Integrating a Home Machine or Wireless Laptop into the UBC CS Network

This web page is primarily of interest for new UBC CS grad students who want to configure their home machine so that it feels pretty much like a machine in the department. It is also useful for integrating laptops that are on the wireless network. I have been working with this kind of configuration for more than 2 years now, and I am very happy with it.

This page describes the procedures for Redhat Linux (I currently run version 8.0 at home), and Mac OS X. The latter I just set up recently, so it is not as thoroughly tested as the Linux variant. I am confident that most tricks will directly work under other UNIX-style OS. I would think that similar possibilities exist under Windows, but in some cases I don't know for sure, and frankly, I don't care. If you are interested in Windows, the department FAQ pages are a good place to start looking.

--------------------------------------------------

Background: ssh Tunneling

For security reasons, the department servers will not accept requests from computers outside the department network for services such as mail, news, or mounting file systems. Ssh tunneling is a secure way to work around this restriction and access these services anyway. Since it is the central mechanism used in the following, here is a little explanation of how it works.

Firstly, ssh by itself is a secure terminal application. It works like telnet but encrypts all the communication, so that the transmission of passwords cannot be snooped by third parties. In addition to this basic service, ssh also offers the possibility to tunnel communication channels for certain services.

To make this specific, assume I run the following command (as root - more about this below) from my home machine:

ssh -L25:mail:25 cascade.cs.ubc.ca -l heidrich

I will be prompted for my password, and then be logged into cascade under my UBC account. At the same time, ssh will monitor connections to TCP port 25 on my home machine, encrypt the data exchanged over this port, and send it on ("tunnel" it) to cascade. The ssh server on cascade will then decrypt the communication, and send it on to port 25 of mail.cs.ubc.ca. Note that mail.cs.ubc.ca will accept this connection, since it looks like it is coming from cascade, not my home machine.

As it happens, port 25 is reserved for the SMTP service, which is the networking service responsible for sending email. So, if I now configure my mail reader at home to use "localhost" as the SMTP server, then any outgoing mail is tunneled to mail.cs.ubc.ca, and sent from there. This causes all mails to look like they have been sent from within the UBC CS network.

The same basic mechanism works for many other services, as detailed below. The actual ssh command I use on both Linux and Mac OS X is

ssh -L119:news:119 -L143:mail:143 -L25:mail:25 -L139:cs-smb:139 -L80:www:80 -L88:www.ugrad:80 cascade.cs.ubc.ca -l heidrich

Note that most of these ports are protected, meaning that only root can access them. Because of this, the ssh command has to be issued by root. Since I am too lazy to change users every time, I actually wrote a tiny C program that issues the command. I just install that program with the SUID bit, so I can run it as a regular user. The program is set up to run in the background (i.e. it won't actually give you a shell on cascade).
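As an added example (not the author's program), here is how such a SUID wrapper can be written so that the forwarded ports stay fixed inside the binary and nothing from the calling user's environment reaches the root-owned ssh process. It assumes ssh lives at /usr/bin/ssh, uses the login "heidrich" from the page, and passes ssh's -N and -f flags so that only the forwards are set up and ssh backgrounds itself after authentication.

```c
/* Added example, not the page's own program: a SUID-root wrapper that starts
 * the page's ssh tunnel in the background. Assumes ssh is at /usr/bin/ssh and
 * the department login "heidrich" from the page. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* The argument list is fixed in the binary: the wrapper takes nothing from the
 * caller, so an unprivileged user cannot pick other ports, hosts or options. */
static const char *const TUNNEL_ARGV[] = {
    "/usr/bin/ssh",
    "-N", "-f",          /* no remote shell; background after authentication */
    "-L119:news:119", "-L143:mail:143", "-L25:mail:25",
    "-L139:cs-smb:139", "-L80:www:80", "-L88:www.ugrad:80",
    "cascade.cs.ubc.ca", "-l", "heidrich",
    NULL
};

/* Local port of a "-Llocal:host:remote" option, or -1 if it is not one. */
int forward_local_port(const char *arg)
{
    const char *p;
    int port = 0, digits = 0;
    if (strncmp(arg, "-L", 2) != 0) return -1;
    p = arg + 2;
    for (; *p >= '0' && *p <= '9'; p++, digits++) port = port * 10 + (*p - '0');
    if (digits == 0 || *p != ':') return -1;          /* need a local port */
    p++;
    if (*p == ':' || !strchr(p, ':')) return -1;       /* need host and remote port */
    p = strchr(p, ':') + 1;
    if (!*p) return -1;                                /* remote port must not be empty */
    for (; *p; p++) if (*p < '0' || *p > '9') return -1;
    return port;
}

/* Number of forwards in TUNNEL_ARGV whose local port is below 1024: these are
 * the ones that force the wrapper (and hence ssh) to run as root. */
int privileged_forwards(void)
{
    int i, n = 0;
    for (i = 0; TUNNEL_ARGV[i]; i++) {
        int port = forward_local_port(TUNNEL_ARGV[i]);
        if (port >= 0 && port < 1024) n++;
    }
    return n;
}

int main(void)
{
    /* Real uid set to root and a minimal environment, so nothing the caller
     * sets (PATH, LD_PRELOAD, ...) influences the root-owned ssh process. */
    char *const env[] = { "PATH=/usr/bin:/bin", NULL };
    if (setuid(0) != 0) { perror("setuid"); return 1; }
    execve(TUNNEL_ARGV[0], (char *const *)TUNNEL_ARGV, env);
    perror("execve /usr/bin/ssh");   /* only reached if ssh could not be started */
    return 1;
}
```

Install it with "chown root" and "chmod 4755"; because the argument list is compiled in, changing the forwarded ports means recompiling rather than editing a config file the wrapper would have to trust.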

--------------------------------------------------

Mail, IMAP, News

Linux and Mac OS X:

The previous section already discussed how to set up the sending part of email (i.e. SMTP). The same principle applies to receiving email via IMAP (port 143), and connecting to the news server (port 119). All you need to do is start your favourite mail/news browser, and select "localhost" as your IMAP/news server.

One note: if you use IMAP from one machine you are better off if you completely move over your mail browsing to IMAP, even when you are on a department machine (just specify mail.cs.ubc.ca as an IMAP server while on a department machine). Otherwise it is possible to lose email under certain conditions...

--------------------------------------------------

Mounting Home and Project Directories

This is where it really gets interesting. It is actually possible to mount your research directories at home. To this end, you don't use NFS, like you normally would under Linux/Unix, but SMB (windows filesystem services - "samba" is the open source implementation of these). In order to make this work, you need to know that SMB occupies port number 139, that the departmental samba server is cs-smb.cs.ubc.ca, and that the workgroup/network name is UBC-CS.

Cs-smb exports two kinds of file systems: your individual user home, and "research" filesystems, which include pretty much everything, including /imager, /lci, etc. Files that you can't read on the CS machines will simply not show up at all in the SMB mount. After issuing an ssh command such as the one from the introduction, the user home is mountable from a "device" called //localhost/your_department_user_name. The research directories are available as the "device" //localhost/research.

Linux:

On my home machine, I mount these devices to /cshome and /dept, respectively. You can either do this manually as root, or add the following two lines to /etc/fstab to allow arbitrary users to mount the file systems.

//localhost/heidrich /cshome smbfs noauto,users,username=heidrich,workgroup=UBC-CS,rw,uid=heidrich,gid=heidrich 0 0

//localhost/research /dept smbfs noauto,users,username=heidrich,workgroup=UBC-CS,rw,uid=heidrich,gid=heidrich 0 0

The entries for uid and gid refer to user and group names on your home machine, while username is your department login name. There are additional options to smbmount that could be interesting. For those, please read the man pages.

Any user on your home machine can now mount the two directories with the commands "mount /cshome" and "mount /dept", respectively (you will be prompted for your CS password when you issue these commands). To give you a concrete example of the effects of the mount operations: I am currently editing this web page from my home machine, where it is mounted as both

/cshome/World/vpn.html
as well as
/dept/faculty/heidrich/World/vpn.html

Mac OS X:

On my Apple laptop I use the same principle. The ssh forwarding command is identical to the one under Linux. Unfortunately, the forwarded port is not automatically detected by the Mac OS X automounter, and hence doesn't show up in Finder. Luckily, Mac OS X is running Unix under the hood, and hence we can fall back to a command line solution. The following two commands mount the same directories I mentioned for Linux:

/sbin/mount_smbfs -U heidrich -W UBC-CS -f 600 -d 700 -g heidrich -u heidrich //localhost/heidrich /cshome

/sbin/mount_smbfs -U heidrich -W UBC-CS -f 600 -d 700 -g heidrich -u heidrich //localhost/research /dept

The -f and -d options are the local (i.e. Mac OS X) UNIX permissions of files and directories, respectively. -g and -u are the local (i.e. Mac OS X) user name and group. I define shell aliases for the above commands in practice.

--------------------------------------------------

Web Access

The department has several web pages that are protected in some way. Some pages are protected by the IP address (i.e. they are only readable from within the department or from within UBC). Others require you to provide your department login and password (of the latter ones, some use encrypted communication, but a lot don't - which is really unsafe when working from home).

Linux and Mac OS X:

By forwarding port 80 (HTTP), you can tunnel your requests to the department web server through ssh. This way, pages protected by address will work, but also any communication with password protected pages will actually be encrypted.

How do you use it? Simply use "localhost" rather than "www.cs.ubc.ca" in any URL. For example,

http://localhost/nest/imager/imager-web/Resources/machines_name.html
refers to an address-protected web page within the Imager web site.

The problem with this approach is that it will work only for one specific web server (in this case www.cs.ubc.ca). What if you need to access protected pages on multiple servers? You can do that, too, but you will have to choose a different local port number for every server. For example, my ssh command includes the option -L88:www.ugrad:80, which takes port 88 (previously unused on my machine), and forwards it to port 80 (HTTP) on www.ugrad.cs.ubc.ca. Hence,

http://localhost:88/~cs424
refers to the course web page of CPSC 424 (some parts of which are protected).

--------------------------------------------------

Printing

Printing is another service that can be tunneled over ssh. There are at least two different ways to do this: one involves the printer protocol (port 515), the other one uses samba (SMB) for printing. I haven't really looked into this since so far I did not feel the need for remote printing from home. If I ever get around to looking into this, I'll report the summary here. (Recent update: I might take this on as my next pet project to get printing going on my Apple notebook).

--------------------------------------------------

Network Time Protocol

The network time protocol (NTP) keeps your clock synchronized with a time server, which saves you the trouble of setting the clock every few weeks. More importantly, it also helps avoid time difference problems with samba-mounted file systems (these can potentially throw off make systems, for example).

Linux:

Thankfully, the department NTP servers accept requests from the outside, so there is no need to use ssh tunneling for this service. Setting up NTP is consequently pretty simple: copy the file

/etc/ntp.conf
from one of the departmental Linux boxes to your home machine. The server gets started automatically at reboot. If you want to start it manually, run

/etc/init.d/ntpd start
as root. If that command reports "cannot synchronize to server", your clock is probably too different from the server's time. In that case, manually adjust your clock to the server time, by running (as root)

ntpdate ntp1.cs.ubc.ca
Now try starting the server again.

Mac OS X:

The "Date&Time" module of the System Preferences allows you to select a time server that Apple provides. This is not the ideal solution: if one mounts a file system from the CS servers, one would really like to have the same time as those servers. However, using the Apple server is better than nothing, and the two are typically within a second of each other, which is not so bad. I haven't figured out a way to specify a different NTP server, yet. If you work this out, please let me know.

--------------------------------------------------