Remote access

There are several useful ways to work remotely on another computer.
Here are some tips and tricks.

Image may contain: Blue, Dishware, Serveware, Drinkware, Creative arts.
  1. SSH

    1. 2-factor authentication with ssh

    2. Setting up ssh so you don't have to authenticate with 2FA more than once

    3. Using scp/sftp/sshfs without 2FA

    4. SSH keys - ssh without typing your password

    5. By use of jumphost login.astro.uio.no

    6. SSH tips and tricks

    7. [2021-08-30] [Linux] New (type of) ssh keys, "ED25519"

  2. VNC

    1. Starting the VNC-server on a linux workstation

    2. Starting the VNC-server on a Mac workstation

    3. Connect to a linux workstation from a linux laptop

    4. Connect to a linux workstation from a Mac laptop

    5. Connecting to a Mac workstation from a Mac laptop

    6. Setting correct screen resolution on a linux workstation

    7. Setting correct screen resolution on a Mac workstation

X11 from Windows
​​​​​​

  1. X-Win32 - only towards UiO networks 129.240.0.0/x
  2. Xming and PuTTY

Useful programs, terminal multiplexers for working at the command line

  1. Screen
  2. Tmux

SSH

«ssh is a program for logging into a remote machine and for executing commands on a remote machine» 
Simply do

ssh -Y <username>@login.astro.uio.no

The -Y switch is useful if you want to be able to open programs from the remote computer in separate windows, one may combine it with the use of compression, "-CY".
This switch can be turned on permanently by modifying the .ssh/config file in your home directory.
However, running GUI based applications using X11 forwarding is not recommended for performance reasons.
The recommended solution is to use VNC (see the VNC section further below)

By default, computers at UiO have restricted access from outside. To be able to SSH into your computer at ITA, you need to go through login.astro.uio.no. 

2-factor authentication with ssh

Logging in to login.astro.uio.no requires 2-factor authentication from outside UiO. If you haven't already, enable 2-factor authenticaton on your account

Note: When enabling 2FA, use <username>@uio.no (not astro.uio.no)

If you log in from outside the UiO network, you will be asked for 2FA.

$ ssh username@login.astro.uio.no

This host utilizes two-factor authentication via Microsoft Azure.
If you are using the Microsoft Authenticator mobile application, you
should have received a notification which you need to accept in
order to proceed. If you are using One Time Password (OTP) codes,
enter the OTP code now.

You will then be asked for your password.

Setting up ssh so you don't have to authenticate with 2FA more than once

If you configure ControlMaster in ~/.ssh/config (on your laptop), you only have to authenticate with 2FA for the first ssh session.

Example configuration:

CanonicalizeHostname yes
CanonicalDomains uio.no

Host *.uio.no !login.astro.uio.no !login2.astro.uio.no 
        ProxyJump <your user name>@login.astro.uio.no
Host *
  ControlMaster auto
  ControlPath /tmp/%r@%h:%p
  Compression yes
  ControlPersist 10m
  ForwardX11 yes

The two first lines makes it possible to log in without adding .uio.no to the host name.

The third line makes it possible to log in to your computer through login.astro.uio.no by doing ssh <your_computer>.uio.no

The ControlPersist 10m will keep the connection 10 minutes after you quit the main session, so if you accidentally log out the master session, you can log in without 2FA within 10 minutes.

The ForwardX11 yes will set up X11 forwarding, so you don't have to use the -Y to ssh.

See USITs description for more details.

Using scp/sftp/sshfs without 2FA

For those who use sftp/scp/sshfs you can still use them with login.astro.uio.no, but you will then need to authenticate with 2FA if you are outside the UiO-network.

For those who need to do scp/sftp with password-less login, you can do this without 2FA to scp.astro.uio.no. Note that it is not possible to log in with ssh to this host.

To use this, you need to set up password-less login with keys.

SSH keys - ssh without typing your password

You can ssh between computers without typing your password by using encrypted keys (you can read more on this at Wikipedia). The keys are generated by running

$ ssh-keygen -t ed25519 -C"<name of key/host">
$ssh-keygen -t rsa

Usually you will recieve a response asking you which file the key should be saved in.
The default should be on your home directory,  id_ed25519 .ssh/id_rsa. You will then be asked to provide a passphrase.
It is strongly recommended that you provide one. ssh without password should now be working betwieen university computers. This passphrase can be remembered by an ssh-agent and added with ssh-add, ie:

laptop$ ssh-add -l; read; eval `ssh-agent`; ssh-add; ssh-add -l

Connecting to another machine

You will then need to put the contents of  the file  id_ed25519.pub  id_rsa.pub key in the file ~/.ssh/authorized_keys file on the host machine (in your homedir, $HOME/.ssh)  if you're connecting from a non-UiO machine.

