	Department of Engineering

University of Cambridge > Engineering Department > computing help

Remote access to the Engineering Department machines

Note: This page is long because it deals with many scenarios. For any particular user/situation the procedure isn't too tricky, though depending on your machine you may initially need to install and configure some free software

When making our machines available to users beyond our walls we need to balance ease of use against security considerations. Several options exist. Your choice of method to use depends on what you want to access the machines for, how far away you are, and the type of machine you have. You may well have to install extra software on your machine. In particular you're likely to need programs that are "ssh-enabled" - "ssh" being short for "secure shell", a mechanism that provides the extra security needed nowadays.

Once you've installed and configured the software it's possible to use our machine as easily remotely as locally for most purposes, though speed may be an issue for graphics-intensive programs.

Note that the range of methods may change at short notice in response to security alerts.

Machines
Making a connection
Avoiding logins - Mail, copying files, Matlab, MDP disk
WWW Access
Logging in - Mac, Windows, Linux
Starting Lab Sessions
General Troubleshooting
Troubleshooting VNC
Technical Information - X, VNC, VPN, Networks/Security, Screen Management
Certificates and keys for secure connections
Advanced/Specialist features

Machines

Most of our machines are hidden from the outside world. If you want to access the Teaching System from outside the University you're currently restricted to getting in using gate - our "gateway" machine. Note that gate doesn't have many programs installed, so you might want to use slogin to access a linux server from gate.

If you want to access the Teaching System from within CUED you can use

ts-access - a generic name for several of our linux servers (which are also visible)
x-access - a machine configured for Xwin32 (see the X-Win32 page for details) and XMing users.

Making a connection

Somehow you'll have to connect your machine to the internet. You can use a standard phone line (see Accessing CUED and the Internet via modem for options) or broadband if your machine isn't already networked.

If you're local, and you have problems with commercial broadband or domestic networks, see Robin Walker's Cable Modem Troubleshooting Tips.

Avoiding logins

Mail

You needn't log in to our machines to read mail, even if your mail's stored at CUED. See our Using Mail User Agents page for details.

Copying files

There are several ways to get files in and out of the Teaching System without having to log in. The method you use depends on the size and number of files to be copied, where the other machine is (some methods only work inside CUED), and who else will have access to the files.

scp - part of the ssh suite. If user abc123 was using a Mac or linux machine in Australia and wanted to copy their work folder and everything under it from their home folder on CUED's Unix Teaching System, they could do
scp -r abc123@gate.eng.cam.ac.uk:work .
(the final dot matters!). More info is on the ssh page.
ftp - It's possible to create a storage area in the Engineering Department so that you (and others) can copy files from it using ftp. See our ftp page for details.
WWW - If you've put your files on the WWW, you (and others) can copy them from anywhere. See How to put files on the Web

Matlab and Abaqus

You can use the Departmental license server to run MATLAB or Abaqus on your computer in college or in a private (non-college) residence. See

MDP disk

If you want to run programs like Octave or would like to practice C++ on your own PC you can get a set-up that's much like the one in the DPO by getting the Multidisciplinary Design Project (MDP) disk

Accessing files on the WWW

We have thousands of files on the WWW. Most of them are visible to everyone, but a few resources are protected. They're protected in one of 2 ways

Some facilities are only available if the browser is running on a machine within eng.cam.ac.uk or cam.ac.uk. To access such pages you need to log into an Engineering Department machine using one of the methods described below
Some facilities are Password-protected, either by a PIN, or a University-wide Raven password.

Logging in

The programs mentioned below are those most commonly used by students from college rooms, etc. They can be customised to make remote login a matter of pressing a button or two (rather than typing the command lines mentioned below), but you might first need to configure your set-up.

Text only

If you're happy to work just with text, use

PuTTY is a free implementation of Telnet and SSH for Win32 and Unix platforms, along with an xterm terminal emulator. You can use PuTTY to forward X graphics requests.
slogin - part of the ssh suite. User abc123 can log into gate using
slogin abc123@gate.eng.cam.ac.uk

If you're going to run a CPU-intensive program, you should login from gate to one of our Linux Servers.

Graphics

There are several ways to remotely access our machines. The situation's further complicated by the range of user machines and by various security issues. If the instructions below don't work for you, read the Troubleshooting and Technical Information sections. The latter presents some of the issues you'll need to be aware of if something goes wrong.

Mac OSX

These work for user abc123 on an old Mac running MacOS X10.3 from outside cam.ac.uk.

