TechFak - Services

Remote shell access

Introduction

For remote shell access users may connect to the machine shell.techfak.de using their TechFak username. The machine is intended as a gateway for interactively logging into the TechFak network and hopping to another host for working. From shell.techfak.de you have access to all resources within the TechFak network, like compute.techfak.de, your workstation (if any) or your lab-computers (if any).

shell.techfak.de is not intended for any kind of permanent work, such as programming, computing or word processing. It is just a gateway between the internet and the TechFak resources. Please use the target hosts mentioned above if you want to run any long-term or background jobs.

Temporary home-directory

On each login a clean temporary home dir will be created for you. Since the machine is not intended for permanent work there is no way for users to store files permanently on that host.

Your data on shell.techfak.de will not be preserved after logout!

Limited process execution

Processes running on shell.techfak.de are bound to your current session. It is not possible to run long-term background jobs. For that purpose please connect to compute.techfak.de as described below.

Access per SSH Keypair

Access to the machine is handled by SSH public key authentication (with the command ssh shell.techfak.de). This mechanism lets you access a host by presenting a keypair instead of your login password. Using an agent you may even connect without entering a passphrase at all.

Usual password authentication to the machine is not possible. Thus an attacker cannot simply brute-force the weak password of a carelessly maintained account; brute-forcing an SSH key is far harder and usually too expensive.

In other words, the crucial element of the login is the private key, not the password.

Set up your account

To prepare your account for remote shell access, you need to install one or more public keys. To do so you may use our webservice or tf-ssh-auth-keys from the command line on any Netboot machine. In case you do not already have a keypair, please refer to the key generation section in the example recipes.

The webservice is only available from within the TechFak network, so you need to set up your account while you are here in the University buildings!

Example for the webservice (including key-generation)

Example (for the command line)

Pick the public key you want to upload; it should look like this:

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFIr/5teON7CkIr7R3bGprrVWwJgqrVPKA3s/46TAgq juser@example

Commit the public key as authorized_keys

$ tf-ssh-auth-keys < .ssh/id_ed25519.pub
HINT: As 'host-password' please supply your TechFak service-password 
to change the contents of your "authorized_keys" on shell.techfak.de.
Enter host password for user 'juser':
Your new "authorized_keys" on shell.techfak.de is now active.

Verify that the key is installed

$ tf-ssh-auth-keys --show
HINT: As 'host-password' please supply your TechFak service-password
to show the contents of your "authorized_keys" for shell.techfak.de.
Enter host password for user 'juser':
---Begin authorized_keys---
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFIr/5teON7CkIr7R3bGprrVWwJgqrVPKA3s/46TAgq juser@example
---End authorized_keys---
The content has been last changed on Sat, 05 Mar 2016 02:30:03 GMT

Example for Putty

'PuTTY' (on the left side) as well as 'PuTTY Key Generator' (on the right side), which is also called puttygen, can be obtained from here.

Example recipes

Here are several use cases which are typical for shell.techfak.de:

Key generation

To generate an SSH private/public keypair you need to call ssh-keygen from the command line. This tool is available on any Netboot workstation within TechFak, CoR-Lab or CIT-EC.

Generate an ED25519 keypair

This example is for the user juser (or tstgzi); your output will show your own user name. A video example can be found here.

$ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/juser/.ssh/id_ed25519): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/juser/.ssh/id_ed25519.
Your public key has been saved in /home/juser/.ssh/id_ed25519.pub.
The key fingerprint is:
d0:e7:f0:3c:78:5c:34:d6:57:c8:d5:26:18:b8:49:f0 juser@example
The key's randomart image is:
+--[ED25519 256]--+
|        .. .== o=|
|       . .oo..= +|
|      . o.Eo.  + |
|       . Oo.     |
|        S B      |
|         . .     |
|                 |
|                 |
|                 |
+-----------------+

If you want to connect from multiple machines we recommend using one keypair per client.

Put your key into an agent

Entering the SSH key passphrase at each login can be bothersome. With ssh-agent you only have to supply the passphrase for your SSH key once. When you start your session on your local host (the machine from which you are going to connect to shell.techfak.de), you just need to add the key using ssh-add:

$ ssh-add 
Enter passphrase for /home/juser/.ssh/id_ed25519:
Identity added: /home/juser/.ssh/id_ed25519 (/home/juser/.ssh/id_ed25519)

From now on you may connect using this key from your local machine without supplying the passphrase again. See also below.

Connect to compute

Remember that you cannot do any real, persistent work on shell.techfak.de. Therefore you need to hop on to another TechFak machine right after logging in to shell.techfak.de, e.g. the general compute host compute.techfak.de. This means carrying out the following two steps:

Login to shell

$ ssh juser@shell.techfak.de

######################################################################
#### WELCOME TO THE FACULTY OF TECHNOLOGY AT BIELEFELD UNIVERSITY ####
######################################################################


 ▞▀▖▀▛▘▀▛▘▛▀▘▙ ▌▀▛▘▜▘▞▀▖▙ ▌ This is an intermediate machine. Your home
 ▙▄▌ ▌  ▌ ▙▄ ▌▌▌ ▌ ▐ ▌ ▌▌▌▌ here is temporary and will not be preserved
 ▌ ▌ ▌  ▌ ▌  ▌▝▌ ▌ ▐ ▌ ▌▌▝▌ on logout. Connect to compute or your local
 ▘ ▘ ▘  ▘ ▀▀▘▘ ▘ ▘ ▀▘▝▀ ▘ ▘ workstation to access your permanent home.

 Don't use this machine for file transfers. See http://techfak.net/remote  
 for advices on that and general usage tips regarding this service.        

juser@shell:~$ 

Continue to compute

Please keep in mind that you have to enter your general workstation password for compute.

juser@shell:~$ ssh compute
juser@compute's password: 
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.18.1-tf1-ll x86_64)

 * Documentation:  https://help.ubuntu.com/

juser@bonnie:~$ 

Read E-Mail

For reading electronic mail in the terminal, mutt is preinstalled. You may take a quick glimpse into your inbox or drop a short note to somebody, rather than keeping long-term conversations. If you want to do the latter, please consider running mutt within a screen session on compute, or set up a mail environment on your local machine.

After starting mutt you will be asked for your mail password to read your mail using IMAP. The same applies for sending mail using SMTP.

Instant messaging

For quick instant-messaging sessions a terminal-based XMPP client called mcabber is available. The same rule as for mail applies here: if you want to keep your conversations in a screen session, you have to do that on another machine!

Forwarding resources to your home workstation

If you often connect to another host in the TechFak network, e.g. compute.techfak.de, you may set up a forwarding configuration in the SSH setup of your local machine. The forwarding configuration serves as a shortcut from your local machine to the respective TechFak resource, without requiring you to explicitly log into shell.techfak.de.

SSH to another host in the TechFak network

1. Prepare your .ssh/config

Using the ProxyCommand configuration option you can supply a command that ssh uses to establish the connection. Your .ssh/config should contain an entry like this one:

Host techfak-compute
	Hostname compute
	User juser
	ProxyCommand ssh juser@shell.techfak.de socat - TCP:%h:%p

In this case ssh calls itself again, logging in to shell.techfak.de and starting socat there, which connects to compute and forwards all data to the initial ssh command you issued.

2. Connect directly to compute.techfak.de using the above .ssh/config

$ ssh techfak-compute
juser@compute.techfak.de's password: 
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.18.1-tf1-ll x86_64)

 * Documentation:  https://help.ubuntu.com/

juser@clyde:~$ 

If you enabled an SSH agent you only need to supply your workstation password for logging in to compute.

Accessing a webserver in the TechFak network

Some internal webservers may only be accessible from within the TechFak network. The same procedure as above can be used to forward access to internal webservers to your local machine, even if your machine is located outside the TechFak network.

1. Prepare your .ssh/config

Put the corresponding hostname into the LocalForward statement:

Host techfak-forward-wiki
	LocalForward localhost:8080 wiki.techfak.net:80
	HostKeyAlias shell.techfak.de
	Hostname shell.techfak.de
	ExitOnForwardFailure yes
	User juser

ssh will now listen on localhost:8080 and forward every connection to that port through shell.techfak.de to wiki.techfak.net:80.

2. Connect to shell.techfak.de using the above .ssh/config

$ ssh techfak-forward-wiki
[...]

Leave that shell open in the background; while it's running you can access our internal wiki on localhost:8080.

3. Now you can connect to wiki.techfak.net using the established connection

$ nc localhost 8080 | head -2
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2016 12:00:34 GMT
$

shell.techfak.de may also be used for forwarding any other kind of resource to your local machine. This might include accessing internal websites or other services which you would like to use at home.

Furthermore, that technique may help in emergencies to get access to the complete set of our resources if direct access to some specific port (IMAP, for example) is not possible from your network environment. That said, please always keep in mind that technology cannot solve social problems for you. If your current network provider has decided to block access for some reason, you should discuss that situation with them rather than circumventing it.

Current SSH host-key fingerprints:

ED25519 (256 bit):   SHA256 (base64): 0tsVGENxjW1Twqrg7FPQ6xrZ+e6ZcQ3rLU79+3I06Jo
                     MD5 (hex):       3c:3c:d6:69:c5:1d:20:58:5a:d8:d7:d9:96:7c:41:04
RSA (4096 bit):      SHA256 (base64): mwj9NZ8Ay5kVpT1iMJdg73Acs4BT57wobFXbznPwQos
                     MD5 (hex):       2b:68:68:2b:ee:b6:4d:72:7d:e5:9b:c3:c2:c7:de:48
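The fingerprints above are what you should compare against the first time ssh asks you to trust the host key of shell.techfak.de (or whenever it warns that the key changed). The following script is an added example, not part of the TechFak documentation or tooling: it scans the host with ssh-keyscan, renders the fingerprints with ssh-keygen -l, and checks each one against the published SHA256 values before you add the key to known_hosts. The function check_fingerprint is a name chosen here; the sample line in the comment is constructed.

```shell
#!/bin/sh
# Added example (not from the TechFak documentation): verify the host keys
# offered by shell.techfak.de against the fingerprints published on this page.

# Published SHA256 fingerprints (copied from the page above).
TF_ED25519_FP='SHA256:0tsVGENxjW1Twqrg7FPQ6xrZ+e6ZcQ3rLU79+3I06Jo'
TF_RSA_FP='SHA256:mwj9NZ8Ay5kVpT1iMJdg73Acs4BT57wobFXbznPwQos'

# check_fingerprint LINE
# LINE is one line of `ssh-keygen -lf` output (constructed sample):
#   256 SHA256:0tsV...06Jo shell.techfak.de (ED25519)
# Returns 0 if the fingerprint matches the published one for that key type,
# 1 on mismatch, 2 if no fingerprint is published for the key type.
check_fingerprint() {
    line=$1
    fp=$(printf '%s\n' "$line" | awk '{print $2}')
    ktype=$(printf '%s\n' "$line" | sed -n 's/.*(\([A-Z0-9]*\))$/\1/p')
    case $ktype in
        ED25519) expected=$TF_ED25519_FP ;;
        RSA)     expected=$TF_RSA_FP ;;
        *)       return 2 ;;   # unknown type: nothing to compare, do not trust
    esac
    [ "$fp" = "$expected" ]
}

# fetch_and_check: live use (needs network). Scans shell.techfak.de and
# fails if any offered key does not match, or if no key was received at all
# (a silent pass on an empty scan would defeat the purpose of the check).
fetch_and_check() {
    scan=$(ssh-keyscan -t ed25519,rsa shell.techfak.de 2>/dev/null | ssh-keygen -lf -) || return 1
    [ -n "$scan" ] || { echo "no host keys received from shell.techfak.de" >&2; return 1; }
    printf '%s\n' "$scan" | while IFS= read -r l; do
        check_fingerprint "$l" || { echo "MISMATCH: $l" >&2; exit 1; }
        echo "OK: $l"
    done
}

# Run the live check only when asked for, e.g. `sh check-shell-hostkey.sh --live`.
if [ "${1-}" = "--live" ]; then
    fetch_and_check
fi
```

If fetch_and_check reports a mismatch, do not accept the key; ask the TechFak support for the current fingerprints instead.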

File transfer

shell.techfak.de is not intended for file transfers, neither direct nor tunneled. There is a dedicated machine, files.techfak.de, for this. Please consult the corresponding section of our documentation in case of questions on this topic.

More software

You may be tempted to ask us to install more software on shell.techfak.de. It is very unlikely that we will fulfill such requests. Due to the temporary nature of a session on this machine, most software packages are useless there. Please use compute for your work, where you have access to all the packages available on a usual Netboot workstation.