RCS User Guides
Help Guides and User documentation for Services in RCS. Publicly accessible.
SSH
Tunnelling
Public Key Authentication
SFTP - using access.eps to transfer files
How to connect to a Raspberry Pi
BASH vs TCSH SSH
The RCS SSH service, access.eps.surrey.ac.uk SSH Tunnelling
What is Tunnelling?
Whenever a connection is made to the local port or socket, the connection is forwarded over the secure channel, and a connection is made to either host port hostport, or the Unix socket remote_socket, from the remote machine. This is useful or accessing on remote machines inside the University network which are not normally available externally.
Getting Started
If you are attempting to do this from over WiFi or from home, you will need to be set up to use Two- Factor Authentication before you're able to progress with this guide.
Depending on the operating system you are running, you will need slightly different software to establish the tunnel.
Windows
To use tunnelling on Windows you will need to have PuTTY SSH Client installed on your machine.
You can get application from Surrey Software or direct from the PuTTY website: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html (recommended).
Now PuTTY is installed, open the application. We can now run through an example, establishing an RDP connection to a Windows server 'foobar.eps.surrey.ac.uk'. You will need to enter the following details:
On the first screen 'Window' you will need enter the server you want to connect through. Image not found or type unknown
Host Name (or IP address): access.eps.surrey.ac.uk Port: 22 Connection type: SSH
You can optionally give your session a 'Saved Session' name and choose 'Save', however you will want to do this after you have set up your Tunnel. You may also wish to go to the Connection > Data and entering your username into Auto-login username before you save it.
Now go to Connection > SSH > Tunnels
Image not found or type unknown On this screen you need to enter your Source port and Destination.
Source Port: 13389 Destination: foobar.eps.surrey.ac.uk:3389 (replace this with the server you're trying to access)
All other settings can be left on default.
Now optionally return to Window, enter your 'Saved Session' name and choose 'Save'.
Now click the Open button, and enter your password and two-factor authentication token.
Now you would use your RDP client (Remote Desktop Connection) to establish a connection to: localhost:13389 . This will establish an RDP connection to foobar.eps.surrey.ac.uk via access.eps.surrey.ac.uk
Linux / macOS
All flavours of Linux, and macOS come with an SSH client built in. You can access it using the Terminal (command line interface)
ssh [email protected] -L 2000:destination-server.tld:25 ssh The ssh command [email protected] This is the server you wish to connect to, prefixed by your username. For example: [email protected] . This server will be used as the gateway to tunnel your access to the destination server
-L Specifies that connections to the given TCP port or Unix socket on the local (client) host are to be forwarded to the given host and port on the remote side..
2000: The local port that you want to access on your local machine. It will need to be above destination-server.tld The server you wish to connect to.
:25 The destination port that you wish to connect to. See Regularly used ports.
So if you want to use access.eps.surrey.ac.uk to then establish an RDP (Remote Desktop session) to foobar.eps.surrey.ac.uk, you would use the following command:
ssh [email protected] -L 13389:foobar.eps.surrey.ac.uk:3389 Upon executing the command you will be prompted for your password and two-factor authentication code, or RSA keypair passphrase.
Now you would use your RDP client (Remote Desktop Connection on macOS or Remmina on Linux) to establish a connection to: localhost:13389 . This will establish an RDP connection to foobar.eps.surrey.ac.uk (replace this with the server you're trying to access) via access.eps.surrey.ac.uk
Advanced options
-f This flag forks the SSH process and runs it in the background. Must be run in conjunction with a command or the -N flag
-N Use this to run no command but place SSH in the background.
Creating shortcuts
Useful information
Regularly used ports
Application Port
HTTP 80
HTTPS 443
SMB 445
RDP (Remote Desktop Protocol) (WIndows) 3389
SSH Public Key Authentication
The access.eps.surrey.ac.uk service requires that you either have Multi Factor Authentication setup on your Surrey account or use Public Key authentication. For more information on MFA and how to set it up on your Surrey account please see here.
Public Key Authentication
Key pairs work on the basis that a username or password can be stolen, but a token is something you have, and thus harder to steal. The key pair consists of two elements, both of which are files stored on computers:
Public Key – This is what you distribute to the systems you wish to log in to. This part of the key is considered public, and thus can be stolen, transferred, or copied without any fears.
Private Key – This part of the key pair is stored by you on the system you wish to connect from. If it is stolen then it is considered compromised, and both the Private Key and Public Key’s must be replaced. To help protect from theft / misuse of a Private Key, it should always be protected by a passphrase.
Once the key pair is in place, logging in will prompt you for your username. Once entered, you will be prompted for the passphrase for your Private Key (stored on your local computer). Once entered, you will be successfully logged in to the remote compute.
Setting Up Public Key Authentication
Step 1 – Setting up the .ssh folder:
These instructions should be carried out on a University Linux machine, either in person or via the Global Protect VPN service.
First we need to check if the .ssh directory exists in your home directory. Your Linux home path is denoted by the ~ (tilda) symbol. Please be sure to type all commands exactly and double check before you press Enter.