Department of Geoscience has written an extensive page about ssh tips and tricks

If you do not have any ~/.ssh/authorized_keys file you may simply ssh-copy the id file(s) by:

laptop$ ssh-copy-id login.astro.uio.no

If this file exists or fails, you will have to fix this manually (type your password when asked to do so):

laptop$ scp .ssh/id_ed25519.pub login.astro.uio.no:~/.ssh/tmp.key

Then concatinate this file to the end of the file authorized_keys:

UiO-host$ cd; cd .ssh; cat tmp.key >> authorized_keys


Remember to add your username to login.astro if different on the computers

VNC

VNC works similar to SSH, but allows VNC clients from different operating systems to access the server/workstation.

In general, be advised that VNC is a screen sharing protocol. This means that what you are doing will be visible on the monitor in your office (unless you turn it off), and that you should always lock the screen before disconnecting the VNC session.

Starting the VNC server on a linux workstation

Gnome on RHEL 7:

VNC can be set up by accessing the Remote Desktop tool under "System -> Preferences -> Remote Desktop" on the Gnome menu.

It is strongly recommended that you activate the «Require the user to enter this password:» option.

On RHEL7 the dialog box will look like the image below:
Ciick on Applications -> System Tools -> Settings -> Sharing -> Screen Sharing and turn it on.

 

 

Make sure "Approve All Connections" is switched off, otherwise there will be a prompt for approval of the connection every time you try to connect to your computer. Port 5900 will be used with this method.

Running vncserver manually:

On RHEL 7, you can also run 'vncserver' manually to run a VNC server. This can be very useful if you aren't logged into your computer at ITA locally (for instance from home).

The config file is located at ~/.vnc/xstartup. Here you can choose what to start, only an xterm, or a full desktop environment. Having two instances of the same destop environment will not work. For example if you are logged into a machine using gnome, you should use an other for the vnc session. We recommend the xfce, it is stable and light. The file can look something like this:

[susinths@nishtya ~]$ more /.vnc/xstartup
#!/bin/sh

unset SESSION_MANAGER
unset DBUS_SESSION_BUS_ADDRESS
#exec /etc/X11/xinit/xinitrc
xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
#xfce4-session &
#startkde &
#gnome-session &
#startkde &
#mate-session &
#cinnamon-session &
Run an SSH session into your computer at ITA with X forwarding (-CX for Compression as well) and then run 'vncserver' and note the messages output by VNC server startup. Here is an example:
[susinths@nishtya ~]$ vncserver 

New 'nishtya.uio.no:1 (susinths)' desktop is nishtya.uio.no:1

Starting applications specified in /path/to/susinths/.vnc/xstartup
Log file is /path/to/susinths/.vnc/nishtya.uio.no:1.log
Here the second line (New 'nishtya.uio.no:1..) tells you that VNC server is listening on port 5901. The port number is given by adding 5900 to the number after the hostname:, which is 1 in this case.
 
NOTE: The vnc server will be running on this port, even if you quit your VNC-session. You can then later connect to the same port and get back to where you left. To quit the VNC-server session do:
vncserver -list
vncserver -kill :1

NOTE: It is highly recommended that you create a VNC password before you start vncserver the first time. User vncpasswd to do this. You will be prompted for this password when you connect with a VNC-session.

Starting the VNC server on a Mac workstation

To start the VNC server on the Mac workstation, Remote Management and Remote Login under System Preferences -> Sharing needs to be enabled, and your user needs to be listed. Note that you need to use a local account for this (either a local account or a UiO-account set up as a mobile account).

If that is not the case, talk to us in IT about setting it up.

Example connecting a Mac laptop to a Mac workstation via VNC

How to get vnc from my laptop to my stationary Mac to work after ssh to the workstations were closed (thanks to Terje F.):

ssh -CY -J USERNAME@login.astro.uio.no -L 5901:localhost:5900 USERNAME@WORKSTATION.uio.no

and then start the VNC session with command+K in Finder, and connect to it by:

vnc://localhost:5901


2) In order to ease the access you can use the following lines in ~/.ssh/config
(create the file if it doesn't exist) on the computer you are connecting from:

Host <hostname>.uio.no
     ProxyCommand ssh <username>@login.astro.uio.no -W %h:%p

Give ~/.ssh/config correct permission by running:

chmod 600 ~/.ssh/config

Replace <hostname> and <username> with your computer name and username at UiO, respectively.
This will tunnel the connection through login.astro.uio.no to <hostname>. 

Connect to a linux workstation from a linux laptop

Finally, you can connect to your computer at ITA from anywhere by using an SSH tunnel.

If you are on a UiO-network (for instance at Ullevål), you can connect directly to the workstation. From outside UiO, you need to connect through login.astro.uio.no (as defined by ~/.ssh/config file):

ssh -L 5900:localhost:5904 <hostname>.uio.no

(if vncserver for instance returned :4 when you started it).

Now you should be able to use vncviewer and connect to the server address localhost:5900.

vncviewer localhost:5900

If you have set a VNC password, you will be prompted for it when you connect.
In addition I had to start a window manager in order to move windows etc:

$ xfwm4&

Connect to a linux workstation from a Mac laptop

Finally, you can connect to your computer at ITA from anywhere by using an SSH tunnel.

