SSH

Introduction

You can connect to the server remotely over SSH, authenticating yourself with either a password or a public key, whichever you prefer.

Note, however, that even if you do decide to use public key cryptography and disable password-based SSH login, you may still want to set up a strong password that you can easily remember, for reasons that will be explained elsewhere.

Currently, depending on how the server is set up, you may access it from either the internal IJCLab network or its own Wi-Fi hotspot, as explained below.

At this point in time, public access to the server from the Internet has not been negotiated with the local security team. Therefore, even when the server is “at home” inside the IJCLab network, it is not yet possible to access it from outside of the lab’s internal network. Note that public Wi-Fi hotspots inside IJCLab’s buildings, such as lalpublic or eduroam (when connecting to the latter using a non-IJCLab account), are considered to be external to the lab network from this perspective.

IJCLab network specifics

When the server is connected to the IJCLab network, it is accessible to everyone with an IJCLab LDAP computing account.

On that network, for legacy reasons, ssh user@srv-calcul-ambulant may or may not work; as of 2022, you need to use the fully qualified domain name srv-calcul-ambulant.lal.in2p3.fr.

For easier remote access, you may want to set up something like this in your ~/.ssh/config file, adjusting the usernames as appropriate for your IJCLab and srv-calcul-ambulant user accounts.

    Host ssh-ubuntu*.ijclab.in2p3.fr
        User grasland
        ForwardAgent yes

    Host srv-calcul-ambulant
        User hadrien
        HostName srv-calcul-ambulant.lal.in2p3.fr
        ProxyJump ssh-ubuntu1.ijclab.in2p3.fr

Provided that you have set up passwordless SSH login on both IJCLab’s “lx” SSH gateways and srv-calcul-ambulant using your public key, this will allow you to easily connect to the server from outside the lab using the same ssh srv-calcul-ambulant command that you would use on the local network, with the added benefit of not having to specify the username.

Note, however, that this SSH configuration will also prevent direct access to the server from its local Wi-Fi network, and you will want to comment out or otherwise bypass the Host srv-calcul-ambulant section of ~/.ssh/config in that scenario.

Wi-Fi hotspot specifics

When you are directly connected to srv-calcul-ambulant via its Wi-Fi hotspot, ssh <your username>@srv-calcul-ambulant should in principle work. But there are two important scenarios where it will fail:

  • Your computer is simultaneously connected to srv-calcul-ambulant and the Internet (think webcasting).
  • Your computer's DNS configuration enforces translation of this unqualified domain name to an incorrect fully qualified domain name such as srv-calcul-ambulant.ijclab.in2p3.fr.
    • While this may seem like an obscure edge case, laptops installed by the IJCLab computing service are actually preconfigured like this as of 2021.

In those scenarios, you will need to use the raw server IP address instead, which is 192.168.24.2. To keep the convenience of a readable bash history, you can tell SSH to associate the srv-calcul-ambulant name with that IP address through the following ~/.ssh/config entry.

    Host srv-calcul-ambulant
        HostName 192.168.24.2

This entry replaces the one suggested above, which must be commented out or deleted in this network configuration. You can, however, also add a User configuration, as suggested above, so that ssh srv-calcul-ambulant without a user@ qualifier works.
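
The gateway entry from the IJCLab section and the hotspot entry above can also coexist in one ~/.ssh/config, so that nothing has to be commented out when changing networks. The following is an added example, not part of the original page; it assumes that nc is installed on your computer and that a one-second reachability probe is acceptable, and the HostKeyAlias line is an addition as well.

```sshconfig
# Added example, not from the original page.
# Assumptions: nc is installed locally; a 1-second probe timeout is acceptable.

Host ssh-ubuntu*.ijclab.in2p3.fr
    User grasland
    # ForwardAgent is left out: ProxyJump authenticates to the final host from
    # the local machine, so this hop does not need the agent forwarded to the
    # gateway.

# Hotspot case: taken only when the server's hotspot address answers on the
# SSH port. It must come before the Host block below, because ssh keeps the
# first value it obtains for each option.
Match originalhost srv-calcul-ambulant exec "nc -z -w 1 192.168.24.2 22"
    HostName 192.168.24.2
    ProxyJump none

# Default case: reach the server through the IJCLab gateway.
# This block also applies in the hotspot case, where it only contributes the
# options not already set above (User and HostKeyAlias).
Host srv-calcul-ambulant
    User hadrien
    HostName srv-calcul-ambulant.lal.in2p3.fr
    ProxyJump ssh-ubuntu1.ijclab.in2p3.fr
    # Record and check the host key under one name on both paths. Once the
    # key is recorded, another device answering on 192.168.24.2 on an
    # unrelated network fails host key verification.
    HostKeyAlias srv-calcul-ambulant
```

Running ssh -G srv-calcul-ambulant prints the options that ssh resolved (including hostname and proxyjump) without connecting, which shows which of the two paths was selected on the current network.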