add post on ssh tunnels and delay commsenv post - adamsgaard.dk - my academic webpage
 (HTM) git clone git://src.adamsgaard.dk/adamsgaard.dk
       ---
 (DIR) commit 65b18f20bc2ade25e39e73eba31e742ebb5931c6
 (DIR) parent aee9726f65f6c76cba4af628da15b41f52344e69
 (HTM) Author: Anders Damsgaard <anders@adamsgaard.dk>
       Date:   Fri, 11 Dec 2020 17:13:42 +0100
       
       add post on ssh tunnels and delay commsenv post
       
       Diffstat:
         A pages/007-ssh-tunnels.cfg           |       7 +++++++
         A pages/007-ssh-tunnels.html          |     144 +++++++++++++++++++++++++++++++
         A pages/007-ssh-tunnels.txt           |     136 +++++++++++++++++++++++++++++++
         A pages/008-commsenv.cfg              |       7 +++++++
         A pages/008-commsenv.html             |      72 +++++++++++++++++++++++++++++++
         A pages/008-commsenv.txt              |      70 +++++++++++++++++++++++++++++++
       
       6 files changed, 436 insertions(+), 0 deletions(-)
       ---
 (DIR) diff --git a/pages/007-ssh-tunnels.cfg b/pages/007-ssh-tunnels.cfg
       t@@ -0,0 +1,7 @@
       +filename=ssh-tunnels.html
       +title=No VPN? No problem! Using SSH tunnels for remote access to closed networks
       +description=Here I illustrate ssh-based solutions to various tasks requiring access to a remote network
       +id=ssh-tunnels
       +tags=ssh, vpn
       +created=2020-12-11
       +updated=2020-12-11
 (DIR) diff --git a/pages/007-ssh-tunnels.html b/pages/007-ssh-tunnels.html
       t@@ -0,0 +1,144 @@
       +<h2>Rationale</h2>
       +
       +<p>Corporate and academic networks are closed by design, with routers
       +and firewalls forwarding and filtering content going to and from
       +the wider internet.  For security reasons this is an absolute
       +necessity, as the guardkeeping prevents unwanted incoming connections
       +to the networked devices.</p>
       +
       +<p>However, it is often necessary to connect to internal devices or
       +services from the outside.  This could be the case if an employee
       +needs to access a shared database on the company network, or a
       +subscription website only allows full access from a certain range
       +of IP addresses.  Network administrators usually offer virtual
       +private network (VPN) access to achieve such goals.  Unfortunately,
       +VPN access occasionally requires particular software that may not
       +work on all operating systems.  In other cases, the network
       +administrators may enforce strict requirements to the remote systems
       +before allowing VPN access.</p>
       +
       +<pre><code> ###### Closed Network ######
       + #                          #
       + #  +----------+      +----------+             +----------+
       + #  |  Office  |      | Router/  |      ?      | Outside  |
       + #  | Computer |<~~~~>| Firewall |    ?   ?    | Computer |
       + #  +----------+      +----------+             +----------+
       + #                          #
       + ############################
       +</code></pre>
       +
       +<p>So what do you do if you need outside access to a network, have no
       +administrative rights over the router and firewall, and cannot (or
       +don't want to) access via VPN?  Fortunately, OpenSSH, the widely
       +used secure shell (SSH) implementation, offers simple and secure
       +solutions to this problem.  Almost all Linux/BSD/UNIX/MacOS systems
       +come with OpenSSH preinstalled, so you might already have it on
       +your system.</p>
       +
       +<p>If you can access the closed network from the outside via SSH, this
       +makes things straightforward as described in Scenario 1 below.  If
       +not, see Scenario 2.</p>
       +
       +
       +<h2>Scenario 1: SSH access available from the outside</h2>
       +
       +<p>Some networks are configured to allow outsiders to connect to an
       +internal SSH server through port forwarding on the network router:</p>
       +
       +<pre><code> ###### Closed Network ######
       + #                          #
       + #  +----------+      +----------+      +----------+
       + #  |  Office  |  SSH | Router/  |  SSH | Outside  |
       + #  | Computer |<~~~~~| Firewall |<~~~~~| Computer |
       + #  +----------+      +----------+      +----------+
       + #                          #
       + ############################
       +</code></pre>
       +
       +<p>For the purposes described here, this is an ideal situation since
       +it is easy to create a tunnel that connects the outside computer
       +with the internal network via SSH.  The following command creates
       +the tunnel:</p>
       +
       +<pre><code>ssh -D 1337 -C -N company-domain.com
       +</code></pre>
       +
       +<p>Note that the port number specified with the -D option should be
       +greater than 1000 when running as an unpriviledged (non-root) user.
       +The -C option turns on compression, which is useful for slow network
       +connections at the cost of little CPU overhead.</p>
       +
       +<p>With the SSH tunnel in place, you can make most webbrowsers and
       +other network programs on the outside computer use the tunnel for
       +all their network traffic by pointing them to the SOCKSv5 proxy
       +"socks://localhost:1337".  This allows access from programs on the
       +outside computer to any device within the closed network.  Connections
       +to the wider internet utilizing the tunnel will originate from an
       +IP address associated with the closed network, achieving the
       +objectives stated above.</p>
       +
       +
       +<h2>Scenario 2: SSH access unavailable from the outside</h2>
       +
       +<p>Unfortunately, outside SSH access to corporate networks is becoming
       +increasingly rare.  However, the OpenSSH toolset again offers a
       +solution if you have a persistent SSH server outside of the network
       +at your disposal:</p>
       +
       +<pre><code> ###### Closed Network ######
       + #                          #
       + #  +----------+      +----------+      +---------+      +---------+
       + #  |  Office  |  SSH | Router/  |  SSH | Outside |  SSH | Outside |
       + #  | Computer |<~~~~>| Firewall |<~~~~>| Server  |<~~~~~| Laptop  |
       + #  +----------+      +----------+      +---------+      +---------+
       + #                          #
       + ############################
       +</code></pre>
       +
       +<p>As long as you can initiate *outgoing* SSH connections from inside
       +the closed network to your outside SSH server, you can create a
       +reverse ssh tunnel and utilize it in a similar manner as in the
       +previous scenario.  On the office computer, create a reverse tunnel
       +to the outside server:</p>
       +
       +<pre><code>ssh -f -N -R 10022:localhost:22 outside-server.com
       +</code></pre>
       +
       +<p>As long as the above command runs, you can initiate new SSH connections
       +from the outside server to the office computer with the command
       +`ssh -p 10022 localhost`.  If you're working from an outside laptop,
       +you can utilize this reverse tunnel to connect to the office computer
       +and network.  Add the following configuration to `~/.ssh/config`
       +on the outside laptop:</p>
       +
       +<pre><code>Host office_computer
       +    ProxyCommand ssh -q outside-server.com nc localhost 10022
       +</code></pre>
       +
       +<p>With the above configuration, it is very easy to establish a SSH
       +connection from the outside laptop to the office computer:</p>
       +
       +<pre><code>ssh office_computer
       +</code></pre>
       +
       +<p>As in the previous exapmle, you can use this setup to create a SSH
       +tunnel all the way from outside laptop to the office computer:</p>
       +
       +<pre><code>ssh -D 1337 -C -N office_computer
       +</code></pre>
       +
       +<p>Again, this creates a SOCKSv5 proxy that you can use for tunneling
       +network traffic from the outside laptop to the closed network.  It
       +is useful to automatically monitor the tunnel status using pgrep(1),
       +and reinitialize it if the ssh command unexpectedly quits.</p>
       +
       +
       +<h2>References</h2>
       +
       +<ul>
       +<li>OpenSSH: <a href="https://www.openssh.com/">https://www.openssh.com/</a></li>
       +<li>ssh(1) manual page: <a href="https://man.openbsd.org/ssh">https://man.openbsd.org/ssh</a></li>
       +<li>gramscii(1), used for drawings in this post: git://bitreich.org/gramscii</li>
       +</ul>
       +
       +<p>Thanks to KatolaZ for feedback on this post.</p>
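Review bot: The paragraph after the first `ssh -D 1337 -C -N company-domain.com` command says the -D port "should be greater than 1000" for a non-root user, but the privileged range on Unix systems is the ports below 1024, so this should read "1024 or greater". In the same pass, fix "unpriviledged" (unprivileged) in that paragraph and "exapmle" (example) before the last command, and consider "gatekeeping" for "guardkeeping" in the Rationale; the same words appear in pages/007-ssh-tunnels.txt. The `ProxyCommand ssh -q outside-server.com nc localhost 10022` line also depends on nc being installed on the outside server; `ProxyCommand ssh -q -W localhost:10022 outside-server.com` does the same forwarding with ssh alone.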
 (DIR) diff --git a/pages/007-ssh-tunnels.txt b/pages/007-ssh-tunnels.txt
       t@@ -0,0 +1,136 @@
       +# NO VPN? NO PROBLEM! USING SSH TUNNELS FOR REMOTE ACCESS TO CLOSED NETWORKS
       +
       +## Rationale
       +
       +Corporate and academic networks are closed by design, with routers
       +and firewalls forwarding and filtering content going to and from
       +the wider internet.  For security reasons this is an absolute
       +necessity, as the guardkeeping prevents unwanted incoming connections
       +to the networked devices.
       +
       +However, it is often necessary to connect to internal devices or
       +services from the outside.  This could be the case if an employee
       +needs to access a shared database on the company network, or a
       +subscription website only allows full access from a certain range
       +of IP addresses.  Network administrators usually offer virtual
       +private network (VPN) access to achieve such goals.  Unfortunately,
       +VPN access occasionally requires particular software that may not
       +work on all operating systems.  In other cases, the network
       +administrators may enforce strict requirements to the remote systems
       +before allowing VPN access.
       +
       +  ###### Closed Network ######
       +  #                          #
       +  #  +----------+      +----------+             +----------+
       +  #  |  Office  |      | Router/  |      ?      | Outside  |
       +  #  | Computer |<~~~~>| Firewall |    ?   ?    | Computer |
       +  #  +----------+      +----------+             +----------+
       +  #                          #
       +  ############################
       +
       +So what do you do if you need outside access to a network, have no
       +administrative rights over the router and firewall, and cannot (or
       +don't want to) access via VPN?  Fortunately, OpenSSH, the widely
       +used secure shell (SSH) implementation, offers simple and secure
       +solutions to this problem.  Almost all Linux/BSD/UNIX/MacOS systems
       +come with OpenSSH preinstalled, so you might already have it on
       +your system.
       +
       +If you can access the closed network from the outside via SSH, this
       +makes things straightforward as described in Scenario 1 below.  If
       +not, see Scenario 2.
       +
       +
       +## Scenario 1: SSH access available from the outside
       +
       +Some networks are configured to allow outsiders to connect to an
       +internal SSH server through port forwarding on the network router:
       +
       +  ###### Closed Network ######
       +  #                          #
       +  #  +----------+      +----------+      +----------+
       +  #  |  Office  |  SSH | Router/  |  SSH | Outside  |
       +  #  | Computer |<~~~~~| Firewall |<~~~~~| Computer |
       +  #  +----------+      +----------+      +----------+
       +  #                          #
       +  ############################
       +
       +For the purposes described here, this is an ideal situation since
       +it is easy to create a tunnel that connects the outside computer
       +with the internal network via SSH.  The following command creates
       +the tunnel:
       +
       +    ssh -D 1337 -C -N company-domain.com
       +
       +Note that the port number specified with the -D option should be
       +greater than 1000 when running as an unpriviledged (non-root) user.
       +The -C option turns on compression, which is useful for slow network
       +connections at the cost of little CPU overhead.
       +
       +With the SSH tunnel in place, you can make most webbrowsers and
       +other network programs on the outside computer use the tunnel for
       +all their network traffic by pointing them to the SOCKSv5 proxy
       +"socks://localhost:1337".  This allows access from programs on the
       +outside computer to any device within the closed network.  Connections
       +to the wider internet utilizing the tunnel will originate from an
       +IP address associated with the closed network, achieving the
       +objectives stated above.
       +
       +
       +## Scenario 2: SSH access unavailable from the outside
       +
       +Unfortunately, outside SSH access to corporate networks is becoming
       +increasingly rare.  However, the OpenSSH toolset again offers a
       +solution if you have a persistent SSH server outside of the network
       +at your disposal:
       +
       +  ###### Closed Network ######
       +  #                          #
       +  #  +----------+      +----------+      +---------+      +---------+
       +  #  |  Office  |  SSH | Router/  |  SSH | Outside |  SSH | Outside |
       +  #  | Computer |<~~~~>| Firewall |<~~~~>| Server  |<~~~~~| Laptop  |
       +  #  +----------+      +----------+      +---------+      +---------+
       +  #                          #
       +  ############################
       +
       +As long as you can initiate *outgoing* SSH connections from inside
       +the closed network to your outside SSH server, you can create a
       +reverse ssh tunnel and utilize it in a similar manner as in the
       +previous scenario.  On the office computer, create a reverse tunnel
       +to the outside server:
       +
       +    ssh -f -N -R 10022:localhost:22 outside-server.com
       +
       +As long as the above command runs, you can initiate new SSH connections
       +from the outside server to the office computer with the command
       +`ssh -p 10022 localhost`.  If you're working from an outside laptop,
       +you can utilize this reverse tunnel to connect to the office computer
       +and network.  Add the following configuration to `~/.ssh/config`
       +on the outside laptop:
       +
       +    Host office_computer
       +        ProxyCommand ssh -q outside-server.com nc localhost 10022
       +
       +With the above configuration, it is very easy to establish a SSH
       +connection from the outside laptop to the office computer:
       +
       +    ssh office_computer
       +
       +As in the previous exapmle, you can use this setup to create a SSH
       +tunnel all the way from outside laptop to the office computer:
       +
       +    ssh -D 1337 -C -N office_computer
       +
       +Again, this creates a SOCKSv5 proxy that you can use for tunneling
       +network traffic from the outside laptop to the closed network.  It
       +is useful to automatically monitor the tunnel status using pgrep(1),
       +and reinitialize it if the ssh command unexpectedly quits.
       +
       +
       +References:
       +
       +- OpenSSH: https://www.openssh.com/
       +- ssh(1) manual page: https://man.openbsd.org/ssh
       +- gramscii(1), used for drawings in this post: git://bitreich.org/gramscii
       +
       +Thanks to KatolaZ for feedback on this post.
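Review bot: The closing paragraph of Scenario 2 recommends watching the tunnel with pgrep(1), but `ssh -f -N -R 10022:localhost:22 outside-server.com` as written keeps running even when the remote forward could not be set up (for example when port 10022 is still held by a stale session), so a pgrep check reports a tunnel that forwards nothing. Suggest adding `-o ExitOnForwardFailure=yes` and a keepalive such as `-o ServerAliveInterval=60` to the reverse-tunnel command, so the process exits when the forward fails or the link dies, which is what a pgrep-based restart needs to see. Also, "References:" is the only section title in this file without the "## " prefix used by the other sections.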
 (DIR) diff --git a/pages/008-commsenv.cfg b/pages/008-commsenv.cfg
       t@@ -0,0 +1,7 @@
       +filename=commsenv.html
       +title=New paper out on the coupled dynamics of ice, meltwater, and till
       +description=A brief summary of my new paper published in Communications Earth & Environment
       +id=commsenv
       +tags=science, glaciology, ice sheet
       +created=2020-12-09
       +updated=2020-12-09
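Review bot: created= and updated= are both 2020-12-09, two days before this commit (11 Dec 2020) and before post 007 (2020-12-11), although this post is numbered 008 and the commit message says it is delayed. Since the second paragraph of the body begins "Today, the Nature-group journal ... published my paper", set both dates to the actual publication day when the post goes live, so the ordering of posts and the "Today" stay consistent.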
 (DIR) diff --git a/pages/008-commsenv.html b/pages/008-commsenv.html
       t@@ -0,0 +1,72 @@
       +<p>The majority of glaciers and ice sheets flow on a bed of loose
       +and thawed sediments.  These sediments are weakened by pressurized
       +glacial meltwater, and their lubrication accelerates the ice movement.
       +In formerly-glaciated areas of the world, for example Northern
       +Europe, North America, and in the forelands of the Alps, the landscape
       +is reshaped and remolded by past ice moving the sediments along
       +with its flow.  The sediment movement is also observed under current
       +glaciers, both the fast-moving ice streams of the Greenland and
       +Antarctic ice sheets, as well as smaller glaciers in the mountainous
       +areas of Alaska, northern Sweden, and elsewhere.  The movement of
       +sediment could be important for the past progression of glaciations,
       +and how resilient marine-terminating ice streams are against sea-level
       +rise.</p>
       +
       +<p>Today, the Nature-group journal <a
       +href="https://www.nature.com/commsenv/">Communications Earth &amp;
       +Environment</a> published my paper on sediment beneath ice.  Together
       +with co-authors Liran Goren, University of the Negev (Israel), and
       +Jenny Suckale, Stanford University (California, USA), we present a
       +new computer model that simulates the coupled mechanical behavior
       +of ice, sediment, and meltwater.  We calibrate the model against
       +real materials, and provide a way forward for including sediment
       +transport in ice-flow models.  We also show that water-pressure
       +variations with the right frequency can create create very weak
       +sections inside the bed, and this greatly enhances sediment transport.
       +I designed the freely-available program <a
       +href="https://src.adamsgaard.dk/cngf-pf">cngf-pf</a> for the
       +simulations.</p>
       +
       +<h2>Abstract</h2>
       +<blockquote>
       +<b>Water pressure fluctuations control variability in sediment flux
       +and slip dynamics beneath glaciers and ice streams</b>
       +<br><br>
       +Rapid ice loss is facilitated by sliding over beds consisting of
       +reworked sediments and erosional products, commonly referred to as
       +till. The dynamic interplay between ice and till reshapes the bed,
       +creating landforms preserved from past glaciations. Leveraging the
       +imprint left by past glaciations as constraints for projecting
       +future deglaciation is hindered by our incomplete understanding of
       +evolving basal slip. Here, we develop a continuum model of
       +water-saturated, cohesive till to quantify the interplay between
       +meltwater percolation and till mobilization that governs changes
       +in the depth of basal slip under fast-moving ice. Our model explains
       +the puzzling variability of observed slip depths by relating localized
       +till deformation to perturbations in pore-water pressure. It
       +demonstrates that variable slip depth is an inherent property of
       +the ice-meltwater-till system, which could help understand why some
       +paleo-landforms like grounding-zone wedges appear to have formed
       +quickly relative to current till-transport rates.
       +</blockquote>
       +
       +<h2>Metrics</h2>
       +<p>It is a substantial task to prepare a scientific publication.  The
       +commit counts below mark the number of revisions done during
       +preparation of this paper:</p>
       +
       +<ul>
       +        <li>Main article text: 239 commits</li>
       +        <li>Supplementary information text: 35 commits</li>
       +        <li>Experiments and figures: 282 commits</li>
       +        <li>Simulation software: 354 commits</li>
       +</ul>
       +
       +<h2>Links and references:</h2>
       +<ul>
       +        <li><a href="">Publication on journal webpage</a></li>
       +        <li><a href="">Article PDF</a> (?? MB)</li>
       +        <li><a href="">Supplementary information PDF</a> (?? MB)</li>
       +        <li><a href="https://src.adamsgaard.dk/cngf-pf-exp1">Source code for producing figures</a></li>
       +        <li><a href="https://src.adamsgaard.dk/cngf-pf">Simulation software</a></li>
       +</ul>
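Review bot: The first three entries under "Links and references:" are still placeholders: `<a href="">` with no target and "(?? MB)" for the file sizes. An empty href resolves to the page itself, so a reader clicking "Publication on journal webpage" stays on the post; fill in the URLs and sizes, or drop the three items until they are known. Minor: "can create create very weak sections" has a doubled word, and the heading "Links and references:" carries a trailing colon that the other h2 headings do not.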
 (DIR) diff --git a/pages/008-commsenv.txt b/pages/008-commsenv.txt
       t@@ -0,0 +1,70 @@
       +The majority of glaciers and ice sheets flow on a bed of loose and
       +thawed sediments. These sediments are weakened by pressurized glacial
       +meltwater, and their lubrication accelerates the ice movement. In
       +formerly-glaciated areas of the world, for example Northern Europe,
       +North America, and in the forelands of the Alps, the landscape is
       +reshaped and remolded by past ice moving the sediments along with
       +its flow. The sediment movement is also observed under current
       +glaciers, both the fast-moving ice streams of the Greenland and
       +Antarctic ice sheets, as well as smaller glaciers in the mountainous
       +areas of Alaska, northern Sweden, and elsewhere. The movement of
       +sediment could be important for the past progression of glaciations,
       +and how resilient marine-terminating ice streams are against sea-level
       +rise.
       +
       +Today, the Nature-group journal Communications Earth & Environment
       +published my paper on sediment beneath ice. Together with co-authors
       +Liran Goren, University of the Negev (Israel), and Jenny Suckale,
       +Stanford University (California, USA), we present a new computer
       +model that simulates the coupled mechanical behavior of ice, sediment,
       +and meltwater. We calibrate the model against real materials, and
       +provide a way forward for including sediment transport in ice-flow
       +models. We also show that water-pressure variations with the right
       +frequency can create create very weak sections inside the bed, and
       +this greatly enhances sediment transport. I designed the freely-available
       +program cngf-pf for the simulations.
       +
       +
       +## Abstract
       +
       +    Water pressure fluctuations control variability in sediment
       +    flux and slip dynamics beneath glaciers and ice streams
       +
       +    Rapid ice loss is facilitated by sliding over beds consisting
       +    of reworked sediments and erosional products, commonly referred
       +    to as till. The dynamic interplay between ice and till reshapes
       +    the bed, creating landforms preserved from past glaciations.
       +    Leveraging the imprint left by past glaciations as constraints
       +    for projecting future deglaciation is hindered by our incomplete
       +    understanding of evolving basal slip. Here, we develop a continuum
       +    model of water-saturated, cohesive till to quantify the interplay
       +    between meltwater percolation and till mobilization that governs
       +    changes in the depth of basal slip under fast-moving ice. Our
       +    model explains the puzzling variability of observed slip depths
       +    by relating localized till deformation to perturbations in
       +    pore-water pressure. It demonstrates that variable slip depth
       +    is an inherent property of the ice-meltwater-till system, which
       +    could help understand why some paleo-landforms like grounding-zone
       +    wedges appear to have formed quickly relative to current
       +    till-transport rates.
       +
       +
       +## Metrics
       +
       +It is a substantial task to prepare a scientific publication. The
       +commit counts below mark the number of revisions done during
       +preparation of this paper:
       +
       +  - Main article text: 239 commits
       +  - Supplementary information text: 35 commits
       +  - Experiments and figures: 282 commits
       +  - Simulation software: 354 commits
       +
       +
       +## Links and references:
       +
       +  - Publication on journal webpage: 
       +  - Article PDF (?? MB): 
       +  - Supplementary information PDF (?? MB): 
       +  - Source code for producing figures: git://src.adamsgaard.dk/cngf-pf-exp1
       +  - Simulation software: git://src.adamsgaard.dk/cngf-pf
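Review bot: The entries "Publication on journal webpage:", "Article PDF (?? MB):" and "Supplementary information PDF (?? MB):" end in a colon with trailing whitespace and no URL; fill them in together with the sizes, or leave them out until the links exist. The doubled "create create" in the second paragraph needs fixing here as well as in the HTML version of the post.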