ssh -C -X MATHSNAME@enna
(not to maths.usyd.edu.au; see also the network setup needed for internal laptops).
Choose between Web-OTP, TOTP or skeys.
You can use Web-OTP anytime, without any prior setup;
while TOTP or skeys need to be set up while in the School.
Note that our software prompts for the code first, and the password
after that.
With your browser, go to
www.maths.usyd.edu.au/s/otp
(you will need to log in with Okta MFA) to see a five-character code.
At next login, you will be prompted for this code.
NOTE: you need to get the Web-OTP code before starting the ssh
(or putty) command.
The code is for single use, and is valid for 5 minutes only.
Our Web-OTP implementation is true one-time: a second login is
possible only with a new code from the web page.
Getting a Web-OTP code takes precedence over TOTP or skeys (during its
5-minute validity or until used).
Okta, the Uni ICT "standard" for MFA, does not directly support ssh; our
Web-OTP relies on Okta in a way that does not decrease security.
Our Web-OTP service has rate limits, see below.
Install your favourite TOTP authenticator app (on your phone, on
your computer, or as add-on in your browser).
On enna (in a terminal window, made large enough) use command
google-authenticator
and scan the QR code (or enter the secret key) into the authenticator app.
Maybe use command totp-test to check codes.
Ensure the time on your device is correct: use "network time" (set for
Android or iPhone).
Our TOTP implementation is true one-time, non-replayable, with a
no-reuse control: a second login is possible only after the code
changes during the next time slice.
Running google-authenticator again invalidates any previous setting, and
the app would then need to be updated with the new secret.
Setting up TOTP takes precedence over skeys; there is no need to have
had skeys to use TOTP.
You can set up TOTP remotely during a Web-OTP or skey login session.
To remove TOTP e.g. to go (back?) to skeys, on enna use command
rm ~/.google_authenticator
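The "true one-time, non-replayable" control described above can be seen in code. The following is an added example (not the School's /usr/sms/etc/2fa software): RFC 6238 TOTP generation, and a server-side verifier that accepts a code only from a time slice later than the slice of the last accepted login. The secret is the RFC 4226 test key, constructed for the example; google-authenticator issues its own per-user secret.

```python
"""Added example, not the School's 2FA code: TOTP (RFC 6238) plus a
"no-reuse" check.  The secret below is the RFC 4226 test key, constructed
for this example."""
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per time slice (google-authenticator default)
DIGITS = 6   # code length (google-authenticator default)

# RFC 4226 test key "12345678901234567890", base32-encoded (constructed example)
EXAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def totp(secret_b32: str, now: int) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(now / STEP)."""
    return hotp(secret_b32, now // STEP)


class TotpVerifier:
    """Server-side check: the code must match one of the slices within
    +/- `skew` of the current one (clock drift), and that slice must be
    later than the slice of the last accepted login.  A real deployment
    persists `last_slice` per user (google-authenticator keeps it in
    ~/.google_authenticator)."""

    def __init__(self, secret_b32: str, skew: int = 1):
        self.secret = secret_b32
        self.skew = skew
        self.last_slice = -1

    def verify(self, code: str, now: int) -> bool:
        current = now // STEP
        for slice_ in range(current - self.skew, current + self.skew + 1):
            if slice_ <= self.last_slice:
                continue  # no-reuse: this slice (or an earlier one) already served a login
            if hmac.compare_digest(hotp(self.secret, slice_), code):
                self.last_slice = slice_
                return True
        return False
```

With a skew of one slice either way, a correct code from a slice at or before the last accepted one is still refused, which is the behaviour described above: a second login has to wait until the code changes.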
Skeys are once-only passwords generated by an iterated one-way hash (a
hash chain: each password is the hash of the next one to be used, so a
password already used reveals nothing about those still unused).
Ask Paul, in person, to give you a paper sheet of skeys.
Each time you will need to type all the words from the line as
prompted (not the line number); each sheet has hundreds of lines.
When approaching the end of the sheet, see Paul again to obtain a
replacement.
You can choose between 2-word, 3-word or 6-word skey sheets
(previously all were 6 words, for better security; see below).
Lines on your skey sheet are used in decreasing order: cross out the line just used, making it easy to find the next one when needed. Or, to avoid carrying the skey sheet, take a photo with your phone and use that image, which also lets you enlarge it for easier reading; treat that photo as you would a password, since it holds all your remaining skeys.
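Added example, not the School's skey implementation: the hash-chain construction behind S/Key-style sheets (RFC 2289), simplified to SHA-256 with hex output instead of the MD4 and six-word encoding of real skey sheets. The passphrase and seed are constructed. It shows why the sheet is used from the last line backwards, and why the server needs to keep only one value, from which no unused password can be derived.

```python
"""Added example, not the School's skey software: S/Key-style one-time
passwords as a hash chain.  Simplified: SHA-256 and hex instead of the
MD4 and six-word encoding of real skey sheets (RFC 2289)."""
import hashlib
import hmac


def _step(value: bytes) -> bytes:
    """One application of the one-way function."""
    return hashlib.sha256(value).digest()


def make_sheet(passphrase: str, seed: str, count: int) -> list:
    """Return `count` one-time passwords: line i (1-based) is H^i(seed||passphrase).
    The sheet is used from the last line upwards, as the page describes."""
    h = (seed + passphrase).encode()
    chain = []
    for _ in range(count):
        h = _step(h)
        chain.append(h.hex())
    return chain


class SkeyServer:
    """The server stores only the sequence number and H^(count+1): hashing
    the next valid password (H^count) once must reproduce the stored value.
    A stored value never yields a usable password, and an accepted password
    becomes the new stored value, so it can never be replayed."""

    def __init__(self, passphrase: str, seed: str, count: int):
        self.seq = count
        self.stored = make_sheet(passphrase, seed, count + 1)[-1]

    def login(self, candidate_hex: str) -> bool:
        if self.seq == 0:
            return False  # sheet exhausted: see Paul for a replacement
        try:
            cand = bytes.fromhex(candidate_hex)
        except ValueError:
            return False
        if not hmac.compare_digest(_step(cand).hex(), self.stored):
            return False  # wrong line, replay, or a line skipped
        self.stored = cand.hex()
        self.seq -= 1
        return True
```

Because only H^(n+1) is stored, a replay of line n fails (its hash is H^(n+1), but the server now expects a value hashing to H^n), and a line further up the sheet cannot be used early.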
mkdir -p ~/bin
cp ~/Downloads/ssh-with-2fa.txt ~/bin/ssh-with-2fa
chmod 755 ~/bin/ssh-with-2fa
ln -sf ssh-with-2fa ~/bin/ssh
ln -sf ssh-with-2fa ~/bin/scp
ln -sf ssh-with-2fa ~/bin/sftp
ln -sf ssh-with-2fa ~/bin/xsess
echo 'export PATH=~/bin:$PATH' >> ~/.bash_profile
echo 'export PATH=~/bin:$PATH' >> ~/.zshrc
echo 'alias scp="noglob scp"' >> ~/.zshrc
Mac users should also do, replacing MATHSNAME by your Maths
login name (in the first line):
x=MATHSNAME
mkdir ~/Documents/M-home
echo "alias mdrives='sshfs -o follow_symlinks -o uid=$(id -u) -o gid=$(id -g) -p 12022 $x@127.0.0.1:. ~/Documents/M-home'" >> ~/.bash_profile
echo "alias udrives='umount ~/Documents/M-home'" >> ~/.bash_profile
echo "alias mdrives='sshfs -o follow_symlinks -o uid=$(id -u) -o gid=$(id -g) -p 12022 $x@127.0.0.1:. ~/Documents/M-home'" >> ~/.zshrc
echo "alias udrives='umount ~/Documents/M-home'" >> ~/.zshrc
We do .bash_profile for Linux and older Macs, .zshrc for
Mac from 10.15 Catalina.
Close this terminal window, those profile settings take effect in subsequent ones.
ssh MATHSNAME@enna
where MATHSNAME is your login name on the Maths servers.
ssh-setup
(this will create SSH keys and some symlinks for easy access to
"teaching directories").
scp MATHSNAME@enna:~/.ssh/id_rsa ~/.ssh/
chmod 600 ~/.ssh/id_rsa
See also the section on xpra.
ssh MATHSNAME@enna
so you can mix "native" and enna windows e.g. for copy-paste.
xsess MATHSNAME@enna
Leave that enna login session running: use it, say for
nedit or tuteroll or
xfrom savona.
You may minimize the window of your enna login session, but keep
it running, do not allow your computer to disconnect from the
network e.g. to go to sleep/hibernate, as most laptops do with the
lid closed.
For file access, with your enna login session running (and then without any pesky 2FA or password prompts):
sftp://MATHSNAME@127.0.0.1:12022
mdrives
then use the files in M-home (under your Documents) as normal.
udrives
to disconnect.
127.0.0.1 and port
12022.
scp file1 MATHSNAME@enna:
scp MATHSNAME@enna:file2 .
ssh MATHSNAME@enna
set x=MATHSNAME
mkdir bin
copy Downloads\ssh-with-2fa.txt bin\ssh-with-2fa
echo perl "%USERPROFILE%\bin\ssh-with-2fa" %x%@enna > bin\ssh2.bat
echo $x=$0; $x=~s,[a-z-]*$,ssh-with-2fa,; $y=`type "$x"`; eval $y > bin\xsess-helper
echo perl "%USERPROFILE%\bin\xsess-helper" %x%@enna > bin\xsess.bat
setx path "%USERPROFILE%\bin"
Maybe ctrl-C, ctrl-V will work for cut-and-paste into the command
prompt window; or just re-type if not.
In the window logged in to enna, type command:
ssh-setup
(this will create SSH keys and some symlinks for easy access to
"teaching directories").
scp -P 12022 MATHSNAME@127.0.0.1:~/.ssh/id_rsa .ssh
Drive Name: drive-M-home Drive Letter: M:
Remote host: 127.0.0.1
Remote port: 12022
Authentication: Public Key
Username: MATHSNAME
Private Key: (Browse to) C:\Users\username\.ssh\id_rsa (then Open, Open, OK)
Remote Folder: User's home folder
(then click OK).
See also the section on xpra.
nedit or tuteroll or
xfrom savona
(any such new Linux "windows" will appear within the VcXsrv window).
For file transfer, with your enna login session running, use
SFTP Drive:
click the SFTP Drive icon on the desktop, click Start.
See your files in the M drive, use them as "normal".
When done for the day, close everything in the "right" order:
Unrecognized OpenGL version
Could not initialize GLX
X server does not support XInput 2
GLX 1.3 or later is required
Instructions:
In a terminal window on your laptop (Applications > Accessories > Terminal), type commands:
ln -sf ssh-with-2fa ~/bin/xpraterm
ln -sf ssh-with-2fa ~/bin/xprasess
ln -sf ssh-with-2fa ~/bin/xprattch
In a command prompt window on your laptop (Start > Programs > Accessories > CommandPrompt) or (Start > Run > cmd), type commands, but replacing MATHSNAME with your login name on the Maths servers:
set x=MATHSNAME
echo $x=$0; $x=~s,[a-z-]*$,ssh-with-2fa,; $y=`type "$x"`; eval $y > bin\xpraterm-helper
echo $x=$0; $x=~s,[a-z-]*$,ssh-with-2fa,; $y=`type "$x"`; eval $y > bin\xprasess-helper
echo $x=$0; $x=~s,[a-z-]*$,ssh-with-2fa,; $y=`type "$x"`; eval $y > bin\xprattch-helper
echo perl "%USERPROFILE%\bin\xpraterm-helper" %x%@enna > bin\xpraterm.bat
echo perl "%USERPROFILE%\bin\xprasess-helper" %x%@enna > bin\xprasess.bat
echo perl "%USERPROFILE%\bin\xprattch-helper" %x%@enna > bin\xprattch.bat
Put shortcuts on your Desktop, pointing to xpraterm, xprasess and
xprattch: right-click anywhere in the desktop background, choose New
Shortcut, browse to C:\Users\username\bin\xpraterm (or ...\xprasess
or .../xprattch) and OK.
xpraterm MATHSNAME@enna
xprasess MATHSNAME@enna
where MATHSNAME is your login name on the
Maths servers.
xprattch MATHSNAME@enna
where MATHSNAME is your login name on the
Maths servers.
xpra stop
To clear old left-over sessions, (on enna) use command
xpra list
to show all session numbers, and for each use something like
xpra stop 7
Please do this occasionally, so as not to leave things running forever.
ssh -C -X MATHSNAME@maths.usyd.edu.au
with MATHSNAME being your login name on the Maths servers.
The ssh client is probably present already.
Beware that OpenSSH (on MacOSX as elsewhere) refuses new untrusted X11
connections once ForwardX11Timeout expires, by default after 20 minutes,
and that XauthLocation is set wrongly in MacOSX since 10.12.
You should run ssh something like
(in a terminal window on your laptop,
Applications > Accessories > Terminal):
ssh -C -X -oForwardX11Timeout=596h -oXauthLocation=/opt/X11/bin/xauth MATHSNAME@maths.usyd.edu.au
with MATHSNAME being your login name on the Maths servers.
Up-to-date Windows10 (or later) has "native" ssh, and you can use it typing
commands as detailed for Linux above, in a command prompt window
(Start > Programs > Accessories > CommandPrompt)
or (Start > Run > cmd).
Windows10 native ssh may need to be enabled:
Settings > Apps > Optional Features > OpenSSH Client > Install
see
here
or
here
for instructions. It also has some
oddities:
you need to (once) use commands
mkdir \dev & echo x > \dev\tty
and for VcXsrv you need to (each time) use command
set DISPLAY=127.0.0.1:0
and use ssh option -Y instead of -X (-Y is "trusted" X11 forwarding, not
subject to the X SECURITY extension, so the remote end gets full access to
your local display).
Or anyway (and as it seems easier) you may install and use putty.
The "standard" ssh client for Windows is putty, use latest
(current) version from
www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
To use putty, with WindowsExplorer (e.g. MyComputer) find
putty.exe, double-click.
You will have full X-windows access, so could xfrom to
other machines, or use other X-windows software like nedit
or tuteroll, or licenced software like matlab,
mathematica or maple, or even
firefox or thunderbird (with full access to
scnews and other internal pages or mail files, though these may be too
slow over the network); or for a slow but authentic login experience,
use xnest or nxagent and in there run
/usr/sms/share/ldm/Xsession.
Tempting to try some GUI clients ... but mostly they do not
understand the 2FA prompt (expecting to send just a plain password) so
they fail; they work fine once you do away with the 2FA prompts ... see
below under "made easy".
Some GUI clients for SFTP:
ssh -C -L 12022:127.0.0.1:22 -X MATHSNAME@maths.usyd.edu.au
ssh -C -L 12022:127.0.0.1:22 -X -oForwardX11Timeout=596h -oXauthLocation=/opt/X11/bin/xauth MATHSNAME@maths.usyd.edu.au
Save typing your password
... use public keys.
Generate some keys and copy things around so you end up having the
private key on the laptop and the public key as authorized on
enna.
At the initial login with 2FA you still get a password prompt,
as configured for security.
Easy for Linux or Mac, not so easy to do on Windows.
You may also use this to ssh/scp between enna and the research servers.
Do not inadvertently
publish your private key,
e.g. when uploading to web or Git servers.
ssh-keygen (press ENTER three times: to accept the filename, then twice for an empty passphrase)
ln -s id_rsa.pub ~/.ssh/authorized_keys
then in another terminal window on your laptop, copy the
"private key" file from enna to your laptop:
scp MATHSNAME@enna:~/.ssh/id_rsa ~/.ssh/
chmod 600 ~/.ssh/id_rsa
Note that this key has no passphrase and a copy remains in ~/.ssh on enna,
so anyone who can read either copy can use it as you: keep both private.
scp -P 12022 MATHSNAME@127.0.0.1:file-on-enna place-on-local-machine
scp -P 12022 file-on-local-machine MATHSNAME@127.0.0.1:place-on-enna
but there are better ways.
sftp://MATHSNAME@localhost:12022
mkdir ~/Documents/M-home
sshfs -o follow_symlinks -p 12022 MATHSNAME@127.0.0.1:. ~/Documents/M-home
and use the files in M-home (under your Documents) as normal.
(The mkdir command is needed once only.) When done (and
before disconnecting from enna) use command
umount ~/Documents/M-home
to disconnect.
ssh MATHSNAME@enna
or use
scp file1 MATHSNAME@enna:
scp MATHSNAME@enna:file2 .
and the "right" things would happen: it connects to the right host and port
(with 2FA, or 2FA-less via the port forwarding while your enna
login session is running), with the "correct" options (all those
mentioned above and below), whether your laptop is "outside" or
connected to the School's internal network. It also does the right
thing for any other use, connecting to any other place, not just for
"School related" ones.
To use the script:
mkdir ~/bin
and place the script file there (in your browser right-click the link
above, choose SaveAs; or click and view, then press Ctrl-S to save),
then set permissions and create a few symlinks:
cp ~/Downloads/ssh-with-2fa.txt ~/bin/ssh-with-2fa
chmod 755 ~/bin/ssh-with-2fa
ln -sf ssh-with-2fa ~/bin/ssh
ln -sf ssh-with-2fa ~/bin/scp
ln -sf ssh-with-2fa ~/bin/sftp
so it all looks like:
$ ls -l ~/bin/*
lrwxrwxrwx ... .../bin/scp -> ssh-with-2fa
lrwxrwxrwx ... .../bin/sftp -> ssh-with-2fa
lrwxrwxrwx ... .../bin/ssh -> ssh-with-2fa
-rwxr-xr-x ... .../bin/ssh-with-2fa
Make use of this by using
export PATH=~/bin:$PATH
and adding that line to your ~/.bash_profile or
~/.zshrc file or similar (for future invocations).
mkdir bin
copy Downloads\ssh-with-2fa.txt bin\ssh-with-2fa
echo perl "%USERPROFILE%\bin\ssh-with-2fa" %* > bin\ssh2.bat
setx path "%USERPROFILE%\bin"
and then close this command prompt window, as setx is for any
future ones.
Using setx appends to PATH (and replaces any user-level PATH value you already
had), rather than prepending as we do for Linux or Mac, so you need to use the
new name ssh2; thus use
ssh2 MATHSNAME@enna
in the example above.
For scp or sftp from the command line, do also:
copy bin\ssh-with-2fa bin\scp-with-2fa
echo perl "%USERPROFILE%\bin\scp-with-2fa" %* > bin\scp2.bat
copy bin\ssh-with-2fa bin\sftp-with-2fa
echo perl "%USERPROFILE%\bin\sftp-with-2fa" %* > bin\sftp2.bat
and use
scp2 file1 MATHSNAME@enna:
scp2 MATHSNAME@enna:file2 .
or similar.
Please let Paul know if you
find anything that is any less than magical and perfect.
If you have any problems with ssh-with-2fa then run it as
ssh --debug MATHSNAME@enna to see more verbose messages.
There may be some use for "local" Maths email services. You may want to (and ssh-with-2fa will) use the port forwarding options
-L 12143:enna:143 -L 12025:rome:25
to make our internal IMAP server (enna) and SMTP server (rome)
accessible, while the enna login session is running. Set your mail
client (e.g. mutt, alpine, thunderbird) to use:
| proto | server    | port  |
|-------|-----------|-------|
| IMAP  | 127.0.0.1 | 12143 |
| SMTP  | 127.0.0.1 | 12025 |
On enna, do mkdir -p ~/Mail/.imap for the IMAP login to succeed.
You may also want to (and ssh-with-2fa will) set the same port forwardings for "internal" laptop clients connecting ssh to enna, so the mail client configuration does not need to change between internal and external uses.
No POP to rome anymore: was unused anyway.
-L 12631:siv:631
to make our internal CUPS server (siv) accessible, while the enna login
session is running. To use, set up CUPS printing as described in the
printing page.
You may also want to (and ssh-with-2fa will) set the same port forwarding for "internal" laptop clients connecting ssh to enna, so the printing client configuration does not need to change between internal and external uses.
Seems tempting to use -L 515:siv:515 for LPD printing. But ordinary users cannot use low (privileged, below 1024) ports on Linux: maybe not on the laptop for listening, and certainly not on enna for connecting to the LPD server (LPD requires the client to connect from a privileged source port). Setting up local LPD printing would not be trivial; copying the file to be printed with scp and then printing directly from enna may be simpler. Use CUPS printing instead, as above.
-L 14022:savona:22
and then (while the enna login session is running) separately connect to
127.0.0.1, port 14022 (with ssh, scp, FileZilla, WinSCP etc). The ssh-with-2fa script will not (by itself) use the above forwarding, so you need to get things started with a command like
ssh -L 14022:savona:22 MATHSNAME@enna
(or on Windows a similar command but with ssh2). Generally users have passwords set on enna only, not on other servers like savona. If you use public keys as suggested above, that is shared with savona so will work there also; otherwise, if needed, a password could be set on savona.
The BioInformatics people have a page about using RStudio Server though with restricted access.
Using the ssh ProxyJump option, via ~/.ssh/config (on your laptop) containing:
Host savona
HostName savona
User MATHSNAME
ProxyJump enna
Host enna
HostName maths.usyd.edu.au
User MATHSNAME
(or some complicated command line) might work. The current Windows putty
has a similar Proxy panel feature. Port forwarding seems more generally
useful (e.g. for other servers or for file transfer).
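Added example (not the ssh-with-2fa script): a laptop ~/.ssh/config that collects the options and forwardings mentioned on this page into named hosts, so that plain `ssh enna` does the direct 2FA login with all the forwardings set up, `ssh enna-fwd` rides the 12022 forward of an already running session using the public key only, and `ssh savona` jumps through enna. Host names, ports and paths are the ones used on this page; MATHSNAME is your login name.

```sshconfig
# ~/.ssh/config on the laptop (added example, not the page's script)

# Direct login: goes through the firewall to enna, prompts for 2FA,
# and sets up every forwarding mentioned on this page.
Host enna
    HostName maths.usyd.edu.au
    User MATHSNAME
    Compression yes              # -C
    ForwardX11 yes               # -X (untrusted forwarding)
    ForwardX11Timeout 596h
    # XauthLocation /opt/X11/bin/xauth   # MacOSX since 10.12
    ServerAliveInterval 60
    TCPKeepAlive yes
    LocalForward 12022 127.0.0.1:22      # 2FA-less ssh/scp/sftp/sshfs
    LocalForward 12143 enna:143          # IMAP
    LocalForward 12025 rome:25           # SMTP
    LocalForward 12631 siv:631           # CUPS
    LocalForward 14022 savona:22         # research server
    DynamicForward 13080                 # SOCKS for proxychains

# Second connection while "ssh enna" is running: no 2FA, public key only.
# The host key seen on 127.0.0.1:12022 is enna's, the same one recorded
# for the direct login, so check it under that name instead of letting
# ssh record a second entry for [127.0.0.1]:12022.
Host enna-fwd
    HostName 127.0.0.1
    Port 12022
    User MATHSNAME
    IdentityFile ~/.ssh/id_rsa
    HostKeyAlias maths.usyd.edu.au

# Research server, reached through enna.
Host savona
    HostName savona
    User MATHSNAME
    ProxyJump enna
```

With this in place, `scp file1 enna-fwd:` and `sshfs -p 12022 MATHSNAME@127.0.0.1:. ~/Documents/M-home` use the forward as described under "made easy", and the HostKeyAlias line means a changed key on the forwarded port produces the same warning it would on a direct login.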
-D 13080
so on your laptop (in a terminal, not the ssh-ed one running on
enna) you can use e.g. proxychains to access any
"internal" services. To use proxychains (Linux, Mac): on the laptop, edit ~/.proxychains/proxychains.conf (or /etc/proxychains.conf) to contain the lines
quiet_mode
[ProxyList]
socks5 127.0.0.1 13080
(do not use proxy_dns, and have just one line in ProxyList). On your laptop (in a terminal, not the ssh-ed one running on enna) use commands like
proxychains command args...
Examples:
proxychains xvncviewer myoffice.pc.maths.usyd.edu.au
proxychains xfreerdp /u:unikey /v:myoffice.pc.maths.usyd.edu.au
proxychains ssh me@myoffice.pc.maths.usyd.edu.au
when outside (or directly without proxychains when inside).
-L 5902:myoffice.pc:5900 -L 3390:myoffice.pc:3389 -L 14022:myoffice.pc:22
and connect to 127.0.0.1 (on port 5902, 3390 or 14022 respectively,
probably by using name 127.0.0.1:5902 etc).
proxychains mutt
proxychains alpine
proxychains thunderbird
when outside (or directly without proxychains when inside).
proxychains firefox
with network via Maths to access scnews and /loc/ pages. File access
e.g. download location would be on your laptop.
Very tempting to use -L 139:enna:139 and then use connect-to-server
smb://127.0.0.1 to access the
Samba
server on enna (for file access), but that might not work:
on Linux/Mac it requires root access (e.g. sudo on the laptop), as 139 is a privileged port;
on Windows, port 139 may be "in use" already.
I could not get it to work on Windows, not even with the tricks in
support.blue.net.au/support/tunneling-smb-over-ssh-secure-file-sharing/
Known issues:
ping maths.usyd.edu.au
traceroute maths.usyd.edu.au
show "round-trip time" delays of between 15 and 40 milliseconds, spent
mostly within "home network provider" equipment. Compare the X11
network message counts:
| Command  | write | recv |
|----------|-------|------|
| tuteroll | 1560  | 3180 |
| nedit    | 270   | 280  |
| xterm    | 290   | 470  |
bugs.debian.org/366096
bugs.debian.org/384105 (xterm)
bugs.debian.org/408759 (gnome-terminal)
bugs.debian.org/764276 (dxpc)
bugs.debian.org/766299 (nxproxy)
/usr/sms/bin/OLD/x11proxy (script that had been used at Maths)
lists.mindrot.org/pipermail/openssh-unix-dev/2023-February/040593.html
bugzilla.mindrot.org/show_bug.cgi?id=2888
See also the section on xpra.
To maintain an SSH connection, the IP address of your computer must remain the same. Many home internet services occasionally (daily?) change the IP address, and your SSH connection will drop out at each change. (Google search for "what is my IP", choose any, to see yours.)
If you allow your computer to disconnect from the network, e.g. to go to sleep/hibernate as most laptops do with the lid closed, then your ssh session will be terminated.
There are idle timeouts set in several network "appliances", after which they drop the connection; against those we have
TCPKeepAlive yes
ClientAliveInterval 60
ClientAliveCountMax 20
in the Maths
/etc/ssh/sshd_config
file, and the OpenSSH patches from
bugzilla.mindrot.org/show_bug.cgi?id=3921
If affected still, you may try to add the
-oTCPKeepAlive=yes -oServerAliveInterval=60 options to ssh (for Linux or Mac,
putty has keepalive settings but not for command line); or leave command
while :; do date; sleep 60; done
running.
Connection closed by remote host
server unexpectedly closed network connection
Connection refused
or our Web-OTP service may show "Too Many Requests". When that happens, try again in a little while. Long story below.
That is our protection against password-guessing attacks in action: we have rate limiting on ssh connections. Try again in a little while, or maybe wait until the next wall-clock hour; use "ssh -v ..." (or "putty -v ...") to see the "error" message; and try soon after the restriction is lifted, before the "bad guys" use up all the permitted tries.
For some background, see:
https://isc.sans.edu/diary/Guess+what+SSH+again/6214
https://isc.sans.edu/diary/Dealing+With+Unwanted+SSH+Bruteforcing/7855/
and example log lines from 2011:
Aug 25 22:17:33 bari sskd: Failed for invalid user aaa
Aug 25 22:17:48 bari sskd: Failed for invalid user aaron
Aug 25 22:17:51 bari sskd: Failed for invalid user abacus
Aug 25 22:17:56 bari sskd: Failed for invalid user abby
Our ssh service is handled by:
Our Web-OTP service also has limits: 2 per minute for each connecting machine, and a limit of 2 per second or 20 per minute for all connections.
We are pretty safe against any breakins with 2FA; in fact I have never noticed them trying 2FA at all; they just try single passwords. Many try root only as the login name (and root does not have 2FA).
We limit connections to protect against attackers wasting resources, hoping to make the attacker "go away" and try another victim. Our protections have stopped many ssh password guessing runs/attacks, significantly lowering the CPU load on our machines.
Any limits (in xinetd, sshind or sskd) will affect legitimate users also: hopefully our rates and back-off times are not too annoying.
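Added example, not the Web-OTP service's own code: a sliding-window limiter that enforces the limits stated above (2 per minute per connecting machine; 2 per second and 20 per minute across all connections) and returns the "Too Many Requests" decision. Client names and timestamps are constructed. It also shows how the global limit is what lets the "bad guys" use up the permitted tries for everyone, and why trying again a little later works.

```python
"""Added example, not the School's Web-OTP code: sliding-window rate
limits as stated on the page.  Rejected requests do not count towards
the windows, so a client that keeps retrying does not lock itself out
for longer."""
from collections import defaultdict, deque


class OtpRateLimiter:
    PER_CLIENT = (2, 60.0)             # 2 per minute for each connecting machine
    GLOBAL = [(2, 1.0), (20, 60.0)]    # 2 per second and 20 per minute overall

    def __init__(self):
        self.per_client = defaultdict(deque)   # client -> accepted timestamps
        self.global_hits = deque()             # all accepted timestamps

    @staticmethod
    def _prune(queue, now, window):
        """Drop timestamps that have left the longest window of interest."""
        while queue and now - queue[0] >= window:
            queue.popleft()

    @staticmethod
    def _under(queue, now, count, window):
        """True if fewer than `count` accepted requests fall inside `window`."""
        return sum(1 for t in queue if now - t < window) < count

    def allow(self, client: str, now: float) -> bool:
        """Decide one request; True = serve it, False = "Too Many Requests"."""
        hits = self.per_client[client]
        self._prune(hits, now, self.PER_CLIENT[1])
        self._prune(self.global_hits, now, max(w for _, w in self.GLOBAL))
        if len(hits) >= self.PER_CLIENT[0]:
            return False
        for count, window in self.GLOBAL:
            if not self._under(self.global_hits, now, count, window):
                return False
        hits.append(now)
        self.global_hits.append(now)
        return True


def simulate(limiter: OtpRateLimiter, requests) -> list:
    """Run constructed (time, client) requests in order; return the decisions."""
    return [limiter.allow(client, t) for t, client in sorted(requests)]
```

In the test, twenty distinct "bot" clients each making a single request in one minute exhaust the global limit, so a legitimate user is refused until the oldest of those requests ages out of the window: the same effect the page describes, and the reason "try again in a little while" works.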
For incoming connections, ssh or putty talks to the firewall, and only the firewall knows which internal machine the connection is sent to: currently enna.
For outgoing connections you may still want to use the ssh-with-2fa script, to choose sensible options.
When using Cygwin (its ssh and its X server), or maybe from MacOSX, you need the (unsafe) -Y option instead of -X: I guess needed whenever xdpyinfo does not show the SECURITY extension.
Dire warnings (words of Jim Richardson):
Note that skeys are only for use of the person to whom the sheet was
allocated, and no forwardings or tunnels other than the above should
be used without prior arrangement with the School Computing Manager.
Note for Maths (e.g. Magma) users:
You do not need 2FA from such "trusted" hosts.
Our 2FA software is available in directory
/usr/sms/etc/2fa (on enna).
NOTE: file:/ links (as above) do not work in Firefox.
Copy link location then paste to Firefox URL bar, see
kb.mozillazine.org/Links_to_local_pages_don't_work .
This "SSH HowTo" page is referenced from (or referred to in):
www.maths.usyd.edu.au/local.html (click "Incoming ssh")
www.maths.usyd.edu.au/loc/comp/alpha/net-security.html#incoming
www.maths.usyd.edu.au/u/psz/ssh-howto.html (here).
Paul Szabo psz@maths.usyd.edu.au 19 Feb 26