Access to cs.umb.edu hosts from elsewhere, for CS437 and CS637

We will be using pe07.cs.umb.edu for its web server and mysql database, and as a place to run programs. You can log in to users.cs.umb.edu and then ssh to pe07. However, you will be asked for your UNIX password a second time in this case.

To avoid the second password entry for ssh when using ssh from one cs.umb.edu system to another, you can follow the instructions just below. To avoid the first password entry (when you first login to cs.umb.edu), follow the instructions later in this file depending on your development system's OS.

Logging into cs.umb.edu hosts from other cs.umb.edu hosts with ssh, without needing to enter a password (Optional procedure)
  1. Run "ssh-keygen" on users.cs.umb.edu and answer its questions with carriage-returns, or enter a passphrase for better security. This should create a well-protected .ssh directory in your login directory with files id_rsa and id_rsa.pub, holding the private and public keys, and file known_hosts. Be sure to leave the .ssh directory fully protected (don't use chmod on it).
  2. "cd .ssh", then "cp id_rsa.pub authorized_keys2". If you already have an authorized_keys2 file, use the command "cat id_rsa.pub >> authorized_keys2" instead, to append the new key.
  3. Test your setup by trying "ssh users" from pe07, or "ssh pe07" from users. No password should be needed.
  4. scp (network copy command) will also work without passwords, but we don't need it between cs.umb.edu UNIX/Linux machines, because the filesystems are shared across the systems, allowing us to use the ordinary UNIX/Linux cp command.
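
Added example (not part of the original handout): step 2 made safe to repeat, plus a check of the "well-protected" condition from step 1. The function names are illustrative, and the script takes the .ssh directory to work on as its first argument.

```shell
#!/bin/sh
# Added example (not from the original handout). Function names are
# illustrative; pass the .ssh directory to work on as the first argument.

# Step 2, made repeatable: append id_rsa.pub to authorized_keys2 only if that
# exact line is not already there. Prints "added" or "present".
install_pubkey() {
    dir=$1
    [ -f "$dir/id_rsa.pub" ] || { echo "run ssh-keygen first" >&2; return 1; }
    key=$(cat "$dir/id_rsa.pub")
    ( umask 077; touch "$dir/authorized_keys2" )    # created private if new
    if grep -qxF -- "$key" "$dir/authorized_keys2"; then
        echo present
    else
        printf '%s\n' "$key" >> "$dir/authorized_keys2"
        echo added
    fi
}

# True if path $1 has permission bit $2 (octal) set. POSIX find only.
has_bit() { [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]; }

# Step 1's "well-protected" check. sshd (StrictModes) ignores keys when .ssh
# or the authorized keys file is group/other writable, and the ssh client
# refuses a private key that group/other can access at all.
# Prints one line per problem; returns 0 only when there are none.
audit_ssh_dir() {
    dir=$1; bad=0
    for f in "$dir" "$dir/authorized_keys2"; do
        [ -e "$f" ] || continue
        if has_bit "$f" 020 || has_bit "$f" 002; then
            echo "group/other writable: $f"; bad=1
        fi
    done
    if [ -e "$dir/id_rsa" ]; then
        for bit in 040 020 010 004 002 001; do
            if has_bit "$dir/id_rsa" "$bit"; then
                echo "private key too open: $dir/id_rsa"; bad=1; break
            fi
        done
    fi
    return "$bad"
}

if [ "$#" -gt 0 ]; then
    install_pubkey "$1" && audit_ssh_dir "$1"
fi
```

If the audit prints anything, passwordless login will usually fall back to a password prompt until the listed permissions are tightened.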

Access to cs.umb.edu hosts from offsite Linux or Mac systems: All Linux/Mac systems come with scp and ssh, available once you get a shell window working. For Mac, run the Terminal application. You can just use the same Linux/UNIX commands as on users.cs.umb.edu. For example, from your shell window on your development Linux/Mac system:

  1. ssh mycsusername@users.cs.umb.edu
  2. ssh pe07

File transfer from a Linux/Mac system:

    scp myfile mycsusername@users.cs.umb.edu:targetpath (where targetpath is relative to your login directory at cs.umb.edu)

For example, for user joe to put local file answer.txt in his cs630 directory on users:

    scp answer.txt joe@users.cs.umb.edu:cs630

To rename it to hw1.txt on the way: scp answer.txt joe@users.cs.umb.edu:cs630/hw1.txt

To avoid the first password entry when you ssh or scp to cs.umb.edu, first follow the above instructions to avoid the second password entry, and then use scp to copy the resulting .ssh directory on users.cs.umb.edu to your Linux/Mac home directory. First use "cd" to get to your home directory on your system and then:

    scp -r mycsusername@users.cs.umb.edu:.ssh .    (that's a dot at the end, for the current directory)

Access to cs.umb.edu hosts from offsite Windows 10 systems using ssh and scp as optional Windows 10 features.

You can use the regular Windows command prompt to ssh to your cs account. Log in as admin on your system (so you can enable optional Windows features) and watch the beginning of this tutorial https://youtu.be/JbMgOKlj5fE. This will install scp as well as ssh, so you can follow the instructions above for Mac/Linux file transfers as well as remote terminal service.

Access to cs.umb.edu hosts from offsite Windows systems using the free Windows tools putty and pscp.

Of course pscp, a command-line program, is not the only way to do file transfers. There are GUI clients that allow drag and drop file transfers after one overall login. Download SSHSecureClient-3.2.9 for an installer for such a GUI client for Windows.

Download the Windows installer at putty home and install it, agreeing to all options. Then add the download directory c:\Program Files\PuTTY to your Path. You can use the path command to see all the directories on your path. Once this is set up, you will have a desktop icon for putty and you can use a new CMD window (to be sure to get the new Path setting) to do a file transfer as follows:

    pscp myfile myusername@users.cs.umb.edu:targetpath

For example, for user joe to put local file answer.txt in his cs630 directory on users:

    pscp answer.txt joe@users.cs.umb.edu:cs630

To rename it to hw1.txt on the way: pscp answer.txt joe@users.cs.umb.edu:cs630/hw1.txt

Needed tunnel from home to pe07.cs.umb.edu for web server access

To access pe07, inside the firewall, from a system outside the firewall, we need a “tunnel” that uses the SSH protocol’s ability to provide a secure connection to a port that is not directly accessible for security reasons. In particular, we want to access port 80 on pe07 to talk to its web server, but this port is blocked by the firewall. So instead we connect to port 22 (SSH’s port, which is not blocked by the firewall for users.cs.umb.edu, for example) and arrange that SSH make a connection for us inside the firewall to port 80 on pe07, and then move the data back and forth. For more info, see IBM article on tunneling.

For your home Windows machine

See PuttyTunnels.html for instructions on using putty to set up the needed tunnel.

On your home Linux or MacOSX machine (in Terminal):

First get a Terminal window for Mac or a shell window for Linux to do the following commands. Use ssh to set up the needed tunnels to pe07, port 80, with the help of a login on users.  These just hang, logged in to users.

Replace ‘username’ here with your cs.umb.edu Linux username and answer the password prompt with your cs.umb.edu Linux password.  This command will “hang”, so open another shell/Terminal window to continue working.

      ssh -N -L8000:pe07.cs.umb.edu:80 username@users.cs.umb.edu
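
Added example (not part of the original handout): the same tunnel started in the background and managed through an ssh control socket, so no window is left hanging and the tunnel can be checked and closed explicitly. The function names and the control-socket path are illustrative assumptions; the forward is bound explicitly to 127.0.0.1 so only programs on your own machine can use local port 8000.

```shell
#!/bin/sh
# Added example (not from the original handout). Function names and the
# control-socket path are illustrative assumptions.

CTL=${CTL:-$HOME/.ssh/pe07-tunnel.ctl}

# Build the -L argument with an explicit loopback bind address so the
# forwarded port is reachable only from this machine. Rejects bad ports.
forward_spec() {   # forward_spec LOCALPORT HOST REMOTEPORT
    for p in "$1" "$3"; do
        case $p in ''|*[!0-9]*) echo "bad port: $p" >&2; return 1;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "bad port: $p" >&2; return 1; }
    done
    printf '127.0.0.1:%s:%s:%s\n' "$1" "$2" "$3"
}

# Start the tunnel in the background (-f) instead of leaving a window hung.
# ExitOnForwardFailure makes ssh fail if local port 8000 cannot be bound,
# rather than logging in with no working tunnel.
tunnel_up() {      # tunnel_up USERNAME
    spec=$(forward_spec 8000 pe07.cs.umb.edu 80) || return 1
    ssh -f -N -M -S "$CTL" -o ExitOnForwardFailure=yes \
        -L "$spec" "$1@users.cs.umb.edu"
}

# Ask the background ssh (via its control socket) whether it is still alive,
# or tell it to exit and release the forwarded port.
tunnel_status() { ssh -S "$CTL" -O check "$1@users.cs.umb.edu"; }
tunnel_down()   { ssh -S "$CTL" -O exit  "$1@users.cs.umb.edu"; }

case ${1:-} in
    up|status|down) "tunnel_$1" "${2:?usage: $0 up|status|down USERNAME}" ;;
esac
```

Saved as a script, it is run with "up", "status" or "down" followed by your cs.umb.edu username; while the tunnel is up, http://localhost:8000/ reaches the web server on pe07.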

Testing the tunnels with a browser

Using putty and pscp for access to cs.umb.edu systems from your Windows PC without entering passwords each time (Optional procedure)
These free and reliable tools work immediately on download, but expect you to enter a password for every use. With a little work, you can set up your environment to avoid the need to enter passwords so often. Note that the install of putty tools above has given you putty, pscp, puttygen, and pageant, used below. This procedure assumes you have already done the above procedure to eliminate second password entries, so you have a .ssh subdirectory of your home directory on the cs.umb.edu network. It also assumes you have all the putty tools on your Path, so you can run them from the command line.

  1. Transfer the file .ssh/id_rsa (the private key at cs.umb.edu) to your PC.
  2. Run puttygen and navigate to "File->Load Private Key", then browse for your key file "id_rsa" and load it.
  3. You should see "Successfully imported foreign key"
  4. Click on "Save private key"
  5. This will generate a .ppk file, which is what pageant wants (next step).
  6. Run pageant and see a little icon on your system tray. Double click the icon to run pageant.
  7. Load the .PPK file into pageant by right-clicking it, etc.
  8. Now the putty tools on your system have easy access to the needed keys.
  9. Now you should be able to login with ssh from your Windows PC without using a password. But if the format is a little wrong, you won't be able to log in at all. So make sure you keep your older login alive when you try another test login with putty to see if your setup works.
  10. Test pscp to see you can transfer files without a password entry.

Notes: client and server roles in ssh, other use cases (all optional)

ssh, scp, putty and pscp are client-server applications, with servers running on all the departmental systems, and also any other normally-deployed Mac. A Linux system may or may not have an ssh server installed: on Ubuntu Linux distributions, use "sudo apt-get install ssh openssh-server" to add it.

The system on which putty or pscp is run is the client end, and it connects to the server program on the server end, which must be running all the time to listen for new incoming client connections. Only the client end needs the private key, so high-security server systems (banks, etc.) should not have the private key stored there, only the corresponding public key. And a passphrase should be used in this case. Note that by this logic, we should only need to bring the public key back from cs.umb.edu to a Windows client for putty/pscp to use, but this software seems only able to do the server-end protocol, which utilizes the private key. The Linux/Mac ssh/scp can do both ends.

One private key can be used for many client-server interactions with that server. So if you have two systems, say a Mac and a PC, you can use the same private key for transfers from each machine to and from cs.umb.edu.

Transfers between your own machines: If you have a Mac and a PC, you can use the Mac system as the server end of transfers between your two machines (without having to enter a password if you have set up the .ssh directory on the Mac). In other words, run pscp on the PC, making it the client end, addressing the Mac system by its IP address, obtainable on the Linux/Mac systems with the ifconfig command, for example 192.168.1.114 on a typical home network. Then, on the PC, use for example "pscp file user@192.168.1.114:dev" to transfer the file to the Mac system, into the dev subdirectory of the user's login directory.