Home PC facilities

Document: homepc, L.S.Lowe, version 20120115. Part of Guide to the Local System.

Broadband ADSL or Cable

Broadband access via ADSL on your BT telephone wires can give you from around 512k to 8M bits/s download speed, or more, shared with up to 50 users. Look at BT's exchange check page to see if your BT exchange supports it. Also check the ADSL Guide web site for newly-added exchanges, and for broadband providers and prices.

Other useful web pages are the SamKnows ISP availability checker, and the Broadband speed checker.

Broadband access via your local cable provider (e.g. Virgin Media, previously Telewest) may also be available in your street and can be faster.

Ideally use a service that offers a static IP address, for reasons listed in the next section. This is not always available though.

Access to group computers from home

The servers generally available for you to contact from home are eprexA.ph.bham.ac.uk on SL4 and eprexB.ph.bham.ac.uk on Fedora/SL4/SL5; these can of course also be used from CERN and similar locations.

As a matter of security policy, I limit the range of IP addresses of ISPs that can contact our group servers for logging in. Well-known ISPs are usually now included if the IP address range is not excessive. For example, Tesco-Net, Talk-Talk/Tiscali, and Virgin-Media/Telewest are, I believe, fully included, for local geographic address ranges. I'm happy to think about BT Internet, though their large address range is problematic.

If you can have your own static IP address, I can configure such an address for local access.

In some cases, even if your ISP does not strictly offer static addresses, you can hold on to a particular IP address for months on end if you do not turn off your broadband modem and the computer equipment that immediately connects to it. For example, if your home setup is front-ended by a firewall box or computer, then leaving the firewall switched on should preserve your DHCP address for as long as you like. I am happy to configure such addresses into local allow tables.

If you have a modem-NAT-firewall-router at home, then the IP address your PC sees is a private IP address like 192.168.1.73, different to your external IP address. If in doubt, note down this web page and try it from home: http://www.ep.ph.bham.ac.uk/cgi/whoami - and then tell me the results if you want that IP address configured-in.

Failing that, you may be able to access our computers by first accessing a less-restricted computer at RAL, CERN or DESY. If calling group computers is only a minor part of your home internet access, then this may not be too great an inconvenience. But it does mean less security than the one-hop call.

Accessing via ssh after validating your certificate

There is a way of accessing our computers from anywhere, including home, conferences, airports, and internet cafes: copy your grid certificate into the home PC or laptop browser first, and then, at the remote location, use the Check your access link on our Facilities web page. Accessing that page with your Birmingham certificate presented by your browser is sufficient for that IP address to be allowed ssh access on our main interactive servers (like eprexB) for the rest of that day. (Access using other certificates, such as those from CERN, may be possible by arrangement with your friendly system administrator, but is not automatic, unlike with Birmingham-issued certificates.)

Cygwin facilities from a Windows system

Cygwin can provide all the facilities you need for doing ssh and X11 windows on your home PC running MS Windows, and also give you a general Linux environment. See our cygwin page. However, I now almost always recommend using ssh on PuTTY, and VNC or Xming, instead (see below).

SSH facilities

For a login session from a PC at home running MS Windows, you can use an SSH client like PuTTY, which is available from http://www.chiark.greenend.org.uk/~sgtatham/putty/. From that web page, go to the Downloads page, Binaries section, and I recommend choosing the version under the line A Windows installer for everything except PuTTYtel.

One thing to configure as a default setting with PuTTY is to set Windows / Translation / Received data character set to UTF-8 in place of ISO-8859-1, as UTF-8 is the default for Linux systems and characters outside the normal ASCII set will not be rendered correctly otherwise.

For access using ssh from, say, Linux at home, you could use the -C option so that data transfer each way is compressed (recommended by DGC). You can make Compression the default in your home PC Linux ssh_config file, and in a Windows PuTTY configuration too. Try it and see if it makes any difference.

For ssh from Linux at home, remember that X-protocol tunnelling is available, and other protocols can be tunnelled through the same ssh path (for example, see VNC below). Basically this means that you can open X windows and have them displayed on your home PC. See next section. For file transfer to and from a Windows system, you are recommended to get WinSCP which is an excellent GUI file transfer program, using SSH (scp) protocols.

Time-out problem with one ISP

When using certain ISP(s) and/or router box(es), you may find that PuTTY or other SSH calls stall if you leave them inactive for 10 minutes or so. This is known to happen with Virgin Media and Netgear VMDG480. It may be possible to configure the router not to do this, if indeed it is the router and not the ISP that is applying a time-out. Alternatively, in PuTTY, in the Connections dialogue pane, look for Sending of null packets to keep session active, and set the interval to say 180 seconds. There is a similar option in WinSCP when you tick Advanced options. For Linux/MacOSX, use ssh option -o ServerAliveInterval=180, or put ServerAliveInterval 180 in a $HOME/.ssh/config file.

The downside of this is that if you are using a wireless network around your house, and you move or put the laptop down in a place with no wireless reception, then PuTTY will close your connection after some small multiple of the time you set. So don't use this option unless you are regularly getting time-outs. (That's why it's not set at our server end for all ssh calls.)

You won't notice an inactivity time-out when just using the web because each web-page fetch is usually a new call, whereas an ssh session is a single call lasting possibly hours.

X sessions on the PC

SSH and PuTTY give you text-mode sessions. If you want GUI sessions via the X protocol on your home PC, then you have to run an X server on the PC, such as Xming, Exceed, or the Cygwin X server. You can configure PuTTY to forward the X11 connections.

VNC sessions on the PC

As an alternative to GUI sessions via the X protocol, you can use VNC: see our VNC setup information. It has the disadvantage that setting the session up the first time is a bit time-consuming, and that it gives you a full session when maybe all you needed was one or two application windows: in the latter case you should use Xming or Exceed. But VNC has the advantage over Xming/Exceed sessions that you can interrupt a session and then resume it later from any location from exactly where it was. And it can be a lot faster than using the X protocol.

Screen sessions on the PC

This is a lightweight text-mode equivalent to VNC. You type in screen with or without a command operand, and can start doing stuff in text mode, like a command or pine or text-editing session. Then you can leave it and later view and continue it from another location by typing in screen -r or screen -dr after you log in. (The latter format forces an existing old view of the session to detach. Use the -rx options if you want old and new views of the session to co-exist). You can also specify a command to invoke, as an operand on the screen command.

For example, log in using PuTTY and type screen emacs fred.c to start an emacs session, or screen pine to start a pine session. If your network connection breaks, then just start a new PuTTY session and then type screen -r to resume the application exactly where you were.

Accessing eJournals and university web pages from home

The recommended way of accessing eJournals is to visit the eLibrary web page. This directs all access to online Journals via a Shibboleth host (ezproxyd) which you have authenticated to using your university credentials.

The previously recommended way of accessing eJournals was to configure your browser to use a proxy server. See http://www.helpdesk.bham.ac.uk/proxy/ for how to configure this. Once this is configured, every access to a web page is checked by the fetched proxy configuration script: all accesses to web services which are university-wide or correspond to known eJournals are routed through the university web proxy server, and therefore appear to the target web server to come from within the university campus; access to other web servers goes direct.

There should be no discernible performance hit in using this proxy configuration (despite warnings to the contrary in the IS documentation), but let me know if you find otherwise. Note that if your home PC IP address has been specially configured to be recognised by our group web server in order to access group web pages, use of any proxy server will defeat this recognition. But it is easy enough to switch the proxy on and off within your browser, without having to retype the configuration every time.

The university Access service

To access university web pages from home, an alternative for those who cannot configure a proxy is to use the http://www.access.bham.ac.uk web site. This web site simply gives access to university-wide web pages, to eJournals that the University has a site licence for, and to those that are free anyway. See the Access helpdesk page. You need a Birmingham ADF username and password.

Printing to group printers from home PC linux sessions

Here are some very terse notes on the subject of ssh-tunnelling a printer connection for Linux.

As an aside, there is no problem of course printing on group printers from a session when you are logged in to one of the group servers, and typing commands for printing within those windows. Also, when setting up for printing from a laptop (say) while it's located within the group area, please use the information in our printing web page, section Printing from your Linux laptop.

This section deals instead with printing in a window from an application which is running on the home PC or laptop, like a firefox running on the home PC for example. Since in this case you are outside the group firewall, you can't expect the direct connections above to work, so you need to tunnel. In the following, it says user@eprexa, but it could equally say user@eprexb.

Using IPP protocol to any group printer (as ordinary user)

First put export CUPS_SERVER=localhost:1631 in your environment, or, less flexibly, set up /etc/cups/client.conf so that it says: ServerName localhost:1631

From an ordinary session on your home PC, enter:

    ssh -L 1631:epcups:631 user@eprexa.ph.bham.ac.uk

Then you can rely on the client software (e.g. lpr or firefox) to discover all the remote printers via IPP and you don't need to define them on your home PC. For example, they will all appear in your local firefox application as available printers. (Note that use of port number 1631 is an arbitrary choice, while port 631 is fixed.)

Using IPP protocol to any group printer (needs root)

From a root session on your home PC, enter:

    ssh -L 631:epcups:631 user@eprexa.ph.bham.ac.uk

If you have no home printers and/or the CUPS daemon is off, then this method is a sensible possibility. Then you can rely on the client software (e.g. lpr) to discover all the remote printers via IPP and you don't need to define them on your home PC. For example, they will all appear in your local firefox application as available printers. This method requires you to be root (or to have appropriate capability) because it opens a port number < 1024.

Using IPP protocol to a specific printer

Start things off by typing the following into the home PC, from any local session:

    ssh -L 1631:epcups:631 user@eprexa.ph.bham.ac.uk

Then leave that ssh session alone. From any other window, talking to the local PC, you can do the following

    lpr -H localhost:1631  -P px  [myfile]

to print on the px printer at work. The filename is not required from within an application like mozilla/firefox/acroread.

Using LPD protocol

From a root session on your home PC, enter:

    ssh -L 515:epps1:515 user@eprexa.ph.bham.ac.uk

This uses the LPD protocol, which avoids a clash with a local CUPS service. (We assume that you are not sufficiently retro to use lpd for your home printers!) Unlike with the IPP method, you need to define each group printer in your home PC system as a localhost lpd printer.
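
The non-root IPP tunnel above, combined with the -C and ServerAliveInterval options from the SSH sections, as an added shell example that is not part of the original guide. The function names and the GATEWAY and LOCAL_PORT variables are illustrative; the explicit localhost bind address and ExitOnForwardFailure are additions here, so that the forwarded printer port stays on the home PC itself and ssh fails rather than running without the forward.

```shell
#!/bin/sh
# Added example: wrapper for the non-root IPP tunnel described on this page.
# Host names and ports come from the page; function and variable names are
# illustrative assumptions.

GATEWAY="${GATEWAY:-user@eprexa.ph.bham.ac.uk}"  # or user@eprexb, as the page notes
CUPS_HOST="epcups"                # group CUPS server, reached from the gateway
CUPS_PORT=631                     # fixed IPP port
LOCAL_PORT="${LOCAL_PORT:-1631}"  # arbitrary unprivileged local port

# Succeeds (returns 0) when binding the port needs root, i.e. port < 1024.
needs_root() {
    [ "$1" -lt 1024 ]
}

# Build the -L argument with an explicit "localhost" bind address, so the
# forwarded port is bound for local use only even if GatewayPorts is
# enabled in some ssh_config file.
forward_spec() {
    printf 'localhost:%s:%s:%s\n' "$1" "$CUPS_HOST" "$CUPS_PORT"
}

# Start the tunnel in the background without opening a remote shell.
start_tunnel() {
    if needs_root "$LOCAL_PORT" && [ "$(id -u)" -ne 0 ]; then
        echo "port $LOCAL_PORT is privileged; use a port >= 1024 or run as root" >&2
        return 2
    fi
    # -N: no remote command; -f: background after authentication; -C: compression
    # ExitOnForwardFailure: exit instead of running with no forward in place
    # ServerAliveInterval: keep-alive for routers that drop idle connections
    ssh -N -f -C \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=180 \
        -L "$(forward_spec "$LOCAL_PORT")" "$GATEWAY" || return 1
    echo "tunnel up; now run: export CUPS_SERVER=localhost:$LOCAL_PORT"
}

# Only act when asked to, so the file can also be sourced for its functions.
if [ "${1:-}" = "start" ]; then
    start_tunnel
fi
```

Invoke the script with the argument start to open the tunnel; with no argument it only defines the functions.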

LSL.