TCM

SSH Tricks

Remote access to TCM, or almost any other computer facility, is generally done via ssh. Short, simple, and easy to use. But there are a couple of tricks to make it even easier.

Short names

If .tcm.phy.cam.ac.uk is not automatically searched for short hostnames, one can add them to one's .ssh/config file in a form such as

Host pc52
  HostName pc52.tcm.phy.cam.ac.uk

Jump hosts for private addresses

Some machines in TCM have addresses which are private to Cambridge's network, and are not visible from the global internet. One can easily log on to these by first logging in to a TCM machine with a global IP address, and then using that to log in to the real target. But rather than typing two ssh commands, one can type just one. First create a .ssh/config file containing something like:

Host fred
	HostName cluster.tcm.phy.private.cam.ac.uk
	ProxyJump [email protected]

Here "fred" is what you wish to call the remote host when you type something like "ssh fred". Generally one would choose the first component of the name of the final target, but this example demonstrates that one does not have to do this.

ProxyJump gives the name of the TCM host with a public IP address that one wishes to use as an intermediate step. You will need to prefix it with your user id.

HostName gives the name of the final target machine. The name must be resolvable by the intermediate host, but does not need to be resolvable by the host from which one starts.

This will result in two password prompts.

(The syntax in this section requires OpenSSH 7.3 or later. For earlier versions one needs

  ProxyCommand ssh [email protected] -W %h:%p

in place of the ProxyJump command. Or, better, upgrade: OpenSSH 7.3 was released in 2016.)

Avoiding retyping passwords

Once an ssh connection has been established between two machines, further ssh (or sftp, or scp) connections could simply multiplex on the existing connection. To enable this for all hosts, the magic needed in a .ssh/config file is

Host *
	ControlMaster auto
	ControlPath /tmp/ssh-%r@%h:%p

(Note that this will regard pc52 and pc52.tcm.phy.cam.ac.uk as being different.)

On a shared machine it is best to point ControlPath to a directory to which only you can write. In TCM /scratch/%u/ssh-%r@%h:%p would be a possible choice, and on many systems /run/user/%i/ssh-%r@%h:%p should work well.

This form will use an existing connection if one exists and permits multiplexing, else it will make a new connection which permits multiplexing.
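
The advice above about pointing ControlPath at a directory to which only you can write can be checked before the directory is used. The following is an added example, not part of the original page: the function names are assumptions for illustration, and the directories to check are passed as arguments.

```shell
#!/bin/sh
# Added example: check that the directory part of a ControlPath is private.
# Function names are hypothetical; nothing here is TCM-specific.

# controlpath_dir_status DIR
# Prints one of: missing, not-owner, writable-by-others, ok.
# Returns 0 only for "ok".
controlpath_dir_status() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo missing
        return 1
    fi
    # -H follows a symlink given on the command line; -prune stops find
    # descending, so the tests apply to the directory itself.
    if [ -z "$(find -H "$dir" -prune -user "$(id -u)" -print)" ]; then
        echo not-owner
        return 1
    fi
    # Group-writable or world-writable: someone else may be able to create
    # or replace entries where ssh expects its control socket.
    if [ -n "$(find -H "$dir" -prune \( -perm -0020 -o -perm -0002 \) -print)" ]; then
        echo writable-by-others
        return 1
    fi
    echo ok
}

# make_private_dir DIR
# Create DIR if needed and make it accessible to its owner only (mode 0700).
make_private_dir() {
    ( umask 077 && mkdir -p "$1" ) && chmod 700 "$1"
}

# Report on every directory given on the command line, e.g.
#   sh check-controlpath.sh /tmp "/run/user/$(id -u)"
for d in "$@"; do
    printf '%s: %s\n' "$d" "$(controlpath_dir_status "$d")"
done
```

On a typical system /tmp is reported as not-owner (it belongs to root), which is the reason for moving ControlPath out of it on a shared machine.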

Slow graphics

Ssh with the -Y option usually allows standard graphical applications to display remotely. I find from a BT broadband connection that things like emacs are quite usable, if not quite as snappy as when run locally.

If doing something more graphics intensive, then using some form of VNC will give much improved performance. It can be painful to set up, particularly securely, particularly if Windows is involved, but the result is remarkably fast. I can barely tell the difference between remote and local applications.

File access

The traditional answers are sftp or rsync (or the now-deprecated scp). GUI interfaces for these exist, such as FileZilla.

One can also access files directly over ssh as though they were held locally. It will be slow, so it is best used for editing files rather than compiling, or reading or writing huge data files.

$ mkdir TCM
$ sshfs [email protected]: TCM
[... work on files which have appeared in the directory TCM ...]
$ umount TCM

It even works with /scratch directories.

$ sshfs [email protected]:/scratch/spqr1 TCM

I would recommend being conservative with this command, and stopping it when not in use. Expecting it to cope well with network outages (e.g. laptops disappearing into railway tunnels) may be unreasonable.

Linux generally has sshfs. MacOS users may wish to look at macFUSE.

Public key authentication

TCM does not offer this. Used well, it is much better than password authentication. Used badly, it is much worse, as private keys are stored in files with well-known names, and may have blank, or weak, passphrases. It is not possible for us to determine whether passphrases are weak, or even exist at all. It is possible for us to determine if passwords are weak.

Experience suggests that some TCM users would be naughty.

VPNs

VPNs have always seemed too complicated to me. Ideally one would like some traffic to be routed via Cambridge (such as to journal sites to avoid paywalls), some straight to TCM, and much (such as normal web browsing and private banking) sent straight to its destination without going near Cambridge, particularly if it involves streaming videos.

For journal access, I find that the solutions on our Journal Access page are preferable to setting up VPNs.