add post on ssh tunnels and delay commsenv post - adamsgaard.dk - my academic … | |
git clone git://src.adamsgaard.dk/adamsgaard.dk | |
--- | |
commit 65b18f20bc2ade25e39e73eba31e742ebb5931c6 | |
parent aee9726f65f6c76cba4af628da15b41f52344e69 | |
Author: Anders Damsgaard <[email protected]> | |
Date: Fri, 11 Dec 2020 17:13:42 +0100 | |
add post on ssh tunnels and delay commsenv post | |
Diffstat: | |
A pages/007-ssh-tunnels.cfg | 7 +++++++ | |
A pages/007-ssh-tunnels.html | 144 +++++++++++++++++++++++++++++… | |
A pages/007-ssh-tunnels.txt | 136 +++++++++++++++++++++++++++++… | |
A pages/008-commsenv.cfg | 7 +++++++ | |
A pages/008-commsenv.html | 72 +++++++++++++++++++++++++++++… | |
A pages/008-commsenv.txt | 70 +++++++++++++++++++++++++++++… | |
6 files changed, 436 insertions(+), 0 deletions(-) | |
--- | |
diff --git a/pages/007-ssh-tunnels.cfg b/pages/007-ssh-tunnels.cfg | |
t@@ -0,0 +1,7 @@ | |
+filename=ssh-tunnels.html | |
+title=No VPN? No problem! Using SSH tunnels for remote access to closed networ… | |
+description=Here I illustrate ssh-based solutions to various tasks requiring a… | |
+id=ssh-tunnels | |
+tags=ssh, vpn | |
+created=2020-12-11 | |
+updated=2020-12-11 | |
diff --git a/pages/007-ssh-tunnels.html b/pages/007-ssh-tunnels.html | |
t@@ -0,0 +1,144 @@ | |
+<h2>Rationale</h2> | |
+ | |
+<p>Corporate and academic networks are closed by design, with routers | |
+and firewalls forwarding and filtering content going to and from | |
+the wider internet. For security reasons this is an absolute | |
+necessity, as the guardkeeping prevents unwanted incoming connections | |
+to the networked devices.</p> | |
+ | |
+<p>However, it is often necessary to connect to internal devices or | |
+services from the outside. This could be the case if an employee | |
+needs to access a shared database on the company network, or a | |
+subscription website only allows full access from a certain range | |
+of IP addresses. Network administrators usually offer virtual | |
+private network (VPN) access to achieve such goals. Unfortunately, | |
+VPN access occasionally requires particular software that may not | |
+work on all operating systems. In other cases, the network | |
+administrators may enforce strict requirements to the remote systems | |
+before allowing VPN access.</p> | |
+ | |
+<pre><code> ###### Closed Network ###### | |
+ # # | |
+ # +----------+ +----------+ +----------+ | |
+ # | Office | | Router/ | ? | Outside | | |
+ # | Computer |<~~~~>| Firewall | ? ? | Computer | | |
+ # +----------+ +----------+ +----------+ | |
+ # # | |
+ ############################ | |
+</code></pre> | |
+ | |
+<p>So what do you do if you need outside access to a network, have no | |
+administrative rights over the router and firewall, and cannot (or | |
+don't want to) access via VPN? Fortunately, OpenSSH, the widely | |
+used secure shell (SSH) implementation, offers simple and secure | |
+solutions to this problem. Almost all Linux/BSD/UNIX/MacOS systems | |
+come with OpenSSH preinstalled, so you might already have it on | |
+your system.</p> | |
+ | |
+<p>If you can access the closed network from the outside via SSH, this | |
+makes things straightforward as described in Scenario 1 below. If | |
+not, see Scenario 2.</p> | |
+ | |
+ | |
+<h2>Scenario 1: SSH access available from the outside</h2> | |
+ | |
+<p>Some networks are configured to allow outsiders to connect to an | |
+internal SSH server through port forwarding on the network router:</p> | |
+ | |
+<pre><code> ###### Closed Network ###### | |
+ # # | |
+ # +----------+ +----------+ +----------+ | |
+ # | Office | SSH | Router/ | SSH | Outside | | |
+ # | Computer |<~~~~~| Firewall |<~~~~~| Computer | | |
+ # +----------+ +----------+ +----------+ | |
+ # # | |
+ ############################ | |
+</code></pre> | |
+ | |
+<p>For the purposes described here, this is an ideal situation since | |
+it is easy to create a tunnel that connects the outside computer | |
+with the internal network via SSH. The following command creates | |
+the tunnel:</p> | |
+ | |
+<pre><code>ssh -D 1337 -C -N company-domain.com | |
+</code></pre> | |
+ | |
+<p>Note that the port number specified with the -D option should be | |
+greater than 1000 when running as an unpriviledged (non-root) user. | |
+The -C option turns on compression, which is useful for slow network | |
+connections at the cost of little CPU overhead.</p> | |
+ | |
+<p>With the SSH tunnel in place, you can make most webbrowsers and | |
+other network programs on the outside computer use the tunnel for | |
+all their network traffic by pointing them to the SOCKSv5 proxy | |
+"socks://localhost:1337". This allows access from programs on the | |
+outside computer to any device within the closed network. Connections | |
+to the wider internet utilizing the tunnel will originate from an | |
+IP address associated with the closed network, achieving the | |
+objectives stated above.</p> | |
+ | |
+ | |
+<h2>Scenario 2: SSH access unavailable from the outside</h2> | |
+ | |
+<p>Unfortunately, outside SSH access to corporate networks is becoming | |
+increasingly rare. However, the OpenSSH toolset again offers a | |
+solution if you have a persistent SSH server outside of the network | |
+at your disposal:</p> | |
+ | |
+<pre><code> ###### Closed Network ###### | |
+ # # | |
+ # +----------+ +----------+ +---------+ +---------+ | |
+ # | Office | SSH | Router/ | SSH | Outside | SSH | Outside | | |
+ # | Computer |<~~~~>| Firewall |<~~~~>| Server |<~~~~~| Laptop | | |
+ # +----------+ +----------+ +---------+ +---------+ | |
+ # # | |
+ ############################ | |
+</code></pre> | |
+ | |
+<p>As long as you can initiate *outgoing* SSH connections from inside | |
+the closed network to your outside SSH server, you can create a | |
+reverse ssh tunnel and utilize it in a similar manner as in the | |
+previous scenario. On the office computer, create a reverse tunnel | |
+to the outside server:</p> | |
+ | |
+<pre><code>ssh -f -N -R 10022:localhost:22 outside-server.com | |
+</code></pre> | |
+ | |
+<p>As long as the above command runs, you can initiate new SSH connections | |
+from the outside server to the office computer with the command | |
+`ssh -p 10022 localhost`. If you're working from an outside laptop, | |
+you can utilize this reverse tunnel to connect to the office computer | |
+and network. Add the following configuration to `~/.ssh/config` | |
+on the outside laptop:</p> | |
+ | |
+<pre><code>Host office_computer | |
+ ProxyCommand ssh -q outside-server.com nc localhost 10022 | |
+</code></pre> | |
+ | |
+<p>With the above configuration, it is very easy to establish a SSH | |
+connection from the outside laptop to the office computer:</p> | |
+ | |
+<pre><code>ssh office_computer | |
+</code></pre> | |
+ | |
+<p>As in the previous exapmle, you can use this setup to create a SSH | |
+tunnel all the way from outside laptop to the office computer:</p> | |
+ | |
+<pre><code>ssh -D 1337 -C -N office_computer | |
+</code></pre> | |
+ | |
+<p>Again, this creates a SOCKSv5 proxy that you can use for tunneling | |
+network traffic from the outside laptop to the closed network. It | |
+is useful to automatically monitor the tunnel status using pgrep(1), | |
+and reinitialize it if the ssh command unexpectedly quits.</p> | |
+ | |
+ | |
+<h2>References</h2> | |
+ | |
+<ul> | |
+<li>OpenSSH: <a href="https://www.openssh.com/">https://www.openssh.com/</a></… | |
+<li>ssh(1) manual page: <a href="https://man.openbsd.org/ssh">https://man.open… | |
+<li>gramscii(1), used for drawings in this post: git://bitreich.org/gramscii</… | |
+</ul> | |
+ | |
+<p>Thanks to KatolaZ for feedback on this post.</p> | |
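Review bot: In the paragraph following the `ssh -D 1337 -C -N company-domain.com` command, "greater than 1000" should be 1024 or higher: the privileged range on most systems is everything below 1024, so ports 1001-1023 would still be refused for a non-root user. In the Scenario 2 paragraphs, Markdown markup is used inside HTML (`*outgoing*`, and backticks around `ssh -p 10022 localhost` and `~/.ssh/config`) and will render literally; use <em> and <code> as the rest of the file does. Typos to fix while here: "unpriviledged", "exapmle", and "guardkeeping" (presumably "gatekeeping").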
diff --git a/pages/007-ssh-tunnels.txt b/pages/007-ssh-tunnels.txt | |
t@@ -0,0 +1,136 @@ | |
+# NO VPN? NO PROBLEM! USING SSH TUNNELS FOR REMOTE ACCESS TO CLOSED NETWORKS | |
+ | |
+## Rationale | |
+ | |
+Corporate and academic networks are closed by design, with routers | |
+and firewalls forwarding and filtering content going to and from | |
+the wider internet. For security reasons this is an absolute | |
+necessity, as the guardkeeping prevents unwanted incoming connections | |
+to the networked devices. | |
+ | |
+However, it is often necessary to connect to internal devices or | |
+services from the outside. This could be the case if an employee | |
+needs to access a shared database on the company network, or a | |
+subscription website only allows full access from a certain range | |
+of IP addresses. Network administrators usually offer virtual | |
+private network (VPN) access to achieve such goals. Unfortunately, | |
+VPN access occasionally requires particular software that may not | |
+work on all operating systems. In other cases, the network | |
+administrators may enforce strict requirements to the remote systems | |
+before allowing VPN access. | |
+ | |
+ ###### Closed Network ###### | |
+ # # | |
+ # +----------+ +----------+ +----------+ | |
+ # | Office | | Router/ | ? | Outside | | |
+ # | Computer |<~~~~>| Firewall | ? ? | Computer | | |
+ # +----------+ +----------+ +----------+ | |
+ # # | |
+ ############################ | |
+ | |
+So what do you do if you need outside access to a network, have no | |
+administrative rights over the router and firewall, and cannot (or | |
+don't want to) access via VPN? Fortunately, OpenSSH, the widely | |
+used secure shell (SSH) implementation, offers simple and secure | |
+solutions to this problem. Almost all Linux/BSD/UNIX/MacOS systems | |
+come with OpenSSH preinstalled, so you might already have it on | |
+your system. | |
+ | |
+If you can access the closed network from the outside via SSH, this | |
+makes things straightforward as described in Scenario 1 below. If | |
+not, see Scenario 2. | |
+ | |
+ | |
+## Scenario 1: SSH access available from the outside | |
+ | |
+Some networks are configured to allow outsiders to connect to an | |
+internal SSH server through port forwarding on the network router: | |
+ | |
+ ###### Closed Network ###### | |
+ # # | |
+ # +----------+ +----------+ +----------+ | |
+ # | Office | SSH | Router/ | SSH | Outside | | |
+ # | Computer |<~~~~~| Firewall |<~~~~~| Computer | | |
+ # +----------+ +----------+ +----------+ | |
+ # # | |
+ ############################ | |
+ | |
+For the purposes described here, this is an ideal situation since | |
+it is easy to create a tunnel that connects the outside computer | |
+with the internal network via SSH. The following command creates | |
+the tunnel: | |
+ | |
+ ssh -D 1337 -C -N company-domain.com | |
+ | |
+Note that the port number specified with the -D option should be | |
+greater than 1000 when running as an unpriviledged (non-root) user. | |
+The -C option turns on compression, which is useful for slow network | |
+connections at the cost of little CPU overhead. | |
+ | |
+With the SSH tunnel in place, you can make most webbrowsers and | |
+other network programs on the outside computer use the tunnel for | |
+all their network traffic by pointing them to the SOCKSv5 proxy | |
+"socks://localhost:1337". This allows access from programs on the | |
+outside computer to any device within the closed network. Connections | |
+to the wider internet utilizing the tunnel will originate from an | |
+IP address associated with the closed network, achieving the | |
+objectives stated above. | |
+ | |
+ | |
+## Scenario 2: SSH access unavailable from the outside | |
+ | |
+Unfortunately, outside SSH access to corporate networks is becoming | |
+increasingly rare. However, the OpenSSH toolset again offers a | |
+solution if you have a persistent SSH server outside of the network | |
+at your disposal: | |
+ | |
+ ###### Closed Network ###### | |
+ # # | |
+ # +----------+ +----------+ +---------+ +---------+ | |
+ # | Office | SSH | Router/ | SSH | Outside | SSH | Outside | | |
+ # | Computer |<~~~~>| Firewall |<~~~~>| Server |<~~~~~| Laptop | | |
+ # +----------+ +----------+ +---------+ +---------+ | |
+ # # | |
+ ############################ | |
+ | |
+As long as you can initiate *outgoing* SSH connections from inside | |
+the closed network to your outside SSH server, you can create a | |
+reverse ssh tunnel and utilize it in a similar manner as in the | |
+previous scenario. On the office computer, create a reverse tunnel | |
+to the outside server: | |
+ | |
+ ssh -f -N -R 10022:localhost:22 outside-server.com | |
+ | |
+As long as the above command runs, you can initiate new SSH connections | |
+from the outside server to the office computer with the command | |
+`ssh -p 10022 localhost`. If you're working from an outside laptop, | |
+you can utilize this reverse tunnel to connect to the office computer | |
+and network. Add the following configuration to `~/.ssh/config` | |
+on the outside laptop: | |
+ | |
+ Host office_computer | |
+ ProxyCommand ssh -q outside-server.com nc localhost 10022 | |
+ | |
+With the above configuration, it is very easy to establish a SSH | |
+connection from the outside laptop to the office computer: | |
+ | |
+ ssh office_computer | |
+ | |
+As in the previous exapmle, you can use this setup to create a SSH | |
+tunnel all the way from outside laptop to the office computer: | |
+ | |
+ ssh -D 1337 -C -N office_computer | |
+ | |
+Again, this creates a SOCKSv5 proxy that you can use for tunneling | |
+network traffic from the outside laptop to the closed network. It | |
+is useful to automatically monitor the tunnel status using pgrep(1), | |
+and reinitialize it if the ssh command unexpectedly quits. | |
+ | |
+ | |
+References: | |
+ | |
+- OpenSSH: https://www.openssh.com/ | |
+- ssh(1) manual page: https://man.openbsd.org/ssh | |
+- gramscii(1), used for drawings in this post: git://bitreich.org/gramscii | |
+ | |
+Thanks to KatolaZ for feedback on this post. | |
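Review bot: The closing advice to watch the tunnel with pgrep(1) misses the case where the ssh process stays alive but the forward is dead or was never established (for example when port 10022 is already bound on the outside server). Suggest adding `-o ExitOnForwardFailure=yes` and a keepalive such as `-o ServerAliveInterval=30` to the `ssh -f -N -R 10022:localhost:22 outside-server.com` command, so that ssh exits on failure and the pgrep check can restart it; the same applies to the .html copy. One sentence noting that the forwarded port 10022 is reachable by every local user on the outside server, and that the office computer's sshd should therefore accept key authentication only, would also help readers. Style: "References:" is the only section heading without the "## " prefix.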
diff --git a/pages/008-commsenv.cfg b/pages/008-commsenv.cfg | |
t@@ -0,0 +1,7 @@ | |
+filename=commsenv.html | |
+title=New paper out on the coupled dynamics of ice, meltwater, and till | |
+description=A brief summary of my new paper published in Communications Earth … | |
+id=commsenv | |
+tags=science, glaciology, ice sheet | |
+created=2020-12-09 | |
+updated=2020-12-09 | |
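Review bot: `created=2020-12-09` and `updated=2020-12-09` predate the 2020-12-11 dates in pages/007-ssh-tunnels.cfg, although this post is numbered after it and the commit message says it is being delayed. If these fields drive ordering or a feed, set them when the post actually goes live, since its text says "Today, the Nature-group journal ... published my paper".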
diff --git a/pages/008-commsenv.html b/pages/008-commsenv.html | |
t@@ -0,0 +1,72 @@ | |
+<p>The majority of glaciers and ice sheets flow on a bed of loose | |
+and thawed sediments. These sediments are weakened by pressurized | |
+glacial meltwater, and their lubrication accelerates the ice movement. | |
+In formerly-glaciated areas of the world, for example Northern | |
+Europe, North America, and in the forelands of the Alps, the landscape | |
+is reshaped and remolded by past ice moving the sediments along | |
+with its flow. The sediment movement is also observed under current | |
+glaciers, both the fast-moving ice streams of the Greenland and | |
+Antarctic ice sheets, as well as smaller glaciers in the mountainous | |
+areas of Alaska, northern Sweden, and elsewhere. The movement of | |
+sediment could be important for the past progression of glaciations, | |
+and how resilient marine-terminating ice streams are against sea-level | |
+rise.</p> | |
+ | |
+<p>Today, the Nature-group journal <a | |
+href="https://www.nature.com/commsenv/">Communications Earth & | |
+Environment</a> published my paper on sediment beneath ice. Together | |
+with co-authors Liran Goren, University of the Negev (Israel), and | |
+Jenny Suckale, Stanford University (California, USA), we present a | |
+new computer model that simulates the coupled mechanical behavior | |
+of ice, sediment, and meltwater. We calibrate the model against | |
+real materials, and provide a way forward for including sediment | |
+transport in ice-flow models. We also show that water-pressure | |
+variations with the right frequency can create create very weak | |
+sections inside the bed, and this greatly enhances sediment transport. | |
+I designed the freely-available program <a | |
+href="https://src.adamsgaard.dk/cngf-pf">cngf-pf</a> for the | |
+simulations.</p> | |
+ | |
+<h2>Abstract</h2> | |
+<blockquote> | |
+<b>Water pressure fluctuations control variability in sediment flux | |
+and slip dynamics beneath glaciers and ice streams</b> | |
+<br><br> | |
+Rapid ice loss is facilitated by sliding over beds consisting of | |
+reworked sediments and erosional products, commonly referred to as | |
+till. The dynamic interplay between ice and till reshapes the bed, | |
+creating landforms preserved from past glaciations. Leveraging the | |
+imprint left by past glaciations as constraints for projecting | |
+future deglaciation is hindered by our incomplete understanding of | |
+evolving basal slip. Here, we develop a continuum model of | |
+water-saturated, cohesive till to quantify the interplay between | |
+meltwater percolation and till mobilization that governs changes | |
+in the depth of basal slip under fast-moving ice. Our model explains | |
+the puzzling variability of observed slip depths by relating localized | |
+till deformation to perturbations in pore-water pressure. It | |
+demonstrates that variable slip depth is an inherent property of | |
+the ice-meltwater-till system, which could help understand why some | |
+paleo-landforms like grounding-zone wedges appear to have formed | |
+quickly relative to current till-transport rates. | |
+</blockquote> | |
+ | |
+<h2>Metrics</h2> | |
+<p>It is a substantial task to prepare a scientific publication. The | |
+commit counts below mark the number of revisions done during | |
+preparation of this paper:</p> | |
+ | |
+<ul> | |
+ <li>Main article text: 239 commits</li> | |
+ <li>Supplementary information text: 35 commits</li> | |
+ <li>Experiments and figures: 282 commits</li> | |
+ <li>Simulation software: 354 commits</li> | |
+</ul> | |
+ | |
+<h2>Links and references:</h2> | |
+<ul> | |
+ <li><a href="">Publication on journal webpage</a></li> | |
+ <li><a href="">Article PDF</a> (?? MB)</li> | |
+ <li><a href="">Supplementary information PDF</a> (?? MB)</li> | |
+ <li><a href="https://src.adamsgaard.dk/cngf-pf-exp1">Source code for p… | |
+ <li><a href="https://src.adamsgaard.dk/cngf-pf">Simulation software</a… | |
+</ul> | |
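Review bot: The three `<a href="">` entries under "Links and references" (journal webpage, article PDF, supplementary information PDF) have empty targets and "(?? MB)" size placeholders; an empty href resolves to the current page, so fill these in or drop the items before the post is published. The `<h2>Links and references:</h2>` heading also carries a trailing colon that the "Abstract" and "Metrics" headings do not.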
diff --git a/pages/008-commsenv.txt b/pages/008-commsenv.txt | |
t@@ -0,0 +1,70 @@ | |
+The majority of glaciers and ice sheets flow on a bed of loose and | |
+thawed sediments. These sediments are weakened by pressurized glacial | |
+meltwater, and their lubrication accelerates the ice movement. In | |
+formerly-glaciated areas of the world, for example Northern Europe, | |
+North America, and in the forelands of the Alps, the landscape is | |
+reshaped and remolded by past ice moving the sediments along with | |
+its flow. The sediment movement is also observed under current | |
+glaciers, both the fast-moving ice streams of the Greenland and | |
+Antarctic ice sheets, as well as smaller glaciers in the mountainous | |
+areas of Alaska, northern Sweden, and elsewhere. The movement of | |
+sediment could be important for the past progression of glaciations, | |
+and how resilient marine-terminating ice streams are against sea-level | |
+rise. | |
+ | |
+Today, the Nature-group journal Communications Earth & Environment | |
+published my paper on sediment beneath ice. Together with co-authors | |
+Liran Goren, University of the Negev (Israel), and Jenny Suckale, | |
+Stanford University (California, USA), we present a new computer | |
+model that simulates the coupled mechanical behavior of ice, sediment, | |
+and meltwater. We calibrate the model against real materials, and | |
+provide a way forward for including sediment transport in ice-flow | |
+models. We also show that water-pressure variations with the right | |
+frequency can create create very weak sections inside the bed, and | |
+this greatly enhances sediment transport. I designed the freely-available | |
+program cngf-pf for the simulations. | |
+ | |
+ | |
+## Abstract | |
+ | |
+ Water pressure fluctuations control variability in sediment | |
+ flux and slip dynamics beneath glaciers and ice streams | |
+ | |
+ Rapid ice loss is facilitated by sliding over beds consisting | |
+ of reworked sediments and erosional products, commonly referred | |
+ to as till. The dynamic interplay between ice and till reshapes | |
+ the bed, creating landforms preserved from past glaciations. | |
+ Leveraging the imprint left by past glaciations as constraints | |
+ for projecting future deglaciation is hindered by our incomplete | |
+ understanding of evolving basal slip. Here, we develop a continuum | |
+ model of water-saturated, cohesive till to quantify the interplay | |
+ between meltwater percolation and till mobilization that governs | |
+ changes in the depth of basal slip under fast-moving ice. Our | |
+ model explains the puzzling variability of observed slip depths | |
+ by relating localized till deformation to perturbations in | |
+ pore-water pressure. It demonstrates that variable slip depth | |
+ is an inherent property of the ice-meltwater-till system, which | |
+ could help understand why some paleo-landforms like grounding-zone | |
+ wedges appear to have formed quickly relative to current | |
+ till-transport rates. | |
+ | |
+ | |
+## Metrics | |
+ | |
+It is a substantial task to prepare a scientific publication. The | |
+commit counts below mark the number of revisions done during | |
+preparation of this paper: | |
+ | |
+ - Main article text: 239 commits | |
+ - Supplementary information text: 35 commits | |
+ - Experiments and figures: 282 commits | |
+ - Simulation software: 354 commits | |
+ | |
+ | |
+## Links and references: | |
+ | |
+ - Publication on journal webpage: | |
+ - Article PDF (?? MB): | |
+ - Supplementary information PDF (?? MB): | |
+ - Source code for producing figures: git://src.adamsgaard.dk/cngf-pf-exp1 | |
+ - Simulation software: git://src.adamsgaard.dk/cngf-pf |
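Review bot: "can create create very weak sections" in the second paragraph has a doubled word (the .html copy has the same). The first three entries under "## Links and references:" end in a bare colon with no URL and still carry "(?? MB)" placeholders, so the list should be completed or trimmed before this file is served.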