Some students in TCD may need to access their desktops in the lab remotely via SSH. However, the network is behind a firewall, which blocks the incoming traffic and requires a penetration method. Serval potential solutions are listed, and there is no perfect solution for SSH penetration so far.
| Method | Cost | Baned | SSH | Remote Desktop | Reliable |
|---|---|---|---|---|---|
| Direct SSH | Free | ✓ | ✓ | ✗ | high |
| RestDesk | Free | ✓ | ✓ | ✓ | medium |
| ToDesk | ~25Euro+/Year | ✗ | ✗ | ✓ | high |
| TeamViewer | Free | ✗ | ✗ | ✓ | low (commercial usage ban) |
This document provides a simple solution to access the desktops in the lab remotely using SSH. The core idea is:
- Reverse SSH tunneling between the desktop in the lab and an ACCESSIBLE server (e.g., Azure).
- Port forwarding from prot 22 to another port (e.g., 2222) on the server.
- Make sure you have an ACCESSIBLE server (e.g., Azure, free for TCD students) with a public IP address (or a domain name).
- Set up an SSH service on your DESKTOP in the lab.
Sign in to the Azure portal, click Free service from the 'create a resource' menu, and then click Linux VM.
A 1-core VM with 1GB memory is enough for this purpose. Remember to close the diagnosis function for cost-saving.
The final configuration should look like this:
- 1 core cpu, 1 GB memory
- 64GB disk
- SSH public key authentication (recommended)
- Dynamic public IP address
Azure VM Fee Policy: The student Azure account can get 750 hours of B1s VMs for free every month. So just setup and forget it, if you have only 1 VM.
Band domain name to the public IP address of the VM. The Azure provides a free domain name. You can get it in the 'DNS name' section of the VM.
You can also use your own domain name.
- Make sure the SSH service is running on the server.
- Open the 'gateway ports' of SSH in the server. With Linux server, edit the SSH configuration file
/etc/ssh/sshd_config:make sure the following line is uncommented:sudo vim /etc/ssh/sshd_config
Then restart the SSH service:GatewayPorts yes
sudo systemctl restart sshd
- Add firewall rules to allow the traffic on the port you want to forward. For example, if you want to forward port 2222, add the following rule:
sudo ufw allow 22/tcp sudo ufw allow 2222 sudo ufw enable - For cloud services users, you may need to add inbound/outbound rules in the portal to allow the traffic on the port you want to forward.
For Azure VMs, add inbound/outbound rules in the Azure portal to allow the traffic on the port you want to forward.
Open a reverse SSH tunneling from the desktop to the server. Assume your private key is located at ~.ssh/YOUR_KEY.pem, the username is USER, the domain name is DOMAIN_NAME, and the port you want to forward is 2222. Run the following command on the desktop:
ssh -i ~/.ssh/YOUR_KEY.pem -R 0.0.0.0:2222:localhost:22 USER@DOMAIN_NAMEPlease note that the option -R 0.0.0.0:2222:localhost:22 means forwarding the port 22 of your desktop to the port 2222 of the server.
If everything goes well, you should login to the server. Please keep the terminal open.
For public key authentication users: You should set your private key to be read-only by the owner.
- For Linux, run the following command to set the permission:
sudo chmod 600 ~/.ssh/YOUR_KEY.pem
- For Windows, it may be a little bit tricky according to my experience. You can find many tutorials on the internet.:P
Check if the port forwarding is working. Run the following command on the server:
sudo netstat -tuln | grep 2222if you see the following output, the port forwarding is working:
tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN
tcp6 0 0 :::2222 :::* LISTENNow you can access the desktop remotely. Assume the domain name of the Azure server is DOMAIN_NAME, the username of your lab desktop is LOCAL_USER, and the port you want to forward is 2222. Run the following command on your local machine:
ssh -p 2222 LOCAL_USER@DOMAIN_NAMEIf connected successfully, you should input the password of your lab desktop and login to the desktop.
If you have set up the public key authentication in your lab desktop, you add `-i' option to specify the private key.
- You can use autossh to keep the tunnel alive.
- Or write a script to automate the process. For example, create a file
tunnel.shwith the following content:#!/bin/bash # configs REMOTE_USER="tcd_user" # Cloud server user name REMOTE_HOST="tcd_user.serverlocation.cloudapp.azure.com" # domain name OR ip REMOTE_PORT="2222" # listen port LOCAL_PORT="22" # ssh port of your desktop in TCD PRIVATE_KEY="~/.ssh/my_key.pem" # your private key of the CLOUD SERVER WAITING_TIME_SECOND="600" while true; do echo "Try SSH to the server..." # Establish ssh ssh -i "$PRIVATE_KEY" -R 0.0.0.0:"$REMOTE_PORT:localhost:$LOCAL_PORT" "$REMOTE_USER@$REMOTE_HOST" # Waiting and retry sleep WAITING_TIME_SECOND done
You can set the script to start automatically when the desktop boots up.
Sometimes you may need to SSH from your lab desktop to other servers (at your home, for example). You can try following the same steps to establish a reverse SSH tunneling from the lab desktop to the server at home. Then you can SSH from the lab desktop to the server at home.
I have not tried this yet. If you have any questions or suggestions, please feel free to contact me. I am happy to help you.