Using SSH
Ssh provides the same "remote terminal" feature as Telnet, but encrypts the whole session, so that passwords (and everything else typed or displayed) cannot be eavesdropped on the network.
Caveats:
- Ssh access is only supported for client computers correctly registered in the DNS.
- Ssh version 1 is not supported. On some client platforms (e.g. Linux SuSE 7.2), the "-2" option may be required to force version 2.
- External users must use a special port number (see below).
For Windows-based personal computers, two client programs are available for download, PuTTY and the SSH client from ssh.com:
- Download PuTTY: a small, simple, directly executable Ssh client program
- Download SSH: the full-featured Ssh client program from ssh.com (non-commercial use only); the executable file is an installer program
- How to set up SSH (the above client from ssh.com)
From the external side (external users who have a user account on an internal system)
Users first connect to a "proxy" server running on the firewall computer, which in turn automatically connects them to the destination system. To use the Ssh proxy, simply ssh to the firewall computer as if you wished to log into it, giving the port number of the target institute (the -p option of the UNIX/Linux ssh command, or the port field of a graphical client):
- port 5022 on firewall.esrf.fr: login ESRF (NICE cluster)
- port 5023 on firewall.ill.fr: login ILL
- port 5024 on firewall.embl-grenoble.fr: login EMBL-Grenoble
There will be a short pause, and you will then be prompted for a password directly by the internal Ssh server (as with any Ssh connection, the client will first ask you to confirm the server's host key the first time you connect to it).
The external user must have a valid user account (identified by a username and a password) on this Ssh server. If the username on the remote server differs from the username on the local client computer, do not forget to give the remote username:
- -l username option for the ssh command on UNIX
- username@firewall.xxx.fr is also possible
- examples:
    ssh -l smith -p 5023 firewall.ill.fr
    ssh -p 5022 johnson@firewall.esrf.fr
- On some client platforms (e.g. Linux SuSE 7.2), the "-2" option may be required in order to force the use of Ssh version 2:
    ssh -2 -p 5022 johnson@firewall.esrf.fr
Once logged into the Ssh server, Telnet or Ssh to any other internal host is permitted; this is referred to as "bouncing".
At the ESRF, a server belonging to the NICE cluster will be automatically selected when coming from outside. An example session follows:
    % ssh -p 5022 -l johnson firewall.esrf.fr
    Password: xxxxxxx
    Please wait...
    checking for disk quotas
    (...etc.)
    indigo3% telnet another-host
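The connection commands above, turned into a small shell helper. This is an example added here; it is not part of the original help page. It builds the "ssh -2 -p PORT user@firewall" line for each institute's proxy port, refuses unknown institutes, and can also print an equivalent ~/.ssh/config stanza so that a single alias (for instance "ssh esrf") does the same thing. The firewall host names and port numbers are those listed above; the short institute keys (esrf, ill, embl), the alias name and the usernames are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not part of the original help page: build the command line
# for the firewall Ssh proxy of each institute and emit an equivalent
# ~/.ssh/config stanza so that e.g. "ssh esrf" does the same thing.
# The firewall host names and ports are those listed on the page; the short
# institute keys (esrf, ill, embl), the stanza alias and the usernames are
# assumptions made for this example.

# proxy_target KEY -> prints "host port" for a known institute, fails otherwise.
proxy_target() {
    case "$1" in
        esrf) echo "firewall.esrf.fr 5022" ;;
        ill)  echo "firewall.ill.fr 5023" ;;
        embl) echo "firewall.embl-grenoble.fr 5024" ;;
        *)    echo "unknown institute '$1' (use esrf, ill or embl)" >&2; return 1 ;;
    esac
}

# proxy_ssh_cmd KEY [USERNAME] -> prints the ssh command to type.
# Without USERNAME, ssh would use the local login name, so default to it here
# too; pass USERNAME explicitly when the account name differs on the remote side.
# "-2" forces protocol version 2 (the proxy does not accept version 1); recent
# OpenSSH clients, which no longer implement version 1, accept and ignore the flag.
proxy_ssh_cmd() {
    target=$(proxy_target "$1") || return 1
    host=${target% *}
    port=${target#* }
    user=${2:-${USER:-$(id -un)}}
    echo "ssh -2 -p $port $user@$host"
}

# proxy_ssh_config ALIAS KEY USERNAME -> prints a ~/.ssh/config stanza.
# "Protocol 2" is the ssh_config equivalent of "-2"; OpenSSH 7.6 and later
# ignore the keyword (version 1 support was removed), older clients need it.
proxy_ssh_config() {
    target=$(proxy_target "$2") || return 1
    printf 'Host %s\n    HostName %s\n    Port %s\n    User %s\n    Protocol 2\n' \
        "$1" "${target% *}" "${target#* }" "$3"
}

# Demonstration: the two examples from the page, then a config stanza.
proxy_ssh_cmd ill smith
proxy_ssh_cmd esrf johnson
proxy_ssh_config esrf esrf johnson
```

Append the stanza printed by proxy_ssh_config to ~/.ssh/config and "ssh esrf" then connects to the firewall proxy port with the right username, with nothing to remember at the prompt.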
From inside
Internal users should not cross the firewall for Ssh access: just ssh directly to the remote host. Note that outgoing Ssh is fully supported, provided an Ssh client program is used internally (e.g. on the NICE cluster at the ESRF).