Road to Linux Intermediate: Network Edition

A sequel to "Linux beginners are there" (Qiita). As of April 5, 2020, the worldwide spread of COVID-19 has put cities under lockdown and people are being asked to stay at home. Because teleworking is recommended wherever possible, this article summarises what you need in order to reach the network environment of a laboratory remotely from outside it, with the environment of a university science laboratory in mind.

Access to the intranet from the internet

Going out from the intranet (the network inside the laboratory) to the Internet (the network outside it) is usually unrestricted. That traffic leaves through a gateway, so from the Internet the structure of the intranet is invisible: every connection appears to come from the gateway's global IP address. This article covers the opposite direction, entering the intranet from a specific address on the Internet, and which commands make what possible. The tool throughout is ssh.

Access the intranet bastion server with ssh

The gateway has a global IP address and host name, and ssh access starts from that address. You need it in order to connect, so ask whoever manages the intranet. If the IP address is www.xxx.yyy.zzz (a placeholder used throughout this article), the host name is host.gate and your user name is user, then

ssh user@www.xxx.yyy.zzz
ssh user@host.gate

connects you (see below if a key is required). Quite possibly this does not work as written. The usual reason is that the ssh port is not the default 22 and has not been specified; the working login command is shown a little further down, after the explanation. If the port really is 22 and the connection still fails, the most likely causes are that your account has not been created on the server yet, or that the password set when the account was created is wrong.

A little more about what actually happens here. The gateway is often a dedicated router appliance, and such a router normally holds no user accounts. So where do you log in? The answer is the bastion server: the router passes incoming ssh connections from the Internet on to it, and it is the one machine that handles all logins into the intranet. Entering the intranet from outside always means logging in to this server first.

Shift the port number -p

The ssh port of the gateway or bastion server is usually moved away from the default 22. Servers facing the Internet receive a constant stream of login attempts from unknown machines, and since 22 is the well-known ssh port it is the first thing they try, so the port used for ssh on an Internet-facing machine is shifted. Be clear about what this buys: it cuts the noise in the logs dramatically, but a port scan finds the new port in seconds, so it is not a security boundary. What actually keeps attackers out is key authentication (next section) with password logins disabled on the server side.

For example, suppose the port number is 31415 (the first five digits of pi). Then the ssh command becomes:

ssh -p 31415 user@www.xxx.yyy.zzz
ssh -p 31415 user@host.gate

Key specification -i

By default ssh lets you log in with a user name and the matching password. With port 22, a common user name and a guessable password, a malicious person or bot will get in sooner or later. Key authentication makes this much harder: you place the public key in ~/.ssh/authorized_keys on the login destination and keep the private key on the machine you log in from, and the login succeeds only when the two halves of the pair match. This article assumes an RSA key; for new keys, ssh-keygen -t ed25519 is the usual recommendation today and everything below works the same way. Searching for "ssh key authentication" gives plenty of detail. When the private key is ~/.ssh/id_rsa, pass it with the -i option:

ssh -p 31415 -i ~/.ssh/id_rsa user@www.xxx.yyy.zzz
ssh -p 31415 -i ~/.ssh/id_rsa user@host.gate

You will be asked for the passphrase you chose when generating the key; enter it. (ssh-add can cache it in ssh-agent for the rest of the session.)
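Key authentication only helps if the keys the bastion accepts are sound and sshd actually reads the file. Below is an added example, not code from the original article, that audits an authorized_keys file: it parses OpenSSH's line format (optional options such as from= and command=, key type, base64 blob, comment), decodes the blob to check the declared type and the RSA modulus size, and flags ssh-dss and a group/world-writable file, which sshd silently ignores under the default StrictModes. The key entries it checks are constructed from random bytes and are not usable keys; MIN_RSA_BITS is an assumed local policy.

```python
"""Audit an authorized_keys file before relying on ssh key authentication.

Added example (not from the original article).  The sample entries in
demo() are built from random bytes and are NOT real keys; they only
exercise the parser."""
import base64
import os
import stat
import struct
import tempfile

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
MIN_RSA_BITS = 2048  # assumed site policy


def _ssh_string(data):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(blob, offset):
    """Decode one SSH 'string' at offset; returns (bytes, next_offset)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    return blob[offset + 4:offset + 4 + length], offset + 4 + length


def _mpint_bits(raw):
    """Bit length of an SSH mpint (big-endian; a leading 0x00 is sign padding)."""
    raw = raw.lstrip(b"\x00")
    return (len(raw) - 1) * 8 + raw[0].bit_length() if raw else 0


def _split_outside_quotes(line):
    """Split on spaces but keep command="/usr/bin/qstat -u me" together
    (backslash escapes inside quotes are not handled)."""
    fields, current, quoted = [], [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        if ch == " " and not quoted:
            if current:
                fields.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        fields.append("".join(current))
    return fields


def parse_authorized_key(line):
    """Describe one line: declared type, RSA bits, options, comment, findings."""
    fields = _split_outside_quotes(line.strip())
    idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
    if idx is None or len(fields) < idx + 2:
        return {"type": None, "findings": ["unparseable line (no recognised key type)"]}
    declared, options, comment = fields[idx], fields[:idx], " ".join(fields[idx + 2:])
    blob = base64.b64decode(fields[idx + 1])
    blob_type, offset = _read_string(blob, 0)   # the blob repeats the key type
    findings, bits = [], None
    if blob_type != declared.encode():
        findings.append(f"declared {declared} but blob says {blob_type.decode(errors='replace')}")
    if declared == "ssh-rsa":                  # blob = type, mpint e, mpint n
        _e, offset = _read_string(blob, offset)
        modulus, offset = _read_string(blob, offset)
        bits = _mpint_bits(modulus)
        if bits < MIN_RSA_BITS:
            findings.append(f"RSA modulus is only {bits} bits")
    elif declared == "ssh-dss":
        findings.append("ssh-dss is disabled by default since OpenSSH 7.0")
    return {"type": declared, "bits": bits, "options": options,
            "comment": comment, "findings": findings}


def check_file_mode(path):
    """With StrictModes yes (the default) sshd ignores a group/world-writable file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return [f"{path} is group/world-writable (mode {mode:o}); sshd will ignore it"] if mode & 0o022 else []


def fake_key_line(key_type, modulus_bytes=256, comment="user@laptop"):
    """Constructed sample: structurally valid, cryptographically meaningless."""
    if key_type == "ssh-rsa":
        modulus = b"\x00\x80" + os.urandom(modulus_bytes - 1)   # top bit set: exact size
        blob = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(modulus)
    else:
        blob = _ssh_string(key_type.encode()) + _ssh_string(os.urandom(32))
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


def demo():
    """Audit a constructed file: one good, two weak and one restricted entry."""
    lines = [
        "# lab bastion keys",
        fake_key_line("ssh-ed25519"),
        fake_key_line("ssh-rsa", modulus_bytes=128),                       # 1024-bit RSA
        'from="192.168.0.0/16",command="/usr/bin/qstat -u user" '
        + fake_key_line("ssh-rsa", modulus_bytes=256),                     # restricted 2048-bit
        fake_key_line("ssh-dss"),
    ]
    with tempfile.NamedTemporaryFile("w", delete=False) as f:
        f.write("\n".join(lines) + "\n")
    os.chmod(f.name, 0o664)   # a typical mistake after copying the file around
    report = [parse_authorized_key(l) for l in lines if not l.startswith("#")]
    report.append({"type": "file", "findings": check_file_mode(f.name)})
    return report
```

On a real bastion, run it over ~/.ssh/authorized_keys and fix any finding before you disable password logins, otherwise you lock yourself out. The from= and command= options shown in the restricted entry are what a supercomputer operator would add to a key that is only meant to run qstat.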

I want to use the X Window System -X, -Y

Remote access over ssh can also bring the windows of most applications to the machine in front of you. Anything that talks to the X Window System, from xterm, xpdf and xdvi to GUI programs such as gnuplot or Firefox, can be forwarded to your local display (note that quite a few applications leave a stray background process behind when you close them). This is handy when the application has to run on the server that holds the data you want to analyse, or when it only exists on one particular machine because installing it elsewhere is painful thanks to OS or library dependencies. To enable it, add the -X or -Y option. The difference matters. -X is "untrusted" forwarding: the remote client is restricted by the X11 SECURITY extension and, because of ssh's default ForwardX11Timeout, can no longer open new windows 20 minutes after login, which is why on a Mac a -X session seems to break after a while and -Y appears more stable. -Y is "trusted" forwarding: the remote host gets full access to your display, including keystrokes and the contents of your other windows, so use it only with servers you trust as much as your own machine. Example commands:

ssh -X user@www.xxx.yyy.zzz
ssh -X user@host.gate
ssh -Y user@www.xxx.yyy.zzz
ssh -Y user@host.gate

When the link is slow (a server far away, or a mobile phone network), compressing the traffic with -C saves bandwidth. As man ssh notes, on a fast network compression only slows things down.

ssh -XC user@www.xxx.yyy.zzz
ssh -YC user@host.gate

After logging in to the bastion server, I want to automatically move to another computer in the intranet -t

On an intranet, the bastion server is usually there for exactly that purpose and has no other role. After logging in to it, what you really want is to log in to the compute cluster, the file server or your own machine to look at the data. One way is to log in to the bastion and then run ssh -XC user@192.168.xxx.yyy from there. Doing that by hand every time is silly and should be automated. Whenever an amateur wonders "surely this must be possible?", somebody has almost always done it already and written it up on the Web. In this case the -t option of ssh does the job: specify -t and write the command you want executed on the bastion to the right of the host name.

ssh -p 31415 -t user@www.xxx.yyy.zzz ssh user@192.168.xxx.yyy
ssh -p 31415 -t user@host.gate ssh user@linux.intra

A command to the right of the host name is executed even without -t, but -t is required here: it allocates a terminal on the bastion, which the inner ssh needs in order to prompt for a password. When you run this you should be asked for the password of 192.168.xxx.yyy / linux.intra.

-t takes no argument, so it does not have to sit next to the command; OpenSSH also accepts options after the host name, and personally I prefer to write it all together like this:

ssh -p 31415 user@www.xxx.yyy.zzz -t ssh user@192.168.xxx.yyy
ssh -p 31415 user@host.gate -t ssh user@linux.intra

If you also want X windows from the final destination, use ssh -p 31415 -X user@www.xxx.yyy.zzz -t ssh -X user@192.168.xxx.yyy. A window launched on 192.168.xxx.yyy then appears on your screen.

Two caveats about this chaining. The inner ssh client runs on the bastion, so the second-hop password is typed into a shell there, the bastion sees the inner session in plaintext, and a key for the second hop would have to be stored on the bastion as well. Since OpenSSH 7.3 the cleaner form is ssh -J user@www.xxx.yyy.zzz:31415 user@192.168.xxx.yyy (ProxyJump): the second connection is tunnelled through the bastion, stays end-to-end encrypted between your machine and the target, uses the key on your machine, and your own client verifies the target's host key. The configuration file further down achieves the same thing with ProxyCommand ssh -W.

Application of commands using -t

As you can see, the command to the right of the host name does not have to be ssh. If there is something you want to run immediately on the machine you log in to, not only on the bastion, write it here. For example, to check the status of your supercomputer jobs and the remaining budget:

ssh -t user@[supercomputer host] qstat
ssh -t user@[supercomputer host] point

(point being the site's own command for the remaining points.) You are logged out again as soon as the job status or the point balance has been printed. In many cases this works without -t as well. Beware, though, that a remote command runs in a non-interactive shell, which on many systems skips startup files such as ~/.bashrc, so aliases, functions and PATH additions defined there are missing and a command that works at the interactive prompt may fail here.

I want to replace access to a specific port with access to my port -L

Port forwarding lets access to a port on a specific machine in the laboratory intranet be replaced by access to a port on the machine you are connecting from. Two examples follow: reaching a Jupyter notebook remotely, and ssh / sftp.

Jupyter notebook -L 8888:192.168.xxx.yyy:8888

By default a Jupyter notebook opens a browser on the machine it was started on. After configuring remote access (see, for example, "Start jupyter notebook on a remote server and use it in a local environment" on Qiita), any machine inside the intranet can reach it by typing 192.168.xxx.yyy:8888 into a browser. That string is "IP address:port number", so the port is 8888. Each additional notebook you launch takes the next port: 8888, 8889, 8890 and so on. The bastion server sits inside the intranet, so port forwarding from it can bring a port of an intranet machine to a port of your choice on the login source. To map port 8888 of 192.168.xxx.yyy to port 8888 or 18888 on the login source:

# -L [Login source port number]:[Intranet computer IP]:[Intranet computer port]
ssh -p 31415 user@www.xxx.yyy.zzz -L 8888:192.168.xxx.yyy:8888 -t ssh user@192.168.xxx.yyy
ssh -p 31415 user@www.xxx.yyy.zzz -L 18888:192.168.xxx.yyy:8888 -t ssh user@192.168.xxx.yyy

The ssh user@192.168.xxx.yyy to the right of -t is not needed for the forwarding itself; it is there because you usually have to log in to the target once to start the notebook. If a notebook is already listening on 8888, leave it out. Almost any number can be used as the local port, but ports 0-1023 are reserved for well-known services and binding them needs root, so choose something above them. The forwarded port listens on 127.0.0.1 by default, so only your own machine can use it, which is what you want for a notebook that is protected by nothing more than a token.

ssh / sftp access -L 10022:192.168.xxx.yyy:22

As mentioned above, the intranet cannot be seen directly from the Internet; you enter it by logging in to the bastion server through the gateway. Once logged in to the bastion, port forwarding makes further access to the intranet much easier, shown here with an ssh / sftp connection. If port 22 of the intranet machine 192.168.xxx.yyy is mapped to port 10022 on the login source, then every later ssh to your own port 10022 behaves like a connection to port 22 of that machine. The first command is

ssh -p 31415 user@www.xxx.yyy.zzz -L 10022:192.168.xxx.yyy:22

and while it is running, 192.168.xxx.yyy is reachable over ssh / sftp with:

ssh -p 10022 user@localhost
sftp -P 10022 user@localhost

Note that sftp takes the port as -P, upper case. Older versions want -oPort=10022 instead; check man sftp. ssh records the target's host key under [localhost]:10022 in ~/.ssh/known_hosts; if it later warns that the key for that entry has changed, the port is now mapped to a different machine (or something is wrong), so do not simply delete the entry but check which machine you are forwarding to.

Honestly, sftp gains more from this setup than ssh does. To upload a file to an intranet machine, the simple-minded procedure is "sftp the file to the bastion" → "ssh to the bastion" → "run sftp on the bastion and move the file on to the target", which is tedious. Port forwarding collapses it into one step. One might object that since you log in to the bastion with ssh anyway, the saving is small. But sftp is interactive: you can browse both your local environment and the remote one while uploading and downloading. With the two-stage procedure, if you picked the wrong file you have to repeat the whole thing, whereas a direct sftp connection through the forwarded port has no such problem.
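To make concrete what -L does on your side of the connection, here is an added example, not code from the original article: a plain TCP relay that listens on a local port and copies bytes both ways to a target, the way the ssh client accepts connections on the forwarded port and hands them to the far end. It shows the two points that matter in practice: the listening address is 127.0.0.1 unless you ask for GatewayPorts (modelled here by the gateway_ports flag), and starting the same forward twice fails with "Address already in use". The echo server stands in for the intranet service (a Jupyter notebook, sshd on 192.168.xxx.yyy); real ssh carries the relayed bytes inside its encrypted connection, this toy does not encrypt.

```python
"""What `ssh -L [bind_address:]port:host:hostport` does on the client side.

Added example, not from the original article: a TCP relay plus an echo
server standing in for the intranet service.  Nothing here is encrypted;
the point is the bind address and the bidirectional copy."""
import socket
import threading


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then pass the half-close on."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class LocalForward:
    """One -L forward: binds 127.0.0.1, or 0.0.0.0 when gateway_ports is set."""

    def __init__(self, local_port, target, gateway_ports=False):
        self.bind_addr = "0.0.0.0" if gateway_ports else "127.0.0.1"
        self.target = target
        self.listener = socket.socket()
        try:
            self.listener.bind((self.bind_addr, local_port))   # EADDRINUSE if taken
        except OSError:
            self.listener.close()
            raise
        self.listener.listen(5)
        self.local_port = self.listener.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:                      # listener closed
                return
            try:
                upstream = socket.create_connection(self.target)
            except OSError:                      # ssh logs "connect failed" here
                client.close()
                continue
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    def close(self):
        self.listener.close()


def start_echo_server():
    """Stand-in for the intranet service: reads until EOF, sends it back."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                request = b"".join(iter(lambda: conn.recv(4096), b""))
                conn.sendall(request)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()


def demo():
    """One request through the relay, then an attempt to start the same forward twice."""
    srv, target = start_echo_server()
    fwd = LocalForward(0, target)                 # port 0: let the OS pick a free one
    with socket.create_connection(("127.0.0.1", fwd.local_port)) as c:
        c.sendall(b"GET / HTTP/1.0\r\n\r\n")
        c.shutdown(socket.SHUT_WR)
        reply = b"".join(iter(lambda: c.recv(4096), b""))
    try:
        LocalForward(fwd.local_port, target)
        second = "bound twice (should not happen)"
    except OSError:
        second = "Address already in use"
    fwd.close()
    srv.close()
    return {"bind_addr": fwd.bind_addr, "reply": reply, "second_bind": second}
```

On a real machine, ss -ltnp (or netstat -an on a Mac) shows the same thing for a running ssh -L: a listener on 127.0.0.1:10022 owned by the ssh process, and with GatewayPorts a listener on *:10022 that anyone on your current network can use.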

I want to browse web pages that can only be accessed from the intranet with my browser -D

At various layers there are web pages that can be reached from the intranet but are restricted or unreachable from the general Internet for authentication reasons. Port forwarding gives access to those too. The forwarding used above is called local forwarding; here we use dynamic forwarding. The option is -D followed by a port number:

ssh -p 31415 -D 10080 user@www.xxx.yyy.zzz

This turns port 10080 on your machine into a SOCKS proxy. Set the SOCKS host to localhost and the port to 10080 in your browser's proxy settings, and the browser behaves as if it were running on the bastion server. Two settings matter. First, select SOCKS v5 and have the browser send host names to the proxy (in Firefox, "Proxy DNS when using SOCKS v5"); otherwise the browser resolves names locally, which fails for intranet-only names and leaks the names you look up to whatever resolver your laptop is using. Second, the SOCKS port has no authentication of its own, so leave it bound to 127.0.0.1 (the default) rather than exposing it with a bind address or GatewayPorts.
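The browser and the ssh -D port speak SOCKS5 (RFC 1928). The following added example, not code from the original article, builds the client's two messages and decodes the proxy's replies so the exchange is visible: a greeting offering "no authentication", the proxy's method choice, a CONNECT request and the proxy's status reply. The request builder shows the remote-DNS point from above: a host name is sent verbatim with address type 0x03 so ssh resolves it on the bastion, while an IP literal goes as 0x01/0x04; with remote_dns disabled it refuses to proceed rather than resolve locally. The server replies used in the usage note are constructed (ssh answers a successful CONNECT with a zero bound address and port).

```python
"""SOCKS5 handshake as performed by a browser against `ssh -D 10080`.

Added example, not from the original article.  Message layouts follow
RFC 1928; the server replies fed to parse_* are constructed samples."""
import ipaddress
import struct

SOCKS_VERSION = 5
NO_AUTH, NO_ACCEPTABLE = 0x00, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
              3: "network unreachable", 4: "host unreachable", 5: "connection refused",
              6: "TTL expired", 7: "command not supported", 8: "address type not supported"}


def client_greeting():
    """Step 1 (client -> proxy): version 5, one method offered, 'no authentication'."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def parse_method_selection(data):
    """Step 1 reply (proxy -> client): version + chosen method; 0xFF means rejected."""
    version, method = data[0], data[1]
    if version != SOCKS_VERSION or method == NO_ACCEPTABLE:
        raise ValueError("proxy rejected our authentication methods")
    return method


def connect_request(host, port, remote_dns=True):
    """Step 2 (client -> proxy): CONNECT host:port.

    An IP literal is sent as ATYP 1/4.  A name is sent as ATYP 3 so the
    proxy (the ssh client, and ultimately the bastion) resolves it; with
    remote_dns=False we refuse, because resolving here would leak the name
    and fail for intranet-only names."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        atyp, addr = (ATYP_IPV4 if ip.version == 4 else ATYP_IPV6), ip.packed
    elif remote_dns:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("host name too long for SOCKS5")
        atyp, addr = ATYP_DOMAIN, bytes([len(name)]) + name
    else:
        raise ValueError(f"{host!r} would have to be resolved locally; enable remote DNS")
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, atyp]) + addr + struct.pack(">H", port)


def parse_reply(data):
    """Step 2 reply (proxy -> client): (status text, bound address, bound port)."""
    version, rep, _reserved, atyp = data[:4]
    if version != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    if atyp == ATYP_IPV4:
        addr, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_IPV6:
        addr, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    elif atyp == ATYP_DOMAIN:
        length = data[4]
        addr, rest = data[5:5 + length].decode(), data[5 + length:]
    else:
        raise ValueError(f"unknown address type {atyp}")
    (port,) = struct.unpack(">H", rest[:2])
    return REPLY_TEXT.get(rep, f"unknown({rep})"), addr, port
```

After parse_reply reports "succeeded", every further byte on the same TCP connection is relayed to the target; that is why a wrong proxy port (a web proxy instead of a SOCKS proxy, or vice versa) fails right at the first byte. A request to wiki.intra:80 is 05 01 00 03 0a "wiki.intra" 00 50, which is what you will see if you ever have to compare a packet capture against the browser settings.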

Collect the bastion server and access settings via config file

So far we have enabled the various intranet functions by stringing together ssh options. Typing those commands every time is tedious; it would be neat to collect them in a configuration file. That file is ~/.ssh/config. The one below implements everything described so far (my own ".ssh/config", as it were).

The basic grammar is

Host [Favorite name]
    Hostname [IP/hostname]
    IdentityFile [Key path]
    Port [port number]
    LocalForward [Login source port] [Intranet computer IP]:[Intranet computer port]
    DynamicForward [Port number used for dynamic forwarding]
    ForwardX11 [If yes, use the X Window System]
    Compression [If yes, the communication content will be compressed]
    ProxyCommand [Command whose stdin/stdout ssh uses as its connection to the host, e.g. ssh -W through the bastion]

and so on. The whole thing looks like this:

~/.ssh/config


#
Host Bastion
    HostName 192.168.xxx.zzz
    IdentityFile /home/user/.ssh/id_rsa
Host linux
    HostName 192.168.xxx.yyy
Host Bastionout
    HostName www.xxx.yyy.zzz
    IdentityFile /home/user/.ssh/id_rsa
    Port 31415
Host linuxout
    HostName 192.168.xxx.yyy
    ProxyCommand ssh -XCW %h:%p Bastionout
Host linuxtunnelout
    HostName 192.168.xxx.yyy
    ProxyCommand ssh -XCW %h:%p Bastionout
    LocalForward 10022 localhost:22
    LocalForward 8888 localhost:8888
    LocalForward 8889 localhost:8889
    LocalForward 8890 localhost:8890
    LocalForward 8891 localhost:8891
    DynamicForward 10080
    GatewayPorts yes
Host linuxsecondout
    HostName localhost
    Port 10022
#
Host *out
    ServerAliveInterval 60
    TCPKeepAlive yes
    Compression yes
Host *
    User user
    ForwardX11 yes
    ForwardX11Trusted yes

The ServerAliveInterval and TCPKeepAlive entries mitigate ssh connections over the Internet being dropped; they are not explained here. I expected about four Jupyter notebooks to be running at once, so four consecutive ports from 8888 to 8891 are forwarded. Note that these LocalForward lines belong to the connection to 192.168.xxx.yyy, so localhost there means that machine, not the bastion. Since the notebooks will not be used at the same time on the login source, the local port numbers are kept the same as on the intranet.

Port forwarding prints an unpleasant "Address already in use" warning when the same forward is started twice. Therefore there is a plain linuxout, a linuxtunnelout that sets up the forwards, and a linuxsecondout for further logins while the forwards are up. The ProxyCommand line makes ssh reach 192.168.xxx.yyy through a connection opened on Bastionout with -W; the -X in it has no effect, because -W opens no login session, and on OpenSSH 7.3 or later the single line ProxyJump Bastionout does the same job. GatewayPorts yes makes the forwarded ports accept connections from machines other than the one that set them up. Think before enabling it: the forwarded ports carry no authentication of their own, so with it on, anyone who can reach your laptop (on a cafe or hotel network, say) has a path straight into the laboratory intranet. Leave it off unless you need it, or bind individual forwards explicitly (LocalForward 127.0.0.1:8888 localhost:8888).

Wildcards (*) are allowed in the Host names. I wanted the X Window System on every connection, so it is set in the Host * section; bear in mind that ForwardX11Trusted yes there amounts to -Y towards every host, including ones whose administrators you may not want to trust with your display. All connections from the Internet are named *out, and they share the keep-alive and compression settings. man ssh_config says:

Since the first obtained value for each parameter is used, more host-specific declarations should be given near the beginning of the file, and general defaults at the end.

So settings that vary per environment go at the top of the file and general defaults as far down as possible. ssh -G linuxout prints the options the client actually resolves for a name, which is the quickest way to confirm that the order is right.
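The "first obtained value wins" rule is easy to get wrong once a file has a few wildcard blocks, and the symptom (a Port or User silently ignored) is confusing. The following added example, not code from the original article or from OpenSSH, models how the client walks ~/.ssh/config: every Host block whose pattern matches the name on the command line contributes its settings, the first value seen for a keyword is kept, and list keywords such as LocalForward and IdentityFile accumulate. It also includes a small check, shadowed_settings, that reports values a later block can never apply because an earlier Host * already set them. The embedded config is trimmed from the article's own file with a Port 22 default added to Host * to make the rule visible; Match, Include and negated patterns are not modelled, so treat ssh -G as the authority.

```python
"""Model of ssh_config option resolution: first matching value wins.

Added example, not from the original article.  Handles the Host/keyword
subset used in the article's config; Match, Include and '!' patterns are
out of scope.  Use `ssh -G name` to see what the real client resolves."""
import fnmatch
import re

ACCUMULATING = {"localforward", "remoteforward", "identityfile"}   # list-valued keywords

SAMPLE_CONFIG = """\
# trimmed from the article's config: specific hosts first, defaults last
Host Bastionout
    HostName www.xxx.yyy.zzz
    IdentityFile /home/user/.ssh/id_rsa
    Port 31415
Host linuxout
    HostName 192.168.xxx.yyy
    ProxyCommand ssh -W %h:%p Bastionout
Host linux
    HostName 192.168.xxx.yyy
Host *out
    ServerAliveInterval 60
    Compression yes
Host *
    User user
    Port 22
    ForwardX11 yes
"""

# The same file with the catch-all block moved to the top: a common mistake.
MISORDERED_CONFIG = "Host *\n    Port 22\n    User user\n" + SAMPLE_CONFIG


def parse_ssh_config(text):
    """Return [(patterns, [(keyword, value), ...]), ...] in file order.
    Settings before the first Host line apply to every host."""
    blocks, current = [], (["*"], [])
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, value = re.split(r"\s*=\s*|\s+", line, maxsplit=1)   # "Key value" or "Key=value"
        keyword = keyword.lower()
        if keyword == "host":
            blocks.append(current)
            current = (value.split(), [])
        else:
            current[1].append((keyword, value))
    blocks.append(current)
    return blocks


def resolve(blocks, host):
    """Effective options for `ssh host`, walking matching blocks top to bottom."""
    options = {}
    for patterns, settings in blocks:
        if not any(fnmatch.fnmatchcase(host.lower(), p.lower()) for p in patterns):
            continue
        for keyword, value in settings:
            if keyword in ACCUMULATING:
                options.setdefault(keyword, []).append(value)
            else:
                options.setdefault(keyword, value)    # an earlier value is kept
    return options


def shadowed_settings(blocks):
    """Keywords a later block can never apply because an earlier `Host *` set them."""
    catch_all_keys, warnings = set(), []
    for patterns, settings in blocks:
        for keyword, value in settings:
            if keyword in catch_all_keys and keyword not in ACCUMULATING:
                warnings.append(f"Host {' '.join(patterns)}: {keyword} {value} "
                                "is shadowed by an earlier Host *")
        if "*" in patterns:
            catch_all_keys.update(k for k, _ in settings)
    return warnings
```

With the article's ordering, resolve(blocks, "Bastionout") keeps Port 31415 and still picks up User and Compression from the wildcard blocks, while "linux" gets no compression because *out does not match it. With the misordered file, Bastionout silently connects to port 22, which is exactly the failure shadowed_settings is meant to point out before you spend time debugging a refused connection.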

Commands often used for remote access

Command to download a file on the remote machine: wget

Sometimes a file you want to download should end up on the remote machine. Downloading it to your own computer and then transferring it with sftp is needlessly roundabout. If you know the URL of the file,

wget [URL]

run on the remote machine does the job. The download then happens from that machine, so the URL must be reachable from inside the laboratory (through its proxy, if there is one), and the result deserves the same checksum comparison against the publisher's value that you would do locally.

FAQ (still being collected)
