This page describes the procedures for Red Hat Linux (I currently run version 8.0 at home), and Mac OS X. The latter I just set up recently, so it is not as thoroughly tested as the Linux variant. I am confident that most tricks will work directly under other UNIX-style operating systems. I would think that similar possibilities exist under Windows, but in some cases I don't know for sure, and frankly, I don't care. If you are interested in Windows, the department FAQ pages are a good place to start looking.
Firstly, ssh by itself is a secure terminal application. It works like telnet but encrypts all the communication, so that the transmission of passwords cannot be snooped by third parties. In addition to this basic service, ssh also offers the possibility to tunnel communication channels for certain services.
To make this specific, assume I run the following command (as root - more about this below) from my home machine:
ssh -L25:mail:25 cascade.cs.ubc.ca -l heidrich
I will be prompted for my password, and then be logged into cascade under my UBC account. At the same time, ssh will monitor connections to TCP port 25 on my home machine, encrypt the data exchanged over this port, and send it on ("tunnel" it) to cascade. The ssh server on cascade will then decrypt the communication, and send it on to port 25 of mail.cs.ubc.ca. Note that mail.cs.ubc.ca will accept this connection, since it looks like it is coming from cascade, not my home machine.
As it happens, port 25 is reserved for the SMTP service, which is the networking service responsible for sending email. So, if I now configure my mail reader at home to use "localhost" as the SMTP server, then any outgoing mail is tunneled to mail.cs.ubc.ca, and sent from there. This causes all mails to look like they have been sent from within the UBC CS network.
The same basic mechanism works for many other services, as detailed below. The actual ssh command I use on both Linux and Mac OS X is
ssh -L119:news:119 -L143:mail:143 -L25:mail:25 -L139:cs-smb:139 -L80:www:80 -L88:www.ugrad:80 cascade.cs.ubc.ca -l heidrich
Note that most of these ports are protected, meaning that only root can access them. Because of this, the ssh command has to be issued by root. Since I am too lazy to change users every time, I actually wrote a tiny C program that issues the command. I just install that program with the SUID bit, so I can run it as a regular user. The program is set up to run in the background (i.e. it won't actually give you a shell on cascade).
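The launcher mentioned above is not shown on this page. As an added example (not the author's program), a setuid-root wrapper of this kind can be written so that it accepts no arguments and passes no caller-controlled environment to ssh. The ssh path /usr/bin/ssh and the -f and -N options are assumptions.

```c
/* Added example: setuid-root launcher for the tunnel command above. */
#include <stdio.h>
#include <unistd.h>

/* Assumption: install path of the OpenSSH client on this machine. */
#define SSH_PATH "/usr/bin/ssh"

/* Fixed argument vector; nothing in it is taken from the caller.
 * -f and -N (assumed here) background ssh after authentication and
 * skip the remote shell; the rest is the command from the text. */
static char *const tunnel_argv[] = {
    "ssh", "-f", "-N",
    "-L119:news:119", "-L143:mail:143", "-L25:mail:25",
    "-L139:cs-smb:139", "-L80:www:80", "-L88:www.ugrad:80",
    "cascade.cs.ubc.ca", "-l", "heidrich", NULL
};

/* Replacement environment: the caller's variables are dropped, so
 * nothing user-controlled reaches a process running as root. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };

/* Returns 2 if arguments were passed, 1 if a system call failed.
 * On success execve() does not return. */
int launch_tunnel(int argc)
{
    if (argc != 1) {
        fprintf(stderr, "usage: this program takes no arguments\n");
        return 2;
    }
    /* The setuid bit changes only the effective UID. Set the real UID
     * too, since ssh checks it before forwarding ports below 1024. */
    if (setuid(0) != 0) {
        perror("setuid");
        return 1;
    }
    execve(SSH_PATH, tunnel_argv, clean_env);
    perror("execve");
    return 1;
}

int main(int argc, char **argv)
{
    (void)argv;
    return launch_tunnel(argc);
}
```

Installed owned by root with mode 4750 and a dedicated group, only members of that group can start the tunnels.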
One note: if you use IMAP from one machine you are better off if you completely move over your mail browsing to IMAP, even when you are on a department machine (just specify mail.cs.ubc.ca as an IMAP server while on a department machine). Otherwise it is possible to lose email under certain conditions...
Cs-smb exports two kinds of file systems: your individual user home, and "research" filesystems, which include pretty much everything, including /imager, /lci, etc. Files that you can't read on the CS machines will simply not show up at all in the SMB mount. After issuing an ssh command such as the one from the introduction, the user home is mountable from a "device" called //localhost/your_department_user_name. The research directories are available as the "device" //localhost/research.
//localhost/heidrich /cshome smbfs noauto,users,username=heidrich,workgroup=UBC-CS,rw,uid=heidrich,gid=heidrich 0 0
//localhost/research /dept smbfs noauto,users,username=heidrich,workgroup=UBC-CS,rw,uid=heidrich,gid=heidrich 0 0
The entries for uid and gid refer to user and group names on your home machine, while username is your department login name. There are additional options to smbmount that could be interesting. For those, please read the man pages.
Any user on your home machine can now mount the two directories with the commands "mount /cshome" and "mount /dept", respectively (you will be prompted for your CS password when you issue these commands). To give you a concrete example of the effects of the mount operations: I am currently editing this web page from my home machine, where it is mounted as both
/cshome/World/vpn.html
as well as
/dept/faculty/heidrich/World/vpn.html
/sbin/mount_smbfs -U heidrich -W UBC-CS -f 600 -d 700 -g heidrich -u heidrich //localhost/heidrich /cshome
/sbin/mount_smbfs -U heidrich -W UBC-CS -f 600 -d 700 -g heidrich -u heidrich //localhost/research /dept
The -f and -d options are the local (i.e. Mac OS X) UNIX permissions of files and directories, respectively. -u and -g are the local (i.e. Mac OS X) user name and group. In practice, I define shell aliases for the above commands.
How do you use it? Simply use "localhost" rather than "www.cs.ubc.ca" in any URL. For example,
http://localhost/nest/imager/imager-web/Resources/machines_name.html
refers to an address-protected web page within the Imager web site.
The problem with this approach is that it will work only for one specific web server (in this case www.cs.ubc.ca). What if you need to access protected pages on multiple servers? You can do that, too, but you will have to choose a different local port number for every server. For example, my ssh command includes the option -L88:www.ugrad:80, which takes port 88 (previously unused on my machine), and forwards it to port 80 (HTTP) on www.ugrad.cs.ubc.ca. Hence,
http://localhost:88/~cs424
refers to the course web page of CPSC 424 (some parts of which are protected).
/etc/ntp.conf
from one of the departmental Linux boxes to your home machine. The server gets started automatically at reboot. If you want to start it manually, run
/etc/init.d/ntpd start
as root. If that command reports "cannot synchronize to server", your clock is probably too different from the server's time. In that case, manually adjust your clock to the server time by running (as root)
ntpdate ntp1.cs.ubc.ca
Now try starting the server again.