 ssh feature enabled as described above. Your home directory on Windows 10 is usually C:\Users\username, where username shows up in the start menu next to the person icon. So cd there and run the above command.

Using putty and pscp for access to cs.umb.edu systems from your (older) Windows PC without entering passwords each time (Optional procedure)
The putty tools work immediately on download, but expect you to enter a password for every use. With a little work, you can set up your environment to avoid the need to enter passwords so often. Note that the install of putty tools above has given you putty, pscp, puttygen, and pageant, used below. This procedure assumes you have already done the above procedure to eliminate second password entries, so you have a .ssh subdirectory of your home directory on the cs.umb.edu network. It also assumes you have all the putty tools on your Path, so you can run them from the command line.

  1. Transfer the file .ssh/id_rsa (the private key at cs.umb.edu) to your PC.
  2. Run puttygen and navigate to "File->Load Private Key", then browse for your key file "id_rsa" and load it.
  3. You should see "Successfully imported foreign key"
  4. Click on "Save private key"
  5. This will generate a .ppk file, which is what pageant wants (next step).
  6. Run pageant and see a little icon on your system tray. Double click the icon to run pageant.
  7. Load the .PPK file into pageant by right-clicking it, etc.
  8. Now the putty tools on your system have easy access to the needed keys.
  9. Now you should be able to log in with ssh from your Windows PC without using a password. But if the format is a little wrong, you won't be able to log in at all. So make sure you keep your older login alive when you try another test login with putty to see if your setup works.
  10. Test pscp to see you can transfer files without a password entry.

Notes: client and server roles in ssh, other use cases (all optional)

ssh, scp, putty and pscp are client-server applications, with servers running on all the departmental systems, and also on any other normally-deployed Mac. A Linux system may or may not have an ssh server installed: on Ubuntu Linux distributions, use "sudo apt-get install ssh openssh-server" to add it. Windows 10 has it in theory as a separate installation from the client install described above, but it's not easy or well documented.

The system on which putty or pscp is run is the client end, and it connects to the server program on the server end, which must be running all the time to listen for new incoming client connections. Only the client end needs the private key, so high-security server systems (banks, etc.) should not have the private key stored there, only the corresponding public key. And a passphrase should be used in this case. Note that by this logic, we should only need to bring the public key back from cs.umb.edu to a Windows client for putty/pscp to use, but this software seems only able to do the server-end protocol, which utilizes the private key. The Linux/Mac ssh/scp can do both ends.

One private key can be used for many client-server interactions with that server. So if you have two systems, say a Mac and a PC, you can use the same private key for transfers from each machine to and from cs.umb.edu.

Transfers between your own machines: If you have a Mac and a PC, you can use the Mac system as the server end of transfers between your two machines (without having to enter a password if you have set up the .ssh directory on the Mac). In other words, run scp or pscp on the PC, making it the client end, addressing the Mac system by its IP address, obtainable on the Linux/Mac systems with the ifconfig command, for example 192.168.1.114 on a typical home network. Then, on the PC, use for example "pscp file user@192.168.1.114:dev" to transfer the file to the Mac system, into the dev subdirectory of the user's login directory.