The Theory sector workstations do not accept ssh connections from machines
outside the local domain. The only way to make an inward ssh connection is
to log into chimaera, and then ssh on to the workstation you want. This
makes copying files between machines difficult when you are on an external
system, because all transfers have to go first to chimaera and then from
there to the target. There is a way round this though, and this document
describes it.
You need an ssh client on your external machine that can do port
forwarding, and an account on chimaera. On Linux the ssh client is almost
always OpenSSH, which does support this. On Windows you can download plink,
part of the Putty
suite of programs. Putty itself can also set up forwardings through its
GUI, but plink is probably easier.
The following instructions assume you are trying to copy to a machine
called liberator in Chemistry, and that your username on liberator and
chimaera is cen1001.
- First set up a connection to chimaera with a local port forwarded to
the remote host you want to copy from/to:
ssh -L 10000:liberator.ch.cam.ac.uk:22 -l cen1001 chimaera.ch.cam.ac.uk
Log into chimaera, and leave the session running. Switch to another
window for the next bit.
- Now do the copy by connecting to localhost port 10000. The ssh
session you just opened will transparently send this data to chimaera,
which will send it to the ssh port on liberator.
scp -P 10000 '-oNoHostAuthenticationForLocalhost=yes' memory_hogs.c \
cen1001@localhost:/scratch/cen1001
This copies memory_hogs.c from the local machine into /scratch/cen1001
on liberator, even though liberator's ssh daemon cannot be seen from the
local machine.
- Now you can also copy the other way:
scp -P 10000 '-oNoHostAuthenticationForLocalhost=yes' \
cen1001@localhost:/scratch/cen1001/memory_hogs.c thingy.c
This copies liberator's /scratch/cen1001/memory_hogs.c into the file thingy.c on the
local machine.
- When you've finished copying, remember to close the session on
chimaera.
- Larger numbers of files can be transferred in one go by rsync:
rsync -ave "ssh -p 10000 -oNoHostAuthenticationForLocalhost=yes" \
cen1001@localhost:/path/to/files /path/to/local/files
A bit more detail: 22 is the port that ssh normally listens on. 10000 is a
port that normally nothing listens on, and that ordinary users are allowed
to bind to, so it is a reasonable choice for the port to run the forwarder
on. Other services may already be using the port though: if you have
problems, try a different number. Don't try to use anything less than 1024
(ordinary users can't bind to these). One thing to be aware of is that any
process on the local machine can connect to your open port 10000 and therefore
connect to liberator's ssh daemon despite liberator's firewall protection. On a multiuser machine, this means any other user.
I used the -oNoHostAuthenticationForLocalhost=yes option in the
above example. This disables host key checking for the host known as
localhost. This is needed because when you connect to localhost, you will
actually connect to liberator. Your ssh client doesn't know this and so
host key checking will probably fail as you may well have a genuine
'localhost' entry in your list of known host keys.
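The same procedure as a single script, added here as an example and not part of the original document: it opens the forward in the background, copies one file, and closes the tunnel afterwards. The variable and function names are assumptions; it uses OpenSSH's HostKeyAlias option in place of NoHostAuthenticationForLocalhost, so the key presented on the forwarded port is checked against the entry stored under liberator's name.

```shell
#!/bin/sh
# Added example: hostnames and username are the ones used on this page;
# the variable and function names are assumptions made for this example.
GATEWAY=${GATEWAY:-chimaera.ch.cam.ac.uk}
TARGET=${TARGET:-liberator.ch.cam.ac.uk}
REMOTE_USER=${REMOTE_USER:-cen1001}
LPORT=${LPORT:-10000}                 # 1024 or above for ordinary users
SOCK=${SOCK:-$HOME/.ssh/fwd-$LPORT.sock}

open_tunnel() {
    # -f -N  authenticate, then go to the background with no remote command
    # -M -S  master mode with a control socket, so the tunnel can be closed later
    # ExitOnForwardFailure  give up if LPORT cannot be bound (already in use)
    # 127.0.0.1:  listen on loopback only, never on an external interface
    ssh -f -N -M -S "$SOCK" -o ExitOnForwardFailure=yes \
        -L "127.0.0.1:$LPORT:$TARGET:22" -l "$REMOTE_USER" "$GATEWAY"
}

close_tunnel() {
    # Ask the background master process to exit, which removes the forward.
    ssh -S "$SOCK" -O exit "$GATEWAY"
}

push_via_gateway() {    # usage: push_via_gateway LOCAL_FILE REMOTE_PATH
    open_tunnel || return 1
    rc=0
    # HostKeyAlias: look the host key up under TARGET's name rather than
    # "localhost", so host key checking stays switched on.
    scp -P "$LPORT" -o HostKeyAlias="$TARGET" \
        "$1" "$REMOTE_USER@localhost:$2" || rc=$?
    close_tunnel || rc=$?   # always close, even when the copy failed
    return "$rc"
}

# Stand-alone use: sh push.sh memory_hogs.c /scratch/cen1001
if [ "$#" -eq 2 ]; then push_via_gateway "$1" "$2"; fi
```

Because the tunnel only exists for the duration of the copy, the window in which other local processes can reach port 10000 is limited to that copy.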
If you are on a Mac running OS X, the ssh client works the same way as
described above. Windows users will need to use plink to set up the
forwarding (I have not tested this yet but will at some point). The syntax is the same as for ssh. You should then be able to
use pscp to make the copy with the appropriate -P option. I can't find an
equivalent of the -oNoHostAuthenticationForLocalhost=yes option
for pscp. I suspect you're much less likely to have a localhost known key
on a Windows machine. You can also set up forwarding using the Putty GUI.
More advanced things
This document is not finished. Feedback welcome, to the usual address.