Using SSH Tunnels

If remote access to a particular port on an Ames Laboratory machine is required by an employee, a more palatable alternative to making the system green-zone visible is to set up an encrypted tunnel via SSH. This can be done easily with the openssh command-line client or the SSH client available from the ISU site license. The documenation below is specific to the ISU SSH version for Windows, but should be easily translated to the openssh client (try 'man ssh' at a command line in *nix or Mac OSX).

Create and then edit a profile as described in the SSH documentation. Then click on the "Tunneling" tab to setup the tunnels.

1. If X Windows is all you want to tunnel simply check this box and then click "OK"
2. Make sure the Outgoing tab is selected and
3. Click the Add... button to add a new tunnel.

The following dialog box will appear:

1. Enter a display name; this is an arbitrary identifier but should be descriptive.
2. Choose the protocol. If unsure, you probably want TCP.
3. Select the listen port. This is the port number that you will contact on your local machine in order to communicate with the remote machine.
4. Check this box to restrict connections to local only. If this is not checked then other people can contact the Ames Laboratory system through your tunnel remotely. This is bad and you will be held responsible for incidents that occur due to this not being checked.
5. Enter the hostname of the destination host on the Ames Laboratory network. For instance, to browse internal web pages enter "www.internal.ameslab.gov" here.
6. Enter the port number to connect to on the remote system.

After entering all the required information, click "Ok" and then "Ok" again to exit the profile editor. After exiting, edit the same profile again.

1. Check this box if an interactive login is not required. This will prevent the system from dropping the connection after 30 seconds of inactivity on the interactive login screen.