Secure remote communication over the Internet - using SSH

The growth of fast, cheap access to the Internet has opened up the possibility of providing remote support to customers. However, the Internet is an open network, so a robust means of authenticating remote users and encrypting communications needs to be used to ensure security.

This functionality is normally provided by a Virtual Private Network (VPN). These are great when you need to function as if you were a full member of the network you are joining to, but they can be complicated to set up and often require dedicated hardware at the customer’s end, something you may have little influence over.

Often when supporting a FactoryPMI/SQL or Ignition installation, you only need to access a single machine on the customer’s network. If this is the case, you have another option available to you: Secure Shell access, or SSH. You can implement an SSH solution by installing SSH server software on the machine you want to access and SSH client software on the machine you are using to connect to it. The client’s router or firewall is then configured to forward traffic on the correct port to the machine running the SSH server.

SSH servers

Coming as it does from the Linux world, there are a number of completely free SSH servers for both Linux and Windows. If running Linux on your server, simply install the OpenSSH server software. This is achieved in Ubuntu by selecting the ‘openssh-server’ package in the Synaptic Package Manager, or by entering apt-get install openssh-server in a terminal window. This defaults to running a server on port 22 (the standard SSH port). You will have to enter the username and password of a user on the Linux server to log on.

For Windows, I originally tried freeSSHd which seemed to work well, but Carl and I discovered that it suffers from a bug which causes it to fail whilst downloading large files, the very thing you do when you try to run a FactoryPMI/SQL or Ignition application remotely. The package doesn’t seem to have been updated in over a year, so I reluctantly abandoned it.

It is actually possible to run the OpenSSH software on a Windows PC by installing Cygwin. This is an API compatibility layer which allows a collection of Unix-like tools to run in a terminal window on Windows. The downside of this is that it can be complicated to set up and the full Cygwin package weighs in at over 5GB. Fortunately there is a solution in the form of CopSSH. This is a package consisting of OpenSSH and just the parts of Cygwin required and is being actively maintained at http://www.itefix.no/i2/copssh. When the CopSSH installer is run, it asks for a username and password of the user account it will be run under – I specified an administrator account here.

Once it has installed, you must activate a user before you can connect to the server. This is done through a program accessed from the Start menu. Select the Windows account you wish to use to log in to the server (I tend to use the one it is normally left logged into), leave the command shell set to ‘/bin/bash’ and leave all the options selected. You then have to enter a passphrase of at least 5 characters to protect the private key generated on the server. This will only be required if you want to connect remotely using public key authentication, which I won’t cover here. Once this step is finished, you’re done. The server is now running as a service and will start with Windows. If you want to stop it running, access it from Control Panel\Administrative Tools\Services where you’ll find it listed as ‘Openssh SSHD’.

SSH clients

For both Linux and Windows there is one stand-out free SSH client – PuTTY. This can be installed in Ubuntu by selecting it from the Ubuntu Software Centre or the Synaptic Package Manager, or by entering apt-get install putty in a terminal window. On Windows, download putty.exe from http://www.chiark.greenend.org.uk/~sgtatham/putty/. You can then save the file where you want and run it from there – there’s no installation required.

When you run PuTTY, type the address of the server in the top box and ensure the port is set correctly (this will be 22 unless you’ve changed it in the OpenSSH configuration file). Press the ‘Open’ button at the bottom of the window and you should see a terminal window open. The first time you do this, you will probably receive a warning that the host key doesn’t match the one in the cache (or something similar). As long as the server’s IP address was entered correctly, you can proceed and accept the key. You should then be asked to log in. If this doesn’t happen, check that you have forwarded port 22 at the remote router to the machine running the server and also check that you have unblocked port 22 on any firewall running on the server.

If you enter the account username and password, you should be logged onto the server over an encrypted connection. Notice that unlike Telnet, both your username and password were also encrypted during the login process, making the whole process very secure. You should now see a terminal window from which you will be able to access the hard drive of the server machine.

At this point you may be thinking “Is that it – all that work for terminal access?!” Don’t worry. SSH has the ability to tunnel other traffic over its encrypted connection. Close the terminal window by typing ‘exit’, then run PuTTY again. Enter the IP address of the server as before, but before you open the connection, go to Connection/SSH/Tunnels. Here you tell PuTTY what ports to pass down the encrypted connection, and where to forward them once the traffic reaches the server. For example, suppose an Ignition web server was running on the server machine on port 8088. You would enter something like 8089 in the ‘Source port’ field, then enter ‘127.0.0.1:8088’ on the Destination field. Don’t forget to press the ‘Add’ button. You should see the tunnel added as L8089 | 127.0.0.1:8088. It’s probably a good idea at this point to go back to the first page in PuTTY (‘Session’) and enter a name for the session and save it.

Try connecting to the server again. This time once you connect, open a web browser and enter ‘127.0.0.1:8089’. (Notice that you use the localhost address and not the server’s own IP address!) You should see the Ignition home page, with all the traffic between the 2 machines going over the encrypted connection.

Of course, this approach is not restricted to accessing web servers. You can tunnel any software that connects over a TCP/IP port, such as MySQL or VNC. By using VNC in this way you can gain full remote control of the PC securely over the Internet.
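The same local port forward can be set up from a Linux client with the OpenSSH command-line `ssh` instead of PuTTY. The script below is an added example, not part of the original post: `forward_spec` builds the `local:host:port` argument that PuTTY displays as `L8089 | 127.0.0.1:8088` (rejecting ports outside 1–65535), and `tunnel_cmd` assembles the `ssh -N -L …` command for one or more forwards, covering the Ignition web case and a VNC forward in one session. The user name `support`, the host `gateway.example.com` and the VNC port numbers are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): OpenSSH command-line equivalent
# of the PuTTY tunnel configured under Connection/SSH/Tunnels. User name, host
# name and the VNC port numbers are placeholders; substitute your own.

# Build the -L argument PuTTY shows as "L<local> | <dest host>:<dest port>".
# Prints e.g. "8089:127.0.0.1:8088"; returns 1 if either port is not a number
# in the range 1-65535.
forward_spec() {
    local_port=$1; dest_host=$2; dest_port=$3
    for p in "$local_port" "$dest_port"; do
        case $p in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    printf '%s:%s:%s\n' "$local_port" "$dest_host" "$dest_port"
}

# Print the full ssh command for one or more forwards.
# -N: open no remote shell, just the tunnels.
# -o ExitOnForwardFailure=yes: abort if a local port is already in use rather
# than silently running without that tunnel.
tunnel_cmd() {
    user_host=$1; shift
    cmd="ssh -N -o ExitOnForwardFailure=yes"
    for spec in "$@"; do
        cmd="$cmd -L $spec"
    done
    printf '%s %s\n' "$cmd" "$user_host"
}

# Usage: "sh tunnel.sh run" brings up the Ignition gateway (server port 8088)
# at http://127.0.0.1:8089 and a VNC server (5900) at 127.0.0.1:5901, then
# checks the web tunnel from the client side and closes the session.
if [ "${1:-}" = "run" ]; then
    ign=$(forward_spec 8089 127.0.0.1 8088) || exit 1
    vnc=$(forward_spec 5901 127.0.0.1 5900) || exit 1
    eval "$(tunnel_cmd support@gateway.example.com "$ign" "$vnc")" &
    ssh_pid=$!
    sleep 3
    # As in the PuTTY walkthrough: the browser (here curl) talks to the local
    # forwarded port, never to the server's own address.
    curl -sS -o /dev/null -w 'HTTP %{http_code}\n' http://127.0.0.1:8089/
    kill "$ssh_pid"
fi
```

Binding the destination to `127.0.0.1` on the server side means the forwarded service only needs to listen on the server's loopback interface, so it can stay closed on the customer's LAN and firewall while still being reachable through the tunnel.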

If this article has been useful or if you need further help at any point, please let me know.


Thanks for writing this up, indeed - SSH tunneling is a useful tool to know about.

As an addition:

CentOS,RHEL both come with OpenSSH installed out of the box.

If your installation doesn’t for some reason, yum install openssh-server is the equiv of the apt-get command.

Just like w/ ubuntu, you need to log onto ssh w/ an acct on the linux machine in question. However! You cannot use the root acct for this.
(well you can, but you have to specifically enable this, BAD IDEA DO NOT DO THIS).

What’s that? You need to transfer files to/from the machine?
SCP(secure copy) is your friend.

You can use WinSCP on a windows machine, or just the cmd line scp on your linux box.
Same as ssh, you’ll use a username/password on the linux machine.

What’s that? You want to integrate your linux machine onto your existing AD domain? Login using the same username/password as you would any other domain machine? GSSAPI single sign on in Putty and WinSCP??!
Likewise Software will let you do that. Likewise Open is even a no cost option though it does lack some of the nicer features.
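Root login over SSH is off unless someone has turned it on in sshd_config, so it is worth checking the file on a box you are about to expose. The script below is an added example, not part of the reply above: `permit_root_login` reports the first uncommented `PermitRootLogin` value (sshd honours the first occurrence of a keyword), and `root_password_login_blocked` tells you whether root can still log in with a password. The config fragment is constructed for the demonstration; on a real system you would point the functions at `/etc/ssh/sshd_config`.

```shell
#!/bin/sh
# Added example (not part of the reply above): audit an sshd_config for the
# PermitRootLogin setting. sshd uses the first occurrence of a keyword, so the
# first uncommented PermitRootLogin line is the effective one.

# Prints the effective PermitRootLogin value in lower case ("yes", "no",
# "prohibit-password", "forced-commands-only") or "unset" if the file never
# sets it. When unset, the compiled-in default applies, which depends on the
# OpenSSH version, so treat "unset" as "go and check the version".
permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Returns 0 if root cannot log in with a password over SSH, 1 otherwise.
root_password_login_blocked() {
    case $(permit_root_login "$1") in
        no|prohibit-password|forced-commands-only) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample sshd_config fragment for the demonstration. The commented
# "#PermitRootLogin yes" line is ignored; the live line below it is "no".
SAMPLE_CFG=$(mktemp)
cat >"$SAMPLE_CFG" <<'EOF'
# constructed sample sshd_config
Port 22
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
EOF

# Usage: "sh check_root_login.sh /etc/ssh/sshd_config" (defaults to the sample).
if [ -n "${1:-}" ]; then
    cfg=$1
    printf 'PermitRootLogin: %s\n' "$(permit_root_login "$cfg")"
    if root_password_login_blocked "$cfg"; then
        echo "root password login: blocked"
    else
        echo "root password login: ALLOWED - fix this before forwarding port 22"
    fi
fi
```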

Al,
I know this is an old post but it was just the right thing for my project at the right time.
Thank you endlessly.
Cas


You are very welcome Cas :)

Thanks for this detailed and elaborate information. Can you also please explain SSH tunneling?