SSH and Port Forwarding for DETER

Contributors:
Peter A. H. Peterson, UCLA. pahp@cs.ucla.edu
Contents
  1. Introduction to SSH
  2. Secure Shell and Secure Copy
    1. Secure Shell
    2. Secure Copy
    3. SSH and SCP for Windows
    4. Moving files to/from experimental nodes
  3. SSH Tunneling for Fun and Profit
    1. About SSH Tunnels
    2. Linux, Mac, and BSD Setup
    3. Windows Instructions with PuTTY
    4. Using SSH Tunnels

Introduction to SSH

Unlike your desktop computer -- which is probably right in front of you -- DETER is only accessible via the Internet. Thus, in order to use your experimental nodes, you need a way to access those machines over the Internet. We primarily use Secure Shell (SSH), which provides a command-line interface and other networking tools over encrypted links.

DETER has an emphasis on security. One product of this emphasis is the firewall that DETER uses to keep unauthorized users from getting in and malicious software from getting out. This also means that DETER's experimental nodes are not directly accessible via the Internet. Instead, nodes must be accessed by connecting to DETER's public site, and then connecting from there to internal nodes. As you might expect, this makes some tasks on DETER more complicated than usual, such as installing software, accessing network services, and uploading/downloading your assignment work.

This tutorial will explain how to do all of the above, and more.

Secure Shell and Secure Copy

Secure Shell (SSH) is a secure, encrypted replacement for telnet -- a means of accessing a remote command line. You'll use SSH to log into the "public" side of DETER -- a server called users.deterlab.net. From there you can ssh into your experimental nodes. Secure Copy (scp on Unix-like systems) is a secure, encrypted replacement for the older rcp (remote copy). You'll use it to transfer data to or from DETER.

Windows does not include an SSH or SCP client by default, but there are free versions available. We will discuss the basic mechanics of SSH and SCP, and then we'll describe how to use the popular Windows versions, PuTTY and pscp.

Secure Shell

Linux, BSD Unix, and Macintosh OS X all include the command ssh, which is an SSH client. Users of those systems can SSH to DETER simply by opening a terminal and running the command:

$ ssh username@users.deterlab.net

The SSH client will request the user's password, and if it matches, they'll be able to log in. The whole process looks like this:

[laptop(~)] ssh jstudent@users.deterlab.net
Password:
Last login: Thu May 27 21:16:46 2010 from tastytronic.net
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
	The Regents of the University of California.  All rights reserved.

FreeBSD 7.3-RELEASE-p2 (USERS7) #8: Thu Jul 15 17:50:10 PDT 2010

> _

The ">" is the system prompt, and it signifies that users.deterlab.net is waiting for input!

Secure Copy

Linux, BSD Unix, and Macintosh OS X all include the command scp, which is a Secure Copy utility. Here's an example of how to use scp to copy a file from users.deterlab.net to your machine:

$ scp username@users.deterlab.net:~username/homework.tar.gz .

... in that command line, the final "." means "here," or the "current directory." So the above command copies the file homework.tar.gz from the user's home directory on users.deterlab.net to the current directory on the user's home computer (or any other computer from which the command is issued).

You can do the reverse, to copy a file from your computer to DETER, like this:

$ scp john.tar.gz username@users.deterlab.net:~username/

... which copies a file (john.tar.gz) from the user's computer to the user's home directory on users.deterlab.net.

People sometimes use SSH and SCP as verbs; instead of saying "log in to the host," or "copy that file" they often say "ssh to the host," or "scp that file!"

SSH and SCP for Windows

Unfortunately, Microsoft has not chosen to include SSH and SCP support "out of the box." Fortunately, there is a fantastic free software package called PuTTY that provides a free GUI SSH client (putty.exe) and a command-line SCP client (pscp.exe). You can find them at the PuTTY homepage -- download the files and save them on your local machine. If you put them both in your C:\WINDOWS directory, you can run the commands directly from the Run menu or command prompt.

For example, after installing the executables, you can run PuTTY by clicking Start | Run, entering "putty", and hitting Enter.

To scp (pscp for PuTTY scp) a file, click Start | Run, enter "cmd", and hit enter. This will open a Windows command line shell.

In that window, change directory (using cd) to the one you want to copy to or from, and use pscp (PuTTY SCP) on the command line. The basic operation is very similar to the Unix-like SCP clients:

C:\SOMEDIR\> pscp username@users.deterlab.net:/users/username/top_secret.tar.gz .

You must provide the full path (such as /users/username/somefile.tar.gz instead of ~/somefile.tar.gz) because Windows does not understand that the "~" character refers to the home directory.

Moving files to/from experimental nodes

We've already discussed how you have to "bounce" through users.deterlab.net to reach your experimental nodes. However, this means that you can't directly scp files to or from your experimental nodes. This may seem inconvenient, because during the course of a lab, you might want to copy your work from an experimental node to your home computer, or download source code to an experimental node.

However -- as discussed in the introduction to DETER -- your home directory on users is mounted via NFS on all your experimental nodes. In other words, your home directory is the same on every DETER computer you will use. This means that if you scp data to or from your home directory on users, it is just as good as scp-ing it directly to or from your nodes!

Downloading software packages to experimental nodes

To install software from the Internet on experimental nodes, the easiest method is to log in to users.deterlab.net and use a text-based web browser such as elinks to download the software to your home directory. Then, ssh to your experimental node and install it. If you already know the download link, you can also use the command-line tool wget, like this: wget url_with_sw_to_download

SSH Tunneling for Fun and Profit

About SSH Tunnels

As discussed previously, your experimental nodes are not directly available via the Internet. This means that applications running on those nodes, such as web servers, cannot be directly accessed from your desktop computers.

However, SSH can perform "tunneling" -- more accurately known as "port forwarding" -- which creates encrypted channels that can make remote ports appear to be local to your own computer. The SSH client opens a port on the local computer, and forwards any traffic sent or received across the encrypted link. If you're familiar with virtual private networks (VPNs), port forwarding is sort of like a one-port VPN. With this, you can create an SSH tunnel through users.deterlab.net that will allow you to use your own web browser to view web servers (or any other forwarded port) inside DETER.

For example, if you are logging in to users.deterlab.net from your desktop, you can map your local TCP port 5555 (or any other non-privileged port) to port 80 on somenode.experiment.YourClass.isi.deterlab.net (a webserver on an experimental node) because users.deterlab.net can communicate with that node, and you can communicate with users.deterlab.net. While each tunnel can only map one port, you can map multiple ports with multiple tunnels.

Linux, Mac, and BSD Setup

Unix systems such as Linux, BSD, and Mac OS X can use OpenSSH directly. Windows users can also port forward through the free SSH application PuTTY.

From your Linux, Mac, or BSD computer:

ssh username@users.deterlab.net -L 8118:somenode.experiment.YourClass.isi.deterlab.net:80

Authenticate with your DETER password as usual. This maps your local port 8118 to port 80 on somenode.

Windows Instructions with PuTTY

Create a PuTTY SSH session by entering users.deterlab.net in the "Host Name" field and providing a useful name in the "Saved Sessions" field. However, don't click "Save" yet -- expand the "Connection" configuration option and the "SSH" option. Click on the "Tunnel" item.

In the main part of the window, under "Add a new forwarded port," enter some high, unused port into the "Source port" field (I used 8118), and under "Destination" enter the qualified name of the experimental node you want to reach. In this case, I've entered server.alpha-perm.UCLAClass.isi.deterlab.net:80. Make sure the "Local" radio button is selected, and click "Add".

Now go back up to "Session" and click "Save". Using this session to log into DETER will set up the tunnel you just defined.

Using SSH Tunnels

The login process is the same as it is normally for either Unix or PuTTY, and once you are logged in you can use that terminal for commands just as you normally would. But something cool has happened behind the scenes -- your local port 8118 (or whatever you put in) has been mapped to port 80 on somenode.experiment.YourClass.isi.deterlab.net. This allows you to fire up your own web browser, and navigate to this url:

http://localhost:8118/

... to view the web server running on somenode! As long as that terminal stays open, and you stay connected to users.deterlab.net, the tunnel will remain open. That's it!

A single local port can only map to one remote port. This means that if you want to create another tunnel, just repeat the steps using a different local port. It also means that if your connection dies but your SSH client stays open, it may "hold" the local port open. In that case, you'll probably have to close the client that is supporting your tunnel and restart it.
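The shell snippet below is an added example, not part of the DETER documentation. It builds the ssh -L command from the Linux/Mac/BSD setup section for several tunnels at once, rejects privileged or repeated local ports (each local port maps to exactly one remote port, as noted above), and checks whether a local port is already held open by a stale client. The mapping format LOCALPORT:NODE:REMOTEPORT mirrors the argument to ssh -L; the node names in the comments and tests are constructed placeholders.

```shell
# Build one ssh command that opens several local tunnels through
# users.deterlab.net at once. Each mapping is LOCALPORT:NODE:REMOTEPORT,
# the same shape as the argument to ssh -L (node names here are constructed).

# Validate one mapping; print a reason and return 1 if it is malformed.
check_mapping() {
    mapping=$1
    lport=${mapping%%:*}
    rest=${mapping#*:}
    node=${rest%%:*}
    rport=${rest##*:}
    case "$lport" in
        ''|*[!0-9]*) echo "bad local port in '$mapping'" >&2; return 1 ;;
    esac
    case "$rport" in
        ''|*[!0-9]*) echo "bad remote port in '$mapping'" >&2; return 1 ;;
    esac
    # Ports below 1024 need root on your own machine; stay non-privileged.
    if [ "$lport" -lt 1024 ] || [ "$lport" -gt 65535 ]; then
        echo "local port $lport is privileged or out of range" >&2; return 1
    fi
    if [ -z "$node" ] || [ "$rest" = "$rport" ]; then
        echo "missing node name in '$mapping'" >&2; return 1
    fi
}

# Print the ssh command line for USER plus the given mappings. A single
# local port can only map to one remote port, so a repeated local port is rejected.
tunnel_cmd() {
    user=$1; shift
    seen=" "; args=""
    for m in "$@"; do
        check_mapping "$m" || return 1
        lport=${m%%:*}
        case "$seen" in
            *" $lport "*) echo "local port $lport used twice" >&2; return 1 ;;
        esac
        seen="$seen$lport "
        args="$args -L $m"
    done
    echo "ssh $user@users.deterlab.net$args"
}

# True if a local TCP port is already listening (for instance held open by a
# stale ssh client after a dropped connection). Uses ss or netstat when available.
local_port_busy() {
    if command -v ss >/dev/null 2>&1; then ss -ltn 2>/dev/null | grep -q ":$1 "
    elif command -v netstat >/dev/null 2>&1; then netstat -an 2>/dev/null | grep -q "[.:]$1 .*LISTEN"
    else return 1; fi
}
```

Run `local_port_busy 8118 && echo "port 8118 is still held"` before reconnecting; if it reports the port as held, close the old SSH client first, then run `eval "$(tunnel_cmd username 8118:somenode.experiment.YourClass.isi.deterlab.net:80)"`.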