Wireless/VPN Help

Wireless and VPN Networking

Questions/comments? email to gripe@ig.utexas.edu.


Wireless Networking

The ROC building is equipped with a wireless network. This network is part of the University-wide wireless network at Pickle Research Campus and on the main campus.

There are 3 wireless networks available:

utguest is a non-encrypted network meant for visitors. No login is needed. It may not be used by UT staff.
eduroam is an encrypted network meant for visiting members of other universities which permit them to authenticate on this network via their home institution.
utexas is encrypted and must be used by UT faculty, staff and students. Log in with your EID and password.

Users on utguest and eduroam may be throttled down for excessive bandwidth use or quarantined for misbehavior, and they can't access many UT-specific services.

You can access UTIG printers and network file sharing from utexas, and connect to UTIG systems via Remote Desktop, ssh or VNC. Note that you are not on the UTIG internal network. You must append the ".ig.utexas.edu" domain to host names to connect to all services; these are known as "fully qualified domain names" or FQDNs.


VPN Networking

Two options exist to connect securely to UTIG from off-campus: virtual private network or tunneling services over ssh. Most users find VPN works fine; please ask if you find VPN doesn't suit you.

The same services which are allowed from the utexas wireless network are allowed via VPN. You must also use fully qualified domain names with the VPN to access UTIG resources. Install Cisco AnyConnect from UT VPN first, and also sign up for two-factor authentication here. Having multiple Duo access paths set up is a very good idea if VPN is critical to your plans: smart phones break or are stolen. There are connection time limits imposed on the VPN session, currently about 24 hours. See the note below about x2go and TurboVNC. Both of these work fine over VPN with any Linux system.


SSH access on standard port 22 to UTIG hosts requires secure access (known UT network, utexas wireless, UT VPN) from March 2019 onward. If you are elsewhere, you must first turn on the VPN. If you are at another location (say at an HPC site) and you can't use the VPN, SSH via another port is allowed if you have previously established a public key with a local passphrase. Username/password logins are not allowed over this port. Email gripe to learn the identity of "some-port". It isn't included here because of paranoia, although that doesn't keep attackers from trying -every- port.
ssh -p some-port
scp -P some-port [ note that is a capital P ]
rsync -e "ssh -p some-port"

This may help explain things a bit: Why Public Key?

By configuring public keys, you may get higher transfer rates by bypassing the VPN and using some-port on some hosts.
We recommend x2go for 2D X11 graphics, and TurboVNC for 3D graphics using VirtualGL on workstations with nVidia cards. And as mentioned above, other protocols (like X11) can be tunnelled across a secure ssh connection. Ask if you need this.
Current Windows x2go v4.1.2.2 does not seem to work properly - Please use x2go v4.1.2.0 instead.
If you use X2GO, use MATE or XFCE for your desktop - Gnome will not work.

Making a public key at UTIG and setting up various remote programs to use it
UPDATE: 2021 - using ed25519 instead of rsa 4096 may be faster if your system supports it. Suggested filenames of id_X will be id_rsa or id_ed25519 below, depending on which you choose.

The most widely accepted key considered safe now is 4096-bit RSA, as shown below. A compelling alternative now widely supported is elliptic curve Ed25519, a proposed NIST standard. Procedures are given below for both Mac/Linux, and for Windows, for applications we think are likely to be used. Once these are set up, you should be able to access selected Linux/Unix computers at UTIG remotely without VPN. Remember that your "my-utig-user" UTIG username will probably be different from your remote username, so you can't generally let it default to your remote username. Not all UTIG hosts listen on "some-port", but some do, and these all work the same. Please email gripe to learn the current list of willing partners.


Macintosh
command line ssh (do this first)

ls ~/.ssh - if you don't already have a .ssh/id_rsa or .ssh/id_ed25519 file, do this:
	ssh-keygen -t rsa -b 4096 or
	ssh-keygen -t ed25519
	In order to comply with ISO rules, you must have a non-blank passphrase for remote access.
	Type this twice; this will be used each time you start a new remote connection from this computer.
If you already have a .ssh/id_X file, but it doesn't use a passphrase, do this: ssh-keygen -p -f ~/.ssh/id_X
Then copy .ssh/id_X.pub to UTIG and append it to (or create) ~/.ssh/authorized_keys at UTIG - any host is the same.
mkdir -p ~/.ssh; cat id_X.pub >> ~/.ssh/authorized_keys; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys
If you don't have local or VPN access, email the id_X.pub file to gripe.

Test with ssh -p some-port my-utig-user@some-utig-host, and you should be logged in without needing to type your UTIG password.
If there is a problem, ssh -v -p some-port may provide a clue where the problem lies.
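The passphrase check and the authorized_keys append from the steps above, written as a small shell helper. This is an added example, not part of the original page or UTIG's own tooling; the function names key_is_unprotected and install_pubkey are hypothetical, and the demo key line is constructed.

```shell
#!/bin/sh
# Added example, not UTIG's own tooling; function names are hypothetical.

# Succeeds (0) when the private key opens with an EMPTY passphrase, which the
# page says is not allowed for remote access. Requires OpenSSH ssh-keygen.
key_is_unprotected() {
    ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1
}

# Append public key file $1 to $2/.ssh/authorized_keys ($2 defaults to $HOME).
# Returns 0 when the key is installed (or already was), 2 on a rejected file.
install_pubkey() {
    pub=$1
    sshdir=${2:-$HOME}/.ssh
    auth=$sshdir/authorized_keys

    # Accept exactly one ssh-rsa / ssh-ed25519 public-key line. A private key
    # (id_X without .pub) or a multi-line PuTTYgen "Save public key" file is
    # rejected here instead of corrupting authorized_keys.
    [ -r "$pub" ] || return 2
    [ "$(grep -c '' "$pub")" -eq 1 ] || return 2
    grep -Eq '^ssh-(rsa|ed25519) [A-Za-z0-9+/]+=*( .*)?$' "$pub" || return 2

    mkdir -p "$sshdir" || return 1
    if [ -f "$auth" ]; then
        # Match on the base64 key body so a changed comment is not a new key.
        body=$(awk '{print $2}' "$pub")
        if grep -qF "$body" "$auth"; then
            chmod 700 "$sshdir"; chmod 600 "$auth"
            return 0
        fi
        cp -p "$auth" "$auth.bak"       # same backup step the page uses
        # A last line without a newline would be glued to the new key.
        if [ -n "$(tail -c 1 "$auth")" ]; then echo >> "$auth"; fi
    fi
    cat "$pub" >> "$auth"               # append (>>), never overwrite (>)
    chmod 700 "$sshdir"
    chmod 600 "$auth"
}

# Demo in a scratch directory with a constructed key line (not a real key).
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyBody00 me@laptop' > "$tmp/id_X.pub"
    install_pubkey "$tmp/id_X.pub" "$tmp" && ls -l "$tmp/.ssh"
    rm -rf "$tmp"
fi
```

On the client, key_is_unprotected ~/.ssh/id_X && ssh-keygen -p -f ~/.ssh/id_X adds a passphrase only when one is missing; install_pubkey id_X.pub is run at UTIG after copying the .pub file there.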

X2GO

When command line ssh works, set your Login: username, and tell x2go to use the same .ssh/id_X key as above
(not the .pub part of the key). Please turn off Audio and Printer in the Media tab in your x2go setup.


Cyberduck

Create a new session to your favorite host, e.g. some-host.ig.utexas.edu or other.
Enter your username, and the password. Select the SSH private key .ssh/id_X, save it,
and you should be able to login without a password.

Linux
command line - same as Macintosh command line, above

Windows

Cmd window

Modern releases of Windows 10 have a built-in ssh command line program.
This is the simplest way to get command line Linux access.
Enter cmd in the search box, select Command Prompt App, and then
proceed as for Mac/Linux command line ssh.


Putty

Use PuttyGEN to create an RSA 4096 bit or ED25519 key, with a passphrase.
Save it someplace safe; I made a folder called ssh so it is both visible and obvious to me.

Also save the public key - add its content onto the end of your UTIG ~/.ssh/authorized_keys.
See the sequence under Macintosh, above.

In Putty itself, set up a host connection. Enter utig.ig.utexas.edu (as a test), click Connection -> Data,
and enter your username (only, no hostname) in the Auto-login username window.

Click the + by the SSH Category.

Click the + by Auth, Browse to the Private key file you just saved.
In the X11 sub-menu, you may want to turn on ssh tunneling if you won't be using X2GO.
(Using X11 remotely is possible but generally discouraged. Ask gripe for details.)

Back in the top level Session window, save these settings to a named entry, then test it.
If you will use X2GO or TurboVNC, you can use this as a fallback - change the hostname
to your preferred hostname and test.

Using the Pageant application to store keys is possible but beyond the scope here.


X2GO

On your PC:

start -> run -> cmd
mkdir ssh (or whatever folder you want)
 
cd c:\program files (x86)\x2goclient
ssh-keygen.exe -t rsa -b 4096		choose a passphrase per the discussion under MAC.
ssh-keygen.exe -t ed25519		choose a passphrase per the discussion under MAC.
c:\users\myname\ssh\id_X		for example - your username and folder will differ

Add the content of your new id_X.pub file to the end of ~/.ssh/authorized_keys at UTIG.
Log in with Putty or Windows ssh. cd .ssh, cp authorized_keys authorized_keys.bak, cat >> authorized_keys
Paste the key string from the .pub file, then control-d to close the file. The >> is important, do not use a single > !
 
Back on the client PC, run x2go, edit a login, and fill in the Login: name if it is blank.
Browse to the key you saved in the keygen step (not the .pub); Save and test. Please turn
off Printer and Audio support in the Media tab in x2go settings. No other changes need be made.

WinSCP

Create a new setting.

Enter a hostname and a username; leave the password blank.
Click on Advanced, then select the private key file you created with Putty.
If you didn't already install Putty, click on Tools -> Run PuttyGEN and
proceed as for the first two steps for Putty, above. Save these settings
and test.