Using X graphics (note that the X in "X graphics" has nothing to do with the X in "MacOS X")
- Start X11 subsystem (not installed by default, but on the installation discs)
- Start xterm if not started already
- Type
  slogin -X abc123@gate.eng.cam.ac.uk
  (the '-X' enables X11 forwarding so that graphics are relayed to your machine from gate. With newer versions of ssh you may need to use '-Y' instead).
- Programs that you run from gate should now display their graphics on your mac. Try xclock for example. You can't run a complete remote desktop this way, only individual programs. Their windows are managed in the same way that the Mac's own windows are.
- If you get error messages like
```
  Gdk-ERROR **: BadWindow (invalid Window parameter)
     serial 1260 error_code 3 request_code 38 minor_code 0
  Gdk-ERROR **: BadAccess (attempt to access private resource denied)
     serial 1261 error_code 10 request_code 102 minor_code 0
```
  then upgrade to OSX10.5 if you can.
Using Chicken of the VNC
- From your home machine (assuming you're user abc123) type
```
  slogin abc123@gate.eng.cam.ac.uk
```
- From gate type
```
  slogin ts-access
```
- From ts-access type
```
  vncserver
```
  It will reply with something like
```
  New 'X' desktop is scimitar:4

  Starting applications specified in /users/s/abc123/.vnc/xstartup
  Log file is /users/s/abc123/.vnc/scimitar:4.log
```
- From your machine type
```
ssh -N -f -L 5904:scimitar.eng.cam.ac.uk:5904  abc123@gate.eng.cam.ac.uk
```
  (it's 5904 because the desktop is number 4)
- From your machine run Chicken of the VNC setting it up as follows, taking care to set the display correctly.
- Click on Connect to get a desktop running on ts-access.
This should start a desktop much like the one used in the DPO, but desktop icons and taskbars are missing. When you've finished, run
vncserver -kill :4
on ts-access to stop the vncserver program. When vncserver starts, it runs the commands in your ~/.vnc/xstartup file. You can customise this.

Windows/Vista

Use Xwin32 (30 day free license), XMing (free and optionally includes an enhanced PuTTY Link SSH client and a portable PuTTY replacement package), or VNC for graphical access.

If you want to want to login to the Teaching System from within CUED, you can use the Xwin version that that CUED's purchased and follow these instructions

Run PuTTY from the Windows Start Menu. If this is not installed on your machine, download PuTTY here. By default, this offers text-only access.
Enter the host name, x-access.eng.cam.ac.uk, and click on Open.
If this is the first time you have using PuTTY to login to x-access, PuTTY will put up a security alert. Click on Yes if the fingerprint matches 10:1d:e5:71:70:91:a0:2a:ab:8b:a6:75:9f:44:e2:5e or 25:a2:d6:df:c0:cb:51:14:04:da:c9:65:4c:41:79:f5.
Click here if the fingerprint does not match.
Login using your current password.

Linux

These instructions should work for user abc123 from outside cam.ac.uk.

Using X graphics
- Start a terminal window if you don't have one already
- Type
  slogin -X abc123@gate.eng.cam.ac.uk
  (the '-X' enables X11 forwarding so that graphics are relayed to your machine from gate). As an alternative to "slogin" you can use PuTTY with 'X11 forwarding' enabled.
- Programs that you run from gate should now display their graphics on your screen. Try xclock for example.
If you want to have your screen looking just like the DPO ones, you'll need to have a minimal set-up on your local machine. If you're running a version of linux like that used at CUED you can get one by trying the following
- Use the "Session" button on the login window to select the "Failsafe Terminal" option. When you login you'll have a terminal window with X running.
- Type slogin -X gate.eng.cam.ac.uk to access the CUED machines
- Once you're logged in, type /etc/opt/gnome/gdm/Xsession
With luck, the only differences between the session and working in the DPO is that you'll have an extra terminal window (which you shouldn't kill) and you can't log out using the usual "log out" button - you have to type exit in the original terminal window.
Using VNC
- Install a vnc viewer (vncviewer might already be installed)
- From your home machine type
```
  slogin abc123@gate.eng.cam.ac.uk
```
  (replace abc123 by your CRS ID)
- From gate type
```
  slogin ts-access
```
- From ts-access type
```
  vncserver
```
  If you're doing for the first time you'll be asked to choose a VNC password. It will reply with something like
```
  New 'X' desktop is scimitar:3

  Starting applications specified in /users/s/abc123/.vnc/xstartup
  Log file is /users/s/abc123/.vnc/scimitar:3.log
```
- From your machine type
```
    ssh -N -f -L 5903:ts-access.eng.cam.ac.uk:5903  abc123@gate.eng.cam.ac.uk
```
  (it's 5903 because the desktop is number 3)
- From your machine type
```
    vncviewer localhost:3
```
  (it's :3 because the desktop is number 3). A desktop should appear
- To close down, on ts-access type
```
    vncserver -kill :3
```
  (it's :3 because the desktop is number 3).
When vncserver starts, it runs the commands in your ~/.vnc/xstartup file. You can customise this.

Starting Lab Sessions

Lab sessions are often started by clicking on the icon in the taskbar. If this isn't available you can type start from a terminal window instead - you'll be shown a list of options.

