Warning

All new desktops and group servers will be placed on the NAT network.

NAT FAQ

After careful consideration and new policies set forth by the Information Security Office (ISO), all desktops and servers on the public network will be moved to a private address network, or NAT (Network Address Translation) network. The result is that all hosts moved to the NAT network will no longer be directly accessible when off campus.

The ISO is asking units to reduce the number of systems exposing SSH by the beginning of April 2019. Thus, beginning in mid February, Sysnet will begin the process of migrating hosts over to the NAT network and expect the project to be completed by the end of March. Starting in April, the ISO will begin to quarantine systems that are exposing SSH on the public network.

Remote access to desktops and servers on the NAT network will still be available using the VPN service while off campus. The VPN will not be needed when using the campus wired or wireless network. The institute will provide a login server for external collaborators and oden users but users will be required to use public key authentication (SSH public/private keys).

We expect this to be only modestly disruptive and may cause issues with how you conduct business, primarily with external collaborators who do not have an active appointment with UT.

Please email rt@oden.utexas.edu with any questions or concerns you might have with the new policy. This FAQ tries to answer questions users may have.

How does this impact users

  • Users will no longer be able to directly access desktops or servers using ssh when off campus without going through UT’s VPN.

  • Any user, including collaborators, accessing login1.oden.utexas.edu whether on or off campus, will be required to use ssh public keys.

  • Institute users wanting to access to their desktop or server directly from off campus will need to install the VPN client on their laptop or home computer.

  • The use of the VPN client is not required when on the campus wired or wireless network.

  • The process of updating the network on a desktop or server will cause a brief outage. It will require a hard restart on the host.

  • At the conclusion of this project in April, we will move the SSH port back to port 22 on all hosts and servers.

How does this impacts external collaborators

  • Collaborators will no longer be able to ssh directly into servers or desktops on the oden domain.

  • Collaborators will be required to create ssh public keys.

  • Collaborators will have to use login1.oden.utexas.edu to access hosts on the oden domain.

What users should do to prepare for this change

  • Oden users should already be familiar with Duo.

  • Oden users should install and then test the VPN client from home or a remote location.

  • Oden groups or centers who have external collaborators are responsible for contacting them about the upcoming changes.

About login1.oden.utexas.edu

  • login1.oden.utexas.edu is available on the public network

  • Beginning April 1st, 2019, only users with ssh public keys will be allowed to authenticate

  • The module system will not be available on the host

What is NAT

NAT stands for Network Address Translation. In the context of this service, it provides a means to map a single public routed IP address to multiple private IP addresses (RFC1918).

What is SSH

A definitive technical guide and explanation of what SSH can be found here: https://www.ssh.com/ssh/protocol/

Who does this impact

This impacts users who are accessing desktops or servers using SSH from off campus.

What this does not impact

This does not impact your email access, access to Box, or any other service hosted by UT like Define. This is a specific tool used mostly by research staff, students, and faculty to access hosts on the oden domain.

How will I access my computer remotely

There will be two methods you can use to access your desktop or server remotely; through UT’s VPN service or through a login server, login1.oden.utexas.edu. Those accessing through the login server will be required to configure SSH public key authentication.

What if the VPN is not available

At this time it will be a single login node, login1.oden.utexas.edu. The user will be required to create SSH private/public keys, password authentication will be disabled.

A good explanation of SSH keys can be found here: https://linux-audit.com/using-ssh-keys-instead-of-passwords/

There is also documentation here: Accessing hosts

What SSH port will login1 be on

The ssh port on login1.oden.utexas.edu will be the default port ‘22’.

What about my project collaborators

It will be the responsibility of the group or center to communicate this change to their project collaborators who do not have official UT appointments. Project collaborators will be able to access the login node and will be required to use SSH public keys. Sysnet will provide support for users needing to setup their public keys.

Why are hosts being moved to NAT

The ISO is asking units to reduce the number of hosts exposing SSH globally on the network. Moving all hosts to a NAT network will be more secure going forward.

How does NAT protect us

Hosts using the NAT service are assigned a private IP address that is not routed over the Internet. All traffic to and from the Internet must traverse the NAT gateway, which implements a variation of full-cone NAT. The NAT gateway will only forward traffic from the Internet to the campus host if the campus host initiates the connection.

Are clusters impacted

No. All clusters are already on the NAT or a campus only network.

Is subversion impacted

Not at this time. Password authentication will continue to be used until there comes a time we are forced to require another mechanism of authentication such as SSH keys. Users who only have subversion access are not impacted.

Password/Passphrase defined

It is important to distinguish between the use of password and passphrase. In a typical scenario, SSH uses a passphrase to secure the ssh keys. When generating a SSH key, a passphrase is not required, but in general and best practice it is often advised to secure your ssh keys with a passphrase. More reading here: https://www.ssh.com/ssh/passphrase

Sysnet has a monolithic approach to authentication. We use OpenLDAP for authentication (password) and for directory service. Sysnet will continue to provide password mechanism for accessing hosts within oden domain with the exception of the public facing login host(s).

Note the passphrase prompt when accessing a host:

pebkac@suzerain $ ssh pebkac@baldy
Enter passphrase for key '/h2/pebkac/.ssh/id_rsa':

Note the password prompt when accessing a host:

pebkac@suzerain $ ssh pebkac@baldy
pebkac@baldy's password:

Why aren’t collaborators allowed to use the VPN

The VPN is only available to persons with the University who have official appointments.