When inside the School network, connect directly to enna with
ssh -C -X MATHSNAME@enna
and not to
maths.usyd.edu.au; see also the
network setup needed for internal laptops.
Choose between Web-OTP, TOTP or skeys.
With your browser, go to
NOTE: you need to get the Web-OTP code before starting the ssh
(or putty) command.
Our Web-OTP implementation is true one-time: a second login is
possible only with a new code from the web page.
Install your favourite TOTP authenticator app (on your phone, on
your computer, or as add-on in your browser).
Maybe use command totp-test to check codes.
Skeys
are once-only passwords generated by iterated one-way encryption.
Ask
Paul,
in person, to give you a paper sheet of
skeys.
Each time you will need to type all the words from the line as
prompted (not the line number); each sheet has hundreds of lines.
Lines on your skey sheet decrement each time: cross out the last line
just used, making it easy to find the next one when needed. Or, to
avoid carrying the skey sheet, take a photo with your phone and use
that image, also allowing you to enlarge to make it easier to read.
Close this terminal window: the profile settings take effect only in
subsequently opened ones.
Leave that enna login session running: use it, say for
For file access, with your enna login session running (and then
without any pesky 2FA or password prompts):
To easily find the "teaching directories" etc, in the window logged
in to enna, (once only) use commands, replacing MATHSNAME by
the Maths login name (in the last line):
Some (Mac?) machines do not resolve the name localhost; on those use
127.0.0.1 instead of the name localhost.
In the window logged in to enna, type commands:
For file transfer, with your enna login session running, use
SFTP Drive:
To easily find the "teaching directories" etc, in the window logged
in to enna, (once only) use commands, replacing MATHSNAME by
the Maths login name (in the last line):
For printing setup, follow the instructions in the
printing page.
Some (Win11?) machines do not resolve the name localhost; on those use
127.0.0.1 instead of the name localhost.
The ssh client is probably present already.
Up-to-date Windows10 (or later) has "native" ssh, and you can use it by typing
commands as detailed for Linux above, in a command prompt window
(Start > Programs > Accessories > CommandPrompt)
or (Start > Run > cmd). The "standard" ssh client for Windows is putty; use the latest
(current) version from
You will have full X-windows access, so could
It is tempting to try some GUI clients ... but mostly they do not
understand the 2FA prompt (they expect to send just a plain password) so
they fail; they work fine once the 2FA prompt is taken out of the way by
port forwarding ... see below under
made easy.
Save typing your password
To use the script:
Using setx we append to PATH, not prepend as we manage for Linux
or Mac, so we need to use the new name ssh2, thus use
For scp or sftp from the command line, do also:
Please let Paul know if you
find anything that is any less than magical and perfect.
There may be some use for "local" Maths email services. You may want to
(and ssh-with-2fa will) use the port forwarding options
Set up 2FA for your account
2FA (two-factor authentication)
provides a cheap, effective, additional layer of security, as used by
popular online services such as Google accounts or banks.
You can use Web-OTP anytime, without any prior setup;
while TOTP or skeys need to be set up while in the School.
Note that our software prompts for the code first, and the password
after that.
To decide whether to use Web-OTP, TOTP or skeys:
www.maths.usyd.edu.au/s/otp
(you will need to log in with Okta MFA).
You will see a five-character code, valid for 5 minutes and for a single use.
At next ssh login, you will be prompted for this code.
Getting a Web-OTP code takes precedence over TOTP or skeys (during its
5-minute validity or until used).
Okta,
the Uni ICT "standard" for MFA, does not directly support ssh; our
Web-OTP relies on Okta in a way that does not decrease security.
Our Web-OTP service has rate limits, see below.
On enna (in a terminal window, made large enough) use command
google-authenticator
and scan the QR code (or enter the secret key) into the authenticator app.
At next login, you will be prompted for the TOTP authenticator
code.
Ensure the time on your device is correct, use "network time": set for
Android
or
iPhone.
Our TOTP implementation is true one-time, non-replayable, with a
no-reuse control: a second login is possible only after the code
changes during the next time slice.
Running google-authenticator again invalidates the previous secret, so
the authenticator app must then be updated with the new one.
Setting up TOTP takes precedence over skeys; there is no need to have
had skeys to use TOTP.
You can set up TOTP remotely during a Web-OTP or skey login session.
To remove TOTP e.g. to go (back?) to skeys, on enna use command
rm ~/.google_authenticator
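To see what the one-time, no-reuse behaviour described above amounts to, here is an added example (it is not the School's google-authenticator PAM setup, whose window size and bookkeeping differ): RFC 6238 TOTP generation, plus a verifier that remembers the last time step that logged in and refuses any code from that step or earlier, even if the code is still arithmetically valid. The key named in the comments is the RFC 6238 test key, not a real secret.

```python
# Added example, not the School's 2FA software: TOTP (RFC 6238) with a
# no-reuse control. The default google-authenticator PAM module behaves
# similarly but is not reproduced here.
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # the time slice the page refers to
DIGITS = 6


def secret_from_base32(text: str) -> bytes:
    """Decode the base32 secret shown by google-authenticator (padding optional)."""
    clean = text.strip().replace(" ", "").upper()
    clean += "=" * (-len(clean) % 8)
    return base64.b32decode(clean)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238: HMAC-SHA1 over the big-endian time step, dynamically truncated.
    With the RFC test key b"12345678901234567890", totp(key, 59) is "287082"."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class TotpVerifier:
    """Accepts a code from the current step or `window` steps either side
    (clock skew), but never from a step at or before the last one that
    logged in: the same code cannot log in twice, and a second login has
    to wait for the code to change in the next time slice."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_step_used = -1

    def verify(self, code: str, unix_time: int) -> bool:
        now_step = unix_time // STEP_SECONDS
        for offset in range(-self.window, self.window + 1):
            step = now_step + offset
            if step <= self.last_step_used:
                continue                      # already spent: replay rejected
            expected = totp(self.secret, step * STEP_SECONDS)
            if hmac.compare_digest(expected.encode(), code.strip().encode()):
                self.last_step_used = step
                return True
        return False


if __name__ == "__main__":
    # Print the current code for a base32 secret given on the command line,
    # handy for checking a phone against the server clock.
    import sys
    import time
    print(totp(secret_from_base32(sys.argv[1]), int(time.time())))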
When approaching the end of the sheet, see Paul again to obtain a
replacement.
You can choose between 2-word, 3-word or 6-word skey sheets
(previously all were 6 words for better security, see below).
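As an added illustration of the skey sheets described above (this is not the School's skey software): the one-way chain behind such a sheet. Real S/Key (RFC 1760) uses MD4 folded to 64 bits and prints each line as dictionary words; here SHA-256 and hex are used, an assumption made so the mechanism is visible. The server stores only the last accepted hash, checks that one more hash step of what you type reproduces it, then moves down a line, which is why a line can never be replayed and why the stored state is useless to anyone who copies it.

```python
# Added example, not the School's skey software: the one-time password
# chain behind an skey sheet. Real S/Key (RFC 1760) uses MD4 folded to
# 64 bits and prints each line as dictionary words; SHA-256 and hex are
# used here (an assumption for illustration) so the mechanism is visible.
import hashlib
import hmac


def step(value: bytes) -> bytes:
    """One application of the one-way function."""
    return hashlib.sha256(value).digest()


def make_sheet(passphrase: str, seed: str, count: int) -> list[str]:
    """The printed sheet: line i (1-based) holds H^i(passphrase + seed).
    The user works upwards from the highest-numbered line."""
    value = (passphrase + seed).encode()
    lines = []
    for _ in range(count):
        value = step(value)
        lines.append(value.hex())
    return lines


class SkeyServer:
    """Keeps only the last accepted hash: never the passphrase and never
    the unused lines, so a copy of the server's state yields no logins."""

    def __init__(self, sheet: list[str]):
        # Initialised one step beyond the sheet's last line, i.e. H^(count+1).
        self.expected_line = len(sheet)
        self.last_hash = step(bytes.fromhex(sheet[-1]))

    def prompt(self) -> str:
        """What the user is asked for: the line number, not its contents."""
        return f"s/key line {self.expected_line}: "

    def login(self, typed: str) -> bool:
        try:
            candidate = bytes.fromhex(typed.strip())
        except ValueError:
            return False
        # Accept iff hashing the typed value once more gives the stored hash.
        if not hmac.compare_digest(step(candidate), self.last_hash):
            return False
        # Move down one line: what was just accepted becomes the stored hash,
        # so the same line (or any line already used) cannot be replayed.
        self.last_hash = candidate
        self.expected_line -= 1
        return True
```

A sheet with hundreds of lines is just a long chain; when the user reaches line 1 the server has nothing left to compare against, which is the point at which a replacement sheet is needed.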
Our software prompts for the second-factor code first, and only then for the
fixed password. This is more secure against password guessers: they get to
have a go at the ephemeral (so useless to them) code before ever getting a
look at the password, so no password guess is confirmed or denied unless a
valid one-time code was supplied first. Most other implementations do it
the other way around, wrongly in our view.
Whether you use it or not, Web-OTP is available to an attacker too;
its mere existence (availability) already lowers the security somewhat.
Recommendations in a nutshell
Follow these recommendations so that you need to type your 2FA words or
codes, and your password, just once per day.
For details, rationale, other ways or other things you can do, see
later in this document.
Do the following to set things up on your laptop or home machine.
Mac users: install macFUSE and SSHFS, allowing the security settings for
macFUSE, and then reboot.
Download the ssh-with-2fa script from
www.maths.usyd.edu.au/u/psz/ssh-with-2fa.txt
to the Downloads directory on your laptop.
Right-click the link above, choose SaveAs; or
click and view, then press Ctrl-S to save.
Your browser may stash the file somewhere other than
Downloads, if so then select that place in the "cp" line below.
Cut-and-paste each line, no need to re-type.
mkdir -p ~/bin
cp ~/Downloads/ssh-with-2fa.txt ~/bin/ssh-with-2fa
chmod 755 ~/bin/ssh-with-2fa
ln -sf ssh-with-2fa ~/bin/ssh
ln -sf ssh-with-2fa ~/bin/scp
ln -sf ssh-with-2fa ~/bin/sftp
ln -sf ssh-with-2fa ~/bin/xsess
echo 'export PATH=~/bin:$PATH' >> ~/.bash_profile
echo 'export PATH=~/bin:$PATH' >> ~/.zshrc
echo 'alias scp="noglob scp"' >> ~/.zshrc
Mac users should also do, replacing MATHSNAME by the Maths
login name (in the first line):
x=MATHSNAME
mkdir ~/Documents/M-home
echo "alias mdrives='sshfs -o follow_symlinks -o uid=$(id -u) -o gid=$(id -g) -p 12022 $x@127.0.0.1:. ~/Documents/M-home'" >> ~/.bash_profile
echo "alias udrives='umount ~/Documents/M-home'" >> ~/.bash_profile
echo "alias mdrives='sshfs -o follow_symlinks -o uid=$(id -u) -o gid=$(id -g) -p 12022 $x@127.0.0.1:. ~/Documents/M-home'" >> ~/.zshrc
echo "alias udrives='umount ~/Documents/M-home'" >> ~/.zshrc
We do .bash_profile for Linux and older Macs, .zshrc for
Mac from 10.15 Catalina.
ssh MATHSNAME@enna
where MATHSNAME is your login name on the Maths servers, and
log in to enna with 2FA and password.
The very first time you use ssh to a server, you will be prompted
about the as-yet unknown authenticity fingerprint: say yes.
You may also receive a warning ".../.Xauthority does not exist"
that you should ignore, as the file gets created then.
Then in that same window, logged in to enna, type commands:
ssh-keygen -t rsa (press ENTER twice: to accept the filename, and to use an empty passphrase;
-t rsa keeps the names id_rsa and id_rsa.pub that the later steps rely on, as OpenSSH 9.5 and later would otherwise default to ed25519)
ln -s id_rsa.pub ~/.ssh/authorized_keys
(or just command xfrom enna that will do same).
Leave that enna login session running.
scp MATHSNAME@enna:~/.ssh/id_rsa ~/.ssh/
chmod 600 ~/.ssh/id_rsa
Log in to enna with 2FA and password, in a terminal window
on your laptop
(Applications > Accessories > Terminal)
typing command:
ssh MATHSNAME@enna
so you can mix "native" and enna windows e.g. for copy-paste; or if
you want a "Linux desktop" (though it will be slower) then use
xsess MATHSNAME@enna
(each time your laptop re-connects to the network).
At the initial login with 2FA you also get a password prompt (any
public keys are ignored), as configured for security.
nedit, tuteroll or xfrom savona.
You may minimize the window of your enna login session, but keep
it running, do not allow your computer to disconnect from the
network e.g. to go to sleep/hibernate, as most laptops do with the
lid closed.
With your enna login session running, in other terminal windows
on your laptop you can easily use further ssh or scp (or sftp)
commands, e.g. any of:
ssh MATHSNAME@enna
scp file1 MATHSNAME@enna:
scp MATHSNAME@enna:file2 .
just "happen", without any pesky 2FA or password prompts.
sftp://MATHSNAME@localhost:12022
mdrives
then use the files in M-home (under your Documents) as normal.
When done (and before disconnecting from enna) use command
udrives
to disconnect.
ln -s /users/misc/teaching drive-T-teaching
ln -s /users/misc/tutsols drive-S-tutsols
ln -s /users/misc/shared drive-Y-shared
ln -s /usr/sms drive-L-local
ln -s /nb/MATHSNAME drive-N-nobackup
For printing setup, follow the instructions in the
printing page.
See also the section on xpra.
Do the following to set things up on your laptop or home machine.
On some older Windows10 it may need to be enabled:
Settings > Apps > Optional Features > OpenSSH Client > Install
see
here
or
here
for instructions. (Or, you could install putty as below.)
putty
www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
put a shortcut to it on your desktop: find it under
Programs, right-click and choose shortcut.
www.maths.usyd.edu.au/u/psz/ssh-with-2fa.txt
to your Downloads directory.
Right-click the link above, choose SaveAs; or
click and view, then press Ctrl-S to save.
Your browser may stash the file somewhere other than
Downloads, if so then select that place in the "copy" line below.
set x=MATHSNAME
mkdir bin
copy Downloads\ssh-with-2fa.txt bin\ssh-with-2fa
echo perl "%USERPROFILE%\bin\ssh-with-2fa" %x%@enna > bin\ssh2.bat
echo $x=$0; $x=~s,[a-z-]*$,ssh-with-2fa,; $y=`type "$x"`; eval $y > bin\xsess-helper
echo perl "%USERPROFILE%\bin\xsess-helper" %x%@enna > bin\xsess.bat
setx path "%USERPROFILE%\bin"
Maybe ctrl-C, ctrl-V will work for cut-and-paste into the command
prompt window; or just re-type if not.
Using setx we append to PATH, not prepend as we manage for
Linux or Mac, so we need to use the new name ssh2. Note that setx
replaces any user-level PATH you already had; if you have one, append
"%USERPROFILE%\bin" to it rather than overwriting it.
Close this command prompt window (as setx is for any
future ones).
right-click anywhere in the desktop background,
choose New Shortcut, browse to C:\Users\username\bin\ssh2 (or ...\xsess) and OK.
Click the ssh2 icon on your desktop, and log in to enna with 2FA
and password.
The very first time you use VcXsrv, Windows Firewall may prompt you:
click allow.
The very first time you use ssh to a server, you will be prompted
about the as-yet unknown authenticity fingerprint: say yes.
You may also receive a warning ".../.Xauthority does not exist"
that you should ignore, as the file gets created then.
ssh-keygen -t rsa (press ENTER twice: to accept the filename, and to use an empty passphrase;
-t rsa keeps the names id_rsa and id_rsa.pub that the later steps rely on, as OpenSSH 9.5 and later would otherwise default to ed25519)
ln -s id_rsa.pub ~/.ssh/authorized_keys
(or just command xfrom enna that will do same).
Leave that enna login session running.
In a new command prompt window on your laptop (NOT the enna
window),
use command, replacing MATHSNAME by the Maths login name:
scp -P 12022 MATHSNAME@127.0.0.1:~/.ssh/id_rsa .ssh
Drive Name: drive-M-home Drive Letter: M:
Remote host: 127.0.0.1
Remote port: 12022
Authentication: Public Key
Username: MATHSNAME
Private Key: (Browse to) C:\Users\username\.ssh\id_rsa (then Open, Open, OK)
Remote Folder: User's home folder
(then click OK).
Log in to enna with 2FA and password, by clicking the ssh2 icon on
your Desktop, to get a terminal so you can mix "native" and enna windows
e.g. for copy-paste; or if you want a "Linux desktop" (though it will
be slower) then click xsess
(each time your laptop re-connects to the network).
Leave that enna login session running: use it, say for
nedit
or tuteroll
or
xfrom savona
(any such new Linux "windows" will appear within the VcXsrv window).
You may minimize the window of your enna login session, but keep
it running, do not allow your computer to disconnect from the
network e.g. to go to sleep/hibernate, as most laptops do with the
lid closed.
click its icon on the desktop, click Start.
See your files in the M drive, use them as "normal".
ln -s /users/misc/teaching drive-T-teaching
ln -s /users/misc/tutsols drive-S-tutsols
ln -s /users/misc/shared drive-Y-shared
ln -s /usr/sms drive-L-local
ln -s /nb/MATHSNAME drive-N-nobackup
When done for the day, close everything in the "right" order:
See also the section on xpra.
Essentials
You will need an ssh client (the ssh command or program); you
should also have an X server.
After running your ssh command, just follow the prompts: type the words
from your skey sheet for the line number shown, or the authenticator code,
then your normal enna password. You will be logged in to enna.
Both the ssh client and the X server are probably present
already. All you need to do is to run ssh something like
(in a terminal window on your laptop,
Applications > Accessories > Terminal):
ssh -C -X MATHSNAME@maths.usyd.edu.au
with MATHSNAME being your login name on the Maths servers.
For an X server, download and install XQuartz from
www.xquartz.org
(then reboot your Mac after installing).
Beware of the MacOSX "feature" of ForwardX11Timeout set to 20 minutes,
and the wrong setting of XauthLocation in MacOSX since 10.12.
You should run ssh something like
(in a terminal window on your laptop,
Applications > Accessories > Terminal):
ssh -C -X -oForwardX11Timeout=596h -oXauthLocation=/opt/X11/bin/xauth MATHSNAME@maths.usyd.edu.au
with MATHSNAME being your login name on the Maths servers.
There are several X servers for Windows. One of the easiest to set up
and use is VcXsrv, get it from
github.com/marchaesen/vcxsrv/releases.
Each time after a reboot, before running putty/ssh, start VcXsrv.
(You may iconize the running VcXsrv, look there when you expect a new
Linux "window" to be displayed.)
Windows10 native ssh may need to be enabled:
Settings > Apps > Optional Features > OpenSSH Client > Install
see
here
or
here
for instructions. It also has some
oddities:
you need to (once) use commands
mkdir \dev & echo x > \dev\tty
and for VcXsrv you need to (each time) use command
set DISPLAY=localhost:0
and use ssh option -Y instead of -X.
Or anyway (and as it seems easier) you may install and use putty.
www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
To use putty, with WindowsExplorer (e.g. MyComputer) find
putty.exe, double-click.
The very first time you use ssh, you will be prompted about the as-yet
unknown authenticity fingerprint: say yes.
xfrom to other machines, or use other X-windows software like nedit
or tuteroll, or licenced software like matlab, mathematica or maple,
or even firefox or thunderbird (with full access to scnews and other
internal pages or mail files, though these may be too slow over the
network); or for a slow but authentic login experience, use xnest or
nxagent and in there run
/usr/sms/share/ldm/Xsession
File transfer with scp
As well as ssh, you can use scp (or sftp or sshfs) to copy files between
enna and your machine.
Some GUI clients for SFTP:
It may be best to use a tool integrated with the native "file manager":
I wonder whether the issue
seclists.org/fulldisclosure/2006/Jun/340
is solved since...
The nautilus file manager has a connect-to-server function that
handles sftp just fine. Unfortunately it does not understand the 2FA
prompt and fails... but see below under
made easy.
Finder > Go > Connect to Server cannot do sftp (it can do ftps, but not sftp).
Could use macFUSE and SSHFS from
osxfuse.github.io.
Unfortunately they do not understand the 2FA
prompt and fail... but see below under
made easy.
Install and use SFTP Drive:
www.callback.com/sftpdrive
(free version works for one drive) and it works just fine with 2FA
... but see also
below under
made easy.
File transfer made easy
Save 2FA prompts
... (and the "complexity" of using them): use tunneling or
port forwarding so you can connect directly to enna (in effect from
enna itself, so no 2FA is needed).
Start your enna login session with port forwarding:
With your enna login session running, use sftp (or scp or ssh) or rsync
or your favourite GUI client for SFTP, to connect
to localhost on port 12022.
Use command
ssh -C -L 12022:localhost:22 -X MATHSNAME@maths.usyd.edu.au
Use command
ssh -C -L 12022:localhost:22 -X -oForwardX11Timeout=596h -oXauthLocation=/opt/X11/bin/xauth MATHSNAME@maths.usyd.edu.au
In putty settings, in the left pane select Connection SSH Tunnels and
set Local source port 12022 to destination localhost:22 and click Add.
See commands to use below, under easy access.
Some (Mac?) machines do not resolve the name localhost; on those use
127.0.0.1 instead of the name localhost.
Your initial ssh session needs 2FA, it is subsequent connections that may avoid it.
... use public keys.
Generate some keys and copy things around so you end up having the
private key on the laptop and the public key as authorized on
enna.
At the initial login with 2FA you still get a password prompt,
as configured for security.
Easy for Linux or Mac, not so easy to do on Windows.
You may also use this to ssh/scp between enna and the research servers.
Do not inadvertently
publish your private key,
e.g. when uploading to web or Git servers. As generated above the key has
no passphrase, so the file alone is the credential: keep it readable by
you only (mode 600) and do not copy it anywhere but your own laptop.
Easy access
On enna run commands
ssh-keygen -t rsa (press ENTER twice: to accept the filename, and to use an empty passphrase;
-t rsa keeps the names id_rsa and id_rsa.pub that the next steps rely on, as OpenSSH 9.5 and later would otherwise default to ed25519)
ln -s id_rsa.pub ~/.ssh/authorized_keys
then in another terminal window on your laptop, copy the
"private key" file from enna to your laptop:
scp MATHSNAME@enna:~/.ssh/id_rsa ~/.ssh/
chmod 600 ~/.ssh/id_rsa
Seems too much trouble, for little benefit.
Does not help with the initial login with 2FA. Windows users are
unlikely to use command-line scp and more likely to use some GUI
client that stays for the whole session, so there is little to be
gained from avoiding the one password prompt.
With Windows10 "native" ssh, and/or with SFTP Drive, one could
follow the Linux instructions above or more precisely the instructions
for
Cynthia and friends.
... to your files on enna, while your enna login session is
running, with port forwarding in place:
You could use command-line scp:
scp -P 12022 MATHSNAME@localhost:file-on-enna place-on-local-machine
scp -P 12022 file-on-local-machine MATHSNAME@localhost:place-on-enna
but there are better ways.
"Look Ma, no hands": no pesky 2FA or password prompts!
Use the connect-to-server function of the nautilus file manager:
in top or left menu connect to server
sftp://MATHSNAME@localhost:12022
Install both macFUSE and SSHFS from
osxfuse.github.io
allowing security settings for MacFUSE, then restart your laptop.
With the enna session running, in a terminal window, use commands
mkdir ~/Documents/M-home
sshfs -o follow_symlinks -p 12022 MATHSNAME@localhost:. ~/Documents/M-home
and use the files in M-home (under your Documents) as normal.
(The mkdir
command is needed once only.) When done (and
before disconnecting from enna) use command
umount ~/Documents/M-home
to disconnect.
Use SFTP Drive
www.callback.com/sftpdrive
(free version works for one drive)
connecting to localhost port 12022.
Using the ssh-with-2fa script
Using the ssh-with-2fa script
www.maths.usyd.edu.au/u/psz/ssh-with-2fa.txt
is not required, but using it may make things a little
easier, as it chooses the "right" options for ssh or scp or sftp.
In particular, you could start your enna login session just by typing
ssh MATHSNAME@enna
or use
scp file1 MATHSNAME@enna:
scp MATHSNAME@enna:file2 .
and the "right" things would happen: connect to the right host and port
(maybe with 2FA, or 2FA-less via the port forwarding while your enna
login session is running), with the "correct" options (all those
mentioned above and below), whether your laptop is "outside" or
connected to the School's internal network; it will also do the right
thing for any other uses, connecting to any other places, not just for
"School related".
Then software that uses ssh (e.g. unison or rsync) will also work just
fine (without 2FA or even passwords).
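An added Python sketch of the decision the script makes (ssh-with-2fa itself is Perl, also handles scp and sftp, and is not reproduced here): probe whether the 12022 forward from a running enna session is listening on 127.0.0.1, and if so re-enter through it, which needs no 2FA and lets the public key work; otherwise start a fresh session to maths.usyd.edu.au (or straight to enna when internal) with the forwards listed on this page. Hosts, ports and options are those quoted on this page; exactly which of them the real script applies in which situation is its own business.

```python
# Added example, not the ssh-with-2fa script: choose how to reach enna.
# Hosts, ports and options are the ones quoted on the SSH HowTo page.
import socket

FORWARD_PORT = 12022               # local end of -L 12022:localhost:22
PUBLIC_HOST = "maths.usyd.edu.au"  # the firewall, which hands ssh on to enna
INTERNAL_HOST = "enna"             # reachable directly from inside the School
SOCKS_PORT = 13080                 # -D dynamic forward, used from outside only

# Forwards the page lists: sftp loopback, IMAP (enna), SMTP (rome), CUPS (siv).
FORWARDS = [
    f"{FORWARD_PORT}:localhost:22",
    "12143:enna:143",
    "12025:rome:25",
    "12631:siv:631",
]
MAC_X11_OPTIONS = ["-oForwardX11Timeout=596h", "-oXauthLocation=/opt/X11/bin/xauth"]


def forward_is_up(port: int = FORWARD_PORT, timeout: float = 0.2) -> bool:
    """True if something accepts connections on 127.0.0.1:port, which here
    means an enna session with the -L forward is already running."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout):
            return True
    except OSError:
        return False


def ssh_command(user: str, forward_up: bool, internal: bool = False,
                mac: bool = False) -> list[str]:
    """Argument list for ssh.
    forward_up: re-enter enna through the existing forward (no 2FA, keys work).
    internal:   on the School network, go straight to enna; no -D needed.
    mac:        add the XQuartz workarounds from the Essentials section."""
    if forward_up:
        return ["ssh", "-p", str(FORWARD_PORT), f"{user}@127.0.0.1"]
    cmd = ["ssh", "-C", "-X"]
    if mac:
        cmd += MAC_X11_OPTIONS
    for fwd in FORWARDS:
        cmd += ["-L", fwd]
    if not internal:
        cmd += ["-D", str(SOCKS_PORT)]
    host = INTERNAL_HOST if internal else PUBLIC_HOST
    return cmd + [f"{user}@{host}"]


if __name__ == "__main__":
    # Usage: python3 enna.py MATHSNAME   (runs the chosen ssh command)
    import getpass
    import subprocess
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else getpass.getuser()
    subprocess.call(ssh_command(name, forward_is_up()))
```

The probe is the whole trick: a listening 12022 can only exist while your own forwarded session is up, so connecting to it lands on enna's sshd from enna's point of view, where 2FA is not demanded.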
Create a ~/bin directory:
mkdir ~/bin
and place the script file there (in your browser right-click the link
above, choose SaveAs; or click and view, then press Ctrl-S to save),
then set permissions and create a few symlinks:
cp ~/Downloads/ssh-with-2fa.txt ~/bin/ssh-with-2fa
chmod 755 ~/bin/ssh-with-2fa
ln -sf ssh-with-2fa ~/bin/ssh
ln -sf ssh-with-2fa ~/bin/scp
ln -sf ssh-with-2fa ~/bin/sftp
so it all looks like:
$ ls -l ~/bin/*
lrwxrwxrwx ... .../bin/scp -> ssh-with-2fa
lrwxrwxrwx ... .../bin/sftp -> ssh-with-2fa
lrwxrwxrwx ... .../bin/ssh -> ssh-with-2fa
-rwxr-xr-x ... .../bin/ssh-with-2fa
Make use of this by using
export PATH=~/bin:$PATH
and adding that line to your ~/.bash_profile
or
~/.zshrc
file or similar (for future invocations).
Install perl from
https://strawberryperl.com
Download the ssh-with-2fa script
www.maths.usyd.edu.au/u/psz/ssh-with-2fa.txt
to your Downloads directory (in your browser right-click the link
above, choose SaveAs; or click and view, then press Ctrl-S to save).
(Note: ssh-with-2fa is "UNIX formatted", use wordpad to view or edit.)
In a command prompt window on your laptop
(Start > Programs > Accessories > CommandPrompt)
or (Start > Run > cmd),
type commands:
mkdir bin
copy Downloads\ssh-with-2fa.txt bin\ssh-with-2fa
echo perl "%USERPROFILE%\bin\ssh-with-2fa" %* > bin\ssh2.bat
setx path "%USERPROFILE%\bin"
and then close this command prompt window, as setx is for any
future ones. (setx replaces any user-level PATH you already had; if
you have one, append "%USERPROFILE%\bin" to it instead of overwriting it.)
ssh2 MATHSNAME@enna
in the example above.
copy bin\ssh-with-2fa bin\scp-with-2fa
echo perl "%USERPROFILE%\bin\scp-with-2fa" %* > bin\scp2.bat
copy bin\ssh-with-2fa bin\sftp-with-2fa
echo perl "%USERPROFILE%\bin\sftp-with-2fa" %* > bin\sftp2.bat
and use
scp2 file1 MATHSNAME@enna:
scp2 MATHSNAME@enna:file2 .
or similar.
Beware unison: version numbers, maybe also OCaml versions, must
match for it to work.
If you have any problems with ssh-with-2fa then run it as
ssh --debug MATHSNAME@enna
to see more verbose messages.
Port forwardings: IMAP SMTP
Most people now have @sydney email addresses, stored on Office365: see
www.maths.usyd.edu.au/u/psz/davmail.html
for settings and instructions on how to use.
-L 12143:enna:143 -L 12025:rome:25
to make our internal IMAP server (enna) and SMTP server (rome)
accessible, while the enna login session is running. Set your mail
client (e.g. mutt, alpine, thunderbird) to use:
proto | server    | port
------|-----------|------
IMAP  | localhost | 12143
SMTP  | localhost | 12025

You may need (once, on enna) to create the directory with
mkdir -p ~/Mail/.imap
for IMAP login to succeed.
You may also want to (and ssh-with-2fa will) set the same port forwardings for "internal" laptop clients connecting ssh to enna, so the mail client configuration does not need to change between internal and external uses.
No POP to rome anymore: was unused anyway.
Port forwardings: CUPS and no LPD
For printing, you may want to (and ssh-with-2fa will) use the port forwarding
option
-L 12631:siv:631
to make our internal CUPS server (siv) accessible, while the enna login
session is running. To use, set up CUPS printing as described in the
printing page.
Printing from outside, when not around to pick up printout, is not much
use.
You may also want to (and ssh-with-2fa will) set the same port forwarding for "internal" laptop clients connecting ssh to enna, so the printing client configuration does not need to change between internal and external uses.
Seems tempting to use -L 515:siv:515 for LPD printing. But we cannot use low ports on Linux: maybe not on the laptop for listening, and certainly not on enna for connecting to the LPD server. Setting up local LPD printing would not be trivial; copying the file to be printed with scp and then printing directly from enna may be simpler. Use CUPS printing instead, as above.
The ssh-with-2fa script will not (by itself) use the above forwarding,
but you would need to get things started with a command like
Generally users have passwords set on enna only, not on other servers
like savona. If you use public keys as suggested above, that is shared
by savona so will work there also; otherwise, if needed, a password
could be set on savona.
The BioInformatics people have a page about
using RStudio Server
though with restricted access.
Using the ssh ProxyJump option, via ~/.ssh/config (on your laptop)
containing:
Port forwarding: other machines (e.g. savona)
Sometimes it is desired to connect to another server e.g. savona. Use a
forwarding option something like
-L 14022:savona:22
and then (while the enna login session is running) separately connect to
localhost, port 14022 (with ssh, scp, FileZilla, WinSCP etc).
ssh -L 14022:savona:22 MATHSNAME@enna
(or on Windows similar command but with ssh2).
ProxyJump for other machines (e.g. savona)
Sometimes all you want is to log in to another server e.g. savona, and
would like to do in a single command. (The
supported
way is ssh to enna and then "xfrom savona"; or you can ssh to enna with
port forwarding set and then separately ssh to savona, as suggested
above.)
Host savona
HostName savona
User MATHSNAME
ProxyJump enna
Host enna
HostName maths.usyd.edu.au
User MATHSNAME
(or some complicated command line) might work. The current Windows putty
has a similar
Proxy panel
feature.
Port forwarding seems more generally useful (e.g. for other servers or for file transfer).
Dynamic forwarding
From outside, you may want to (and ssh-with-2fa will) use the dynamic forwarding option
-D 13080
so on your laptop (in a terminal, not the ssh-ed one running on
enna) you can use e.g. proxychains to access any
"internal" services.
See
en.wikipedia.org/wiki/Comparison_of_proxifiers
about other similar utilities e.g. for Windows.
To use proxychains (Linux, Mac): on the laptop, edit ~/.proxychains/proxychains.conf (or /etc/proxychains.conf) to contain the lines
quiet_mode
[ProxyList]
socks5 127.0.0.1 13080
(do not use proxy_dns, and have just one line in ProxyList).
On your laptop (in a terminal, not the ssh-ed one running on enna) use commands like
proxychains command args...
Examples:
proxychains xvncviewer myoffice.pc.maths.usyd.edu.au
proxychains xfreerdp /u:unikey /v:myoffice.pc.maths.usyd.edu.au
proxychains ssh me@myoffice.pc.maths.usyd.edu.au
when outside (or directly without proxychains when inside).
Alternatively, use port forwarding options like
-L 5902:myoffice.pc:5900 -L 3390:myoffice.pc:3389 -L 14022:myoffice.pc:22
and connect to localhost (on port 5902, 3390 or 14022 respectively, probably by using name localhost:5902 etc).
proxychains mutt
proxychains alpine
proxychains thunderbird
when outside (or directly without proxychains when inside).
proxychains firefox
with network via Maths to access scnews and /loc/ pages. File access e.g. download location would be on your laptop.
Very tempting to use -L 139:enna:139 then use connect-to-server
smb://localhost to access the
Samba
server on enna (for file access), but that might not work:
on Linux/Mac it requires root access e.g. sudo on the laptop;
on Windows, port 139 may be "in use" already.
Known issues:
See also the section on xpra.
There are timeouts set in several network "appliances":
If affected still, you may want to add the
For incoming connections, ssh or putty talks to the firewall, and only
the firewall knows which internal machine the connection is sent to:
currently enna.
For outgoing connections we have transparent proxy on the firewall,
see
When using Cygwin (its ssh and its X server), or maybe from MacOSX,
you need the (unsafe) -Y option instead of -X: I guess needed whenever
xdpyinfo does not show the SECURITY extension. (-Y is "trusted" X11
forwarding: the remote clients get full access to your local X display,
including other windows and their keyboard input, so use it only towards
hosts you trust.)
Dire warnings (words of Jim Richardson):
Note for Maths (129.78.68.*, e.g. Magma) users:
Our 2FA software is available in directory
/usr/sms/etc/2fa (on enna).
This "SSH HowTo" page is referenced from (or referred to in):
When that happens, try again in a little while. Long story below.
That is our protection against password guessing attacks, in action:
we have rate limiting on ssh connections. When that happens, try again
in a little while; or maybe wait until the next wall-clock hour, then
try; maybe use "ssh -v ..." (or "putty -v ...")
to see the "error" message; try soon after the restriction is lifted,
before the "bad guys" use up all permitted tries.
For some background, see:
Our Web-OTP service also has limits: 2 per minute for each connecting
machine, and a limit of 2 per second or 20 per minute for all
connections.
We are pretty safe against any breakins with 2FA; in fact I have never
noticed them trying 2FA at all, they just try single passwords. Many
try root only as the login name (and root does not have 2FA).
We limit connections to protect against attackers wasting resources,
hoping to make the attacker "go away" and try another victim. Our
protections have stopped many ssh password guessing runs/attacks,
significantly lowering the CPU load on our machines.
Any limits (in xinetd, sshind or sskd) will affect legitimate users also:
hopefully our rates and back-off times are not too annoying.
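An added example of limits of the shape described above (the numbers are this page's; the code is an illustration, not the School's service): sliding windows of 2 per minute per connecting address, and 2 per second and 20 per minute for all connections together. A request is served only when every applicable window has room; here a denied request is not counted towards the windows, which is a choice made for the example since the page does not say.

```python
# Added example, not the School's Web-OTP service: sliding-window rate
# limits with the numbers quoted on this page (2 per minute per connecting
# machine; 2 per second and 20 per minute for everyone together).
from collections import defaultdict, deque


class SlidingWindow:
    """At most `limit` events in any interval of `seconds`."""

    def __init__(self, limit: int, seconds: float):
        self.limit = limit
        self.seconds = seconds
        self.events = deque()

    def has_room(self, now: float) -> bool:
        # Drop timestamps that have fallen out of the window, then compare.
        while self.events and now - self.events[0] >= self.seconds:
            self.events.popleft()
        return len(self.events) < self.limit

    def record(self, now: float) -> None:
        self.events.append(now)


class OtpRateLimiter:
    """Per-client and global limits checked together: a request is served
    only if every window has room, and only served requests are counted
    (a choice made for this example). In a real service the per-client
    table would also need idle entries expired."""

    def __init__(self):
        self.per_client = defaultdict(lambda: SlidingWindow(2, 60.0))
        self.overall = [SlidingWindow(2, 1.0), SlidingWindow(20, 60.0)]

    def request(self, client_ip: str, now: float) -> bool:
        windows = [self.per_client[client_ip], *self.overall]
        if not all(w.has_room(now) for w in windows):
            return False
        for w in windows:
            w.record(now)
        return True
```

The two global windows are what make one noisy client unable to starve everyone: the per-client window stops it early, and the global ones cap what many clients together can extract from the service per second and per minute.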
Instructions:
In a terminal window on your laptop
(Applications > Accessories > Terminal), type
commands:
Use xpraterm if you want a terminal, so you can mix "native" and enna
windows e.g. for copy-paste; use xprasess if you want a "desktop"
session (though it may be slower than xpraterm).
Comments about xpra (and other ways to use), for completeness:
On your laptop, in a new terminal (or command prompt) window, use command:
This (in a little while, password-less if you had set up public keys
as suggested) will show a new xterm window running on enna;
use this new xterm to work in/from.
When "done", in some enna window use command
If you wanted to keep your xpra session "alive", then when "done", do
not close the various windows but press ctrl-C where you started xpra.
This would leave the "session" running on enna. Later you could
re-connect to the xpra session: if outside, log in with skeys and then
(on your laptop, in a new terminal window) use
or if inside, (in a terminal window on your laptop) use
You may have several sessions. To choose, add the number e.g.
Paul Szabo
psz@maths.usyd.edu.au
10 Jan 25
Port forwarding: comments
We use ports above 12000 because low ports are root-access-only on Linux,
and to avoid clashes with locally running services.
I could not get it to work on Windows, not even with the tricks in
support.blue.net.au/support/tunneling-smb-over-ssh-secure-file-sharing/
Performance
The performance (responsiveness etc) of the connection should
depend on the speed of the "home" end of the network: on a fast cable or
ADSL connection, should be similar to the speed of a Y-terminal
within the School.
NOTE: file:/ links (as above) do not work in Firefox.
Copy link location then paste to Firefox URL bar, see
kb.mozillazine.org/Links_to_local_pages_don't_work .
It seems that this is caused by the "latency" of my home network.
Commands
ping maths.usyd.edu.au
traceroute maths.usyd.edu.au
show "round-trip time" delays of 15 to 40 milliseconds, spent
mostly within "home network provider" equipment. Seeing how many X11
network messages each command exchanges:

Command  | write | recv
---------|-------|-----
tuteroll | 1560  | 3180
nedit    | 270   | 280
xterm    | 290   | 470

maybe all slowness is explained and accounted for.
There is no such slowness for accesses from the UniSydney wireless
network; and also not for machines connected to the School internal
"wired" network.
xquartz.macosforge.org/trac/ticket/2074
bugs.freedesktop.org/show_bug.cgi?id=93430
gitlab.freedesktop.org/xorg/xserver/issues/188
noting the possible workaround:
XQuartz > Preferences > Output > Colors: 256 Colors
See also similar or related:
bugs.debian.org/366096
bugs.debian.org/384105 xterm
bugs.debian.org/408759 gnome-terminal
bugs.debian.org/764276 dxpc
bugs.debian.org/766299 nxproxy
/usr/sms/bin/OLD/x11proxy script that had been used at Maths
and some comments about performance in our script
/usr/sms/share/ldm/ldm-greeter .
lists.mindrot.org/pipermail/openssh-unix-dev/2023-February/040593.html
We use this patched ssh at Maths, you may want to patch yours too!
No VPN
We do not even try incoming VPN, as that would require complex and
intrusive settings on both enna and on the laptop. For references
see:
Idle timeouts
If you allow your computer to disconnect from the network e.g. to go to
sleep/hibernate, as most laptops do with the lid closed, then your ssh
session will be terminated.
The above timeouts may all be non-issues, as we have the lines
TCPKeepAlive yes
ClientAliveInterval 10
ClientAliveCountMax 60
in the Maths
/etc/ssh/sskd_config
file: we are never much idle, and survive network dropouts of 10 minutes.
BEWARE: this consumes data, about half a kB each 10 secs, 200kB per
hour, 4MB per day.
If your computer goes to sleep or hibernate then it
will not communicate, and the above settings will cause the session to
be terminated in 10 minutes. Without the above settings, the ICT
firewall would drop the connection in 5 minutes, instead.
Use the
-oServerAliveInterval=10
option to ssh (for Linux or Mac; putty has keepalive settings but not
for the command line); or leave
while :; do date; sleep 60; done
(or rpt 60 date) running.
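As an added example (not the Maths sshd configuration or any School script), the shell function below reads ClientAliveInterval and ClientAliveCountMax from sshd_config-style text and reports how long a silent client survives before the server gives up, how many probes are sent per day, and the data they cost. It assumes OpenSSH's defaults when a keyword is absent (ClientAliveInterval 0, meaning no probes at all, and ClientAliveCountMax 3) and the "about half a kB per probe" estimate from above; the sample config is constructed to match the three lines quoted above.

```shell
#!/bin/sh
# Added example, not the School's configuration: work out what the
# sshd keepalive settings quoted on this page actually buy you.
# Assumed defaults are OpenSSH's: ClientAliveInterval 0 (no probes),
# ClientAliveCountMax 3. Per-probe size of ~0.5 kB is the page's estimate.

# keepalive_summary < sshd_config text
# Prints one line:
#   interval=<s> countmax=<n> tolerance=<s|unbounded> probes_per_day=<n> est_kB_per_day=<n>
keepalive_summary() {
    awk '
    BEGIN { interval = 0; countmax = 3 }
    # sshd_config keywords are case-insensitive; "#" starts a comment
    /^[ \t]*#/ || NF == 0 { next }
    { key = tolower($1) }
    key == "clientaliveinterval" { interval = $2 + 0 }
    key == "clientalivecountmax" { countmax = $2 + 0 }
    END {
        if (interval == 0) {
            # No probes: sshd never notices a dead peer on its own, so an
            # idle-connection firewall (5 minutes, per this page) decides.
            print "interval=0 countmax=" countmax \
                  " tolerance=unbounded probes_per_day=0 est_kB_per_day=0"
        } else {
            tol    = interval * countmax        # seconds of silence tolerated
            probes = int(86400 / interval)      # probes sent per day
            kb     = int(probes * 0.5)          # ~0.5 kB per probe (page estimate)
            print "interval=" interval " countmax=" countmax \
                  " tolerance=" tol " probes_per_day=" probes \
                  " est_kB_per_day=" kb
        }
    }'
}

# Constructed sample matching the lines quoted on this page.
maths_like_config() {
    printf '%s\n' '# constructed sample, not the real file' \
        'TCPKeepAlive yes' 'ClientAliveInterval 10' 'ClientAliveCountMax 60'
}

# Just the tolerated dropout, in seconds, for the sample above.
tolerance_seconds() {
    maths_like_config | keepalive_summary | sed 's/.*tolerance=\([0-9]*\).*/\1/'
}

maths_like_config | keepalive_summary
```

Run it as-is to see the quoted settings give a 600 second (10 minute) tolerance at 8640 probes per day, about 4.3 MB; feed it an empty or default config and the tolerance is reported as unbounded, which is exactly when the firewall's own 5 minute idle cut-off applies instead.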
Random ramblings
For internal laptops etc, please see
www.maths.usyd.edu.au/s/scnitm/psz-Laptops-WirelessAndWiredC
about wired and wireless connections, and
www.maths.usyd.edu.au/u/psz/visitors.html
www.maths.usyd.edu.au/u/psz/printing.html
about settings and printing.
www.maths.usyd.edu.au/s/scnitm/psz-TransparentProxy-noProxyS
You may still want to use the ssh-with-2fa script, to choose
sensible options.
Note that skeys are only for use of the person to whom the sheet was
allocated, and no forwardings or tunnels other than the above should
be used without prior arrangement with the School Computing Manager.
You do not need 2FA from such "trusted" hosts.
NOTE: file:/ links (as above) do not work in Firefox.
Copy link location then paste to Firefox URL bar, see
kb.mozillazine.org/Links_to_local_pages_don't_work .
www.maths.usyd.edu.au/local.html (click "Incoming ssh")
www.maths.usyd.edu.au/loc/comp/alpha/net-security.html#incoming
www.maths.usyd.edu.au/u/psz/ssh-howto.html (here).
Rate limits
On occasions, while trying to log in, you may receive errors like
Connection closed by remote host
server unexpectedly closed network connection
Connection refused
or our Web-OTP service may show "Too Many Requests".
https://isc.sans.edu/diary/Guess+what+SSH+again/6214
https://isc.sans.edu/diary/Dealing+With+Unwanted+SSH+Bruteforcing/7855/
and example log lines from 2011:
Aug 25 22:17:33 bari sskd: Failed for invalid user aaa
Aug 25 22:17:48 bari sskd: Failed for invalid user aaron
Aug 25 22:17:51 bari sskd: Failed for invalid user abacus
Aug 25 22:17:56 bari sskd: Failed for invalid user abby
Our ssh service is handled by:
The limits on connections count both successful and failed logins.
In the file
/etc/xinetd.conf
we use the setting "cps=3 15":
When the port is turned off, a connection attempt gets a "connection
refused", which I observed is better at making attackers go away.
No longer have my
cpm and cph patches
in xinetd, but have rate limiting in the sshind script as below.
This successfully prevents many attacks.
until the start of the next wall-clock period.
This prevents many distributed attacks, going through lists of login
names but each attempt from a wildly different source IP address.
Use xpra
Use xpra to
Xpra is independent of (so you would not need) VcXsrv or XQuartz.
Unrecognized OpenGL version
Could not initialize GLX
X server does not support XInput 2
GLX 1.3 or later is required
Using xpra may speed things up on slow networks like access from "outside",
but may instead slow things down on fast networks like internal ones,
and may introduce its own oddities and bugs.
Enjoy the magic of indirection and subterfuge, one on top of another!
On your laptop, install xpra from
www.xpra.org .
Linux distributions may have xpra, e.g. on Ubuntu simply use command
sudo apt install xpra
ln -sf ssh-with-2fa ~/bin/xpraterm
ln -sf ssh-with-2fa ~/bin/xprasess
On your laptop, install xpra from
www.xpra.org .
In a command prompt window on your laptop
(Start > Programs > Accessories > CommandPrompt)
or (Start > Run > cmd), type commands, but
replacing MATHSNAME with your login name on the Maths servers:
echo $x=$0; $x=~s,[a-z-]*$,ssh-with-2fa,; $y=`type "$x"`; eval $y > bin\xpraterm-helper
echo $x=$0; $x=~s,[a-z-]*$,ssh-with-2fa,; $y=`type "$x"`; eval $y > bin\xprasess-helper
echo perl "%USERPROFILE%\bin\xpraterm-helper" MATHSNAME@enna > bin\xpraterm.bat
echo perl "%USERPROFILE%\bin\xprasess-helper" MATHSNAME@enna > bin\xprasess.bat
Put shortcuts on your Desktop, pointing to xpraterm and
xprasess: right-click anywhere in the desktop background,
choose New Shortcut, browse to C:\Users\username\bin\xpraterm (or
...\xprasess) and OK.
to log in to enna with 2FA and password
(each time your laptop re-connects to the network).
xpraterm MATHSNAME@enna
xprasess MATHSNAME@enna
where MATHSNAME is your login name on the
Maths servers.
To log out and terminate xpraterm or xprasess, in some enna window
type command
xpra stop
Some (Mac?) machines do not know about localhost, then use 127.0.0.1
instead of the name localhost.
xpra start ssh/MATHSNAME@localhost:12022 --no-speaker --exit-with-children=yes --start-child=xterm
where MATHSNAME is your login name on the Maths servers.
If doing from inside, then instead you need
xpra start ssh/MATHSNAME@enna --no-speaker --exit-with-children=yes --start-child=xterm
xpra stop
or simply close the various windows, and your xpra session will close
also.
xpra attach ssh/MATHSNAME@localhost:12022 --no-speaker
Some (Mac?) machines do not know about localhost, then use 127.0.0.1
instead of the name localhost.
xpra attach ssh/MATHSNAME@enna --no-speaker
and see all your previous windows, as you had left them.
xpra attach ssh/MATHSNAME@localhost:12022/7 --no-speaker
xpra attach ssh/MATHSNAME@enna/7 --no-speaker
The same syntax could be used with xpra start if you wanted
to choose some as-yet-unused one.
Though, I suggest you have just the one xpra session, to enna (not
savona etc directly):
xpra list
to show all session numbers, and for each use something like
xpra stop 7
Please do this on occasions, not to leave things running forever.
Further reading, random references
en.wikipedia.org/wiki/Comparison_of_SSH_clients
en.wikipedia.org/wiki/Port_forwarding
help.ubuntu.com/community/SSH/OpenSSH/PortForwarding
man.openbsd.org/cgi-ssh
man.openbsd.org/ssh_config
en.wikipedia.org/wiki/X_Window_System
cygwin.com
x.cygwin.com
www.rocketsoftware.com/products/remote-access/exceed
en.wikipedia.org/wiki/Perl
https://www.perl.org/get.html
sourceforge.net/projects/expect/
blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/