Remote Access

Remote access to systems in the LUH network is regulated, among other things, by the teleworking concept. Because of the current Corona situation and the home-office regulation, special rules apply and access to systems in the LUH network is enabled so that employees can work from home. Note that this is a temporary special form of "mobile working", not regular operation, and is to be distinguished from "teleworking".

If you have any questions, please contact your responsible system administrator / IT representative or support@luis.uni-hannover.de. Further information can be found here:


REMOTE ACCESS TO WINDOWS WITH REMOTE DESKTOP (RDP)

The server and client component of Remote Desktop is part of Windows, for other operating systems freerdp can be used.

Notes on configuration can be found in the telework documentation. For access from the university's VPN, Remote Desktop (tcp/3389) must be allowed in the network protection firewalls (where present). RDP should not be reachable directly from the Internet; reach it through the VPN or through an SSH tunnel as described in the Tunnel section below.


SSH (SECURE SHELL)

Tunnelling, use as a SOCKS5 proxy and automatic hops via jump hosts make OpenSSH particularly attractive. For remote access it is recommended to restrict logins from outside the university network to public-key authentication (see the sshd_config fragment below). OpenSSH is also available for Windows. Alternative clients for Windows:

  • PuTTY: a free SSH terminal program with a GUI for configuration. File transfer is also possible (pscp/psftp), but only from the command line, without a GUI.
  • WinSCP: GUI client for file transfer via scp/sftp over SSH; fits well with PuTTY as it can use the PuTTY SSH agent (Pageant) when working with SSH public/private keys.
  • FileZilla: file transfer program that supports FTP and FTPS (FTP over TLS) as well as SFTP (SSH file transfer).

/etc/ssh/sshd_config

To restrict password-based login, disable it globally and then re-enable it only for trusted networks using Match blocks at the end of /etc/ssh/sshd_config. Match blocks are evaluated in file order and, for each keyword, the first satisfied block that sets it wins; with the fragment below, public-key authentication is therefore enabled for everyone and password authentication only for the listed university ranges. After editing, check the syntax with sshd -t and keep an existing session open while reloading sshd, so that a mistake cannot lock you out.


PasswordAuthentication no
PubkeyAuthentication no

# and at the end of the file
# University internal
Match Address 130.75.0.0/16,10.0.0.0/8
PasswordAuthentication yes
PubkeyAuthentication yes

# Everyone
Match All
PubkeyAuthentication yes
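To see what the Match blocks actually do for a given client, the following script models the sshd_config(5) Match semantics (global keywords are defaults; Match blocks are evaluated in file order; for each keyword the first satisfied block that sets it wins) and evaluates the page's fragment for three source addresses. This is an added example, not part of the LUIS page and not OpenSSH code; it supports only "Match Address" and "Match All" (no negation, no User/Group/Host criteria), and the config text is embedded inline so it runs offline. It also shows the failure mode of forgetting the trailing "Match All" block, which would leave external clients with no authentication method at all.

```python
"""Resolve which sshd authentication settings apply to a given client address.

Added example, not part of the LUIS page and not OpenSSH code: a small
model of the Match semantics in sshd_config(5). Keywords outside any Match
block are the defaults; Match blocks are evaluated in file order, and for
each keyword the first satisfied block that sets it wins. Only the
"Match Address" and "Match All" criteria are modelled here.
"""
import ipaddress

# The page's sshd_config fragment (comments translated), embedded inline.
SSHD_CONFIG = """\
PasswordAuthentication no
PubkeyAuthentication no

# University internal
Match Address 130.75.0.0/16,10.0.0.0/8
PasswordAuthentication yes
PubkeyAuthentication yes

# Everyone
Match All
PubkeyAuthentication yes
"""

# The same fragment with the trailing "Match All" block forgotten.
SSHD_CONFIG_WITHOUT_MATCH_ALL = SSHD_CONFIG.split("# Everyone")[0]


def parse_sshd_config(text):
    """Return (global_settings, [(criteria, settings), ...]) in file order.

    Keywords are lower-cased; within a section the first occurrence of a
    keyword wins, as in sshd itself.
    """
    global_settings = {}
    blocks = []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        keyword, _, value = line.partition(" ")
        keyword, value = keyword.lower(), value.strip()
        if keyword == "match":
            current = {}
            blocks.append((value, current))
        else:
            current.setdefault(keyword, value)
    return global_settings, blocks


def match_satisfied(criteria, client_addr):
    """Evaluate a Match line against the client's source address."""
    tokens = criteria.split()
    if len(tokens) == 1 and tokens[0].lower() == "all":
        return True
    client = ipaddress.ip_address(client_addr)
    for key, patterns in zip(tokens[::2], tokens[1::2]):
        if key.lower() != "address":
            raise ValueError(f"unsupported Match criterion in this model: {key}")
        nets = (ipaddress.ip_network(p, strict=False) for p in patterns.split(","))
        if not any(client in net for net in nets):
            return False  # every criterion on the line must hold
    return True


def effective_settings(text, client_addr):
    """Settings sshd would apply to a connection from client_addr."""
    global_settings, blocks = parse_sshd_config(text)
    effective = dict(global_settings)
    decided = set()
    for criteria, settings in blocks:
        if not match_satisfied(criteria, client_addr):
            continue
        for keyword, value in settings.items():
            if keyword not in decided:  # first satisfied block wins per keyword
                effective[keyword] = value
                decided.add(keyword)
    return effective


def auth_methods(text, client_addr):
    """Which of password / public-key authentication are enabled for client_addr."""
    s = effective_settings(text, client_addr)
    # sshd defaults: both keywords are "yes" when unset anywhere.
    return {
        "password": s.get("passwordauthentication", "yes") == "yes",
        "pubkey": s.get("pubkeyauthentication", "yes") == "yes",
    }


if __name__ == "__main__":
    for cfg_name, cfg in (("page config", SSHD_CONFIG),
                          ("without Match All", SSHD_CONFIG_WITHOUT_MATCH_ALL)):
        for addr in ("130.75.47.11", "10.1.2.3", "203.0.113.7"):
            print(f"{cfg_name:18} {addr:14} {auth_methods(cfg, addr)}")
```

On the real server, the authoritative check is sshd's own test mode, e.g. sshd -T -C user=me,host=client.example,addr=203.0.113.7 | grep -i authentication (host and user values here are placeholders), which prints the effective configuration for that connection after applying the Match blocks.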


PubKey

To use SSH with public keys, a key pair must be created and the public key inserted on the target systems. The comment is used to identify the key in ~/.ssh/authorized_keys on the target system. RSA with 4096 bits is shown below; ed25519 (ssh-keygen -t ed25519) is the shorter modern alternative if all target systems support it.

ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa_zb -C "a comment"
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in ~/.ssh/id_rsa_zb
Your public key has been saved in ~/.ssh/id_rsa_zb.pub
The key fingerprint is:
SHA256:o6IkV/HHF1z2y2bHLYDZ3enO/lkjFYlxOWN24bjwAnQ a comment
The key's randomart image is:
+---[RSA 4096]----+
|         . Eo. oo|
|        ...* o*B+|
|    .    .=.oo===|
|     o .  ..ooooo|
|    . . S .. o*o+|
|   .   o o  .o+o |
|. o . .      . +.|
| + . .        o +|
|  .            oo|
+----[SHA256]-----+

The passphrase can be stored in KeePassXC together with the generated key (KeePassXC can also load the key into the SSH agent for you).

Insert into the target system (ssh-copy-id appends the public key to ~/.ssh/authorized_keys on the target; this one-off step still needs a password login, i.e. it must be done from a network where password authentication is allowed):

ssh-copy-id -i ~/.ssh/id_rsa_zb me@target

Use of the key:

ssh -i ~/.ssh/id_rsa_zb me@target

or when using an SSH Config in ~/.ssh/config:

Host target
	User me
	HostName target.ifzb.uni-hannover.de
	IdentityFile ~/.ssh/id_rsa_zb

via

ssh target
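After ssh-copy-id has run, it is worth checking that what landed in ~/.ssh/authorized_keys on the target is the key you generated: compare the fingerprint there with the SHA256 line ssh-keygen printed. The script below is an added example, not part of the LUIS page and not OpenSSH code; it parses authorized_keys lines (type, base64 blob, comment), derives the fingerprint exactly as ssh-keygen -lf does (SHA-256 over the decoded blob, base64 with the "=" padding stripped), and locates a key by the comment given to ssh-keygen -C. The sample key is constructed inline for the example (an ssh-ed25519 blob around a fixed 32-byte value) and is not a real key.

```python
"""Parse authorized_keys lines and compute the SHA256 fingerprint ssh-keygen shows.

Added example, not from the LUIS page and not OpenSSH code. The sample key
below is constructed for this example (a syntactically valid ssh-ed25519
public key blob around a fixed 32-byte value); it is not a real key and
cannot be used to log in anywhere.
"""
import base64
import hashlib
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def _ssh_string(data):
    """Encode bytes as an SSH wire-format string (uint32 length + bytes)."""
    return struct.pack(">I", len(data)) + data


# Constructed sample: the blob repeats the key type, then the 32-byte public value.
_SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_AUTHORIZED_KEYS = (
    "# keys deployed with ssh-copy-id\n"
    "ssh-ed25519 " + base64.b64encode(_SAMPLE_BLOB).decode() + " a comment\n"
    "\n"
)


def parse_authorized_keys(text):
    """Return a list of {"type", "blob", "comment"} dicts, one per key line.

    Blank lines and comment lines are skipped. Lines carrying a leading
    options field (e.g. from="...") are rejected rather than misparsed;
    extend the parser if you use such options.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 2 or not parts[0].startswith(KEY_TYPE_PREFIXES):
            raise ValueError(f"line {lineno}: unsupported or malformed key line")
        key_type, b64 = parts[0], parts[1]
        comment = parts[2] if len(parts) == 3 else ""
        blob = base64.b64decode(b64, validate=True)
        # The blob starts with its own type string; it must agree with field 1.
        (n,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + n] != key_type.encode():
            raise ValueError(f"line {lineno}: key type does not match blob")
        entries.append({"type": key_type, "blob": blob, "comment": comment})
    return entries


def sha256_fingerprint(blob):
    """Fingerprint as printed by ssh-keygen -lf: SHA256:<base64 digest, no padding>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_by_comment(entries, comment):
    """Locate deployed keys by the comment given to ssh-keygen -C."""
    return [e for e in entries if e["comment"] == comment]


if __name__ == "__main__":
    for entry in parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(entry["type"], sha256_fingerprint(entry["blob"]), entry["comment"])
```

Run it against the real file with parse_authorized_keys(open("~/.ssh/authorized_keys").read()) after expanding the path; the fingerprint it prints for your key must equal the SHA256 line ssh-keygen showed when the key was created (ssh-keygen -lf ~/.ssh/id_rsa_zb.pub recomputes it locally).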

File Transfer

SSH can also be used to transfer files and whole directories, e.g. with scp -r, sftp or rsync over SSH; the same keys and the Host entries in ~/.ssh/config apply to these tools as well.

ProxyJump

Besides the possibility of specifying the jump host as part of the ssh call:

$ ssh -J me@jump.ifzb.uni-hannover.de me@target.ifzb.uni-hannover.de

this can also be done in the ~/.ssh/config:

Host target
	User me
	HostName target.ifzb.uni-hannover.de
	ProxyJump me@jump.ifzb.uni-hannover.de

SOCKS5 Proxy

As part of the SSH call (-D opens the SOCKS proxy on local port 8080; -f sends ssh to the background, -C enables compression, -q suppresses warnings and -N runs no remote command):

$ ssh -D 8080 -f -C -q -N me@target.ifzb.uni-hannover.de

or ~/.ssh/config:

Host target
	User me
	HostName target.ifzb.uni-hannover.de
	DynamicForward 8080

The SOCKS5 proxy (localhost:8080) can then be used from Firefox with FoxyProxy, with URL patterns for the domains that should go through the proxy. Enable remote DNS ("Proxy DNS when using SOCKS v5") so that internal host names are resolved on the SSH server side rather than on the local machine.

Instructions for Firefox addon FoxyProxy

Tunnel

Tunnels can make remote services available locally (LocalForward) or expose local services on the SSH server (RemoteForward).

Host jump
	User me
	HostName jump.ifzb.uni-hannover.de
	LocalForward 33891 130.75.47.11:3389
	RemoteForward 12345 localhost:12345
	ExitOnForwardFailure yes

Here the Remote Desktop service on 130.75.47.11:3389 is made available on local port 33891 (point the RDP client at localhost:33891), and the local service on tcp/12345 becomes reachable on the SSH access server on port 12345. Both forwarded ports bind to the loopback interface only, unless a bind address is given or GatewayPorts is enabled on the server. If any of the tunnels cannot be set up, ExitOnForwardFailure terminates the SSH connection instead of silently continuing without it.

CONTACT

IT Security
Security team