This is an edited version of:
https://extranet.gfdl.noaa.gov/~vb/connecting.html

How to set up your home machine for access to internal webpages in a browser. This also works for shell access to internal workstations, provided you're on a unix-like environment at home.

You must have an ssh client available. These instructions are for openssh on a unix-like OS, where the client config file is ~/.ssh/config. Configure your ssh client to tunnel through the GFDL firewall machine daisy. The tunnel as shown provides shell access to an internal machine of your choice (public.gfdl.noaa.gov in the example) and also to the web proxy. The web proxy will allow you access to cobweb, as well as any paid-for journals and sites to which GFDL has a site subscription.

Configuration

Here are the lines in ~/.ssh/config:

Host daisy
  Hostname daisy.gfdl.noaa.gov
  User vb
  LocalForward 1322 public.gfdl.noaa.gov:22
# web proxy: use automatic http://www.gfdl.noaa.gov/www-proxy.pac
  LocalForward 3128 mayflower.gfdl.noaa.gov:3128
Host public
# requires daisy to be forwarding a local port
  Hostname localhost
  Port 1322
  User vb
  StrictHostKeyChecking no
Host *
  ForwardX11 yes

Change vb to your userID.

Login to daisy

With these lines in place, you can open a new shell and type ssh daisy (see? no need to type your username or the full hostname...) to get a window where you type your cryptocard password to be authenticated on the GFDL firewall. What those lines say is that the host alias daisy connects to daisy.gfdl.noaa.gov using username vb. The "local ports" 1322 and 3128 are forwarded to the respective "remote ports". The remote machines are "listening" on those ports for incoming traffic of a specific type: e.g. public accepts ssh traffic on its port 22.

Shell access

Don't use the daisy shell prompt to get to an internal machine! That one session will allow you to pop open as many internal tunnels as you wish. Open another shell and type ssh public. That will log you in to public. You won't even get prompted for a password if you've set up ssh keypairs correctly.

For keypair-based access, generate a key with ssh-keygen -t dsa, copy the public key (~/.ssh/id_dsa.pub by default) over to your target machine (e.g. public) and append it to the file ~/.ssh/authorized_keys there.

You will find you can open as many windows as you want, and the whole thing goes much faster than VNC, which appears to be GFDL's recommended solution for home access to machines behind the firewall.

The port number (1322) for the shell in the example is any number you like... though of course it must match the Port you define for the public host. If you want to open up ports to different machines inside the firewall, pick a different number for each. I usually pick xx22, since 22 is the standard ssh port.

Browser access

Configure your browser to use the automatic proxy http://www.gfdl.noaa.gov/www-proxy.pac. Unlike the shell access port, which you set to whatever you like, this number must be set to 3128... that's where mayflower is listening.
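As an added example (not from the original page), here is a small POSIX shell script that prints a hardened version of the stanza above: it keeps host-key checking on by recording public's key under its real name (HostKeyAlias) instead of turning StrictHostKeyChecking off, makes ssh daisy fail if the local port is already bound (ExitOnForwardFailure), and enables X11 forwarding only for public rather than for every host. The hostnames are the page's; the username and shell port are parameters, and the port check enforces the unprivileged range and keeps 3128 free for the proxy.

```shell
#!/bin/sh
# Added example, not from the original page. Hostnames are the page's;
# username and shell port are parameters. Assumes an OpenSSH client that
# understands HostKeyAlias and ExitOnForwardFailure (both long-standing).

# A local forward must use an unprivileged port (>= 1024, non-root can bind
# it) and must not collide with 3128, which the browser proxy setup expects.
valid_shell_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  if [ "$1" -ge 1024 ] && [ "$1" -le 65535 ] && [ "$1" -ne 3128 ]; then
    return 0
  fi
  return 1
}

# Print the hardened ~/.ssh/config stanza for USER and SHELLPORT.
# Without HostKeyAlias, ssh would store public's key under localhost:PORT,
# so forwarding a different machine on that port later would trip a key
# mismatch; that is what "StrictHostKeyChecking no" was papering over.
hardened_config() {
  valid_shell_port "$2" || { echo "bad shell port: $2" >&2; return 1; }
  cat <<EOF
Host daisy
  Hostname daisy.gfdl.noaa.gov
  User $1
  ExitOnForwardFailure yes
  LocalForward $2 public.gfdl.noaa.gov:22
  LocalForward 3128 mayflower.gfdl.noaa.gov:3128
Host public
  Hostname localhost
  Port $2
  User $1
  HostKeyAlias public.gfdl.noaa.gov
  StrictHostKeyChecking yes
  IdentitiesOnly yes
  ForwardX11 yes
EOF
}
```

Run it as hardened_config vb 1322 >> ~/.ssh/config (after removing the old stanza) and the first ssh public will prompt once to confirm public's key, as it should.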

Emacs over the tunnel

You can edit files in emacs over the tunnel as well, if the emacs package tramp is present. With tramp loaded, you can M-x find-file /public:/home/vb/.emacs, and you'll find yourself editing my file /home/vb/.emacs in your emacs window at home.

Mirroring your home directories between home machine and GFDL

I essentially maintain a mirror of my /home/vb directory on my home machine. rsync is a very useful tool for maintaining mirrors across two systems, and will also work over the ssh tunnel (rsync -e ssh). It has a bewildering array of options, and I've written a small wrapper called ssync for doing the most obvious things in maintaining a home machine in sync with your /home directory. Ask me for a copy of ssync.