From the command line or terminal, run the following command to create your SSH directory and press Enter (take special note of the . ahead of ssh): mkdir ~/.ssh
Now run the following command to change directory (cd) into the newly created (or existing) .ssh directory cd ~/.ssh
Now that you should be in your .ssh directory, we can check the contents of this to see if any existing key pairs exist. Run the following command to print a file list: ls -lah
If your .ssh directory already existed, you should see output similar to the following:
drwx------1
drwx------1
-rw------1
-rw------1
-rw------1
-rw------1
-rw-r--r-- 1
In this example we can see the .ssh directory has existed for some time and contains files. We can also see the existence of the id_rsa and id_rsa.pub files. If you have not previously set up a key pair then these two files will not exist yet. If you already see them, you already have an key pair created. id_rsa is your private key, while id_rsa.pub is your public key.
Step 2 – Creating your key pair:
Now that the relevant .ssh folder exists and we’ve confirmed that it does not contain existing keys, it is time to generate a new key pair.
WARNING: The following commands will delete any existing RSA keys. From the command line, run the following command to begin your RSA key pair generation. ssh-keygen
The following prompt will be displayed:
[1:38pm]
Generating public/private rsa key pair.
Enter file in which to save the key (/user/
The value described in brackets (/user/
Now you will be prompted to enter a passphrase. This secures your private key.
WARNING: Do not leave this blank otherwise if your private key is stolen it could be used by the malicious party to gain entry to your account or any other computer containing your public key.
Please enter your passphrase now, then press enter. Now you will be prompted to enter the passphrase again.
Once you press Enter your key will be generated and the following information displayed to you:
Your identification has been saved in /user/
Your public key has been saved in /user/
The key fingerprint is: SHA256:9J5U1UjIYX+TL1gEvXkrKCCynM61aIM5qpDZ3AuR8T0
The key's randomart image is:
Your keys have now been successfully generated.
Under the directory ~/.ssh or /user/
• id_rsa Your private key, protected by your passphrase. This is stored on the machine you are connecting from.
• id_rsa.pub Your public key. This is stored in the account you are connecting to.
It is now important to ensure the permissions are correctly set for the .ssh folder that you created. To do this, run the following commands: chmod 700 ~/.ssh chmod -R 600 ~/.ssh/*
The first command will set the correct permissions for the .ssh directory, while the second will set the correct permissions for all files in the directory.
If you attempt to use an private key with an insecure .ssh directory you will receive an error stating that the key is not secure.
Step 4 – Deploying your keys:
In order to use this key pair, you will need to move the private key to a computer you wish to connect from, and the public key must be located on the computer you wish to connect to in the ‘authorized_keys’ file.
Private Key
On Linux or Mac machines, your private key (id_rsa) needs to be stored in the correct folder so that it can be accessed by the operating system. By default, this is the ~/.ssh directory (~/.ssh/id_rsa), just like on the Surrey Linux machines. If you have previously used SSH on that account, the .ssh directory should already exist, but if it doesn’t you can follow the steps in this guide to create it.
On Windows Machines - Your private key file (id_rsa) can be stored anywhere on the system, but usually somewhere inside of your Home Directory. When establishing an SSH connection using PuTTY, WinSCP or FileZilla you can specify the path to your id_rsa file.
Note: For PuTTY / WinSCP you will be required to convert your keys to the .ppk format using PuTTYgen (part of the PuTTY suite).
Public Key
Your public key (id_rsa.pub) can be deployed to any account on any system that you wish to establish an SSH connection to. As SSH is exclusively a Unix/Linux service (including MacOS), the location for the public key should always be inside the ~/.ssh directory, in the ‘authorized_keys’ file (~/.ssh/authorized_keys). To add your key to this file, run the following command to append the key to the end of an existing authorized_keys file, or to generate a new file if it does not already exist cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
Step 5 - Using your key pair:
You can test if your key pair is working by establishing an SSH connection to access.eps.surrey.ac.uk from any computer containing your private key. As your public key is located in the .ssh directory your Surrey home area, logging onto any Linux machine will use the key pair over your password.
During login, you should be prompted for:
Username Private Key passphrase
Now that you have successfully tested your key pair, you are able to use the public key on any system that you wish to SSH into, while the private key must be on the machine you wish to connect from.
Fallback
SSH will always prefer to use key pairs over username and password as it is considered more secure, but should your key pair not be available on the system it will fall back to password authentication.
Please note that fallback to username and password on access.eps.surrey.ac.uk is not available externally. If a key pair is not available, then the system will fall back to username, password and MFA. It is recommended that all key pair users still set up MFA.
Additional Information
If you occasionally get disconnected when using SSH, resulting in the program running to stop working.
Using the command ‘screen’ followed by the command you wish to run will detach the command from your active session. This means that if your connection is lost, the screen / session containing your application is able to be restored.
If you need to run computational applications from outside the University.
If you wish to run computational applications, please establish your connection to access.eps.surrey.ac.uk before then creating another SSH connection from there to the machine you wish to run the application on (i.e. your own desktop or dedicated application or departmental server).
Are other key types supported apart from RSA?
