SSH is a 'remote terminal' protocol providing data encryption, so passwords cannot be eavesdropped.

Caveats:

  • SSH access is only supported for client computers correctly registered in the DNS
  • External users must use a non-standard port number (see below)
  • On very old client computers, there may be issues due to SSH version 1 (not supported at ESRF)

For Windows-based personal computers, the PuTTY program provides an easy solution: it is small, simple, effective, and open-source. Please read the important configuration instructions below.

From the external side (external users with a user account on an internal system)

Users first connect to a 'proxy' server running on the firewall computer, which will in turn automatically connect them to the destination system. To use the SSH proxy, simply SSH to the firewall computer as if you want to log into it, indicating the port number depending on the target institute (-p option for a UNIX/Linux command, or selected in menus on a graphical interface):

  • port 5022 on firewall.esrf.fr: login ESRF (NICE cluster)
  • port 5023 on firewall.ill.fr: login ILL
  • both EMBL and IBS use a different architecture

There will be a short pause, and then the internal SSH server will prompt you directly for your password.

The external user must have a valid user account (identified by a username and a password) on this SSH server. If the username on the remote server differs from the username on the local client computer, then do not forget to configure the remote username:

  • -l username option for SSH command on UNIX
  • username@firewall.xxx.fr is also possible
  • examples:
    • ssh -l smith -p 5023 firewall.ill.fr
    • ssh -p 5022 johnson@firewall.esrf.fr

On some client platforms (e.g. Linux Suse 7.2), the '-2' option may be required in order to force the use of SSH version 2.

  • ssh -2 -p 5022 johnson@firewall.esrf.fr

Once logged into the SSH server, SSH to any other internal host is permitted - this is referred to as 'bouncing'.
At the ESRF, a server belonging to the NICE cluster will be automatically selected when coming from outside. Example:

    % ssh -p 5022 -l johnson firewall.esrf.fr
    Password: xxxxxxx
    Please wait...checking for disk quotas
    (...etc.)
    sshgw% work on NICE or ssh to another-host
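The same connections can be recorded in the OpenSSH client configuration file, so the port and remote username do not have to be retyped. This is an added example, not part of the original instructions: the aliases esrf-gw and ill-gw are hypothetical, the usernames and another-host are the ones used in the examples above, and the ProxyJump entry assumes an OpenSSH 7.3 or later client and that the internal SSH server permits TCP forwarding.

```sshconfig
# ~/.ssh/config on the external client (added example; aliases are hypothetical)

# ESRF: SSH proxy on the firewall, port 5022, lands on a NICE cluster server.
# Equivalent to: ssh -p 5022 johnson@firewall.esrf.fr
Host esrf-gw
    HostName firewall.esrf.fr
    Port 5022
    User johnson

# ILL: SSH proxy on the firewall, port 5023.
# Equivalent to: ssh -l smith -p 5023 firewall.ill.fr
Host ill-gw
    HostName firewall.ill.fr
    Port 5023
    User smith

# 'Bouncing' to another internal host in one step.
# Assumption: the internal SSH server allows TCP forwarding. If it does not,
# log in with "ssh esrf-gw" first and run "ssh another-host" from there.
Host another-host
    ProxyJump esrf-gw
    User johnson
```

With this file in place, "ssh esrf-gw" opens the proxied session. Because the port is non-standard, the host key is stored in known_hosts under [firewall.esrf.fr]:5022, separately from any entry for port 22.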

From inside ESRF

Internal users should not cross the firewall for SSH access; just SSH directly to the remote host. Note that outgoing SSH is fully supported provided an SSH client program is used internally (e.g. on the NICE cluster at the ESRF).