Setting Up An Automatic SSH Tunnel To Epsilon
With the Coronavirus not showing any signs of letting up, we need to be prepared to work on projects remotely for some time. When working remotely, lab members log in to the Epsilon portal and forward a local port to port 22 on Gimel, so that a second ssh session aimed at that local port lands on Gimel. Over the same connection we also open a SOCKS5 proxy, so that a browser pointed at it can reach web pages that are only visible inside the lab network. From the command line this is accomplished like so:
ssh -i <private key file> -CL localhost:<listen port>:gimel:22 -D<proxy port> <user>@portal.ucsf.bkslab.org
If your private key is protected by a passphrase, this first prompts you for it. Then, in another terminal, issue the following command, which opens a shell on the gimel server through the forwarded port:
ssh -i <private key file> -p <listen port> <user>@localhost
Connecting to Epsilon/Gimel via terminal works well enough, but has a pitfall: connection resets. Every time your connection to Epsilon is reset you have to restart the tunnel by hand. This becomes very tedious, but thankfully there are some tools that can help us.
autossh is a wrapper around the ssh client that restarts ssh automatically when the connection is reset. It can be installed on macOS or Linux from the command line; if you're on Windows (like me) you can install it inside the Windows Subsystem for Linux. However, if your private key is protected by a passphrase, every reconnect will still stop and wait for you to type it in, which brings us to our next tool...
sshpass is a simple tool for ssh that will automatically enter your ssh password when it's prompted. This can be chained together with autossh to set up an ssh connection that will automatically reconnect and enter your password when the connection is reset. Here's what that looks like:
sshpass -P "assphrase" -p <password> autossh -i <private key file> -CL localhost:<listen port>:gimel:22 -D<proxy port> <user>@portal.ucsf.bkslab.org
The -P option specifies the prompt string sshpass should look for before it enters your password; it matches a substring of the prompt, which is why "assphrase" above is enough. When connecting to Epsilon this prompt is "Enter your passphrase", whereas with Gimel the prompt is "Enter your password". The password does not have to be given in plain text with -p: you can read it from a file (-f) or from the SSHPASS environment variable (-e). Prefer one of those two, because a password passed with -p is visible, at least briefly, in the process list (ps) to every user on the machine, and stays in your shell history. Unfortunately the version of sshpass installed via apt-get or similar is incompatible with newer ssh clients, so you will need to compile and install a newer version of sshpass from source. To top it off, I've run into some issues while trying to chain sshpass and autossh together, which means this is an unreliable solution.
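As an added example (not part of the original tutorial and not the lab's own tooling), here is the same tunnel as the two ssh commands above, written as an ssh_config stanza and kept alive by autossh, with ssh-agent holding the key passphrase so that sshpass is not needed at all. The config file path ~/.ssh/epsilon_config, the key file ~/.ssh/id_epsilon, the host aliases "epsilon" and "gimel", and the ports 2222 and 1080 are assumptions, not lab settings.

```shell
#!/usr/bin/env bash
# Added example, not the lab's own tooling: the Epsilon/Gimel tunnel written
# as an ssh_config stanza and kept alive by autossh, with ssh-agent supplying
# the key passphrase so sshpass is not needed at all.
# Assumptions (not from the page): config file ~/.ssh/epsilon_config, key
# ~/.ssh/id_epsilon, host aliases "epsilon" and "gimel", ports 2222 and 1080.
set -eu

# Write the tunnel definition to its own config file (used with ssh -F), so
# the long command lines collapse to "ssh -F <cfg> epsilon".
# ServerAliveInterval/CountMax make ssh notice a dead link (3 x 30 s here) and
# exit, which is the signal autossh -M 0 waits for before reconnecting.
# ExitOnForwardFailure prevents a half-working session in which the local
# listen port was already taken and the forward silently did not bind.
write_tunnel_config() {
  local cfg="$1" user="$2" key="$3" listen_port="$4" proxy_port="$5"
  cat >"$cfg" <<EOF
Host epsilon
    HostName portal.ucsf.bkslab.org
    User $user
    IdentityFile $key
    Compression yes
    LocalForward localhost:$listen_port gimel:22
    DynamicForward localhost:$proxy_port
    ServerAliveInterval 30
    ServerAliveCountMax 3
    ExitOnForwardFailure yes

# "ssh -F <cfg> gimel" opens a shell on Gimel in one step: ProxyJump tunnels
# the second hop through the portal and authenticates it with the local key.
Host gimel
    HostName gimel
    User $user
    IdentityFile $key
    ProxyJump epsilon
EOF
  chmod 600 "$cfg"
}

# Reject anything that is not a TCP port number before it reaches ssh.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then
    return 0
  fi
  return 1
}

# Load the key into ssh-agent once. The passphrase is typed at the ssh-add
# prompt and never appears on a command line, in ps output or in shell
# history; every ssh that autossh spawns later reuses the agent through
# SSH_AUTH_SOCK, so reconnects need no interaction.
load_key() {
  if [ -z "${SSH_AUTH_SOCK:-}" ]; then
    eval "$(ssh-agent -s)" >/dev/null
  fi
  ssh-add "$1"
}

# -M 0: no monitor port, rely on ServerAlive* to detect a dead link.
# -N: forwards only, no remote shell.  -f: background after starting.
# AUTOSSH_GATETIME=0: retry even when the very first attempt fails quickly
# (by default autossh gives up if ssh exits within 30 s of starting).
start_tunnel() {
  local cfg="$1" user="$2" key="$3" listen_port="$4" proxy_port="$5"
  if ! valid_port "$listen_port" || ! valid_port "$proxy_port"; then
    echo "start_tunnel: ports must be 1-65535" >&2
    return 1
  fi
  write_tunnel_config "$cfg" "$user" "$key" "$listen_port" "$proxy_port"
  load_key "$key"
  AUTOSSH_GATETIME=0 autossh -M 0 -f -N -F "$cfg" epsilon
  echo "tunnel up: shell with 'ssh -F $cfg gimel', SOCKS5 on localhost:$proxy_port"
}
```

Usage: source the file and run `start_tunnel ~/.ssh/epsilon_config <user> ~/.ssh/id_epsilon 2222 1080`; you are asked for the passphrase exactly once, by ssh-add. Afterwards `ssh -F ~/.ssh/epsilon_config gimel` gives the Gimel shell (the original `ssh -p 2222 <user>@localhost` still works too, since the LocalForward is kept), and the browser's SOCKS5 proxy is localhost:1080. The config is written to a separate file and used with -F so it cannot clobber an existing ~/.ssh/config.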
Bitvise (Windows) / Secure Pipes (Mac OS)
Bitvise/Secure Pipes are GUI ssh clients that have some very useful features for us. Both of these clients will automatically reconnect when their ssh connection is reset, and will also take care of entering your password/passphrase. Other necessary features include Client-to-Server port forwarding and SOCKS5 proxy forwarding. Since I am on Windows I use the Bitvise ssh client, but Secure Pipes has all the same features.
Setting up your Bitvise profile for Epsilon
Step 1: Add your keys. Navigate to "Client Key Manager" and import your private key file. Your public key is not imported into the client; it has to be in your authorized_keys on Epsilon, as for command-line ssh.
"Host Key Manager" holds the server's host key, not yours. Bitvise offers to save Epsilon's host key the first time you connect; compare the fingerprint it shows with the one the lab gave you before accepting, since that saved key is what lets the client notice a spoofed or changed portal later.
Step 2: Configure Login Settings. Set the authentication method to "publickey", set "Client Key" to the private key you just imported, and enter its passphrase. Saving the passphrase in the profile is what lets Bitvise reconnect without asking you, but it also means anyone who can open your Windows session can use the key, so only do this on a machine that nobody else logs in to.
Step 3: Configure your SOCKS Proxy Forwarding Settings. Set Listen Interface to localhost (127.0.0.1, so the proxy is not reachable by other machines on your network) and Listen Port to 1080 (or whatever port you want).
Step 4: Configure your C2S port forwarding. Add a new entry in the C2S tab, set Listen Interface to localhost (again 127.0.0.1, not all interfaces), Listen Port to 2222 (or whatever port you want), and Destination Host:Port to gimel:22.
Now save your profile. You should be able to log in to Epsilon and have the connection maintained automatically by Bitvise. You can close the Bitvise window, which minimizes it to the notification area (on Windows). This tutorial shows how to set up the Bitvise client, but the same steps apply to Secure Pipes, which works in much the same way.