| add post on ssh tunnels and delay commsenv post - adamsgaard.dk - my academic … | |
| git clone git://src.adamsgaard.dk/adamsgaard.dk | |
| --- | |
| commit 65b18f20bc2ade25e39e73eba31e742ebb5931c6 | |
| parent aee9726f65f6c76cba4af628da15b41f52344e69 | |
| Author: Anders Damsgaard <[email protected]> | |
| Date: Fri, 11 Dec 2020 17:13:42 +0100 | |
| add post on ssh tunnels and delay commsenv post | |
| Diffstat: | |
| A pages/007-ssh-tunnels.cfg | 7 +++++++ | |
| A pages/007-ssh-tunnels.html | 144 +++++++++++++++++++++++++++++… | |
| A pages/007-ssh-tunnels.txt | 136 +++++++++++++++++++++++++++++… | |
| A pages/008-commsenv.cfg | 7 +++++++ | |
| A pages/008-commsenv.html | 72 +++++++++++++++++++++++++++++… | |
| A pages/008-commsenv.txt | 70 +++++++++++++++++++++++++++++… | |
| 6 files changed, 436 insertions(+), 0 deletions(-) | |
| --- | |
| diff --git a/pages/007-ssh-tunnels.cfg b/pages/007-ssh-tunnels.cfg | |
| t@@ -0,0 +1,7 @@ | |
| +filename=ssh-tunnels.html | |
| +title=No VPN? No problem! Using SSH tunnels for remote access to closed networ… | |
| +description=Here I illustrate ssh-based solutions to various tasks requiring a… | |
| +id=ssh-tunnels | |
| +tags=ssh, vpn | |
| +created=2020-12-11 | |
| +updated=2020-12-11 | |
| diff --git a/pages/007-ssh-tunnels.html b/pages/007-ssh-tunnels.html | |
| t@@ -0,0 +1,144 @@ | |
| +<h2>Rationale</h2> | |
| + | |
| +<p>Corporate and academic networks are closed by design, with routers | |
| +and firewalls forwarding and filtering content going to and from | |
| +the wider internet. For security reasons this is an absolute | |
| +necessity, as the guardkeeping prevents unwanted incoming connections | |
| +to the networked devices.</p> | |
| + | |
| +<p>However, it is often necessary to connect to internal devices or | |
| +services from the outside. This could be the case if an employee | |
| +needs to access a shared database on the company network, or a | |
| +subscription website only allows full access from a certain range | |
| +of IP addresses. Network administrators usually offer virtual | |
| +private network (VPN) access to achieve such goals. Unfortunately, | |
| +VPN access occasionally requires particular software that may not | |
| +work on all operating systems. In other cases, the network | |
| +administrators may enforce strict requirements to the remote systems | |
| +before allowing VPN access.</p> | |
| + | |
| +<pre><code> ###### Closed Network ###### | |
| + # # | |
| + # +----------+ +----------+ +----------+ | |
| + # | Office | | Router/ | ? | Outside | | |
| + # | Computer |<~~~~>| Firewall | ? ? | Computer | | |
| + # +----------+ +----------+ +----------+ | |
| + # # | |
| + ############################ | |
| +</code></pre> | |
| + | |
| +<p>So what do you do if you need outside access to a network, have no | |
| +administrative rights over the router and firewall, and cannot (or | |
| +don't want to) access via VPN? Fortunately, OpenSSH, the widely | |
| +used secure shell (SSH) implementation, offers simple and secure | |
| +solutions to this problem. Almost all Linux/BSD/UNIX/MacOS systems | |
| +come with OpenSSH preinstalled, so you might already have it on | |
| +your system.</p> | |
| + | |
| +<p>If you can access the closed network from the outside via SSH, this | |
| +makes things straightforward as described in Scenario 1 below. If | |
| +not, see Scenario 2.</p> | |
| + | |
| + | |
| +<h2>Scenario 1: SSH access available from the outside</h2> | |
| + | |
| +<p>Some networks are configured to allow outsiders to connect to an | |
| +internal SSH server through port forwarding on the network router:</p> | |
| + | |
| +<pre><code> ###### Closed Network ###### | |
| + # # | |
| + # +----------+ +----------+ +----------+ | |
| + # | Office | SSH | Router/ | SSH | Outside | | |
| + # | Computer |<~~~~~| Firewall |<~~~~~| Computer | | |
| + # +----------+ +----------+ +----------+ | |
| + # # | |
| + ############################ | |
| +</code></pre> | |
| + | |
| +<p>For the purposes described here, this is an ideal situation since | |
| +it is easy to create a tunnel that connects the outside computer | |
| +with the internal network via SSH. The following command creates | |
| +the tunnel:</p> | |
| + | |
| +<pre><code>ssh -D 1337 -C -N company-domain.com | |
| +</code></pre> | |
| + | |
| +<p>Note that the port number specified with the -D option should be | |
| +greater than 1000 when running as an unpriviledged (non-root) user. | |
| +The -C option turns on compression, which is useful for slow network | |
| +connections at the cost of little CPU overhead.</p> | |
| + | |
| +<p>With the SSH tunnel in place, you can make most webbrowsers and | |
| +other network programs on the outside computer use the tunnel for | |
| +all their network traffic by pointing them to the SOCKSv5 proxy | |
| +"socks://localhost:1337". This allows access from programs on the | |
| +outside computer to any device within the closed network. Connections | |
| +to the wider internet utilizing the tunnel will originate from an | |
| +IP address associated with the closed network, achieving the | |
| +objectives stated above.</p> | |
| + | |
| + | |
| +<h2>Scenario 2: SSH access unavailable from the outside</h2> | |
| + | |
| +<p>Unfortunately, outside SSH access to corporate networks is becoming | |
| +increasingly rare. However, the OpenSSH toolset again offers a | |
| +solution if you have a persistent SSH server outside of the network | |
| +at your disposal:</p> | |
| + | |
| +<pre><code> ###### Closed Network ###### | |
| + # # | |
| + # +----------+ +----------+ +---------+ +---------+ | |
| + # | Office | SSH | Router/ | SSH | Outside | SSH | Outside | | |
| + # | Computer |<~~~~>| Firewall |<~~~~>| Server |<~~~~~| Laptop | | |
| + # +----------+ +----------+ +---------+ +---------+ | |
| + # # | |
| + ############################ | |
| +</code></pre> | |
| + | |
| +<p>As long as you can initiate *outgoing* SSH connections from inside | |
| +the closed network to your outside SSH server, you can create a | |
| +reverse ssh tunnel and utilize it in a similar manner as in the | |
| +previous scenario. On the office computer, create a reverse tunnel | |
| +to the outside server:</p> | |
| + | |
| +<pre><code>ssh -f -N -R 10022:localhost:22 outside-server.com | |
| +</code></pre> | |
| + | |
| +<p>As long as the above command runs, you can initiate new SSH connections | |
| +from the outside server to the office computer with the command | |
| +`ssh -p 10022 localhost`. If you're working from an outside laptop, | |
| +you can utilize this reverse tunnel to connect to the office computer | |
| +and network. Add the following configuration to `~/.ssh/config` | |
| +on the outside laptop:</p> | |
| + | |
| +<pre><code>Host office_computer | |
| + ProxyCommand ssh -q outside-server.com nc localhost 10022 | |
| +</code></pre> | |
| + | |
| +<p>With the above configuration, it is very easy to establish a SSH | |
| +connection from the outside laptop to the office computer:</p> | |
| + | |
| +<pre><code>ssh office_computer | |
| +</code></pre> | |
| + | |
| +<p>As in the previous exapmle, you can use this setup to create a SSH | |
| +tunnel all the way from outside laptop to the office computer:</p> | |
| + | |
| +<pre><code>ssh -D 1337 -C -N office_computer | |
| +</code></pre> | |
| + | |
| +<p>Again, this creates a SOCKSv5 proxy that you can use for tunneling | |
| +network traffic from the outside laptop to the closed network. It | |
| +is useful to automatically monitor the tunnel status using pgrep(1), | |
| +and reinitialize it if the ssh command unexpectedly quits.</p> | |
| + | |
| + | |
| +<h2>References</h2> | |
| + | |
| +<ul> | |
| +<li>OpenSSH: <a href="https://www.openssh.com/">https://www.openssh.com/</a></… | |
| +<li>ssh(1) manual page: <a href="https://man.openbsd.org/ssh">https://man.open… | |
| +<li>gramscii(1), used for drawings in this post: git://bitreich.org/gramscii</… | |
| +</ul> | |
| + | |
| +<p>Thanks to KatolaZ for feedback on this post.</p> | |
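Review bot: The `-D` port guidance in the paragraph after `ssh -D 1337 -C -N company-domain.com` says "greater than 1000", but the ports that require root are those below 1024, so this should read "1024 or greater". In Scenario 2 the paragraphs carry Markdown markup into the HTML (`*outgoing*`, the backticks around `ssh -p 10022 localhost` and `~/.ssh/config`), which will render literally; use <em> and <code> there. Typos in this hunk: "unpriviledged", "exapmle", and "guardkeeping" (presumably "gatekeeping").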
| diff --git a/pages/007-ssh-tunnels.txt b/pages/007-ssh-tunnels.txt | |
| t@@ -0,0 +1,136 @@ | |
| +# NO VPN? NO PROBLEM! USING SSH TUNNELS FOR REMOTE ACCESS TO CLOSED NETWORKS | |
| + | |
| +## Rationale | |
| + | |
| +Corporate and academic networks are closed by design, with routers | |
| +and firewalls forwarding and filtering content going to and from | |
| +the wider internet. For security reasons this is an absolute | |
| +necessity, as the guardkeeping prevents unwanted incoming connections | |
| +to the networked devices. | |
| + | |
| +However, it is often necessary to connect to internal devices or | |
| +services from the outside. This could be the case if an employee | |
| +needs to access a shared database on the company network, or a | |
| +subscription website only allows full access from a certain range | |
| +of IP addresses. Network administrators usually offer virtual | |
| +private network (VPN) access to achieve such goals. Unfortunately, | |
| +VPN access occasionally requires particular software that may not | |
| +work on all operating systems. In other cases, the network | |
| +administrators may enforce strict requirements to the remote systems | |
| +before allowing VPN access. | |
| + | |
| + ###### Closed Network ###### | |
| + # # | |
| + # +----------+ +----------+ +----------+ | |
| + # | Office | | Router/ | ? | Outside | | |
| + # | Computer |<~~~~>| Firewall | ? ? | Computer | | |
| + # +----------+ +----------+ +----------+ | |
| + # # | |
| + ############################ | |
| + | |
| +So what do you do if you need outside access to a network, have no | |
| +administrative rights over the router and firewall, and cannot (or | |
| +don't want to) access via VPN? Fortunately, OpenSSH, the widely | |
| +used secure shell (SSH) implementation, offers simple and secure | |
| +solutions to this problem. Almost all Linux/BSD/UNIX/MacOS systems | |
| +come with OpenSSH preinstalled, so you might already have it on | |
| +your system. | |
| + | |
| +If you can access the closed network from the outside via SSH, this | |
| +makes things straightforward as described in Scenario 1 below. If | |
| +not, see Scenario 2. | |
| + | |
| + | |
| +## Scenario 1: SSH access available from the outside | |
| + | |
| +Some networks are configured to allow outsiders to connect to an | |
| +internal SSH server through port forwarding on the network router: | |
| + | |
| + ###### Closed Network ###### | |
| + # # | |
| + # +----------+ +----------+ +----------+ | |
| + # | Office | SSH | Router/ | SSH | Outside | | |
| + # | Computer |<~~~~~| Firewall |<~~~~~| Computer | | |
| + # +----------+ +----------+ +----------+ | |
| + # # | |
| + ############################ | |
| + | |
| +For the purposes described here, this is an ideal situation since | |
| +it is easy to create a tunnel that connects the outside computer | |
| +with the internal network via SSH. The following command creates | |
| +the tunnel: | |
| + | |
| + ssh -D 1337 -C -N company-domain.com | |
| + | |
| +Note that the port number specified with the -D option should be | |
| +greater than 1000 when running as an unpriviledged (non-root) user. | |
| +The -C option turns on compression, which is useful for slow network | |
| +connections at the cost of little CPU overhead. | |
| + | |
| +With the SSH tunnel in place, you can make most webbrowsers and | |
| +other network programs on the outside computer use the tunnel for | |
| +all their network traffic by pointing them to the SOCKSv5 proxy | |
| +"socks://localhost:1337". This allows access from programs on the | |
| +outside computer to any device within the closed network. Connections | |
| +to the wider internet utilizing the tunnel will originate from an | |
| +IP address associated with the closed network, achieving the | |
| +objectives stated above. | |
| + | |
| + | |
| +## Scenario 2: SSH access unavailable from the outside | |
| + | |
| +Unfortunately, outside SSH access to corporate networks is becoming | |
| +increasingly rare. However, the OpenSSH toolset again offers a | |
| +solution if you have a persistent SSH server outside of the network | |
| +at your disposal: | |
| + | |
| + ###### Closed Network ###### | |
| + # # | |
| + # +----------+ +----------+ +---------+ +---------+ | |
| + # | Office | SSH | Router/ | SSH | Outside | SSH | Outside | | |
| + # | Computer |<~~~~>| Firewall |<~~~~>| Server |<~~~~~| Laptop | | |
| + # +----------+ +----------+ +---------+ +---------+ | |
| + # # | |
| + ############################ | |
| + | |
| +As long as you can initiate *outgoing* SSH connections from inside | |
| +the closed network to your outside SSH server, you can create a | |
| +reverse ssh tunnel and utilize it in a similar manner as in the | |
| +previous scenario. On the office computer, create a reverse tunnel | |
| +to the outside server: | |
| + | |
| + ssh -f -N -R 10022:localhost:22 outside-server.com | |
| + | |
| +As long as the above command runs, you can initiate new SSH connections | |
| +from the outside server to the office computer with the command | |
| +`ssh -p 10022 localhost`. If you're working from an outside laptop, | |
| +you can utilize this reverse tunnel to connect to the office computer | |
| +and network. Add the following configuration to `~/.ssh/config` | |
| +on the outside laptop: | |
| + | |
| + Host office_computer | |
| + ProxyCommand ssh -q outside-server.com nc localhost 10022 | |
| + | |
| +With the above configuration, it is very easy to establish a SSH | |
| +connection from the outside laptop to the office computer: | |
| + | |
| + ssh office_computer | |
| + | |
| +As in the previous exapmle, you can use this setup to create a SSH | |
| +tunnel all the way from outside laptop to the office computer: | |
| + | |
| + ssh -D 1337 -C -N office_computer | |
| + | |
| +Again, this creates a SOCKSv5 proxy that you can use for tunneling | |
| +network traffic from the outside laptop to the closed network. It | |
| +is useful to automatically monitor the tunnel status using pgrep(1), | |
| +and reinitialize it if the ssh command unexpectedly quits. | |
| + | |
| + | |
| +References: | |
| + | |
| +- OpenSSH: https://www.openssh.com/ | |
| +- ssh(1) manual page: https://man.openbsd.org/ssh | |
| +- gramscii(1), used for drawings in this post: git://bitreich.org/gramscii | |
| + | |
| +Thanks to KatolaZ for feedback on this post. | |
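Review bot: The closing advice to monitor the tunnel with pgrep(1) does not match the reverse-tunnel command as written: `ssh -f -N -R 10022:localhost:22 outside-server.com` stays alive when the remote forward could not be bound or the connection has silently stalled, so a process check reports a tunnel that is not usable. Suggest adding `-o ExitOnForwardFailure=yes` and a `-o ServerAliveInterval=30` style keepalive so ssh exits and the restart logic actually triggers. The `ProxyCommand ssh -q outside-server.com nc localhost 10022` line depends on nc being installed on the outside server; `ProxyCommand ssh -q -W localhost:10022 outside-server.com` does the same without it. It would also help to state that port 10022 listens on the outside server's loopback by default, so every account on that server can reach the office computer's sshd and key-only authentication there is advisable. Style: "References:" is the only section without a `##` heading. The wording points apply equally to the .html copy.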
| diff --git a/pages/008-commsenv.cfg b/pages/008-commsenv.cfg | |
| t@@ -0,0 +1,7 @@ | |
| +filename=commsenv.html | |
| +title=New paper out on the coupled dynamics of ice, meltwater, and till | |
| +description=A brief summary of my new paper published in Communications Earth … | |
| +id=commsenv | |
| +tags=science, glaciology, ice sheet | |
| +created=2020-12-09 | |
| +updated=2020-12-09 | |
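Review bot: `created=2020-12-09` and `updated=2020-12-09` are earlier than the `2020-12-11` dates in 007-ssh-tunnels.cfg, although the commit message says this post is being delayed and it is numbered after 007. If page order or feeds are derived from these fields the post will sort before 007, and the body's "Today, the Nature-group journal ... published my paper" will be stale by the time it goes out; set both dates to the actual publication day.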
| diff --git a/pages/008-commsenv.html b/pages/008-commsenv.html | |
| t@@ -0,0 +1,72 @@ | |
| +<p>The majority of glaciers and ice sheets flow on a bed of loose | |
| +and thawed sediments. These sediments are weakened by pressurized | |
| +glacial meltwater, and their lubrication accelerates the ice movement. | |
| +In formerly-glaciated areas of the world, for example Northern | |
| +Europe, North America, and in the forelands of the Alps, the landscape | |
| +is reshaped and remolded by past ice moving the sediments along | |
| +with its flow. The sediment movement is also observed under current | |
| +glaciers, both the fast-moving ice streams of the Greenland and | |
| +Antarctic ice sheets, as well as smaller glaciers in the mountainous | |
| +areas of Alaska, northern Sweden, and elsewhere. The movement of | |
| +sediment could be important for the past progression of glaciations, | |
| +and how resilient marine-terminating ice streams are against sea-level | |
| +rise.</p> | |
| + | |
| +<p>Today, the Nature-group journal <a | |
| +href="https://www.nature.com/commsenv/">Communications Earth & | |
| +Environment</a> published my paper on sediment beneath ice. Together | |
| +with co-authors Liran Goren, University of the Negev (Israel), and | |
| +Jenny Suckale, Stanford University (California, USA), we present a | |
| +new computer model that simulates the coupled mechanical behavior | |
| +of ice, sediment, and meltwater. We calibrate the model against | |
| +real materials, and provide a way forward for including sediment | |
| +transport in ice-flow models. We also show that water-pressure | |
| +variations with the right frequency can create create very weak | |
| +sections inside the bed, and this greatly enhances sediment transport. | |
| +I designed the freely-available program <a | |
| +href="https://src.adamsgaard.dk/cngf-pf">cngf-pf</a> for the | |
| +simulations.</p> | |
| + | |
| +<h2>Abstract</h2> | |
| +<blockquote> | |
| +<b>Water pressure fluctuations control variability in sediment flux | |
| +and slip dynamics beneath glaciers and ice streams</b> | |
| +<br><br> | |
| +Rapid ice loss is facilitated by sliding over beds consisting of | |
| +reworked sediments and erosional products, commonly referred to as | |
| +till. The dynamic interplay between ice and till reshapes the bed, | |
| +creating landforms preserved from past glaciations. Leveraging the | |
| +imprint left by past glaciations as constraints for projecting | |
| +future deglaciation is hindered by our incomplete understanding of | |
| +evolving basal slip. Here, we develop a continuum model of | |
| +water-saturated, cohesive till to quantify the interplay between | |
| +meltwater percolation and till mobilization that governs changes | |
| +in the depth of basal slip under fast-moving ice. Our model explains | |
| +the puzzling variability of observed slip depths by relating localized | |
| +till deformation to perturbations in pore-water pressure. It | |
| +demonstrates that variable slip depth is an inherent property of | |
| +the ice-meltwater-till system, which could help understand why some | |
| +paleo-landforms like grounding-zone wedges appear to have formed | |
| +quickly relative to current till-transport rates. | |
| +</blockquote> | |
| + | |
| +<h2>Metrics</h2> | |
| +<p>It is a substantial task to prepare a scientific publication. The | |
| +commit counts below mark the number of revisions done during | |
| +preparation of this paper:</p> | |
| + | |
| +<ul> | |
| + <li>Main article text: 239 commits</li> | |
| + <li>Supplementary information text: 35 commits</li> | |
| + <li>Experiments and figures: 282 commits</li> | |
| + <li>Simulation software: 354 commits</li> | |
| +</ul> | |
| + | |
| +<h2>Links and references:</h2> | |
| +<ul> | |
| + <li><a href="">Publication on journal webpage</a></li> | |
| + <li><a href="">Article PDF</a> (?? MB)</li> | |
| + <li><a href="">Supplementary information PDF</a> (?? MB)</li> | |
| + <li><a href="https://src.adamsgaard.dk/cngf-pf-exp1">Source code for p… | |
| + <li><a href="https://src.adamsgaard.dk/cngf-pf">Simulation software</a… | |
| +</ul> | |
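Review bot: The first three entries under "Links and references:" have `href=""` and "(?? MB)" placeholders, so the page would publish with links that point back to itself and unknown file sizes; fill these in or drop the entries until the URLs exist. In the second paragraph, `Communications Earth & Environment` contains a bare `&` that should be `&amp;`, and "can create create very weak sections" repeats a word. The heading "Links and references:" is the only <h2> with a trailing colon.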
| diff --git a/pages/008-commsenv.txt b/pages/008-commsenv.txt | |
| t@@ -0,0 +1,70 @@ | |
| +The majority of glaciers and ice sheets flow on a bed of loose and | |
| +thawed sediments. These sediments are weakened by pressurized glacial | |
| +meltwater, and their lubrication accelerates the ice movement. In | |
| +formerly-glaciated areas of the world, for example Northern Europe, | |
| +North America, and in the forelands of the Alps, the landscape is | |
| +reshaped and remolded by past ice moving the sediments along with | |
| +its flow. The sediment movement is also observed under current | |
| +glaciers, both the fast-moving ice streams of the Greenland and | |
| +Antarctic ice sheets, as well as smaller glaciers in the mountainous | |
| +areas of Alaska, northern Sweden, and elsewhere. The movement of | |
| +sediment could be important for the past progression of glaciations, | |
| +and how resilient marine-terminating ice streams are against sea-level | |
| +rise. | |
| + | |
| +Today, the Nature-group journal Communications Earth & Environment | |
| +published my paper on sediment beneath ice. Together with co-authors | |
| +Liran Goren, University of the Negev (Israel), and Jenny Suckale, | |
| +Stanford University (California, USA), we present a new computer | |
| +model that simulates the coupled mechanical behavior of ice, sediment, | |
| +and meltwater. We calibrate the model against real materials, and | |
| +provide a way forward for including sediment transport in ice-flow | |
| +models. We also show that water-pressure variations with the right | |
| +frequency can create create very weak sections inside the bed, and | |
| +this greatly enhances sediment transport. I designed the freely-available | |
| +program cngf-pf for the simulations. | |
| + | |
| + | |
| +## Abstract | |
| + | |
| + Water pressure fluctuations control variability in sediment | |
| + flux and slip dynamics beneath glaciers and ice streams | |
| + | |
| + Rapid ice loss is facilitated by sliding over beds consisting | |
| + of reworked sediments and erosional products, commonly referred | |
| + to as till. The dynamic interplay between ice and till reshapes | |
| + the bed, creating landforms preserved from past glaciations. | |
| + Leveraging the imprint left by past glaciations as constraints | |
| + for projecting future deglaciation is hindered by our incomplete | |
| + understanding of evolving basal slip. Here, we develop a continuum | |
| + model of water-saturated, cohesive till to quantify the interplay | |
| + between meltwater percolation and till mobilization that governs | |
| + changes in the depth of basal slip under fast-moving ice. Our | |
| + model explains the puzzling variability of observed slip depths | |
| + by relating localized till deformation to perturbations in | |
| + pore-water pressure. It demonstrates that variable slip depth | |
| + is an inherent property of the ice-meltwater-till system, which | |
| + could help understand why some paleo-landforms like grounding-zone | |
| + wedges appear to have formed quickly relative to current | |
| + till-transport rates. | |
| + | |
| + | |
| +## Metrics | |
| + | |
| +It is a substantial task to prepare a scientific publication. The | |
| +commit counts below mark the number of revisions done during | |
| +preparation of this paper: | |
| + | |
| + - Main article text: 239 commits | |
| + - Supplementary information text: 35 commits | |
| + - Experiments and figures: 282 commits | |
| + - Simulation software: 354 commits | |
| + | |
| + | |
| +## Links and references: | |
| + | |
| + - Publication on journal webpage: | |
| + - Article PDF (?? MB): | |
| + - Supplementary information PDF (?? MB): | |
| + - Source code for producing figures: git://src.adamsgaard.dk/cngf-pf-exp1 | |
| + - Simulation software: git://src.adamsgaard.dk/cngf-pf |
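Review bot: The source links at the end differ between the two renderings: this file gives `git://src.adamsgaard.dk/cngf-pf-exp1` and `git://src.adamsgaard.dk/cngf-pf`, while the .html copy links `https://src.adamsgaard.dk/...`, so a reader of the text version gets no browsable address; consider listing the https URL alongside the clone URL. The entries "Publication on journal webpage:", "Article PDF (?? MB):" and "Supplementary information PDF (?? MB):" end without a target, and "create create" is duplicated here as well. The paper title at the top of the abstract is not set apart from the abstract body as it is (bold) in the .html copy; a blank line is the only separator.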