NIST Center for Neutron Research, National Institute of Standards and Technology

Firewall instructions

The problems:

NCNR users have been accustomed to using computing facilities at the NCNR to reduce, analyze, and/or retrieve their data. They have done this using either previously established guest accounts or accounts created for them individually. One could then telnet into the NCNR from a home institution and run data reduction tools remotely. This became more complicated when the NCNR went behind the NIST sitewide firewall on September 7, 1999.

Since the NCNR is behind the NIST firewall it is no longer possible to log in as before, but there are two ways in which it is still possible to log in to NCNR computers from outside the firewall.

Transferring files from the NCNR to the user's home institution is a separate problem. The solution to this is described at the end of this document.

Solution one, SSH (Secure Shell) Login:

SSH is a login protocol in which all of the traffic, from the initial username to the final logout, is encrypted. It can be thought of as an encrypted telnet program. SSH traffic is allowed through the firewall, so we have set up a machine at NCNR called to serve as a sort of doorway through the firewall for NCNR users. We plan to issue accounts on this machine on request to current, registered NCNR collaborators with site access privileges. These accounts expire (unless renewed) after six months. To request an account, contact us via e-mail.

To use the doorway through the firewall, the user establishes an SSH connection to and from there telnets to whichever of the NCNR instrument computers (e.g., etc) is desired. An SSH connection is established with an SSH client, and various free clients are available from third parties. The following sites offer the software for download; each should list the restrictions to be followed in acquiring it.

NIST does not endorse these products, and disclaims any role or responsibility beyond providing these links for your convenience.

Free SSH clients:

  • Windows 95, 98, ME, NT, 2k, XP
    • PuTTY is a free SSH2 capable client written by Simon Tatham. If you want to do X11 forwarding you should download one of the development releases.
  • Macintosh
  • Unix
    • OpenSSH is available free of charge for most major UNIX flavors.

Note that with the Macintosh and Windows clients the default connection mode is telnet rather than ssh, so please be sure to configure your client to use ssh before attempting to log on to If you get a prompt for a RADIUS password, you are probably using telnet rather than ssh.

Commercial SSH clients:

In addition to the free software there are commercial SSH clients. For instance, there is a product from Data Fellows which is available for all platforms. A trial version is available for download from Data Fellows, and the cost ranges from $50 for educational users to around $100 for others.

We do not recommend establishing SSH connections by first using telnet to reach a machine that has an SSH client installed and then using that client to connect through the firewall. This is not a good way to connect to NCNR because it defeats the purpose of SSH, which is to keep your password encrypted for its entire journey from your desktop to the destination machine. In this case the link between your desktop and the computer running the SSH client is unencrypted, and the password is exposed over that link.

Solution two, One-time authentication login:

One-time authentication uses a challenge issued by the firewall and a password-generating device to log in to a computer behind the firewall. The traffic is not encrypted, but because each password is used only once, a malicious party who captures it cannot reuse it. The password-generating device exists in hardware (a small device like a calculator) or software form (for Win95/98/NT, Mac, or Solaris).

These authenticators cost $90 for the hardware form and $60 for the software, and can only be issued by the Central Computing Facility at NIST. There may be cases where these will be issued to NCNR users, but the recommended solution is SSH.

Anonymous FTP server:

The firewall can be thought of as an information diode: it allows data coming from NIST to reach the outside internet freely, but it greatly limits the type of data that can go from the outside internet into NIST. In order to transfer files from NCNR to your home institution it will be necessary to originate the FTP connection from inside the NIST firewall. Since traffic from NIST to the outside world is not affected by the firewall, all FTP sessions which are started on NCNR computers should be able to communicate freely with outside computers. The easiest way to do this is to have FTP server software running on your local machine. Free FTP servers exist for both Windows and Mac operating systems, and all flavors of UNIX come with an FTP daemon. It is outside the scope of this document to explain how to install and run an FTP server, but a quick search on the internet will turn up many of them as well as a lot of documentation on how to set them up.

For those users not running a local FTP server, anonymous FTP has been enabled on Files older than one day are automatically deleted from this directory every morning, so it should not be considered a place for indefinite storage of user files. Computers inside the domain have read and write permission on this server; computers outside have read permission only. To transfer files to their home institution, a user first transfers the files to the /pub/incoming directory of from the computer at NCNR and then uses whatever client they prefer (e.g., WS_FTP or Netscape) on their local computer to retrieve the files from that directory. The following is a sample session performing this transfer from, the 30m SANS instrument on NG7. In this example the user's input is what follows the FTP> and Password: prompts.

Attempting to connect to host
220 FTP server (Version wu-2.4.2-VR17(1) Mon Apr 19 09:21:53 EDT 1999) ready.
FTP> user anonymous
331 Guest login ok, send your complete e-mail address as password.
Password: Enter your sans username here.
230-This is a United States (NIST) computer system, which may be accessed and
230-used only for official Government business by authorized personnel.
230-Unauthorized access or use of this computer system may subject violators to
230-criminal, civil, and/or administrative action.
230-All information on this computer system may be intercepted, recorded, read,
230-copied, and disclosed by and to authorized personnel for official purposes,
230-including criminal investigations.  Access or use of this computer system
230-by any person whether authorized or unauthorized, constitutes consent to
230-these terms.
230 Guest login ok, access restrictions apply.
FTP> cd pub/incoming
250 CWD command successful.
FTP> mput p123m0*.abs
Sending file $DISK3:[NG7SANS29.ALAN]P123M010.ABS;1 to P123M010.ABS
200 PORT command successful.
150 Opening ASCII mode data connection for P123M010.ABS.
226 Transfer complete.
Transferred 4615 bytes in 00:00:00.21 = 21976 bytes/Second
Sending file $DISK3:[NG7SANS29.ALAN]P123M010_M.ABS;1 to P123M010_M.ABS
200 PORT command successful.
150 Opening ASCII mode data connection for P123M010_M.ABS.
226 Transfer complete.
Transferred 9981 bytes in 00:00:00.30 = 33270 bytes/Second
Sending file $DISK3:[NG7SANS29.ALAN]P123M011.ABS;1 to P123M011.ABS
200 PORT command successful.
150 Opening ASCII mode data connection for P123M011.ABS.
226 Transfer complete.
Transferred 4615 bytes in 00:00:00.19 = 24289 bytes/Second
Sending file $DISK3:[NG7SANS29.ALAN]P123M011_M.ABS;1 to P123M011_M.ABS
200 PORT command successful.
150 Opening ASCII mode data connection for P123M011_M.ABS.
226 Transfer complete.
Transferred 9981 bytes in 00:00:00.30 = 33270 bytes/Second
Sending file $DISK3:[NG7SANS29.ALAN]P123M012.ABS;1 to P123M012.ABS
200 PORT command successful.
226 Transfer complete.
FTP> quit
221-You have transferred 28606 bytes in 4 files.
221-Total traffic for this session was 30385 bytes in 4 transfers.
221-Thank you for using the FTP service on
221 Goodbye.
Connection Closing

You can get help on how to use the VAX FTP client (not the easiest in the world to use, or the most functional) by typing help at any of the FTP> prompts.
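The same transfer as the sample session above, written as an added Python example that is not part of the original page or of any NCNR software. The drop-box hostname (not reproduced on this page) is a constructed placeholder; the VMS-to-plain name mapping and the case-insensitive glob reproduce what the VAX client printed above (mput p123m0*.abs picking up P123M010.ABS and P123M010_M.ABS), and uploads use ASCII mode as in the session.

```python
import fnmatch
import ftplib
import os
import re

# Constructed placeholder: the page does not reproduce the drop-box hostname.
DROPBOX_HOST = "ftp-dropbox.example.invalid"
INCOMING_DIR = "pub/incoming"

# VMS file spec: optional DEVICE:, optional [DIRECTORY], NAME.TYPE, optional ;VERSION
_VMS_SPEC = re.compile(r"^(?:[^:\[\]]+:)?(?:\[[^\]]*\])?(?P<name>[^;\[\]:]+)(?:;\d*)?$")


def remote_name(vms_spec):
    """Bare name the FTP server sees for a VMS spec, e.g.
    '$DISK3:[NG7SANS29.ALAN]P123M010.ABS;1' -> 'P123M010.ABS'."""
    m = _VMS_SPEC.match(vms_spec)
    if not m:
        raise ValueError("not a VMS file spec: %r" % (vms_spec,))
    return m.group("name")


def select_files(names, pattern):
    """Case-insensitive glob, as the VAX client applies 'mput p123m0*.abs'."""
    return sorted(n for n in names
                  if fnmatch.fnmatchcase(n.upper(), pattern.upper()))


def push_to_incoming(local_dir, pattern, username, host=DROPBOX_HOST):
    """Anonymous login, cd pub/incoming, ASCII-mode upload of matching files.

    Everything placed in pub/incoming is readable by any host on the
    Internet and is purged every morning, so use it only as a transient
    drop box.  Returns the list of names stored on the server.
    """
    stored = []
    with ftplib.FTP(host, timeout=30) as ftp:
        ftp.login("anonymous", username)   # page: send your sans username
        ftp.cwd(INCOMING_DIR)
        for name in select_files(os.listdir(local_dir), pattern):
            # storlines needs a binary handle; it sends each line as ASCII,
            # matching the "ASCII mode data connection" in the session.
            with open(os.path.join(local_dir, name), "rb") as fp:
                ftp.storlines("STOR " + name, fp)
            stored.append(name)
    return stored
```

Binary data files (not the .abs text files shown above) should be sent with ftp.storbinary instead, or they will be corrupted by the ASCII line-ending translation.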

Please contact Nick Maliszewskyj <>, (301)975-3171, or Przemek Klosowski <>, (301)975-6249 for additional clarification on specific firewall related issues, and Alan Munter <> to obtain an account on the SSH server.

Report errors or make inquiries about this page to Alan Munter, <>

Last modified 02-April-2002 by website owner: NCNR (attn: Jeff Krzywon)