About the UCAR Gatekeeper SSH Proxy

UCAR runs an SSH proxy on the gatekeeper hosts for you to use when logging in to hosts inside the UCAR security perimeter. Follow the instructions below to use it.

Using the SSH proxy on the UCAR gatekeepers

To use the proxy, simply make an SSH connection to gate.ucar.edu from anywhere, and log in using your UCAS username and UCAS token. Your UCAS token will most often be a CRYPTOCard issued to you by your sponsoring UCAR division.

From there, you can connect to any ucar.edu destination host just by typing its hostname at the proxy prompt.

The connection from the proxy to the destination will use SSH, if possible. Furthermore, you will be able to use X11 clients on the destination, and have them display properly back on your host's X11 server.

Encryption between gate and destination

Since you are using SSH, your connection to gate.ucar.edu will of course be encrypted. Your connection from the proxy to your destination host will also use SSH, if available, to better protect it even on our local switched network.

    [ your host ] <---> [ gate.ucar.edu ] <---> [ destination.subdomain.ucar.edu ]
                    |                       |
                encrypted               encrypted

If SSH is not available on the destination host, however, the proxy will automatically fall back to trying an unencrypted telnet connection. Since the only cleartext portion of the connection passes across our switched LAN, it is less risky than cleartext across the greater Internet.

    [ your host ] <---> [ gate.ucar.edu ] <---> [ destination.subdomain.ucar.edu ]
                    |                       |
                encrypted              unencrypted (switched, may still be sniffable)

X11 session forwarding

If you have an X11 server on your workstation or PC, and have X11 forwarding enabled in your SSH client, the gatekeeper will pass your X11 forwarding through to the destination.

Your X11 session will be passed through automagically if the destination has SSH available. You need do nothing more than run your X11 clients.

If the destination host does not have SSH available, the proxy will set your DISPLAY for you, then give you the authentication information necessary to make the cleartext X11 connection to the proxy. After you copy and paste one command line, you can run your X11 clients.

Either way, you can have X11 clients on the internal host display back on your workstation or PC's X11 server. At minimum, the connection between your host and the proxy will be encrypted, which is better than running your X11 sessions in the clear all the way back home.

Examples

Destination has SSH available

101 somewhere:user % ssh -X gate.ucar.edu
CryptoCard Challenge "12345678": [your response does not echo]
Last login: Fri Apr 25 17:14:31 2008 from somewhere.else.edu
OpenBSD 4.3 (GENERIC.MP) #1: Fri Apr 25 08:50:21 MST 2008

This is a University Corporation for Atmospheric Research computer system.
...

You have authenticated to the UCAR proxy as {your username}
You are connecting to us from IP address {your client's IP address}
You are connecting through the gateway host known as {node name varies}
You are connected to gateway service address {service IP address varies}

UCAR SSH Proxy (? for help)> destination.subdomain.ucar.edu

destination.subdomain.ucar.edu appears to have SSH available; using encrypted connection
with automatic X forwarding

user@destination.subdomain.ucar.edu's password: *******
Last login: Wed May 28 13:21:37 2008 from {varies}
...
101 server:user% xeyes&

Destination does not have SSH available

101 somewhere:user % ssh -X gate.ucar.edu
CryptoCard Challenge "12345678": [your response does not echo]
Last login: Fri Apr 25 17:14:31 2008 from somewhere.else.edu
OpenBSD 4.3 (GENERIC.MP) #1: Fri Apr 25 08:50:21 MST 2008

This is a University Corporation for Atmospheric Research computer system.
...

You have authenticated to the UCAR proxy as {your username}
You are connecting to us from IP address {your client's IP address}
You are connecting through the gateway host known as {node name varies}
You are connected to gateway service address {service IP address varies}

UCAR SSH Proxy (? for help)> destination.subdomain.ucar.edu

Trying UNENCRYPTED connection via telnet to destination.subdomain.ucar.edu.

Telnet will negotiate your DISPLAY properly on most hosts.  If it fails,
you should manually set DISPLAY using one of the following commands.

    csh/tcsh users:        setenv DISPLAY {varies}.ucar.edu:{##.0}
    sh/ksh users:          export DISPLAY={varies}.ucar.edu:{##.0}

After you log in below, you must run the following command to authorize
X11 connections through the gateway.

    xauth add {varies}.ucar.edu:{##.0}  .  {32 character hexadecimal number}

Trying  ...
Connected to destination.subdomain.ucar.edu.
Escape character is '^]'.

user@destination.subdomain.ucar.edu's password: *******
Last login: Wed May 28 13:21:37 2008 from {varies}
...
101 server:user% xauth add {varies}.ucar.edu:{##.0}  .  {32 character hexadecimal number}
102 server:user% xeyes&
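The telnet-fallback transcript above hands you a DISPLAY value and an xauth cookie to copy and paste. The following POSIX shell functions, an added example and not part of the UCAR proxy page or its software, pull those two values out of a captured copy of that banner, check that the cookie really is a 32-character hexadecimal string before it goes anywhere near xauth, and print the two commands to run on the destination. The banner text, the gateway node name gate-node-1.ucar.edu, the display number 10.0 and the cookie value are all constructed placeholders.

```shell
# Added example, not part of the UCAR proxy page or its software.
# Constructed copy of the proxy's telnet-fallback banner, with placeholder
# values standing in for the {varies} fields shown in the transcript.
BANNER='Telnet will negotiate your DISPLAY properly on most hosts.  If it fails,
you should manually set DISPLAY using one of the following commands.

    csh/tcsh users:        setenv DISPLAY gate-node-1.ucar.edu:10.0
    sh/ksh users:          export DISPLAY=gate-node-1.ucar.edu:10.0

After you log in below, you must run the following command to authorize
X11 connections through the gateway.

    xauth add gate-node-1.ucar.edu:10.0  .  0123456789abcdef0123456789abcdef'

# Print the DISPLAY the proxy assigned, taken from the sh/ksh line.
proxy_display() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*sh\/ksh users:[[:space:]]*export DISPLAY=\([^[:space:]]*\).*/\1/p'
}

# Print the cookie from the xauth line. Fail (return 1, print nothing) unless
# it is exactly 32 hexadecimal characters, so a mangled paste is caught before
# xauth is run with it.
proxy_cookie() {
    cookie=$(printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*xauth add [^[:space:]]*[[:space:]]*\.[[:space:]]*\([0-9a-fA-F]*\).*/\1/p')
    [ "${#cookie}" -eq 32 ] || return 1
    printf '%s\n' "$cookie"
}

# Emit the two commands the user would otherwise copy and paste by hand.
proxy_x11_commands() {
    disp=$(proxy_display "$1")
    [ -n "$disp" ] || return 1
    cookie=$(proxy_cookie "$1") || return 1
    printf 'export DISPLAY=%s\n' "$disp"
    printf 'xauth add %s . %s\n' "$disp" "$cookie"
}

proxy_x11_commands "$BANNER"
```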