SSH provides the same 'remote terminal' feature as Telnet, but encrypts the session and thereby guarantees that passwords cannot be eavesdropped.

Caveats:

  • SSH access is only supported for client computers correctly registered in the DNS.
  • SSH version 1 is not supported. On some very old client platforms (e.g. Linux Suse 7.2), the "-2" option may be required.
  • External users must use a non-standard port number (see below).

For Windows-based personal computers, two programs are available for download: PuTTY and WinSCP.

From the external side (external users with a user account on an internal system)

Users first connect to a 'proxy' server running on the firewall computer, which in turn automatically connects them to the destination system. To use the SSH proxy, simply SSH to the firewall computer as if you wanted to log into it, specifying the port number that corresponds to the target institute (-p option for a UNIX/Linux command, or selected in the menus of a graphical interface):

  • port 5022 on firewall.esrf.fr: login ESRF (NICE cluster)
  • port 5023 on firewall.ill.fr: login ILL
  • port 5024 on firewall.embl-grenoble.fr: login EMBL-Grenoble

There will be a short pause, after which the internal SSH server itself prompts you for a password.

The external user must have a valid user account (identified by a username and a password) on this SSH server. If the username on the remote server differs from the username on the local client computer, then do not forget to configure the remote username:

  • -l username option for SSH command on UNIX
  • username@firewall.xxx.fr is also possible
  • examples:
    • ssh -l smith -p 5023 firewall.ill.fr
    • ssh -p 5022 johnson@firewall.esrf.fr

On some client platforms (e.g. Linux Suse 7.2), the '-2' option may be required in order to force the use of SSH version 2.

  • ssh -2 -p 5022 johnson@firewall.esrf.fr

Once logged into the SSH server, Telnet/SSH to any other internal host is permitted - this is referred to as 'bouncing'.
At the ESRF, a server belonging to the NICE cluster will be automatically selected when coming from outside. Example:

    % ssh -p 5022 -l johnson firewall.esrf.fr
    Password: xxxxxxx
    Please wait...checking for disk quotas
    (...etc.)
    indigo3% telnet another-host
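The same connections written as a per-user OpenSSH client configuration, so that the port and remote username do not have to be retyped for each institute. This is an added example, not part of the original page. The alias names (esrf, ill, embl) and the EMBL username are placeholders, the other usernames are the ones used in the examples above, and the last block assumes a client with ProxyJump support (OpenSSH 7.3 or later) and an internal SSH server that permits forwarding.

```sshconfig
# ~/.ssh/config  (added example; alias names are arbitrary)

# ESRF: the proxy on port 5022 lands on a NICE cluster server
Host esrf
    HostName firewall.esrf.fr
    Port 5022
    User johnson

# ILL
Host ill
    HostName firewall.ill.fr
    Port 5023
    User smith

# EMBL-Grenoble
# "your-username" is a placeholder for the account on the internal server
Host embl
    HostName firewall.embl-grenoble.fr
    Port 5024
    User your-username

# Bouncing in one step: the session to another-host is carried through
# the "esrf" entry above, so it stays encrypted end to end instead of
# running telnet from the landing server.
# Assumption: the internal SSH server allows forwarding.
Host another-host
    ProxyJump esrf
    User johnson
```

With this file in place, `ssh esrf` is equivalent to `ssh -p 5022 -l johnson firewall.esrf.fr`, and `ssh another-host` performs the bounce.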

From inside

Internal users should not cross the firewall for SSH access; they should SSH directly to the remote host. Note that outgoing SSH is fully supported provided an SSH client program is used internally (e.g. on the NICE cluster at the ESRF).