An important aim of the Informatics computing infrastructure is that you should be able to easily and securely use your data, and make use of computing resources, from outside of the School's internal network. To do this, you need to have certain software packages installed on your home computer. Although there are pages on this site telling you how to install this software, they don't necessarily explain what each piece of software does, why you might need them, and how they interact. This page tries to fill that gap.

We describe five main software packages: ssh, Kerberos, OpenAFS, OpenVPN and RDP. For the most part, everything here will apply to all three operating systems which we support - namely Linux, MacOS, and Windows.

Security is important to us. A lot of that is built in to the design, but you have an important part to play as well - so please start by reviewing our guidance on data security, and then come back here to read on.

ssh

What is it?

ssh (which stands for secure shell) allows you to connect to a DICE machine from a remote location and run commands on that machine as if you were sitting in front of it. In technical terms, ssh allows you to start up a remote shell on the DICE machine. It's called a secure shell because the data sent across the network between your home machine and the DICE machine is encrypted - so any third party who manages to eavesdrop on your connection won't be able to get any useful information. ssh is command-line orientated, but it can be configured to allow the DICE machine to display X windows on your home machine if you are running an X server. For more details, see our External login (ssh) servers page.

How do I get it?

Nowadays, ssh clients come pre-installed on all standard distributions of Linux, macOS, and Windows, so you shouldn't need to install any additional software - though you might still need to configure the ssh client appropriately.

Anything else I should know

Unless you're using OpenVPN (see below), you will not be able to connect directly to your desktop machine using ssh from outside the Informatics network. Instead, you will have to connect to one of the gateway machines staff.ssh.inf.ed.ac.uk or student.ssh.inf.ed.ac.uk, and then connect from that machine to the DICE machine you are interested in. The gateway machines are for accepting ssh connections only - please don't try to use them for actual work.

It is possible that when you try to connect to your desktop machine from one of the ssh servers, you will find that it has gone to sleep. See Remote wake-up for sleeping computers for information on how to wake it up.

If your ssh connection from home seems to time out and disconnect quickly, there's a possible solution at ssh timeouts from home.

How secure is it?

The traffic between your home machine and the DICE machine is encrypted and is therefore pretty secure. However, when you connect to the DICE machine, you will be prompted for your DICE username and password, and there is a small but real chance that, if the machine at either end of the connection has been compromised, then your login details could be captured. Only you can make sure your home machine is secure, and we would encourage you to install all security updates as soon as they become available. The gateway machines are obvious targets for compromise and, although we make great efforts to ensure that this does not happen, we cannot guarantee that these machines will never be compromised. It would be far better if there was some way of avoiding the need to send your DICE password over the network to the DICE machine at all. This leads us to:

Kerberos

What is it?

Kerberos is an authentication mechanism - a way of identifying yourself to a computer. Of course, you can do that simply by typing in your username and password at a login prompt, but one of the advantages of Kerberos is that it removes the requirement to send your password over the network to the remote machine to which you are trying to connect. As we saw above, doing so can pose a small but significant security risk.

Kerberos can do a lot more than just simplify the login process. Kerberos can also be used to give access to services, including our authenticated file service AFS (below). If you're interested in finding out more about how Kerberos works, the Wikipedia page 'Kerberos (protocol)' is a good place to start, as is the classic reference Designing an Authentication System: a Dialogue in Four Scenes.

How do I get it?

See the instructions for installing kerberos on Ubuntu Linux, MacOS, and Windows.

Anything else I should know?

Kerberos works by issuing tickets for services. The first ticket Kerberos issues is known as the 'ticket granting ticket' (TGT) which has a limited lifetime - typically, 18 hours. Tickets for other services  - for example the AFS file service  - are issued using the TGT, and also have limited lifetimes. This can cause problems if you are trying to run jobs for longer than 18 hours since, once your ticket has expired, your job will no longer have access to the file system, or to any other kerberised service it is trying to use. There are ways around this limitation  - see our AFS top ten tips page for details.

For kerberos to work correctly, the clock on your home machine must be keeping the correct date and time. If you find that the clock on your machine is not correct, you should investigate the installation and use of an NTP client.

For more information on Kerberos, see our What is Kerberos? page.

AFS

What is it?

AFS is the filesystem used to store most of the School's data. Among other things, it is a strongly authenticated file system, and the security this offers means that it is possible to allow access to the file system for authenticated users from outside of the School's network. The authentication is based on Kerberos, so you must have a correctly configured Kerberos client installed on your home machine for the AFS client to work. Once you have set up AFS, you will have direct read and write access to your School home directory, as well as to any other AFS filestore to which you have been given appropriate permissions.

How do I get it?

Instructions for installing the AFS client on Linux, MacOS and Windows are available. You can even access the AFS file system from your iOS device.

How secure is it?

AFS uses Kerberos (see above) for authentication and authorisation, which makes it very unlikely that anybody other than you will be able to access your data. However, data sent between the AFS server and client is either very weakly encrypted (when using the Windows client) or not encrypted at all (when using any other OS client), so there is the possibility that someone snooping on the connection between the client and server might be able to extract some useful data from the passing traffic. For this reason, whenever you access the AFS filesystem from outside the School's network, we recommend that you use an OpenVPN connection (see below). This will ensure that all traffic is strongly encrypted.

Virtual Private Network (VPN)

What is it?

According to Wikipedia: 'a virtual private network (VPN) extends a private network across a public network, and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network.' In our case, the private network is either the University network, or the School of Informatics network.

There are two VPNs you can use:

The Informatics OpenVPN service

What is it?

OpenVPN is a means of making it appear that your home machine is actually located within the Informatics network. Why might you want to do this? The main reason is that some Informatics services, and in particular some web pages with sensitive information, can only be accessed by computers with IP addresses within the School's network. Note that your computer won't need the other services mentioned above to make use of OpenVPN. However, you will have to install an OpenVPN client.

How do I get it?

See our Virtual private networks page for more details.

The University's VPN service

What is it?

The University's VPN service is a means of making it appear that your home machine is actually located within the University network, but outside of the Informatics network. Why might you want to do this? The main reason is that some University resources (for example, some of those associated with the University Library) can only be accessed by computers with IP addresses within the University network. While it's true that Informatics IP addresses are bona fide University IP addresses (and that, therefore, the use of the Informatics OpenVPN service will also achieve the aim of making it appear that your home machine is actually located within the University network) we have found that people can sometimes have difficulties with successfully configuring and using the Informatics OpenVPN service. In such cases, we recommend that people try using the University's VPN service instead, provided that it suits their particular access requirements.

How do I get it?

See our Virtual private networks page for details.

RDP

What is it?

RDP displays remote desktop environments on your home machine. The end effect is a complete remote DICE desktop running within a window on your machine.

How do I get it?

To find out more, including how to install the necessary client on your machine, see Remote Desktop Service.