Surrey Ubuntu 18.04 and Ubuntu 20.04 machines support RSA, ECDSA and Ed25519 key algorithms.
SSH SFTP - using access.eps to transfer files
Did you know you can use access.eps.surrey.ac.uk for SFTP access? This means you can use an FTP client such as filezilla to securely transfer files from your computer to your University Linux home drive or a Project Space.
SFTP
SFTP stands for SSH File Transfer Protocol and is a method for tranferring data between computer systems via SSH.
There are many different SFTP clients out there, we reccomend Filezilla which is free, open source and works on most Operating systems.
How to use SFTP with access.eps.surrey.ac.uk
This guide will show you step by step instuctions on connecting to your home area or project space using the SFTP client filezilla - others are available and you should be able to use this guide to get a rough idea of how to connect even if you are using a different client.
Download and install filezilla on your computer
https://filezilla-project.org/download.php?type=client
Run filezilla Once it has launched Choose ‘File’ and then choose ‘Site Manager…’ in the new pop-up window choose ‘New Site’ and fill out the ‘General’ tab to the right side with the following details:
Field Setting
Protocol SFTP – SSH File Transfer Protocol
Host access.eps.surrey.ac.uk
Port 22
Logon Type Ask for password
User Surrey Username Under the Advanced tab set Default Remote Directory to the path of the directory you want to connect to -
Connecting to Home Directory
for this example I am connecting to my home drive which is at /user/hs300/dr0017
To find the path to your home area if you don't know it simply log into access.eps.surrey.ac.uk via ssh and type the command pwd (print name of current/working directory). When you first log in your home directory is always the defualt directory you land in.
Connecting to Project space
If you want to connect to project space then the path you need to use will be the /vol path you usually use to access it from a Linux system such as: /vol/www/external/sairanetwork
Once you have specified the default remote directory click connect. After pressing connect you might be asked to accept the host key if this is your first time connecting
You should now be connected and Filezilla will display the files from you local system on the left, and files from the remote system on the right. You can now navigate the filesystems and drag and drop files between your local machine and the remote directory. Files can be transfered in either direction.
Full Filezilla user instructions and documentation can be found here. How to connect to a Raspberry Pi
The Raspberry Pi's are available for use for Students of the department of computing
To log into the Raspberry Pi's you must first log into one of the IFH Lab ubuntu desktops ( hostnames are heron001 - heron200).
Once you are logged into a heron machine, you will be able to connect to the Raspberry Pi's via SSH from a terminal.
Method 1:
Connect to the Raspberry Pi directly as the tpm-user
open a terminal type the command ssh tpm-user@tpm when prompted for a password type "raspberry"
You are now logged into the raspberry pi as the user "tpm-user".
Method 2:
Connect to the Raspberry Pi as your own user account
open a terminal type the command ssh tpm when prompted type your surrey credentials password
Now you are logged into the raspberry pi. for the purposes of your classes you will probably need to switch to the tpm-user account. To do this you will need the su command.
type su - tpm-user when prompted for a password type "raspberry"
You have now switched to the user "tpm-user".
Disconnecting:
When you have finished working on the raspberry pi please use the logout command until your terminal returns to the heron machine you are logged into. BASH vs TCSH
This page contains some helpful information about the differences between BASH and TCSH.
What is a Shell?
The shell is a program that takes commands from the keyboard and gives them to the operating system to perform. In order to interact with the shell you should open a program called a terminal emulator. This program opens a window and lets you interact with the shell. There are a few different types of terminal emulators you can use. Most Linux distributions supply several, such as: gnome-terminal, konsole, xterm, rxvt, kvt, nxterm, and eterm.
Shell Startup Files:
BASH TCSH
~/.profile is a config file for entries that you want to apply on login. For example, if you wanted to execute a command but only when you first log in you would put it in your ~/.profile . Here you should also have the following entry so that your ~/.bashrc is also read on ~/.login is a config file for entries that you want to apply login: on login. For example if you wanted to execute a if [ -f ~/.bashrc ]; then command but only when you first log in you would put it source ~/.bashrc in your .login. Your .cshrc file is always read on login. fi
~/.bash_profile can be used instead of ~/.profile , but it is read by bash only, not by any other shell.
~/.bashrc is a config file to put customisation that ~/.cshrc is a config file to put customisation that applies applies only to bash itself, such as alias and function only to tcsh itself, such as alias and function definitions, definitions, shell options, and prompt settings. Every entry shell options, and prompt settings. Every entry in your in your .bashrc is read by all new terminals that are ~/.cshrc is read by all new terminals that are executed. executed.
Setting Environment Variables:
BASH TCSH
export p=7 setenv p 7
Setting Aliases: BASH TCSH
alias ls="ls -l" alias ls ls -l
Customising the Command Prompt:
BASH TCSH
PS1=abc- set prompt=abc-
Modifying PATH:
BASH TCSH
set path = ($path /path/to/dir /path/to/dir2) or export PATH=$PATH:/path/to/dir:/path/to/dir2 setenv PATH $PATH:/path/to/dir:/path/to/dir2
Additional differences between TCSH/CSH, BASH and other shells can be found here.