New York University Faculty of Arts and Science College of Arts and Science Graduate School of Arts and Science

Computing Resources


Mounting your CIMS Home Directory via SSH Tunneling



What is SSH Tunneling?

A tunnel is a networking term with an appropriate name. It refers to a connection, usually encrypted, that connects two computers together across another, usually untrusted network. Picture a mountain of evil internet users sitting between your laptop and the CIMS server. You don't want to just throw your traffic really hard at the mountain and hope it gets there; you want to first form a protected tunnel from you to CIMS, and then send the traffic through it.

Take this typical scenario: you're at work or at home, merrily typing away on your wireless laptop. You want to retrieve your e-mail from CIMS. If you connect to the machine directly, your e-mail client will send your login and password "in the clear." This means that a nefarious individual somewhere between you and your mail server (either elsewhere on your wireless network, or even "on the wire" if you are separated by an untrusted network) could be listening, and grab a copy of your information en route. This login could then be used not only to gain unauthorized access to your e-mail, but in many cases will also grant a shell account on your mail server!

To prevent this, you can use the tunneling capabilities of SSH. An SSH tunnel works like this: rather than connecting to the mail server directly, we establish an SSH connection to the internal network that the mail server lives in (frequently, the mail server itself). Your SSH client software sets up a port forwarding mechanism, so that traffic that goes to your laptop's POP port magically gets forwarded over the encrypted tunnel and ends up at the mail server's POP port. You then point your e-mail client to your local POP port, and it thinks it is talking to the remote end (only this time, the entire session is encrypted).

With the tunnel in place, anyone who tries to monitor the conversation between your laptop and the mail server will get something resembling line noise.


SSH Tunneling: Windows 95/98/ME/NT/2000/XP/Vista/7

Follow these step-by-step instructions to create an SSH tunnel with Windows. The last step then describes how to mount your CIMS home directory on your Windows machine. Step 2 shows how to create a tunnel with the program plink, which is PuTTY's command-line interface to its back end.
  1. Go to My Network Places -> Properties -> Local Area Connection -> Properties and uninstall "File and Printer Sharing for Microsoft Networks".

    NOTE: You cannot just uncheck the box; you must uninstall it completely and restart your PC.

     

    To re-install the "File and Printer Sharing for Microsoft Networks" service go to the same window from which you uninstalled it (My Network Places -> Properties -> Local Area Connection -> Properties), press the "Install" button, select "Service" and press the "Add" button, select "File and Printer Sharing for Microsoft Networks" and press "OK".

  2. Now you can create a tunnel from your PC to the CIMS servers. Set up your ssh client to forward local TCP ports 139 and 445 to sam.cims.nyu.edu ports 139 and 445. The following gives an example of how to do this with plink (which you can download free using this link):

    To create an SSH Tunnel using Plink:

    • First, start a DOS command line on your Windows platform.

    • Then, either set the Windows Path variable so that DOS will know where to look for the plink program, or simply go to the directory that the plink.exe file is in.

    • Now type the following line (all on one line; make sure the "L" is capital):
      plink -ssh -L 139:sam.cims.nyu.edu:139 -L 445:sam.cims.nyu.edu:445 USERNAME@access.cims.nyu.edu

    • Enter your login and password when prompted.
  3. Now that you have created a tunnel, you can map a network drive in Windows and your CIMS home directory should appear on your PC as a separate drive. Right click on My Computer -> Map Network Drive, and enter \\127.0.0.1\USERNAME in the "Folder:" box as shown below:

    Uncheck the Reconnect at logon button. Then click "different user name" and enter your CIMS username and password.

     

  4. Finally, click OK and then Finish to connect.

** You cannot share files and/or printers to your LAN at the same time. Otherwise, port 139 will be used by the sharing service and will not be available for ssh. You need to uninstall the sharing service, which you can easily install again later -- simply unchecking the box next to "File and Printer Sharing for Microsoft Networks" will not work.


SSH Tunneling: Mac OS X

  1. Go to "Sharing" in "System Preferences". Make sure "Windows Sharing" is off.
  2. Open a Terminal and execute the following commands:
    sudo ifconfig lo0 alias 127.0.0.2 up

    sudo ssh -f -N -L 127.0.0.2:139:sam.cims.nyu.edu:139 \
    -L 127.0.0.2:445:sam.cims.nyu.edu:445 \
    USERNAME@access.cims.nyu.edu
    You will be asked for your local (Mac) password and then your CIMS password. The former is for the sudo command; the latter is for the ssh authentication.
  3. Go to Finder -> Go -> Connect to Server and enter the following in the address field:
    smb://127.0.0.2/USERNAME
    A dialog will come up and ask for your Username and Password. Enter your CIMS username and password respectively. Your home directory will appear on your desktop as a network drive.

SSH Tunneling: Linux

  1. Open a Terminal and execute the following commands:
    ssh -f -N -L 9900:sam.cims.nyu.edu:139 \
    USERNAME@access.cims.nyu.edu
    mount -t smbfs -o username=USERNAME,port=9900 \
    //localhost/USERNAME /YOUR_LOCAL_MOUNT_POINT

    The second command needs to be run as root (via sudo or otherwise). You will be prompted for a password, which is your CIMS password. Replace USERNAME with your CIMS username and YOUR_LOCAL_MOUNT_POINT with the directory where you want to mount your files.
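
The forwards above are only as private as the address they listen on: ssh binds a -L port to loopback unless -g or GatewayPorts is in effect, and a listener on 0.0.0.0 would let other hosts on the same untrusted network use your tunnel. The following check is an added example, not part of the original CIMS instructions; it assumes the Linux ss utility (iproute2), and the function names and sample listing are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): verify that an SSH local forward
# such as the ones above listens on loopback only.
# Live use on Linux:  ss -ltnH | check_forward 9900

# Print the bind address of every TCP listener on port $1.
# stdin: `ss -ltnH` lines (State Recv-Q Send-Q Local:Port Peer:Port).
listeners_for_port() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      n = match($4, /:[0-9]+$/)          # last colon, so [::1]:9900 parses
      if (n && substr($4, n + 1) == port) print substr($4, 1, n - 1)
    }'
}

# Succeed only for 127.0.0.0/8 and ::1.
is_loopback() {
  case "$1" in
    127.*|"[::1]") return 0 ;;
    *) return 1 ;;
  esac
}

# Exit status: 0 = loopback-only, 1 = reachable from other hosts, 2 = no listener.
check_forward() {
  port=$1
  addrs=$(listeners_for_port "$port")
  [ -n "$addrs" ] || { echo "port $port: no listener"; return 2; }
  while read -r addr; do
    is_loopback "$addr" || { echo "port $port: EXPOSED on $addr"; return 1; }
  done <<EOF
$addrs
EOF
  echo "port $port: loopback-only"
}

# Constructed sample of `ss -ltnH` output (not captured from a real host).
SAMPLE='LISTEN 0 128 127.0.0.1:9900 0.0.0.0:*
LISTEN 0 128 [::1]:9900 [::]:*
LISTEN 0 128 0.0.0.0:139 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

printf '%s\n' "$SAMPLE" | check_forward 9900
printf '%s\n' "$SAMPLE" | check_forward 139 || echo "(exit status $?)"
```

Run the check after starting the tunnel and before mounting; a status of 1 means the forward should be torn down and restarted with an explicit loopback bind address, as in the Mac OS X commands above.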