Secure Access Policy (includes SSH and VPN info)

What is the Secure Access policy?

External network connections to MCS resources shall not use clear text reusable passwords for authentication. Additionally, SSH connections without VPN tunneling will not use reusable passwords for authentication.

What does that mean to me?

It means that if you're using a network to access MCS resources from outside Argonne Building 221 or MCS office space in Argonne Building 203, you must use some mechanism that prevents your password from being "sniffed" or otherwise captured in transit to the MCS network, which can happen without your knowledge.

Note: As of April 26, 2003, machines in MCS are, by default, disallowing any password-based authentication on connections initiated from outside the MCS firewall including wireless. The list of machines to which you can SSH directly is:

  • General Login
(The above can all be accessed as "")
  • DSL-only

These machines require SSH keys for login. See the SSH Key FAQ for details. If you use the VPN, you can SSH directly to any machine (except those listed above) that you can use onsite, using your password as authentication.

How do I log in?

The MCS Systems Group has installed the Secure Shell (SSH) server on all UNIX systems that it maintains. You can use this protocol from anywhere on the Internet to connect to the above listed MCS computing resources, provided you are set up for SSH key-based login. If the host to which you need to connect is not in that list, you can either SSH from one of the hosts above, or you can use the MCS VPN client first.

Other protocols may also be available, depending on circumstance.

How do I transfer files?

You're probably asking this question because you're used to using the old Internet protocol FTP. There are several ways to work around the fact that this protocol uses reusable clear text passwords:

  • Use SCP or SFTP to transfer files over SSH.
  • You can use the Windows VPN, and ftp via

FTP is pretty much disabled on hosts inside the firewall. The host "unixhome" accepts FTP connections so make sure that's the only host with which you try to use FTP.

Where do I get SSH software for my computer?

This depends on what kind of computer you are using and whether you are an employee of Argonne's MCS Division.

Most unix and linux machines have SSH and its associated utilities installed by default. If you're running your own unix/linux machine, you should know how to get these packages.

Mac OS X machines include SSH and its associated utilities by default.

Windows clients: PuTTY, cygwin, others

What is port forwarding, and how do I set it up?

Port forwarding is a technique where an insecure protocol (like FTP, X, POP3) is tunneled through a secure protocol (like SSH). This is a good way to continue to use your familiar protocols in a secure way.
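The following is an added example (not code from the MCS page) of the technique just described: a local SSH port forward (ssh -L) that carries POP3 and IMAP, two protocols that send a reusable password in the clear, inside an SSH session to a key-authenticated login host. GATEWAY and MAILHOST are placeholders, not real MCS hostnames, and the local ports 1110/1143 are arbitrary choices.

```shell
#!/bin/sh
# Added example, not code from the MCS page: tunnel a clear-text-password
# protocol (POP3/IMAP here) through SSH with a local port forward (ssh -L), so
# the reusable password only crosses the Internet inside the SSH session.
# GATEWAY and MAILHOST are placeholders, not real MCS hostnames.

GATEWAY=${GATEWAY:-login.example.org}   # assumed SSH gateway (key-based login)
MAILHOST=${MAILHOST:-mail.example.org}  # assumed mail server behind the firewall

# valid_port N: succeeds only if N is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# forward_spec LOCALPORT REMOTEHOST REMOTEPORT
# Prints an ssh -L argument bound to 127.0.0.1, so only programs on this
# machine (not other machines on your LAN) can use the tunnel. Fails on
# bad ports or on a host name containing anything but [A-Za-z0-9.-].
forward_spec() {
    lport=$1; rhost=$2; rport=$3
    valid_port "$lport" || return 1
    valid_port "$rport" || return 1
    case "$rhost" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    printf '127.0.0.1:%s:%s:%s\n' "$lport" "$rhost" "$rport"
}

# tunnel_mail: local 1110 -> POP3 (110) and local 1143 -> IMAP (143) on
# MAILHOST, via GATEWAY. -N: run no remote command; -f: background after
# authentication. Then point the mail client at localhost port 1143 (or 1110).
tunnel_mail() {
    pop=$(forward_spec 1110 "$MAILHOST" 110) || return 1
    imap=$(forward_spec 1143 "$MAILHOST" 143) || return 1
    ssh -N -f -L "$pop" -L "$imap" "$GATEWAY"
}

# Usage: sh tunnel.sh tunnel
if [ "${1:-}" = tunnel ]; then
    tunnel_mail
fi
```

Two caveats when using this pattern: SSH only protects the leg between your machine and the gateway, so the hop from the gateway to the mail server is still clear text on the internal network (acceptable behind the firewall, not across the Internet); and for mail specifically, the IMAP/POP-over-SSL/TLS ports listed later in this FAQ remove the need for a tunnel altogether. Local forwarding is most useful for protocols that have no encrypted variant at all.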

Using SSH Port Forwarding with X on UNIX

This is easy: just use ssh -Y <hostname>, and your X display settings will be sent to the remote machine, so all X windows will open on your own display.

If you have a $DISPLAY set properly, and use ssh to connect to another system, ssh will automatically set $DISPLAY on the remote end and set up everything for you. All you have to do is start your favorite X application on the remote end. Check to make sure you're not setting your $DISPLAY in any of your startup files. Also, never use xhost +, especially in your startup files, as it's a big security hole.
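As an added example (not part of the MCS page), here is a small audit script for the two startup-file mistakes the paragraph above warns about: a hard-coded $DISPLAY, which overrides the one ssh sets for the forwarded display, and a bare "xhost +", which turns off X access control so any host that can reach your X server may connect to it. The list of startup files scanned and the constructed sample files in demo_audit are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the MCS page: audit the usual shell and X
# startup files for a hard-coded DISPLAY and for a bare "xhost +".

# Bourne/bash "DISPLAY=..." or "export DISPLAY=...", and csh "setenv DISPLAY ..."
DISPLAY_RE='^[[:space:]]*((export[[:space:]]+)?DISPLAY=|setenv[[:space:]]+DISPLAY([[:space:]]|$))'
# "xhost +" with nothing after the plus sign: access control disabled entirely
XHOST_RE='^[[:space:]]*xhost[[:space:]]+\+[[:space:]]*$'

# audit_x_startup DIR: scan startup files under DIR (default $HOME) and print
# each offending line as FILE:LINENO:TEXT. Returns 1 if anything was found.
audit_x_startup() {
    dir=${1:-$HOME}
    found=0
    for f in .profile .bash_profile .bashrc .login .cshrc .tcshrc .xinitrc .xsession; do
        [ -f "$dir/$f" ] || continue
        for re in "$DISPLAY_RE" "$XHOST_RE"; do
            hits=$(grep -nE "$re" "$dir/$f") || continue
            found=1
            printf '%s\n' "$hits" | sed "s|^|$f:|"
        done
    done
    return $found
}

# demo_audit: run the audit against constructed sample files in a temp dir.
# Expected findings: .bashrc line 1 (DISPLAY) and .xinitrc line 1 (xhost +).
demo_audit() {
    d=$(mktemp -d) || return 2
    printf 'export DISPLAY=:0\nalias ll="ls -l"\n' > "$d/.bashrc"   # constructed
    printf 'xhost +\nxterm &\n' > "$d/.xinitrc"                       # constructed
    printf 'setenv PATH ${PATH}:~/bin\n' > "$d/.cshrc"                # constructed, clean
    if audit_x_startup "$d"; then rc=0; else rc=$?; fi
    rm -rf "$d"
    return $rc
}

# Usage: sh audit_x.sh demo      (or: . ./audit_x.sh; audit_x_startup)
if [ "${1:-}" = demo ]; then
    demo_audit
fi
```

A related point on the ssh -Y form used above: -Y requests trusted X11 forwarding, which gives remote X clients full access to your local display (keystrokes, other windows), so reserve it for hosts you administer or trust; ssh -X applies the X security extension's untrusted restrictions where the X server supports them.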

Using SSH Port Forwarding with X on Microsoft Windows with SecureCRT

See the X-Windows section in the Windows FAQ.

How can I check my email when I'm not on the MCS network?

The officially supported method for getting your mail is to use SMTP and IMAP via SSL/TLS. You authenticate using your regular workstation/e-mail credentials.

The relevant servers and ports are:

  • Secure IMAP: (port 993) recommended
  • Secure POP: (port 995) (yes, the hostname doesn't make a lot of sense)
  • SMTP: (port 25 or port 465) (You might have more luck with port 465)

The IMAP and POP certificate is self-signed. You can accept the certificate (if you view it you'll see it's really us). If your mail application won't seem to remember your preference for allowing a self-signed certificate, some tips are included in the instructions below.

Mailer specific instructions:

Thunderbird: to-do

Eudora:

  1. Click Tools, then Personalities.
  2. Right-click in the white area and choose "New"
  3. Click the Skip directly to advanced setup option and choose Finish.
  4. Fill in the required information. SMTP server is, check Authentication allows and Use relay personality. Under Secure Sockets when Sending, choose "Required, Alternate Port". Check the "Check Mail" box as well.
  5. Select the Incoming Mail tab and fill in the required information. Server is, regardless of whether you're using POP or IMAP. Under Secure Sockets when Receiving, choose "Required, Alternate Port" in the SSL setting. Choose OK.
    • You may get an error. It's okay.
  6. We need to add the certificate, so right click the Personality you just created and choose Properties.
  7. Choose the Incoming Mail tab, and click the Last SSL Info button.
    • If you get an error, cancel from this menu and try to check your mail. Then, after the error, return to step 6.
  8. Choose the Certificate Information Manager button.
  9. Click Add to Trusted.
  10. Click Done, then OK, then OK, then click the Mailboxes tab in the lower left of the Eudora window. If using IMAP, right-click the personality you created, and choose Refresh Mailbox List.

You're done!

Outlook/Outlook Express:

To make your mailer remember your certificates, point Internet Explorer (not any other browser) at and choose to view the certificate. Click Install Certificate, then when asked where you'd like to place the certificate, choose "Place all certificates in the following store" and Browse to "Trusted Root Certificate Authority", then click Next, then Finish. It will ask to confirm (say yes), then you can click your way through with "OK". When back at the Security Alert window, choose no and close the browser. Outlook now has the mail server's certificate.

MacOS X Mail:

Follow the directions here to-do.

How can I dial in over the phone?

If you want a PPP connection, you have a couple of choices. Please note that if you want to use anything other than Windows for your dialup networking, you are on your own.

  • You can sign up with ECT's modem pool. This is painless, but you need a cost code. This is also the type of account you'll need for toll-free dialup. Your local access number can be found here. The list of pertinent ECT info, including instructions, numbers, and the 800 number can be found here.
  • If you're running Windows, and don't want to pay for a dialup, try a free dialup provider, such as NetZero.

What do I need to do to be able to interact with the MCS Windows domain?

Use the VPN.

What do I do if I want to use more than one computer with my connection at home?

Send e-mail to to request a NAT box.