Department of Computer Science and Technology

Remote access to Lab Systems

This page explains how to access Computer Laboratory systems from machines outside the Computer Laboratory network.

If you are already using public/private key pairs to connect to CL systems, you can connect as usual — just make sure you add the location you are connecting from to your authorized_keys file. Otherwise, there are several different methods to connect to Lab machines while away:

Kerberos-based access using a VPN

A Virtual Private Network (VPN) is a means of extending a private network over a public link. In the context of the Computer Laboratory, it generally refers to a means of making a personal machine, typically a laptop or home computer, appear to be on the university or departmental network. There are three main reasons for doing this:

  • To bypass firewall and access control restrictions that apply to direct connections from the external network
  • To gain access to external services such as online journals that are authenticated by calling IP address
  • To add a layer of security to your network traffic when using an untrusted network, particularly when travelling

In order to open a VPN, the machine must present credentials to prove entitlement to access the private network.

There are two VPN services available to members of the Computer Laboratory, both provided centrally by University Information Services. The first is a generic service available to any member of the university, and gives the machine an IP address on the Cambridge University Data Network (CUDN). The second is a tailored version, available only to members of the Computer Laboratory, which gives the machine an address in the department's address space.

Generic VPN service

This is the preferred VPN service to use if it meets your needs: you will get an IP address in CUDN-private IP space, with any external connections you make going through the NAT gateway. You can find detailed information for making connections from a variety of client systems on the University Information Services website.

If you have problems using this service, the UIS service desk should be able to help you.

Computer Laboratory VPN service

This service should be used if you explicitly need an IP address belonging to the Computer Laboratory. Your machine will get a global IP address which does not need the NAT gateway for external connections; the relatively small supply of such addresses is one reason that the generic service is preferred.

To use the tailored version of the service, you should follow the documentation under the heading "Configuring clients". You will need to change the service name vpn.uis.cam.ac.uk to vpn.cl.cam.ac.uk; for some platforms, you will need to download the appropriate Computer Laboratory versions of certificate and/or configuration files.

Note that when entering your login credentials, the form [Javascript required] given in the documentation does not change.

All members of the department should be automatically granted access to the service, but there may be some errors and omissions. If the generic VPN service works but you are wrongly denied access to the CL service, please contact [Javascript required].

Security precautions

When you are connected to a VPN, your machine behaves in most respects as if it were directly connected to the remote network. This means that when using the VPN services described here, you become subject to the CUDN and JANET acceptable use policies. All VPN connections are logged against your CRSid and network traffic may be traced back to you. You should ensure that the anti-virus software on your machine is up to date, and take appropriate precautions to protect your credentials from unauthorised use.

SSH using one-time passwords

Logging in from untrusted machines such as public computers exposes passwords to snooping: you can never be certain that the machine you are connecting from has not been compromised. Even if the network connection is made over a secure channel like ssh, the password can be intercepted by a keylogger. This is known to have been the cause of at least one user-account compromise which was subsequently elevated to a root compromise on several lab machines.

One-time passwords (OTPW) are a solution to this, but require some advance preparation. The idea is to generate a set of passwords and use each one only once as prompted by the login. One-time passwords can only be generated on a Linux machine.

Generating passwords

Note that generation of a new password sheet should only be done over a secure channel using ssh and from a trusted machine. Make sure you generate your password sheet before you set off!

To generate a set of passwords, use the cl-otpw-gen program on slogin-otpw. You will then be asked to input a prefix password, which should be at least 8 characters long and consist of both letters and numbers (e.g. tpf4apf2tl). This will output an ASCII list of one-time passwords:

OTPW list generated 2003-11-13 11:32 on sandy.cl.cam.ac.uk

000 yD9+ t3Wz  056 9wFf YkqU  112 Fe2S :QFP  168 fu2u nwji  224 DHsc wOf%
001 d9xT Rkpu  057 +rrN 9PLh  113 ytqC G39f  169 tE7t keFE  225 4nCC /zY5
002 :+e+ h+Ut  058 UHMY HzK=  114 eP3y fzw4  170 QQvn vneS  226 :pu5 p4x7
003 MqSo 4JA:  059 RfuB 5gyA  115 v=G4 xhYw  171 g5cr ZRCa  227 utgi mHSy

If you want to print the password list on the default printer you can just input

cl-otpw-gen | lpr

Using passwords

OTPW can only be used if you are logging into slogin-otpw. The next time you log in to it from outside the department, when a user key is not available, you will be prompted for Password NNN:, in which case you should enter the prefix password, immediately followed by the (usually eight character) one-time password number NNN from your sheet, without the space shown on the printed sheet. Using the above example, if the prefix were tpf4apf2tl, the correct string to enter when prompted for Password 170: is tpf4apf2tlQQvnvneS.

Security depends on no-one being able to copy a significant portion of the sheet — if an attacker has control over the local machine and a copy of more than half of the current password sheet, then he or she may well be able to access the account. If at any time you lose your sheet, or use up more than half the passwords on it (at which point you will be prompted on login that this is the case), then generate another sheet using the above process. After this, none of the passwords on the previous sheets will be useful to anyone, so you can throw them away.

Under certain circumstances, you may be prompted for three of the passwords on the sheet — this happens when concurrent logins are attempted. In this case the prompt will be in the form of Password NNNN/NNNN/NNNN. See http://www.cl.cam.ac.uk/~mgk25/otpw.html for more details.
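The following is an added illustration of the scheme the two sections above describe; it is constructed example code, not the real otpw implementation or the cl-otpw-gen wrapper. It models the points a user relies on: the prefix password is never written down, the printed sheet holds only short suffixes, the server stores one-way hashes of prefix+suffix rather than either secret, every entry is accepted at most once, a concurrent login is challenged with three entries typed after the prefix, and a warning fires once more than half the sheet is used. The suffix alphabet, the hash function and the handling of failed attempts are assumptions of this model, not facts about the real program.

```python
"""Simplified model of an OTPW-style one-time password login (added example).

Constructed illustration, not the real otpw code or the cl-otpw-gen wrapper.
"""
import hashlib
import secrets
import string

SUFFIX_LEN = 8
# Assumed alphabet for the printed suffixes; the real generator's character
# set is not reproduced here.
ALPHABET = string.ascii_letters + string.digits + "+:/%="


def _digest(text):
    # One-way hash; the real scheme's hash and truncation are not modelled.
    return hashlib.sha256(text.encode()).hexdigest()


def generate_sheet(prefix, entries=280):
    """Return (server_state, sheet).

    sheet maps entry number -> suffix and is what the user prints.
    server_state keeps only hashes of prefix+suffix, so a copy of the server
    file reveals neither the prefix nor the suffixes."""
    sheet, hashes = {}, {}
    for n in range(entries):
        suffix = "".join(secrets.choice(ALPHABET) for _ in range(SUFFIX_LEN))
        sheet[n] = suffix
        hashes[n] = _digest(prefix + suffix)
    state = {"hashes": hashes, "used": set(), "locked": False}
    return state, sheet


def format_entry(n, suffix):
    """Render an entry the way the page's sheet shows it ('170 QQvn vneS');
    the space is for readability only and is not typed at login."""
    return f"{n:03d} {suffix[:4]} {suffix[4:]}"


def challenge(state):
    """Choose the entries to ask for: one unused number normally, three when
    another login is already in progress (the Password NNNN/NNNN/NNNN case)."""
    unused = sorted(set(state["hashes"]) - state["used"])
    k = 3 if state["locked"] else 1
    if len(unused) < k:
        raise RuntimeError("sheet exhausted: generate a new one")
    return secrets.SystemRandom().sample(unused, k)


def login(state, challenged, entered):
    """Verify 'prefix + suffix' (or 'prefix + suffix + suffix + suffix')
    typed at the prompt.

    The server never stores the prefix: it splits the typed string using the
    known suffix length and checks the hash of prefix+suffix per entry."""
    k = len(challenged)
    if any(n in state["used"] or n not in state["hashes"] for n in challenged):
        return False  # replay of a burnt entry, or an unknown entry number
    if len(entered) <= k * SUFFIX_LEN:
        return False  # no room for a prefix at all
    cut = len(entered) - k * SUFFIX_LEN
    prefix, tail = entered[:cut], entered[cut:]
    suffixes = [tail[i * SUFFIX_LEN:(i + 1) * SUFFIX_LEN] for i in range(k)]
    ok = all(
        secrets.compare_digest(_digest(prefix + s), state["hashes"][n])
        for n, s in zip(challenged, suffixes)
    )
    if ok:
        # Burn every challenged entry so it can never be accepted again
        # (simplification: failed attempts do not consume entries here).
        state["used"].update(challenged)
    return ok


def half_used(state):
    """True once more than half the sheet is gone: the page's cue to generate
    a fresh sheet, which makes every entry on the old one worthless."""
    return 2 * len(state["used"]) > len(state["hashes"])


if __name__ == "__main__":
    state, sheet = generate_sheet("tpf4apf2tl", entries=6)  # constructed prefix
    for n in sheet:
        print(format_entry(n, sheet[n]))
    asked = challenge(state)
    print("Password %s:" % "/".join(f"{n:03d}" for n in asked))
    print("accepted:", login(state, asked, "tpf4apf2tl" + sheet[asked[0]]))
    print("replay accepted:", login(state, asked, "tpf4apf2tl" + sheet[asked[0]]))
```

The model makes two of the page's warnings concrete: a keylogger on an untrusted machine captures one prefix+suffix string, but the burnt entry is rejected on replay, so what it gains is the prefix plus whatever part of the sheet it can also read; and generating a new sheet replaces the whole hash table, which is why old sheets can be discarded.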

Disabling OTPW

If for some reason you want to disable the use of one-time passwords for logging in to your account, run cl-otpw-gen -p1 -nh 1 -w 1 and then log in once to use up the single entry.

Remote Desktop

Remote Desktop access is available to Windows workstations. By default, access from outside the CL network is denied but can be enabled on request by e-mailing win-admin. Using Remote Desktop from outside the Computer Laboratory network is a potential security risk as you need to type your password at a keyboard to log in. You should therefore only use Remote Desktop from a trusted machine such as your laptop or a workstation you own. You should never use it from a shared machine or cybercafe. It is safe to use it from MCS machines around the University of Cambridge and colleges.

The client software for macOS can be downloaded from Microsoft; for Linux clients, the rdesktop program is available. Windows clients have a built-in application which can be run by typing mstsc into the command prompt window.

Most newer machines are set to power down when not in use, so before you can start a Remote Desktop session you will need to power your machine back on using Wake on LAN (WoL). This can be done via the web page http://www-dyns.cl.cam.ac.uk/cgi/raven/boot-mc.cgi, by entering either the MAC address of the machine you wish to wake up or its name. If the name does not work, you need to register the name/MAC pair for WoL by mailing sys-admin.
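As an added example of what a Wake on LAN request amounts to on the wire (constructed illustration, not the code behind the department's boot-mc.cgi page), the block below validates a MAC address in the common notations and builds the standard magic packet: six 0xFF bytes followed by the MAC address repeated sixteen times, normally sent as a UDP broadcast. The packet carries no authentication at all, which is why a sender like this belongs behind an authenticated front end; the page's URL sits under /cgi/raven/, which suggests (an assumption here) that the CGI is reached through the University's Raven web login. The broadcast address and port used by send_magic_packet are defaults chosen for the example.

```python
"""Wake on LAN magic packet construction (added example, constructed code)."""
import re
import socket

# Accepts aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabbccddeeff; the back-
# reference \2 forces one consistent separator throughout.
_MAC_RE = re.compile(
    r"^([0-9A-Fa-f]{2})([-:]?)(?:[0-9A-Fa-f]{2}\2){4}[0-9A-Fa-f]{2}$"
)


def is_valid_mac(text):
    """True if text is a six-octet MAC address in one of the accepted forms."""
    return _MAC_RE.match(text.strip()) is not None


def parse_mac(text):
    """Return the six raw bytes of a MAC address, rejecting anything else."""
    text = text.strip()
    if not is_valid_mac(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(re.sub(r"[-:]", "", text))


def magic_packet(mac):
    """Build the 102-byte WoL payload: 6 x 0xFF, then the MAC 16 times."""
    return b"\xff" * 6 + parse_mac(mac) * 16


def send_magic_packet(mac, broadcast="255.255.255.255", port=9):
    """Broadcast the magic packet as UDP; returns the number of bytes sent.

    Port 9 (discard) and the limited broadcast address are conventional
    defaults; a sender on another subnet would need a directed broadcast
    or a relay on the target LAN, which is what a central CGI provides."""
    payload = magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(payload, (broadcast, port))


if __name__ == "__main__":
    # Constructed sample MAC address, not a real machine.
    print(magic_packet("00:11:22:33:44:55").hex())
```

Because magic_packet is a pure function, the payload can be checked offline; only send_magic_packet touches the network, and the name-to-MAC lookup that the page says sys-admin registers is deliberately left outside this example.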