wiki/ documentation/ Services

Services

In addition to the computers we provide for your use, several additional services are available to you.

Service Passwords

Services that require you to authenticate ask for you password. For some of those services like OpenVPN and email it is very common to use the save password function of your VPN or email client. This can be a security risk since very often that software uses weak or no encryption and a compromised password not only allows acces to that one service but to all of your files and services.

Therefore we strongly recommend setting separate passwords for those services:

In all those cases you will be asked for your main account password before any access or change is made. When a service password is set, access to that service is possible via your main account password and the service password for that service. If you should lose a password, please remember that changing your main account password does not change any service passwords. You will need to change or remove them separately.

Windows Virtual Machines

Since all our machines are running Linux, we offer Windows Virtual Machines incase you need it to run your software. It no longer requires a separate password. You can start the virtual machine on a Linux host with the command cip-windows-vm. You can also find it in the application menu:

windows start menu

Your files in the virtual machine (VM) will appear in C:\Users\cip-user. Don't be confused by that. The VM is configured to use a Roaming Profile. This means your files are synchronized to the VM at logon and back out of the VM at logoff. Therefore copying files from the Linux host to ~/WINDOWS will not work once the VM is running and logged in. If you still want to share files without shutting down the VM you can use ~/WIN_LIVE_SYNC from Linux. You will find a desktop icon in the VM called CIP Live Sync which brings you to this folder. Use this to share files between Linux and Windows without shutting down.

To exit fullscreen of the VM display, press Shift+F11.

Remote Login

All our machines have SSH enabled. You can login from Linux with the command ssh yourloginname@hostname. To login from a Windows system you'll need to install a SSH-Client, e.g. Putty.

putty login window

On some hosts (faui00a, faui00h, faui06a, faui06h, faui06, faui0sr0, ircbox) SSH additionally listens on port 443 in order to make connecting from networks with restrictive firewalls easier.

The hosts faui00*, faui04*, faui06* and all the terminal servers (faui0sr0, faui06, ircbox) are always online, all others are shut down during the nights (20:00 - 08:00), on weekends, and during the term holidays.

It is possible to run graphical applications remotely via tools such as xpra.

Authenticating hosts

There is a list of all SSH host keys to verify the authenticity of the connection.

Alternatively, if you're using OpenSSH (you probably are unless you're on Windows), you can trust our SSH certificate authority by adding the following (quite long) line to your ~/.ssh/known_hosts file:

@cert-authority faui0*.cs.fau.de,faui0*.informatik.uni-erlangen.de,ircbox.cs.fau.de,ircbox.informatik.uni-erlangen.de ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDKVGAWUYpKjaqGyzhcixy8f7wEK8T9gbqOPHmqFiYheGe4Ie0Yf5KWVLCKjcFxAZwxkHceeFjBOkymZB9mH8tvZ9KSacg69kc2oa7vPILbpMfIdJ8lka11jL8iSC+U4MhWgBdyOVHtVXUBFZOwC4eBo47llhYDow6TlNB6Y0hda79Bz3wZM+mvc0XFNCAwy+SKRjb7ySkPd8tIt2cIINC9+V5fZzPE3NB/LmvWyQFZNN4ijHm38zm7YHFViRlCKyhecxx0bqyMvYoBmGLGT33jUgml125cidBvrWnDNuhK59YYQ2oun/SRYqfJD0ub/G7BEp3SrmZXiWCbp07Q9ytmvxfl4WDFHBVXjWcJe55MsGO5usg6z18fkAp/6Pb4QYpbd1vNgdlVeYCtYB3xzNcb8GPwFiplg14zsK2tdcr36+k0CBQh/68ujv2RpKdrddKGDfqQrz9r6S1yg7sBdkjvBHxTu+M6iKtnryY9wlC/vSGS45fbl2JkNQRX7PUsZ2vGc9GXmJWbie3Fy0NES1IRXo4f/AuMsSPe6S/PdCvXof6bnEj8pjAK//ZdYeLhZ8QKFb7lCxJ8IClYeKcmDHEfkQ5UZv47K4j5Q7dvPyPhnK27i7qrkfm77NS7OOdrmOvDN3okzyc5+C7n0suZG3kbXvLZkL/TdaZrj+fRfEjL1w== problems@cip.cs.fau.de

Since all our host keys are signed by this CA, you then shouldn't ever have to verify one of our hosts again.

We also publish fingerprints in SSHFP DNS records. Trusting these is only secure if have a trustworthy DNSSEC-validating DNS resolver and the network between you and said resolver is equally trustworthy. Usually this means you're running your own local resolver. Telling your ssh client to trust these records is left as an exercise in reading man pages.

GitLab

We offer a local instance of the git-based collaboration platform GitLab.

gitweb is also still available, but should not be used for new projects.

OpenVPN

An OpenVPN tunnel gateway is provided for encrypted remote access to the university network. OpenVPN client software is available for all common operating systems like Linux (available in the software repository of all major distributions), MacOS X (Tunnelblick) and Windows.

To use OpenVPN, download the following configuration file and save it into the configuration directory of OpenVPN, usually located in /etc/openvpn. If you are using a graphical user interface for OpenVPN, pass this file at the appropriate place instead.

Please set a separate service password for OpenVPN via cip-set-password -s vpn as described above.

Homepage

Files in the directory ~/.www/ are exported at the web address https://wwwcip.informatik.uni-erlangen.de/~yourloginname. For this to work the user www must have access to these file, which can be achieved by executing the command setfacl -m u:www:rx ~ ~/.www.

These pages are publicly available!

Commercial usage of any kind, such as advertisement for a company, endorsement of commercial software etc. is prohibited!

Mail

Every user has an email address <loginname>@cip.cs.fau.de.

You can forward incoming mail to another address by writing the desired destination into the file ~/.forward. The change is active immediately.

In order to access your mail via IMAP, first you have to run a command like mkdir -p ~/Maildir/{cur,new,tmp} && chmod 700 ~/Maildir/{,cur,new,tmp} to create and secure your maildir. Then write a line containing only the characters ~/Maildir into the file ~/.forward. This redirects incoming mail to the directory Maildir in your home, where the IMAP server is looking for it. Now you can point your mail client to port 993 on cippop.informatik.uni-erlangen.de. You can set a password using the commandcip-set-password -s mail or use your existing login password.