If you are on a UiO-network you can connect directly to the workstation. From outside UiO, you need to connect through login.astro.uio.no (as defined by ~/.ssh/config file). From a terminal window on your laptop do:

ssh -L 5901:localhost:5904 <hostname>.uio.no

(if vncserver for instance returned :4 when you started it).

NOTE: If you are using Mac OS X to connect you can't use local port 5900. You need to use port 5901 (as in the example above) or higher.

If the VNC server is successfully contacted, you will be prompted for the VNC password to authenticate.

To get the keyboard mapping right, you need to run a VNC Viewer on the laptop. One possible app is RealVNC. It is free and can be downloaded from here. In app store there are several other options as well if you prefer.

If you have set a VNC password, you will be prompted for it when you connect.

Connecting to a Mac workstation from a Mac laptop

If you are on a UiO-network (for instance at Ullevål), you can connect directly to the workstation. From outside UiO, you need to connect through login.astro.uio.no (as defined by ~/.ssh/config file).

ssh -L 5901:localhost:5900 <hostname>.uio.no

NOTE: If you are using Mac OS X to connect you can't use local port 5900. You need to use port 5901 (as in the example above) or higher.

In Finder, go to Go -> Connect to Server and type in vnc://localhost:5901. Alternatively you can use Safari and type in vnc://localhost:5901 as the URL and click on Connect on the following prompt for Screen Sharing.

If the VNC server is successfully contacted, you will be prompted for the VNC username and password to authenticate. Remember that this is the local user described in "Starting the VNC server on a Mac workstation".

Setting the correct screen resolution on a linux workstation

You can configure the screen resolution to match the resolution on your monitor. You do this by adding a geometry statement to ~/.vnc/config file on the workstation, for instance:

geometry=2560x1440

Setting the correct screen resolution on a Mac workstation

On a Mac workstation, the  screen resolution is automatically detected by the connected monitor(s). Since we don't have monitors connected, MacOS will assume 640x480. To fix this, we connect HDMI plugs emulating monitors. At the moment we have only one per workstation, but we have more on order so you can set up two displays. Expected delivery within week 2/19.

With the plugs connected, you can run at 4K (3840 × 2160) resolution to match the new 28" and 32" monitors.

To be able to select 3840x2160, you need to run a small app called "Display menu". It has been installed on all Mac workstations. When you start it you will get a small display icon on the the top menu bar.

NOTE: You can choose to automatically start "Display menu" with the "Start on login" option at the bottom of the menu (click the small arrow to access options).

X11 from Windows

You should test your connection towards login.astro.uio.no or login.uio.no before you may test a connection to your workstation or compute node.

X-Win32: See the Norwegian page from UiO for X-Win32
Set up connections to MACHINE.uio.no with the Wizard using ssh.
(Unknown: Does X-Win32 support the use of jumphost?)

Xming & PuTTY
Download Xming and PuTTY, PuTTY is a ssh-alike tool.

Useful programs, terminal multiplexers for working at the command line

Tmux

A Terminal multiplexer is a program that can be used to multiplex login sessions inside the Terminal. This allows users to have multiple sessions inside a single Terminal window. One of the important features of the Terminal multiplexer is that users can attach and detach these sessions.

Much like Screen, Tmux might be used to follow your session in terminals from where you connect.

LinuxHint has written a comparison between tmux and screen

Superuser has a thread showing the difference as well.

Screen

Screen is a nice little program that can be used if you don't want or it's difficult to keep an ssh connection open at all time. All programs started within a screen session will continue to run if you disconnect the ssh or login session you have on the computer. To start screen, simply type

> screen

in a terminal and on a computer you want to run your program (for example one of the compute nodes). You can now start the program of your choice (for example IDL or a C++ program) within this screen session. To detach (i.e. disconnect) the screen session, simply type ctrl+a ctrl+d. You can now log out from the computer while your programs continue to run within the screen session. The next time you want to check in on your programs, simply log on to the computer running your screen session, and type

> screen -dR

to reattach the screen session. You can run several terminal sessions/«windows» in the same screen session. Say you want to run both IDL and run a C++ code at the same time. Simply do ctrl+a ctrl+c to open a new terminal. To switch between the terminals, use ctrl+a ctrl+a.

Useful screen commands:

ctrl+a ctrl+c Create new terminal
ctrl+a ctrl+a Jump to previously used terminal
ctrl+a <space> Jump to next terminal
ctrl+a ctrl+d Detach screen ('screen -dR' to reattach)
ctrl+a <number> Jump to terminal number <number>
ctrl+a ctrl+w List of open terminals/windows
ctrl+a ? List more commands

To quit screen, simply log out of all the terminals.

You should make sure that your jobs does not open any windows (plots for example). Save such things to file instead.

Published Mar. 23, 2012 4:44 PM - Last modified July 4, 2023 11:38 AM