Getting Remote Access to the IQMMIP Instruments

These instructions must be followed for each computer/device you wish to use to connect to the IQMMIP Instruments. The approach is to establish an authenticated, encrypted SSH connection between your computer/device and the gateway host kahlan.pha.jhu.edu (it plays the role a VPN would), and then use that connection to "tunnel" (port-forward) the VNC traffic between your computer and the IQMMIP Instruments, which are not reachable from outside the network.

Authentication of your device is done using a public/private keypair. The public key is added to the list of authorized keys for your username on the server; anyone may see it. The private key never leaves the device it was generated on (preferably a hardware token), is never emailed or copied anywhere, and is protected with a passphrase of your choosing, which you will be asked for each time you connect.


Method to Access

These instructions assume the "Steps to do ONCE per device" (below) have already been carried out.

Windows

Run PuTTY, select the saved session "kahlan" and click Open (or double-click the entry), then enter your key passphrase. Because "Don't start a shell or command at all" is set, the window stays blank; leave it open, it carries the tunnels. Then start your VNC viewer and connect to localhost:PORT, where PORT is the Source Port of the instrument in the Table of Accessible Systems at the end of this document (e.g. localhost:4203 for the IQM PPMS). For file transfers open the saved "kahlan" session in WinSCP. Close PuTTY when you are finished.

Mac OS X

Open Terminal and run the ssh command from step 4 of the one-time setup, adding one -L option per instrument you need, written as SourcePort:IPAddress:DestinationPort from the Table of Accessible Systems (e.g. -L 4203:192.168.42.3:5900 for the IQM PPMS), and enter your key passphrase when prompted. The command prints nothing and does not return; leave that Terminal window open, it carries the tunnels. Then start your VNC viewer and connect to localhost:SourcePort. Press ctrl-c in the Terminal when you are finished.

UNIX/Linux/BSD

Follow the same instructions as for Mac OS X, using any terminal or shell.


iOS/Android Phone/Tablet

Run the SSH/VNC application you configured in the one-time steps below, open the saved connection to kahlan, enter your key passphrase, and connect the VNC viewer to the tunneled port of the instrument you need.



Steps to do ONCE per device

These steps should only be done once per device!

Windows

  1. Download the SSH client PuTTY from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html. It is recommended that you save the executable to the desktop.
  2. From the same site, also download PuTTYgen, the public/private key generator (save to desktop).
  3. Run PuTTYgen. You will see the PuTTY Key Generator window. Towards the bottom of the window, make sure that the type of key to generate is SSH-2 RSA and that the number of bits in the generated key is 4096, then click Generate. You will need to move the mouse over the blank area to provide the randomness used to generate the key.
  4. Once you have provided sufficient entropy, a new public/private key pair is generated. The private key never leaves the computer it was generated on. In the "Key passphrase" and "Confirm passphrase" boxes, provide a passphrase that will protect the private key on disk (this is the password you will have to type every time you log in to the server). Do not leave it blank.
  5. Toward the top there is a block of text titled "Public key for pasting into OpenSSH authorized_keys file". This is the public key (anyone can know this value). Copy the entire block of text (highlight it and press ctrl-c), paste it into the body of an email, and email it to TMM. The block starts with ssh-rsa and ends with rsa-key-DATE; make sure you copy all of it, as a single line. Send only this block: the private key must never be emailed or copied to anyone.
  6. Click the "Save private key" button toward the bottom left. It is recommended that you put it in the Computer->C:->Users->(your username) directory. The filename can be anything (e.g. "ssh-kahlan"); PuTTY saves it with a .ppk extension.
  7. You can then close PuTTYgen. If desired, you can delete the executable; it is no longer required. You have now successfully created a public/private keypair to authenticate your device.
  8. Wait for confirmation that the public key has been added to the authorized keys list.
  9. Now set up PuTTY so it knows how to connect to the server. Run PuTTY; it opens a "PuTTY Configuration" window. Work through the following pages in the list on the left hand side:
    Session: set the hostname to "kahlan.pha.jhu.edu" and the port to 22.
    Connection: change "Seconds between keepalives" to 30, so that idle tunnels are not dropped by intermediate firewalls.
    Connection -> SSH: check the box "Don't start a shell or command at all" (the session only carries tunnels), and for "Preferred SSH protocol version" select "2 only". In the "Encryption cipher selection policy" list, move "warn below here" up until it sits just below "AES (SSH-2 only)", so that PuTTY warns before accepting a weaker cipher.
    Connection -> SSH -> Kex: move "warn below here" up in the list until it sits just below "Diffie-Hellman group exchange".
    Connection -> SSH -> Auth: click Browse next to "Private key file for authentication" and select the .ppk file you saved above (skip this if the key lives on a hardware token).
  10. Still under SSH, select "Tunnels". Under "Add new forwarded port", for every row of the Table of Accessible Systems at the end of this document, enter the Source Port in "Source port", enter IP Address:Destination Port (e.g. 192.168.42.3:5900) in "Destination", leave "Local" selected, and click Add. Do this one row at a time until every system appears in the "Forwarded ports" list.
  11. Finally, in the list on the left, go back to the very top ("Session"). In the space below "Saved Sessions" put a name for this connection (say "kahlan"), and then click Save. At this point there will be an entry "kahlan" in the list of saved sessions which can be used to establish the SSH connection between your computer and kahlan.
  12. Attempt to connect by double-clicking the "kahlan" entry, or highlighting it and clicking Open. PuTTY will warn that the server's host key is not cached and show the server's rsa2 key fingerprint (older PuTTY versions show the MD5 colon-separated form, newer ones the SHA256 form). The value should be:
    ssh-rsa 4096 5e:32:92:2a:81:18:41:5d:35:35:d2:80:54:c8:63:0f or SHA256:KuZCb5fpds69QqKbZGhkcr+jTq9xq8DlNZ5z3F4ATdw
    If this is the value, click "Yes" to continue connecting and add the host key to the cache; you will not be asked again unless the key changes. However, IF IT IS NOT THIS VALUE, CLICK CANCEL AND INFORM TMM IMMEDIATELY (either the server has been rebuilt or someone is intercepting your connection). After accepting the key you will be asked for your key passphrase; once it is accepted you can safely close PuTTY.
  13. To allow file transfers, download the program WinSCP from http://winscp.net/eng/download.php and install it. Run WinSCP. You will be presented with the "WinSCP Login" screen. Enter "kahlan.pha.jhu.edu" for the hostname and change the port to 22. Click the ellipsis (...) next to "Private key file" and select the .ppk file from above (skip this if the key lives on a hardware token). Then select "SSH" in the list on the left, set the protocol version to "2 only", and move "warn below here" up in the cipher list until it is just below "AES (SSH-2 only)". Then go back to "Session" on the left hand side and click Save. You can call it anything (I recommend "kahlan").
  14. At this point there will be an entry "kahlan" in the list of stored sessions. Attempt to connect by double-clicking it or highlighting it and clicking Login. WinSCP will warn that the server's host key was not found in the cache and show its fingerprint. Check it exactly as in step 12: if it matches the value given there, click "Yes" to continue connecting and cache the host key; IF IT DOES NOT MATCH, CLICK CANCEL AND INFORM TMM IMMEDIATELY. You can then safely close WinSCP.
  15. VNC is required to remotely view the IQMMIP Instruments. Install your favorite VNC viewer/client (e.g. http://www.tightvnc.com/download.php, only the viewer is required). It will connect to localhost and the Source Port from the table at the end of this document, never to the instrument's IP address directly; the instruments are reachable only through the SSH tunnel.

Mac OS X

  1. Open a command line Terminal by running the Terminal application (or X11/xterm). It is under Applications->Utilities.
  2. Once the command line is open, generate a public/private keypair for authentication with kahlan by running the command:
    ssh-keygen -t rsa -b 4096
    Follow the prompts. The defaults are fine (the private key is saved as ~/.ssh/id_rsa and the public key as ~/.ssh/id_rsa.pub), but make sure to choose a passphrase that is not blank. Once complete, display the public key using the command:
    cat ~/.ssh/id_rsa.pub
    and copy the entire block of text, paste it into the body of an email, and email it to TMM. The block starts with ssh-rsa and is quite long; make sure to get the whole thing, as a single line. Send only id_rsa.pub: the private key id_rsa must never be emailed or copied anywhere.
  3. Wait for confirmation that the public key has been added to the authorized keys list
  4. Attempt a connection to kahlan using the command:
    ssh -N -p 22 USERNAME@kahlan.pha.jhu.edu
    where USERNAME is replaced with your username on kahlan. On the first connection ssh prints a message to the effect that "the authenticity of host 'kahlan.pha.jhu.edu' can't be established", followed by the server's RSA key fingerprint (recent versions show the SHA256 form, older ones the MD5 colon-separated form). The value should be:
    ssh-rsa 4096 5e:32:92:2a:81:18:41:5d:35:35:d2:80:54:c8:63:0f or SHA256:KuZCb5fpds69QqKbZGhkcr+jTq9xq8DlNZ5z3F4ATdw
    If this is the value, answer "yes" to continue connecting; the key is then stored in ~/.ssh/known_hosts and you will not be asked again unless it changes. However, IF IT IS NOT THIS VALUE, ANSWER "no" AND INFORM TMM IMMEDIATELY (either the server has been rebuilt or someone is intercepting your connection). After accepting the key you are asked for your key passphrase. Because of -N no remote shell is started and the command simply sits there; press ctrl-c to close the connection.
  5. To allow file transfers, install an SFTP client (such as Fugu, http://rsug.itd.umich.edu/software/fugu/ ). Enter "kahlan.pha.jhu.edu" for the hostname and change the port to 22. Find the place to specify a private key file and select the one from above (skip this if the key lives on a hardware token). It is also recommended that you allow only AES ciphers and protocol version 2, and then save the configuration (I recommend calling it "kahlan"). Try the connection, and make sure the server's fingerprint matches the value above before accepting it.
  6. VNC is required to remotely view the IQMMIP Instruments. Install your favorite VNC viewer/client (e.g. http://www.tightvnc.com/download.php, only the viewer is required). It will connect to localhost and the Source Port from the table at the end of this document, never to the instrument's IP address directly; the instruments are reachable only through the SSH tunnel.

UNIX/Linux/BSD

Follow the same instructions as for Mac OS X, using any terminal or shell.


iOS/Android Phone/Tablet

Install an SSH client and VNC viewer that support public/private keypair authentication and VNC tunneling over SSH. Configure them with the same host, port, key, forwarded ports and host key fingerprint check as given above (you need to provide the public key to TMM for adding to the authorized keys list). RemoterPro (full version) on iOS works great for this purpose.



Table of Accessible Systems

Each row is one "local" port forwarding. Connect your VNC viewer to localhost:<Source Port> on your own computer; the SSH tunnel delivers that connection to <IP Address>:<Destination Port>, which is the VNC server on the instrument (5900 is the standard VNC port). The 192.168.42.x addresses are internal to the instrument network and are reachable only through the tunnel.

Source Port   IP Address      Destination Port   Identity
4203          192.168.42.3    5900               IQM PPMS
4204          192.168.42.4    5900               IQM LAUE
4205          192.168.42.5    5900               IQM HALOGEN
4206          192.168.42.6    5900               IQM XENON
4232          192.168.42.32   5900               PARADIM SPS Press
4233          192.168.42.33   5900               PARADIM Mass Spec 1
4234          192.168.42.34   5900               PARADIM Mass Spec 2
4235          192.168.42.35   5900               PARADIM TGA/DSC
4236          192.168.42.36   5900               PARADIM Induction Furnace
4237          192.168.42.37   5900               PARADIM HP-FZ
4238          192.168.42.38   5900               PARADIM Tilt LD-FZ
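For Mac OS X and UNIX/Linux/BSD users the whole access procedure can be scripted. The following is an added example written for this page, not a script supplied by TMM or the IQMMIP project: it builds one -L option per row of the table above (the same "local" forwardings the Windows steps add by hand), pins kahlan's SHA256 host key fingerprint from the instructions, refuses to connect if the fingerprint reported by ssh-keyscan differs, and otherwise opens all tunnels with a single ssh -N command. The script name tunnels.sh, the function names and the dedicated known-hosts file path are illustrative assumptions; it also assumes an OpenSSH whose ssh-keygen accepts - to read a key from standard input.

```shell
#!/bin/sh
# Added example (not part of the original instructions): open every tunnel in
# the Table of Accessible Systems with one ssh command, after pinning the
# gateway's host key fingerprint so a changed key aborts before connecting.
# The script name, function names and known-hosts path are illustrative;
# host, port, fingerprint and table rows are the ones given on this page.
set -eu

GATEWAY="kahlan.pha.jhu.edu"
GATEWAY_PORT=22
# SHA256 fingerprint of kahlan's RSA host key, as printed in the instructions.
EXPECTED_FP="SHA256:KuZCb5fpds69QqKbZGhkcr+jTq9xq8DlNZ5z3F4ATdw"
# Dedicated known_hosts file holding only the verified gateway key (assumed path).
KNOWN_HOSTS="${HOME:-.}/.ssh/kahlan_known_hosts"

# Source port, internal IP address, destination port, identity (from the table).
SYSTEMS="
4203 192.168.42.3  5900 IQM PPMS
4204 192.168.42.4  5900 IQM LAUE
4205 192.168.42.5  5900 IQM HALOGEN
4206 192.168.42.6  5900 IQM XENON
4232 192.168.42.32 5900 PARADIM SPS Press
4233 192.168.42.33 5900 PARADIM Mass Spec 1
4234 192.168.42.34 5900 PARADIM Mass Spec 2
4235 192.168.42.35 5900 PARADIM TGA/DSC
4236 192.168.42.36 5900 PARADIM Induction Furnace
4237 192.168.42.37 5900 PARADIM HP-FZ
4238 192.168.42.38 5900 PARADIM Tilt LD-FZ
"

# Emit one "-L sourceport:ip:destport" option per table row: the same "local"
# forwardings the Windows instructions add one by one on PuTTY's Tunnels page.
tunnel_args() {
  printf '%s\n' "$SYSTEMS" | while read -r lport ip rport identity; do
    [ -n "$lport" ] || continue          # skip blank lines
    printf '%s %s:%s:%s ' -L "$lport" "$ip" "$rport"
  done
}

# Take one line of "ssh-keygen -l" output ("4096 SHA256:... host (RSA)") and
# return 0 only when its fingerprint field equals the pinned value.
fingerprint_ok() {
  fp=$(printf '%s\n' "$1" | awk '{print $2}')
  [ "$fp" = "$EXPECTED_FP" ]
}

# Fetch the gateway's current RSA host key, compare its fingerprint with the
# pinned one, and only then record it in KNOWN_HOSTS. A mismatch is the
# "inform TMM immediately" case from the instructions: refuse to go on.
verify_gateway() {
  key=$(ssh-keyscan -t rsa -p "$GATEWAY_PORT" "$GATEWAY" 2>/dev/null) || true
  if [ -z "$key" ]; then
    echo "Could not fetch a host key from $GATEWAY" >&2
    return 1
  fi
  line=$(printf '%s\n' "$key" | ssh-keygen -lf -)
  if ! fingerprint_ok "$line"; then
    echo "HOST KEY MISMATCH for $GATEWAY: $line" >&2
    echo "Not connecting. Inform TMM before trying again." >&2
    return 1
  fi
  mkdir -p "$(dirname "$KNOWN_HOSTS")"
  printf '%s\n' "$key" > "$KNOWN_HOSTS"
}

# Open all tunnels. -N starts no remote shell; the process just carries the
# forwardings, so leave it running and point the VNC viewer at
# localhost:<source port>. StrictHostKeyChecking=yes with the dedicated
# known_hosts file makes ssh itself refuse any key other than the verified one.
connect() {
  verify_gateway
  # shellcheck disable=SC2046  (word-splitting of tunnel_args is intended)
  exec ssh -N -p "$GATEWAY_PORT" \
    -o UserKnownHostsFile="$KNOWN_HOSTS" -o StrictHostKeyChecking=yes \
    $(tunnel_args) "$1@$GATEWAY"
}

# Usage: sh tunnels.sh connect USERNAME
if [ "${1:-}" = "connect" ]; then
  connect "${2:?usage: sh tunnels.sh connect USERNAME}"
fi
```

Run sh tunnels.sh connect USERNAME, enter your key passphrase, leave it running, and point the VNC viewer at localhost:4203 (or whichever Source Port you need). Writing the verified key to its own known_hosts file and passing StrictHostKeyChecking=yes turns the manual "compare the fingerprint and click yes" step into a check that cannot be skipped by accident: if the fingerprint ever changes, the script stops before any credentials are sent.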