Remote Access to CAISR Computing Facilities

In an effort to improve security, all remote access to CAISR machines has been disabled. This includes telnet, ftp, rlogin, and rsh. The only method of remote access will be via ssh. This document provides instructions for using ssh and accessing CAISR machines.

Site Selections:

The following is the list of machines in the CAISR lab which are running the ssh server and are available for remote logins: When you log in, you may compare the reported key fingerprints with those listed below if you are unsure whether you are really talking to one of our machines.

If you're looking to get an SSH solution running on your primary computer (not a CAISR machine), you should probably download and install one of the complete packages. They are listed (including links to the original web sources) in the SSH programs we use section.

ssh was compiled and installed on the lab machines by Greg Causey. Stop by the CAISR lab if you have any questions. I also have the O'Reilly book "SSH: The Secure Shell, The Definitive Guide" if you want to borrow it. I have a printed copy of the manual for MindTerm as well. The manual for puTTY is an ASCII text page or HTML.

Page last updated: May 20, 2002 by gcc

Quick and Easy
The easiest way to access a CAISR computer is using the MindTerm Java SSH client. Simply click the following link and the client will be started as an applet in a new window.

Start the MindTerm SSH Client.

Note the following caveats:


Access from Windows
There are several methods of logging into a CAISR machine from a Windows machine. You can run a local program which implements the ssh protocol. We use puTTY. You can download the MindTerm Java ssh client and run it from the command line, or you can run the ssh client in a browser window.

Run puTTY locally
puTTY is a really nice terminal program that implements the ssh protocol. It is written and maintained by Simon Tatham. You can download it from this web page or from the official web site. The program is straightforward to use and works very well.

Do be aware that the program creates an entry in the registry of the machine on which it is run. It contains the server names and the public keys of the servers which have been contacted. If you want to clean up after yourself, run the program with the -cleanup option ("putty -cleanup") on the command line. This will cause the program to remove all related registry entries and exit.

Run the java ssh client from the command line
You need to download the MindTerm Java ssh client and run it from the command line. You can download it from this web page or from the original web site. We're currently using version 2.1 (non-commercial). The client is from AppGate. They have a non-commercial license, so be aware of that if you're downloading this for some purpose other than non-profit, personal, or educational.

You can run the applet using Sun's Java VM or Microsoft's VM; the only difference is the command line. Microsoft's virtual machine is installed with Internet Explorer. The following command line will start the client.

jview /cp mindterm.jar com.mindbright.application.MindTerm

Note the proper capitalization. This should run the client. There are other options on the command line that may be used (to specify a configuration file, for example). See the MindTerm documentation for more information.

If you use Sun's JVM, the command line is a bit different. It should be:

java -jar mindterm.jar

See the documentation for a complete listing of command line options.

Run the java client from within a browser
Simply click on the following link; it should open a new browser window with the client in it. Refer to the Quick and Easy section above for more details.

Start the MindTerm SSH Client.

FTP
To download or upload files, there are several options:

You can use a program called pscp (from the author of putty). You can get it from this web page or download it from the official web page. It is a command line program that is very straightforward to use. Typing "pscp" at the command line will show the program options.

If you are using the MindTerm Java ssh client, it has a built-in scp function. It's under the menu item "file->SCP file transfer". It brings up a small window from which you can transfer files. Note that you must have OK'ed the permission to write files to the local hard drive for this to work.

CYGWIN
The last method to access machines from Windows is using the cygwin tools. Cygwin is accessible from their homepage. This gives you a very Unix-like command line environment under Windows and also provides OpenSSH support. Simply follow the OpenSSH instructions in the Access from Unix section after installing cygwin (be sure to install SSH when installing cygwin).


Access from Unix
There are several methods of logging into a CAISR machine from a Unix machine.


Run OpenSSH locally
There are about as many ways to install and run ssh on your local Unix machine as there are versions of Unix out there. You can check for pre-compiled versions or compile your own. The two major items you need are the OpenSSL libraries and a version of SSH. We use OpenSSH. OpenSSL and OpenSSH are available from their respective web sites.

Sources: OpenSSH   OpenSSL

Many current installations of Unix already have ssh installed by default. If you're in the CAISR lab, all our workstations (Linux PCs, Sparcs, and UltraSparcs) are ready to go. Simply type "ssh machine_name" and you should be on your way. If you want to forward X over the secure connection, make sure to use the "-X" option. See the ssh man page for further details.

One important detail regarding the forwarding of X window programs: if you simply set your DISPLAY environment variable on the machine into which you have logged to point back to the machine at which you are currently sitting, the X traffic will NOT be encrypted. You have to redirect the X packets over the secure link. This should happen automatically if you use the "-X" option. To make sure this is the case, your DISPLAY environment setting on the machine onto which you have just logged should be pointed to that machine_name:10+. E.g. that machine name and a display number greater than 10. See Greg or Mark if you have further questions.
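The DISPLAY rule above can be checked mechanically. The following is an added example, not part of the original page: the function name and the status words are this example's own, "mydesk" is a constructed workstation name, and it assumes (beyond what the page states) that "localhost" with a display number of 10 or more also indicates a forwarded display, as newer OpenSSH servers set it.

```shell
#!/bin/sh
# Added example: classify a DISPLAY value seen on the machine you logged into.

# classify_display DISPLAY_VALUE [REMOTE_HOST]
#   tunneled  display lives on the logged-in machine, number >= 10 (ssh -X proxy)
#   direct    display points at some other host: X traffic is NOT encrypted
#   console   the logged-in machine's own local display (number below 10)
#   unset / invalid  nothing usable in DISPLAY
classify_display() {
    disp=$1
    # Default to the current host when no remote host name is supplied.
    remote=${2:-$(hostname 2>/dev/null || echo localhost)}
    remote=${remote%%.*}                 # compare short host names only
    [ -n "$disp" ] || { echo unset; return 0; }

    host=${disp%:*}; host=${host%%.*}    # text before the last colon
    num=${disp##*:}; num=${num%%.*}      # display number without ".screen"
    case $num in
        ''|*[!0-9]*) echo invalid; return 0 ;;
    esac

    case $host in
        localhost|"$remote")
            if [ "$num" -ge 10 ]; then echo tunneled; else echo console; fi ;;
        '') echo console ;;
        *)  echo direct ;;
    esac
}

# Report on the current session (prints "unset" outside an X session).
classify_display "${DISPLAY:-}"
```

Run it right after logging in with "ssh -X machine_name"; a result of "direct" means DISPLAY was set by hand and should be cleared so the forwarded display is used.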

Run the java ssh client from the command line
You need to download the MindTerm Java ssh client and run it from the command line. You can download it from this web page or from the original web site. We're currently using version 2.1 (non-commercial). The client is from AppGate. They have a non-commercial license, so be aware of that if you're downloading this for some purpose other than non-profit, personal, or educational.

After you download the jar file, you can run it from the command line. You need to install a java virtual machine for this to work. You can get the current JVM from Sun at http://java.sun.com. There are other options on the command line that may be used (to specify a configuration file, for example). See the MindTerm documentation for more information. To simply run the client, type:

java -jar mindterm.jar

Run the java client from within a browser
Simply click on the following link; it should open a new browser window with the client in it. Refer to the Quick and Easy section above for more details.

Start the MindTerm SSH Client.

FTP
To download or upload files, there are several options:

You can use the ssh version of ftp, called scp. It is installed when you install the ssh client files. It is very similar to rcp. See the man page for details.

You can also use sftp. It should have been installed when you installed OpenSSH. It is very similar to ftp in operation. See the man page for details.

If you are using the MindTerm Java ssh client, it has a built-in scp function. It's under the menu item "file->SCP file transfer". It brings up a small window from which you can transfer files. Note that you must have OK'ed the permission to write files to the local hard drive for this to work.


Access from QNX
Access to and from QNX for both versions 4.x and 6.x of the OS uses OpenSSH. See the previous section about running OpenSSH from Unix. There are, however, several limitations when using ssh from QNX.
 

POP3 Mail from r2d2
Access to mail on r2d2 is only through the secure pop3 port (port 995). Regular pop3 service (through port 110) has been shut off. Most mail reader programs support secure pop3 natively. If your mail program doesn't (e.g. Netscape < ver 6.2, Eudora < ver 5.1), then you must either upgrade your mail reader or run a secure tunneling protocol from port 110 on your local machine to port 995 on r2d2. This can be accomplished using stunnel under Unix or Stunnel using FireDaemon under WinNT.

To use Stunnel under Unix, start the stunnel process in the background when the machine starts up. Use FireDaemon under NT or 2K (XP requires v1.5) to run the stunnel program as a service so that it is always running. To use Stunnel under 95, you must manually start the program each time you want to use it.

Most Unix and NT machines in the CAISR lab should already have this running. To use the secure tunnel, simply set your mail preferences to use "localhost" as the mail server. This should access port 110 locally, which is transparently forwarded (securely) to port 995 on r2d2.

Specific instructions for various POP clients

If your specific client is not listed, you should be able to figure out what is required by examining one of the above.

See gcc or med if you need more help setting this up.


SSH Programs We Use
There are several programs we have installed on the CAISR machines. The complete original program sources are included in the following links for convenience. If you want to install one of the programs on your local machine, you need to download it from here (or the official web site). If you just want to log in remotely when you're away, you should probably just run one of the programs from a previous section.

Unix:

OpenSSL:
    openssl-0.9.5a-3.i386.rpm
    openssl-devel-0.9.5a-3.i386.rpm
    openssl-misc-0.9.5a-3.i386.rpm
    openssl-0.9.6.tar.gz

OpenSSH:
    openssh-2.9p2.tar.gz

Other useful programs for Unix installs:
    zlib:
        zlib-1.1.3.tar
    prngd:
        prngd-0.9.23.tar.gz
    Solaris /dev/random & /dev/urandom:
        ANDIrand-0.6-5.6-sparc-1.pkg
    PCRE:
        pcre-3.5.tar.gz


Installing ssh on some older Unix machines is not trivial (e.g. SunOS 4.1.3). Here are some notes we generated going through the install process ourselves. We also found this to contain a lot of useful information (amidst the clutter!).
 

Windows:

puTTY:
    putty-0.51.zip

MindTerm:
    mindterm_2.1-bin.zip

Cygwin

QNX:

Secure Tunneling Protocols:

Here are two screen shots. The first shows the install screen when setting up FireDaemon to run stunnel; the second shows FireDaemon running stunnel in the NT service manager.

Key Fingerprints

The following lists the key fingerprints of the machines which are running the ssh server. You may compare the key fingerprints reported during login with the following values if you are unsure whether you've actually logged into one of our machines or if you think security has been compromised.

marvin:  rsa1: b8:7e:d1:76:01:01:10:e2:ed:9c:eb:3c:7b:84:f9:92
         rsa:  a3:d2:f0:01:b4:a8:f0:c7:24:91:3c:7a:50:0b:a3:3b
         dsa:  07:fd:15:14:c6:e5:0a:62:3c:42:cc:9e:81:1d:aa:37

dora:    rsa1: 40:61:e2:b8:fd:57:6a:26:9b:50:5f:5a:20:dc:9c:c1
         rsa:  bc:53:b8:98:6a:7c:92:6e:39:3a:96:44:2e:44:66:f7
         dsa:  c4:5a:28:d4:32:b1:e3:cb:eb:71:55:25:5e:46:04:13

herbie:  rsa1: c5:a3:ec:23:2b:1c:b5:d4:f6:b7:33:db:6e:58:7b:72
         rsa:  bc:64:61:29:cd:45:80:6a:d0:7a:ad:2c:d8:de:a9:42
         dsa:  d2:78:1d:13:e1:26:6a:91:a6:22:df:5b:cc:b9:28:9b

wopr:    rsa1: c1:01:37:bc:6e:1d:2d:d1:5b:b7:f8:cf:29:23:ee:c3
         rsa:  93:94:fd:e4:c9:9f:37:15:b4:b9:17:5a:85:d4:79:b2
         dsa:  5f:52:99:a7:6e:c8:bf:09:f8:50:20:a0:e9:f3:e8:49
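
The colon-separated values above are MD5 hashes of each host's public key. The following added example (not part of the original page) shows how such a fingerprint is derived from a protocol 2 (rsa or dsa) public key line and compared with a published value; rsa1 fingerprints are computed differently and are not covered. The function names are this example's own, and the sample key line is constructed rather than a real key.

```shell
#!/bin/sh
# Added example: derive and compare an MD5 host key fingerprint.

# md5_fingerprint BLOB: BLOB is the base64 field of a public key line.
md5_fingerprint() {
    printf '%s' "$1" | base64 -d | md5sum | cut -d' ' -f1 |
        sed 's/../&:/g; s/:$//'
}

# normalize_fp FP: lower-case, drop blanks and an optional "MD5:" prefix.
normalize_fp() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/[[:space:]]//g; s/^md5://'
}

# fp_matches PUBLISHED REPORTED: succeeds when both name the same key.
fp_matches() {
    [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# check_host_key PUBLISHED KEYLINE: KEYLINE is "host keytype base64blob".
# Returns 0 on match, 1 on mismatch, 2 when the key line cannot be decoded.
check_host_key() {
    blob=$(printf '%s\n' "$2" | awk '{print $3}')
    if [ -z "$blob" ] || ! printf '%s' "$blob" | base64 -d >/dev/null 2>&1; then
        echo "unreadable key line"
        return 2
    fi
    computed=$(md5_fingerprint "$blob")
    if fp_matches "$1" "$computed"; then
        echo "match"
    else
        echo "MISMATCH: published $1, key hashes to $computed"
        return 1
    fi
}

# Constructed sample: "YWJj" is base64 for the bytes "abc", not a real key.
SAMPLE_LINE='examplehost ssh-rsa YWJj'
SAMPLE_FP='90:01:50:98:3c:d2:4f:b0:d6:96:3f:7d:28:e1:7f:72'
check_host_key "$SAMPLE_FP" "$SAMPLE_LINE"
```

A mismatch on a machine you have connected to before is the case the paragraph above describes: stop and check with the lab before typing a password.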
 
 
