Logging in to internal machines from outside the department

Here's how to log in to a machine inside the department which doesn't have a public IP address, from outside the department (e.g. from home).

Suppose you are trying to log in as username "user" to a machine named "happy" in the sandbox network "joy.sandbox", and suppose that "user" is also your CSLab login name. We'll discuss the command-line version first because it's easiest.

From within the department, you can type "ssh user@happy.joy.sandbox".

From outside the department, you can instead type

	ssh -t user@apps0.cs.toronto.edu ssh happy.joy.sandbox

You can put this in an "alias", of course.

Sidenotes for the curious:
  • There are two forms of "ssh" -- "ssh host" and "ssh host command". In the latter case, it doesn't allocate a "tty" by default, but we need to do so to provide a full login session, so we use "-t" above. The "ssh happy.joy.sandbox" is of the form "ssh host" and thus will already allocate a tty by default (-t wouldn't change anything).
  • And you don't need to specify your user name for happy.joy.sandbox above because it is the same as the user name on apps0.
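
A shell function that can stand in for the alias mentioned above. This is an added example, not part of the original page; the names cslab, cslab_cmd, valid_host, JUMP_HOST and CSLAB_USER are made up here. It checks the host name first, because in the "ssh host command" form the command is handed to your login shell on apps0 as a single string.

```shell
#!/bin/sh
# Added example (not from the original page): a function to use instead of
# an alias for the two-hop login. Function and variable names are made up.

JUMP_HOST="apps0.cs.toronto.edu"    # externally reachable host, from the page
CSLAB_USER="${CSLAB_USER:-user}"    # "user" is the page's placeholder login

# Accept only plain DNS-style names. The inner "ssh <host>" is joined into one
# string and run by your login shell on apps0, so a leading "-" would be read
# as an ssh option and characters like ";" or a space as shell syntax.
valid_host() {
    case "$1" in
        ""|-*|.*|*[!A-Za-z0-9.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the command line that cslab would run (handy for checking).
cslab_cmd() {
    valid_host "$1" || { echo "cslab: bad host name: $1" >&2; return 1; }
    printf 'ssh -t %s@%s ssh %s\n' "$CSLAB_USER" "$JUMP_HOST" "$1"
}

# Log in through apps0, e.g. "cslab happy.joy.sandbox".
cslab() {
    valid_host "$1" || { echo "cslab: bad host name: $1" >&2; return 1; }
    ssh -t "$CSLAB_USER@$JUMP_HOST" ssh "$1"
}
```

Put it in your shell startup file and set CSLAB_USER to your CSLab login name.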

By default the above command will ask you for a password twice: first for user@apps0, and second for user@happy. The second stage can be made passwordless by copying your .ssh/id_rsa.pub file on an apps machine to .ssh/authorized_keys on happy. If you don't have an .ssh/id_rsa.pub file, type "ssh-keygen -t rsa" and then just press return at each of the questions.

I don't recommend making the first stage passwordless (the logging in to apps0 from your home computer).

If you are using the ms-windows program "putty" to log in to your machine from the outside, you can do something similar to that "ssh -t ..." command above in putty, as follows.

In the main putty connection window (the thing you get as soon as you run putty), first type the host name "apps0.cs.toronto.edu" in the usual place, but don't press return or OK. Then on the panel on the left side, click on "SSH" under the "Connection" list, and then type "ssh happy.joy.sandbox" under "remote command" at the top. You can then press return to do the login, or you can click back on Session at the very upper left to save this as a "session", which means you can select it from the initial screen in future. (To save it as a "session", type a name under "saved sessions" and then press "save".) (In case you were wondering, the "-t" option is (apparently) default in putty.)


After all that you might be asking, does it really help for us to make you go through all of this when you can log in externally anyway? Yes it does help, because you first have to log in to an apps machine before you log in to happy.joy.sandbox. This means that only people with accounts on an externally-accessible machine in the department can attempt to log in to happy.joy.sandbox, or otherwise probe it in any way for security vulnerabilities. It's a big department, but it's still 0.00000% of the internet, so this is a significant security gain.