Technical Note - Working From Home

Summary

This tech note addresses two separate aspects of working from home:

  • File transfer
  • Running software remotely

If you are looking for help with reading email, you should consult the email tech note.

Details

Which machine to connect to.

From Trimester 2 2025 onwards access to ECS systems from off campus needs to go via the machine entry.ecs.vuw.ac.nz.

If you just want to transfer files, entry.ecs.vuw.ac.nz should be as good an endpoint as any other ECS system, but to connect in a more interactive way you will need to connect to entry and then from there connect to some internal system. Your files are visible on any of the School's servers, but depending on what sort of user you are (Undergraduate/Graduate/Staff) you only have access to a subset of them. Likely machines to try are greta-pt.ecs.vuw.ac.nz or barretts.ecs.vuw.ac.nz, as these are accessible to all. Workstations and specialist servers can also be accessed as a two-step process: connect to entry and then from there connect to the machine you want.

Authenticating to entry.ecs.vuw.ac.nz

Before connecting to entry.ecs.vuw.ac.nz you will need to have set up one or the other of the following authentication mechanisms:

ssh keys

On your remote system you need to run ssh-keygen to generate an ssh keypair. Then you need to copy the public key part of the pair (probably named something like id_ed25519.pub) into your ~/.ssh/authorized_keys file under your ECS home directory.

Note: PuTTY and WinSCP use a slightly different file format for the keys. You can convert between the PuTTY and OpenSSH forms using PuTTYgen.

For details on using ssh keys see for example this page.
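The key installation step above, as an added example that is not part of the original tech note: a shell function to run on an ECS machine once the .pub file has been copied there. The function name install_pubkey and its return codes are assumptions made for this example; it rejects private keys and PuTTY-format files, sets the permissions sshd expects, and does not add the same key twice.

```shell
#!/bin/sh
# install_pubkey PUBFILE [HOME_DIR]   (hypothetical helper, not an ECS tool)
# Appends one OpenSSH public key to HOME_DIR/.ssh/authorized_keys.
install_pubkey() {
    pub=$1
    home=${2:-$HOME}
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # Only the .pub half of the pair should ever leave your own machine.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub is a private key; use the .pub file instead" >&2
        return 2
    fi

    # An OpenSSH public key is one line: "type base64-blob [comment]".
    key=$(grep -v '^[[:space:]]*$' "$pub" | head -n 1)
    case $key in
        ssh-ed25519\ AAAA*|ssh-rsa\ AAAA*|ecdsa-sha2-*\ AAAA*|sk-*\ AAAA*) ;;
        *)  echo "$pub is not in OpenSSH format (PuTTY key? convert with PuTTYgen)" >&2
            return 3 ;;
    esac

    # sshd (StrictModes, on by default) ignores authorized_keys when it or
    # ~/.ssh is writable by group or others, so set owner-only modes.
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 4
    auth=$home/.ssh/authorized_keys
    touch "$auth" && chmod 600 "$auth" || return 4

    # Idempotent: match on "type blob" so a different comment is not a new key.
    blob=$(printf '%s\n' "$key" | awk '{print $1 " " $2}')
    if grep -qF -- "$blob" "$auth"; then
        return 0
    fi

    # Do not glue the new key onto an existing last line without a newline.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi
    printf '%s\n' "$key" >> "$auth"
}

# Usage on an ECS machine, after copying the public key over:
#   install_pubkey ~/id_ed25519.pub
```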

google authenticator

This authentication method will ask for a "One Time Token" along with your normal ECS username and password.

To provide the "One Time Token" you first need to generate a secret key file. This is done by running the google-authenticator command on any ECS Linux machine and answering "y" to all of the questions. As part of this, google-authenticator will provide a QR code to help with adding the config to your authenticator app of choice (see below), so it probably makes sense to have that ready before you run google-authenticator.

You need to load the secret key into something that can provide you with the "One Time Token" when needed - typically this is an app on your phone such as "Microsoft Authenticator", "Google Authenticator", Bitwarden, FreeOTP or similar. You create a new account in your app by either scanning the QR code that google-authenticator provided when you set up your secret key file or by entering the secret key manually.

Note that, when logging in, the "One Time Token" will only be asked for once every 30 days (for any given remote address).

For more information on Google Authenticator see for example this page.

File Transfer

File transfer from ECS machines is achieved using SCP or SFTP. There are many clients available for a variety of operating systems.

  • Windows: We recommend WinSCP.
  • OS X: You can use the command-line scp and sftp commands, or something like Cyberduck, Mountain Duck or Fugu, if you prefer GUIs.
  • *nix variants: You should have command-line scp and sftp on your machine.

Working Remotely

Terminal (SSH)

The ECS network is configured to allow incoming ssh connections for all students. You should be able to access a machine from anywhere in the world.

  • Windows: Windows users will want to use PuTTY to get an SSH connection.
  • OS X, *nix variants: You should have ssh installed and accessible from the command-line.

X Forwarding (SSH with X forwarding)

X forwarding is the process of having X windows drawn on your own screen rather than on the remote machine. This means that you can interact with our NetBSD GUI programs at home.

ALERT! Because all interactions have to be transmitted to an ECS machine and then the window section redrawn and sent back to you, this method can be slow, particularly so on an international connection. Where possible, it may make more sense to transfer the documents you wish to use with scp, and then run programs on your own machine. Many of the programs ECS utilises are open-source and free to install at home.

To view the X windows, you need an X window server to be running:

  • Windows: Cygwin is the best way to achieve this. To start your X server when Cygwin is installed, you run xinit from the Cygwin window.
    More recent (Nov 2016) installations of Cygwin on the School's Windows workstations appear to provide a better rendered X window if you type startxwin instead of xinit.
  • OS X: You need to install the X11 optional package called XQuartz: https://www.xquartz.org/
  • *nix variants: You should already have an X server running.

Once the X server is running, you should run ssh -X [username]@[host]. For example, Lindsay Kingston logs in with ssh -X kingstlind@entry.ecs.vuw.ac.nz.

Full Remote Session (VNC)

ALERT! Advanced users only

VNC needs to be tunneled through SSH, as the traffic it sends is unencrypted. To get a VNC session, you should do the following:
  1. Start vncserver by SSHing onto an ECS server. Not all servers will work; use embassy or regent.
    • For the first time only, run vncpasswd, to create a vnc password file.
    • Run vncserver
      • vncserver :1 # 1 is the display number, you may have to use a different number if it is already being used
    • Take note of the outputted information. You need the port number.
      • Eg. vncext: Listening for VNC connections on all interface(s), port 5901
  2. Create an SSH tunnel:
    • For Windows and PuTTY:
      • Select Connection -> SSH -> Tunnel.
      • Type [port number] into the Source Port box (eg. "5901").
      • Type [host]:[port number] into the Destination box (eg. embassy.ecs.vuw.ac.nz:5901)
      • Select Open and login as normal.
    • For OS X and *nix variants: Type ssh -L [port number]:localhost:[port number] [host] (eg. ssh -L 5901:localhost:5901 embassy.ecs.vuw.ac.nz or, if connecting via entry.ecs, then something like
      ssh -J ecsusername@entry.ecs.vuw.ac.nz -L 5901:localhost:5901 ecsusername@embassy.ecs.vuw.ac.nz)
  3. Start your VNC client.
  4. Type in localhost:[port number] (eg. localhost:5901).
  5. When you are finished, close the client.
  6. Make sure you kill the vnc server by exiting your first ssh session.
  7. Exit your SSH tunnel.

The password used by the VNC server to control access is set with the vncpasswd command and is stored in ~/.config/tigervnc/passwd. If you need to reset the password, delete ~/.config/tigervnc/passwd first. An old configuration directory, ~/.vnc, can also cause problems. If it is there, delete it and all its contents with 'rm -r ~/.vnc'.

Full Remote Session (VPN) [Staff and Thesis Students only]

Windows and Mac users may use Remote Desktop Connection over VPN for effective access to campus services and ECS Windows servers. For VPN installation see the ITS Remote access.