To CTIO Users:

In general, ssh directly into CTIO machines from the outside is now strongly discouraged for security reasons, particularly for older machines such as ctio60. Any machine at CTIO that offers ssh is subjected to a constant rain of ssh dictionary (password-guessing) attacks, 24 hours a day, seven days a week, which is the ultimate reason we tightened things up. The secure, recommended technique, and the industry best practice, is to create a VPN tunnel into the CTIO firewall and then do the ssh or scp inside the tunnel. The VPN puts a second layer of authentication (the group secret plus a user name and password) in front of ssh, so the ssh service itself is no longer exposed to the whole internet. This technique is described in the attachment below. It is generally pretty easy to set up, but one has to install a VPN client and set a few parameters for the connection: the IP address of the firewall, the group name and password, and a user name and password.

----8<-----------------8<----------------8<-----------

General Instructions on Connecting to CTIO's VPN Accounts

There are several VPN accounts at CTIO set up for users, remote observers, and other specialized functions. The VPN accounts made available to observers and users are typically "point to point": the user's computer connects to a CTIO VPN server using IPsec VPN software. Once the VPN connection is established, all traffic to and from the client appears to come from CTIO; the client's IP address becomes 139.229.XXX.YYY for *all* of its traffic (typically XXX is '14').

To connect from Linux, for example, one can use the standard open-source VPN client 'vpnc', available in most Linux distributions. One edits a configuration file (given at the end of this document) called 'remotevpn' or whatever, and then types 'vpnc remotevpn', which should make the connection. Typically the configuration files live in the directory '/etc/vpnc'. Because the file holds the group secret and (optionally) the user password in clear text, it should be readable only by root (mode 600); if the Xauth password line is left out, vpnc prompts for the password when connecting.

Under Windows (and Mac, although I've heard rumors that the native OS X VPN client works OK), one would bring in the latest and greatest Cisco VPN client, which is available at CTIO's FTP site:
ftp://www.ctio.noao.edu/pub/software/VPN_CLIENTS

from where one can select from these (and others; the Linux-flavored Cisco VPN clients are also available there but are not recommended). Files with "darwin" in the name are for the Mac, those with "win" are for Windows:

vpnclient-darwin-4.9.01.0030-universal-k9.dmg
vpnclient-windows-5.0.00.0340-readme.txt
vpnclient-win-msi-5.0.00.0340-k9-bundle.exe

There are other Linux files and readme files there as well, but the three above are probably the ones most likely to be of interest. The difference between the ...win-is... and ...win-msi... versions relates to the Windows installation machinery on a particular computer: ...win-is... corresponds to "InstallShield", supposedly. Typically we just use the ...win-msi... version, which works great with WinXP Pro.

There is one detail which *may* still be broken (particularly with 'vpnc'): if things do not appear to work even after an apparently successful connection, it may be that the correct DNS server did not get set up. Once the VPN is connected the DNS server should be 139.229.13.148; in principle it is set up automatically, but if not, *one may have to set it manually* (on Linux, look at /etc/resolv.conf after connecting). (NOTE: this problem seems to have gone away with newer versions of the various VPN clients; it is included here just in case.)

The detailed values of the IPsec gateway, group ID and password, and user ID and password will be sent by FAX or given out over the phone when appropriate. Contact CTIO's CISS (ciss@ctio.noao.edu) for more information or with any questions or comments.

NOTES: The mapping from the 'vpnc' flavor (see below the dashed line) to the Cisco VPN client entries is straightforward: the IPSec gateway is just the Host (the VPN server host), the IPSec ID is the Group Authentication Name, and the IPSec secret is the Group Authentication Password. Under the Cisco client, once one connects, a popup window asks for the generic user account and password, which are the last two lines below the dashes.
One should not select "Transparent Tunneling", nor ideally "Local Access", which is obsolete and meant to work with the older, insecure "Split Tunnel" feature of the Cisco VPN. At CTIO we follow the industry best-practice security recommendation of running the VPN with "hairpinning" (a full tunnel rather than a split tunnel): ALL traffic, once the VPN channel is established, will appear to come from CTIO and will have the CTIO firewall rules applied to it. Think of it as a security cloak. The flip side is that the client's ordinary internet traffic also passes through CTIO for as long as the VPN is up.

Transparent tunneling is a fairly specialized feature typically used to connect to a dedicated Cisco VPN device inside the gateway; such devices are equipped to handle the *re*-encapsulation of IPsec packets and Authentication Headers, whereas the CTIO VPN is implemented by a simple PIX 525 firewall. Typically the transparent tunneling feature is a way to connect two subnets together rather than a single client to a subnet (we use it at CTIO to connect the Business Office to the office in Santiago, for example). It can be used for clients, but there is a significant performance penalty for the additional security (such as the cloaking of the *real* source or destination IP addresses). At CTIO one should NOT select "Window Logon" in the Cisco configuration.

-------------------------------
Typical 'vpnc' file for the CTIO VPN network

IPSec gateway 139.229.XXX.YYY
IPSec ID name_of_vpn
IPSec secret [the string from the second line]
Xauth username real_or_virtual_user
Xauth password [the string from the fourth line]
-------------------

Please direct questions to Jim Hughes, CISS, jhughes@ctio.noao.edu
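An added example, not part of the CTIO notice and not vpnc's own code, for checking a Linux vpnc setup of the kind described above: a POSIX shell script that verifies the config file carries the five required lines and is not readable by other local accounts (it holds the group secret and the user password in clear text), that the DNS server named above actually appears in /etc/resolv.conf after connecting, and that the default route leaves through the tunnel interface, which is what the "all traffic appears to come from CTIO" full tunnel looks like from the client side. Assumptions: vpnc's tunnel interface is tun0, 'ip' is available for reading routes, the script name vpncheck.sh is hypothetical, and 192.0.2.1 in the comments is a documentation placeholder rather than a CTIO address. Run it after 'vpnc remotevpn' has reported a connection.

```shell
#!/bin/sh
# Added example (not CTIO's or vpnc's own code): post-connect sanity checks
# for a vpnc configuration. Assumptions: the config is a vpnc file of the
# form shown in the notice, vpnc's tunnel interface is tun0, and 'ip' is
# available for reading the routing table.

# The five keys a CTIO-style vpnc file must carry. They are separated by
# '|' so that keys containing spaces survive word splitting in the loop.
REQUIRED_KEYS='IPSec gateway|IPSec ID|IPSec secret|Xauth username|Xauth password'

# check_vpnc_conf FILE
# Returns 0 if FILE contains every required key and has no group/other
# permission bits at all. The file holds the group secret and the Xauth
# password in clear text, so anything looser than mode 600 hands the VPN
# credentials to every local account on the machine.
check_vpnc_conf() {
    f="$1"
    [ -f "$f" ] || { echo "no such config: $f" >&2; return 1; }
    rc=0
    old_ifs=$IFS
    IFS='|'
    for key in $REQUIRED_KEYS; do
        grep -q "^$key " "$f" || { echo "$f: missing line '$key ...'" >&2; rc=1; }
    done
    IFS=$old_ifs
    # Columns 5-10 of 'ls -l' output are the group and other permission bits.
    perm=$(ls -ld "$f" | cut -c5-10)
    case $perm in
        *[rwx]*) echo "$f: group/other permissions '$perm' (want mode 600)" >&2; rc=1 ;;
    esac
    return $rc
}

# check_dns RESOLV_FILE EXPECTED_IP
# Returns 0 if RESOLV_FILE lists EXPECTED_IP as a nameserver, i.e. the VPN
# client pushed the CTIO resolver into /etc/resolv.conf. Dots in the IP are
# escaped so they match literally rather than as regex wildcards.
check_dns() {
    ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -Eq "^[[:space:]]*nameserver[[:space:]]+${ip_re}([[:space:]]|$)" "$1"
}

# route_via_tunnel ROUTE_TEXT [IFACE]
# ROUTE_TEXT is the output of 'ip route show default'. Returns 0 if the
# default route leaves through IFACE (tun0 unless given). With a full
# tunnel (no split tunnel) every packet should take this path; a default
# route still pointing at the LAN interface means traffic is not cloaked.
route_via_tunnel() {
    printf '%s\n' "$1" | grep -Eq "^default .*dev ${2:-tun0}( |$)"
}

# Usage: sh vpncheck.sh /etc/vpnc/remotevpn.conf 139.229.13.148
# (vpncheck.sh is a hypothetical name; the config path follows the notice
# and the DNS server is the one it names.) With no arguments the script
# only defines the functions above.
if [ "$#" -ge 2 ]; then
    status=0
    check_vpnc_conf "$1" || status=1
    check_dns /etc/resolv.conf "$2" \
        || { echo "DNS server $2 not in /etc/resolv.conf; set it manually" >&2; status=1; }
    route_via_tunnel "$(ip route show default 2>/dev/null)" \
        || { echo "default route is not via tun0; traffic is not going through the VPN" >&2; status=1; }
    exit $status
fi
```

The permission check reads the mode from 'ls -l' rather than 'stat' because the 'stat' flags differ between GNU and BSD userlands; the DNS and route checks take their input as a file and a string so they can be run against captured output as well as the live system.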