
Connecting from outside the University - an overview


An important aim of the Informatics computing infrastructure is that you should be able to access your data and make use of computing resources easily and securely from outside the School's internal network. To do this, however, you need to have certain software packages installed on your computer. Although there are pages on this site telling you how to install these packages, they don't really explain what they do, why you need them and how they interact. This page tries to fill that gap. We will be looking at five main packages: ssh, Kerberos, OpenAFS, OpenVPN and NX. For the most part, everything here applies to all three supported operating systems: Windows, MacOS and Linux.

A major design goal of our computing infrastructure is the need for security. A lot of that is built in to the design, but you have a part to play as well, so please start by following our guidance on data security; then come back here and read on.

ssh

What is it?

ssh (which stands for secure shell) allows you to connect to a DICE machine from a remote location and run commands on that machine as if you were sitting in front of it. In technical terms, ssh starts a remote shell on the DICE machine. It's called a secure shell because everything sent across the network between your home machine and the DICE machine is encrypted, so a third party eavesdropping on the connection cannot read what passes over it, passwords included. ssh is command-line orientated, but it can be configured to let the DICE machine display X11 applications on your home machine if you are running an X server there. For more details, see our External login (ssh) servers page.

How do I get it?

For instructions on installing our recommended ssh client for Windows (PuTTY), see Installing PuTTY. If you're using MacOS or Linux, an ssh client should already be installed.

Anything else I should know

Unless you're using OpenVPN (see below) or you have made a special request to support, you will not be able to connect directly to your desktop machine with ssh from outside the Informatics network. Instead, connect to one of the gateway machines, staff.ssh.inf.ed.ac.uk or student.ssh.inf.ed.ac.uk, and then ssh from there to the DICE machine you are interested in. The gateway machines exist only to accept and relay ssh connections; do not try to do work on them.

It is entirely possible that when you try to connect to your desktop machine from one of the ssh servers you will find that it has gone to sleep. See Remote wake-up for sleeping computers for information on how to wake it up.

If you have your own office machine and you need to interact with its desktop from home, see Using VNC. (However, if you just want to use a DICE desktop from home - or anywhere else - then use NX, the remote graphical login service, not VNC.)

If your ssh connection from home seems to time out and disconnect quickly, see ssh timeouts from home for a solution.
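The following script is an added example, not code from the original page or from the School. It writes the ssh client configuration that the advice above amounts to: hop through the gateway with ProxyJump rather than logging in on the gateway and typing a second ssh command, send keep-alives so an idle session is not dropped, and prefer a Kerberos ticket (GSSAPI; Kerberos is described below) over typing the DICE password into the remote machine. The placeholder username s1234567, the assumption that desktop names end in .inf.ed.ac.uk, the realm INF.ED.AC.UK in the usage comment, and the requirement for OpenSSH 7.3 or later (for ProxyJump) are all assumptions not stated on the page.

```shell
#!/bin/sh
# Added example, not code from the original page or from the School: generate an
# OpenSSH client configuration for reaching DICE machines from outside. It hops through
# the ssh gateway, logs in with a Kerberos ticket (GSSAPI) instead of the DICE password,
# and sends keep-alives so idle sessions are not dropped.
# Assumptions not stated on the page: the placeholder username s1234567, that desktop
# names end in .inf.ed.ac.uk, and OpenSSH 7.3 or later (for ProxyJump).

DICE_USER="${DICE_USER:-s1234567}"             # assumption: replace with your own username
GATEWAY="${GATEWAY:-staff.ssh.inf.ed.ac.uk}"   # or student.ssh.inf.ed.ac.uk

# write_dice_ssh_config FILE: append the DICE stanzas to FILE (normally ~/.ssh/config)
write_dice_ssh_config() {
    cat >>"$1" <<EOF
# --- DICE remote access (written by write_dice_ssh_config) ---
Host staff.ssh.inf.ed.ac.uk student.ssh.inf.ed.ac.uk
    User $DICE_USER
    # Present a Kerberos ticket (from kinit) rather than typing the DICE password
    GSSAPIAuthentication yes
    # No ticket delegation to the gateway: it only relays, and it is an obvious target
    GSSAPIDelegateCredentials no
    # Keep-alive every 60 s, give up after 3 missed replies
    ServerAliveInterval 60
    ServerAliveCountMax 3

Host *.inf.ed.ac.uk !staff.ssh.inf.ed.ac.uk !student.ssh.inf.ed.ac.uk
    User $DICE_USER
    # Relay through the gateway; ssh authenticates to the gateway and the desktop separately
    ProxyJump $GATEWAY
    GSSAPIAuthentication yes
    # Forward the ticket to the desktop so the session there has AFS access too
    GSSAPIDelegateCredentials yes
    ServerAliveInterval 60
    ServerAliveCountMax 3
EOF
}

# count_option FILE OPTION: how many stanzas in FILE set OPTION (used to check the result)
count_option() {
    grep -c "^[[:space:]]*$2 " "$1"
}

# Run with --install to add the stanzas to your own ~/.ssh/config, then:
#   kinit $DICE_USER@INF.ED.AC.UK    (realm is an assumption; use the School's)
#   ssh mydesktop.inf.ed.ac.uk
if [ "${1:-}" = "--install" ]; then
    mkdir -p "$HOME/.ssh" && chmod 700 "$HOME/.ssh"
    write_dice_ssh_config "$HOME/.ssh/config"
    chmod 600 "$HOME/.ssh/config"
fi
```

Note the deliberate asymmetry in GSSAPIDelegateCredentials: the ticket is forwarded to the desktop, where a job may need AFS, but not to the gateway, which only relays the connection and, as the page says below, is an obvious target. A compromised host holding a delegated ticket can act as you until it expires. On OpenSSH older than 7.3, replace the ProxyJump line with ProxyCommand ssh -W %h:%p staff.ssh.inf.ed.ac.uk. PuTTY users get the same effect from the GSSAPI page under Connection > SSH > Auth.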

How secure is it?

As mentioned above, the traffic between your home machine and the DICE machine is encrypted, so it cannot be read in transit. However, when you connect to the DICE machine you will be prompted for your DICE username and password, and the password itself travels inside the encrypted connection to the remote machine, which has to see it in clear to check it. So there is a small but real chance that if the machine at either end of the connection has been compromised, the bad guys could capture your login details. Only you can make sure your home machine is secure, and we would encourage you to install all security updates as soon as they become available. The gateway machines are obvious targets for compromise and, though we make great efforts to ensure that this does not happen, we cannot guarantee that they will never be compromised. It would be far better if there were some way of avoiding the need to send your DICE password over the network to the DICE machine at all. This leads us to:

Kerberos

What is it?

Kerberos is an authentication mechanism, that is, a way of proving your identity to a computer. You can of course do that simply by typing your username and password at a login prompt, but one of the advantages of Kerberos is that it removes the need to send your password over the network to the remote machine you are connecting to: the password is only used on your own machine, to unlock a ticket issued by the School's Kerberos server, and it is that ticket, not the password, which is presented to the remote machine. As we saw above, sending the password poses a small but significant security risk.

Kerberos can do a lot more than just simplify the login process. Kerberos can also be used to give access to services including our authenticated file service which we will come to shortly. If you're interested in finding out more about how Kerberos works, the Wikipedia page 'Kerberos (protocol)' is a good place to start, as is the classic Designing an Authentication System: a Dialogue in Four Scenes.

How do I get it?

See the instructions for installing kerberos on Windows, Cygwin, MacOS and Ubuntu Linux.

Anything else I should know?

Kerberos works by issuing tickets for services. The first ticket Kerberos issues is the ticket-granting ticket (TGT), which has a limited lifetime, normally 18 hours. Tickets for other services, for example the AFS file service, are obtained using the TGT and expire when it expires. This can cause problems if you run jobs for longer than 18 hours: once your ticket has expired, the job will no longer have access to the file system or any other kerberised service it is using. There are ways and means around this; see our AFS top ten tips page for details.

For Kerberos to work correctly, the clock on your home machine must agree, to within about 5 minutes, with the clock on the School machine that runs the Kerberos service; otherwise your requests are rejected and you will not be able to authenticate. To keep your machine's clock correct, run an NTP client on it.

For more information on Kerberos, see our What is Kerberos? page.
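The script below is an added example, not code from the original page or from the School. It turns the two cautions above (ticket lifetime and clock skew) into a pre-flight check you can run before starting a long job that needs AFS or another kerberised service: is the local clock within Kerberos' tolerance of a reference clock, is there a valid ticket, and will the TGT outlive the job. It assumes MIT-style klist output, GNU date for parsing the expiry, the realm INF.ED.AC.UK in the constructed sample, and that the reference time comes from a source you trust; none of these are stated on the page.

```shell
#!/bin/sh
# Added example, not code from the original page or from the School: a pre-flight check
# to run before starting a long job that uses AFS or another kerberised service. It checks
# that the local clock is within Kerberos' tolerance of a reference clock, that a ticket
# exists, and that the ticket-granting ticket will outlive the job.
# Assumptions not stated on the page: MIT-style klist output, GNU date (for -d), the
# realm INF.ED.AC.UK in the sample, and a trusted source for the reference time.

MAX_SKEW=300   # seconds; Kerberos rejects requests whose timestamp is more than ~5 min off

# Constructed sample of klist output, used for the offline checks below (not real tickets)
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: s1234567@INF.ED.AC.UK

Valid starting       Expires              Service principal
01/27/2017 09:00:00  01/28/2017 03:00:00  krbtgt/INF.ED.AC.UK@INF.ED.AC.UK
01/27/2017 09:00:01  01/28/2017 03:00:00  afs/inf.ed.ac.uk@INF.ED.AC.UK'

# skew_ok REFERENCE_EPOCH [LOCAL_EPOCH]: succeeds if the two clocks agree within MAX_SKEW
skew_ok() {
    ref=$1
    now=${2:-$(date +%s)}
    diff=$((ref - now))
    if [ "$diff" -lt 0 ]; then diff=$((-diff)); fi
    [ "$diff" -le "$MAX_SKEW" ]
}

# tgt_expiry KLIST_OUTPUT: print the expiry date and time of the krbtgt (TGT) line
tgt_expiry() {
    printf '%s\n' "$1" | awk '/krbtgt\// { print $3 " " $4; exit }'
}

# tgt_covers_job KLIST_OUTPUT JOB_HOURS [NOW_EPOCH]: succeeds if the TGT outlives the job
tgt_covers_job() {
    expiry=$(tgt_expiry "$1")
    [ -n "$expiry" ] || return 1
    exp_epoch=$(date -d "$expiry" +%s) || return 1
    now=${3:-$(date +%s)}
    [ "$exp_epoch" -ge $((now + $2 * 3600)) ]
}

# preflight JOB_HOURS [REFERENCE_EPOCH]: the live check, using the real klist
preflight() {
    if [ -n "${2:-}" ] && ! skew_ok "$2"; then
        echo "clock differs from the reference by more than $MAX_SKEW s; fix it (run NTP) before kinit" >&2
        return 1
    fi
    if ! klist -s 2>/dev/null; then
        echo "no valid Kerberos ticket; run kinit first" >&2
        return 1
    fi
    if ! tgt_covers_job "$(klist)" "$1"; then
        echo "TGT expires before a ${1}h job would finish; get a fresh ticket or see the AFS tips page" >&2
        return 1
    fi
    echo "ok: TGT outlives a ${1}h job"
}

# Usage: sh preflight.sh --run JOB_HOURS [REFERENCE_EPOCH]
# A reference epoch can come from a School machine, e.g. ssh staff.ssh.inf.ed.ac.uk date +%s
if [ "${1:-}" = "--run" ]; then
    preflight "$2" "${3:-}"
fi
```

The skew check is the one to keep even if you drop the rest: a wrong clock produces a Kerberos error that looks like a bad password, and no amount of retyping fixes it. The lifetime check is only as good as the klist parsing; Heimdal's klist prints a different layout, so adjust tgt_expiry if that is what your machine has.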

AFS

What is it?

AFS is the filesystem used to store most of the School's data. One of its many desirable features is that it is a strongly authenticated file system, and the security this offers means that it is possible to allow authenticated users access to the file system from outwith the School's network. This authentication is based on Kerberos, and you must have a correctly configured Kerberos client installed on your home machine for the AFS client to work. Once you have set up AFS, you will be able to read from or write to your School home directory, and any other file space you have been given access to, from your home machine.

How do I get it?

Instructions for installing the AFS client on Windows, MacOS and common distributions of Linux are available. You can even access the AFS file system from your iOS device.

How secure is it?

AFS uses Kerberos (see above) for authentication, and its own access control lists for authorisation, so it is very unlikely that the bad guys could access your data by pretending to be you. Note however that the data itself, as it travels between the AFS server and client, is either very weakly encrypted (the Windows client) or not encrypted at all (the clients for other operating systems; OpenAFS's fs setcrypt on, checked with fs getcrypt, only turns on the same weak cipher the Windows client uses), so someone snooping on the connection between the machine running the client and the AFS server might be able to extract useful data from the passing traffic. For this reason, whenever you access the AFS filesystem from outside the School's network, we recommend that you do so over an OpenVPN connection (see below), which wraps all traffic between your machine and the School in strong encryption.

Anything else I should know?

It is possible to access the School's AFS file system without installing the Kerberos and AFS clients. The School's iFile service (http://ifile.inf.ed.ac.uk) provides web based access to the filesystem and can be used if you cannot install software on the machine you are using for some reason. For more information about iFile see ifile.inf.ed.ac.uk.

OpenVPN

What is it?

OpenVPN is a means of making it appear that your home machine is actually located within the Informatics network. Why might you wish to do this? The main reason is that some Informatics services, and in particular some web pages with sensitive information, can only be accessed by computers with IP addresses within the School's network. A second reason, mentioned above, is that the VPN tunnel is strongly encrypted, so traffic such as AFS that would otherwise cross the Internet unprotected is protected while it is inside the tunnel. Note that you don't need any of the packages described above installed on your computer to make use of OpenVPN, though you will have to install an OpenVPN client. For more information about restricted web pages, see Remote access to restricted web pages.

How do I get it?

For more information about OpenVPN including how to install it on your machine, see OpenVPN - how and why.

NX

What is it?

NX is a remote-display technology which compresses and relays X Window traffic so that a remote desktop environment can be shown on your home machine. The end effect is a complete DICE desktop running within a window on your machine.

How do I get it?

For more information about NX, including how to install the necessary client on your machine, see Remote Graphical Login Service (NX).

Last reviewed: 
27/01/2017