General Troubleshooting

Failure or unreliabilty could be due to problems on your machine, on CUED machines, or anywhere between. Problems aren't always easy to diagnose, so if you report a problem to help, tell us the operating system you're using, the method of access you're using, which CUED machines you're using, when you had the problem, and what programs you were running.

See net news for reports of University network trouble.

Access to CUED from certain colleges might be prone to problems because they use NAT-based firewalls. If you're trying to connect using ssh from Jesus for example, you may find that it helps to use

   ssh -o 'ServerAliveInterval 60' -X ...

or with newer vesions of ssh

   ssh -o 'ServerAliveInterval 60' -Y ...

Troubleshooting VNC

Lots can go wrong - the installed software can be faulty; the networking and firewalls can block communications; you might get mixed up with passwords; and it's easy to make typing errors. So first try the following simple scenario - it will check to see whether you're using the right passwords and show you what to expect when things do work.

Log into a DPO terminal
Open a terminal window
Type
vncpasswd
and choose a password (don't bother entering a 'view-only' password for now)
Type
slogin gate
and log into gate using your usual password. Note that gate is an alias for another machine whose name appears in the command-line prompt.
Run
vncserver
from the new window. It will say something like
```
      New 'X' desktop is harrier:4
```
Open another terminal window and view the new desktop. In this example that's done by typing
vncviewer harrier:4
(the name should match the one in the New 'X' desktop message). You'll be prompted for the password you chose earlier. You should now have a desktop within your original desktop.

Technical Information

X Windows System

X windows programs (like xclock and the programs on the Teaching System, etc) don't put graphics directly onto the screen. They need to have another program - an X server - running. Programs like xclock tell the X server what to do using commands that are part of the X protocol. These commands might be just a few bytes long, almost as simple as "draw a line from (10,10) to 30,10)". The X server interprets these commands, using the current settings of line-thickness, color, etc to produce graphics. Note that xclock and the X server needn't be on the same machine.

This approach is flexible network-wise, and remote working is simple, but the X server's quite a complicated program. The protocol messages might be compact for some actions, but bulky for others.

VNC

An alternative strategy is used by VNC, which essentially keeps copying screendumps over from a virtual screen on the remote machine to the screen you're sat at. It does this efficiently, so that only modified areas of the screen are copied over. An extra program needs to run on the distant machine and on the local machine, but these needn't be too complex. Because VNC only deals with the end product - the graphics - it doesn't care how the graphics are produced. Some kinds of graphics will produce more network traffic with X11 than with VNC, and some less.

VPN

VPN (Virtual Private Network) provides secure access over public telecommunications infrastructure. When you have successfully created a VPN connection to the department you should then be able to connect to internal local resources as if your machine were on the departmental network.

Networks and Security

Some of our machines are only available from within CUED. Some are only available within the cam.ac.uk domain. You need to be aware of these restrictions when trying to work remotely. Note also that gate is a general name for more than one machine - if you access gate twice you may be using 2 different machines.

Machines communicate by sending messages to numbered input 'sockets' (called 'ports'). VNC communicates on "TCP ports 5900-5906". These are often blocked by firewalls (firewalls are security programs that might be on your machine or might be run by the college). The trick is to use "ssh tunnelling". ssh encrypts information and uses port 22, which is rarely blocked, to "tunnel" through the firewall. This means that if you can use ssh to get into a machine, you can use VNC. The encryption involves an overhead. The less that's transmitted, the less that needs coding and decoding.

Both X11 and VNC approaches should only be used with encryption.

Screen Management

Do you want the remote machine's output to take over your whole screen, or should the remote screen be a window on the local desktop? Sometimes you have no choice. Both options have their problems.

It's good to have a local window manager - you don't want a time-delay when trying to move windows around.
Having one window manager working on the main desktop and another window manager working in an embedded desktop can be very confusing

Certificates and keys for secure connections

There may be situations where ssh/slogin has doubts about whether the machine claiming to be (say) gate.eng.cam.ac.uk really is that machine. The warning message might mention .ssh/known_hosts:line-number for example. There's usually an innocent reason for this. Removing the line in question should solve the problem but if you want to check on authenticity look at our Certificates and keys for secure connections page.

Advanced/Specialist features

Multidisciplinary Design Project (MDP) - a DVD of engineering programs that also offers a means of remotely logging in
Offsite access to internal web resources using web proxy forwarding - a way to access internal CUED WWW pages from the outside
Offsite access to Windows machines using Remote Desktop Protocol (RDP) forwarding
Offsite access to Windows machines using Virtual Network Computing (VNC) forwarding
Remote Access of another Terminal in the new System

See also Wikipedia's Comparison of remote desktop software

| computing help | Getting files in and out of the Teaching System | Teaching System overview | Teaching System Linux Servers | Remote 1AC++ Computing | ftp | VPN | VNC | ssh | PIN | Raven | Xwin32 |

© Cambridge University Engineering Dept
Information provided by Tim Love (tl136) (with some info provided by Patrick Gosling, Peter Benie, Arul Britto et al).
Last updated: September 2011