SSH Gateway

Access to the institute's network is possible via the ssh gateway

gw.him.uni-mainz.de

You can log in to the gateway with your public key only, not with username/password. Therefore you must first upload your public key to the gateway via SFTP; this upload is the only operation for which username/password login is allowed. The keys have to be put into a file called authorized_keys, which must reside in the subfolder keys.

Prepare your public key

If you already know where your public key is, copy or append it to a file named authorized_keys and proceed to copy that file to the gateway.

If not, go to your /home/<username>/.ssh/ directory and look for a file named id_rsa.pub and copy it to a new file named authorized_keys.

If there is no id_rsa.pub, you may need to create a public key by entering:

ssh-keygen

You can accept the default values; the private and public keys will be stored in your ~/.ssh/ directory. The file you upload must be named authorized_keys, so copy your public key into it:

cat id_rsa.pub >> authorized_keys

This way you can also append keys to authorized_keys if it already exists. You can now proceed to copy that key file to the gateway.

Copy Public Key file using FileZilla

An easy way to copy your public key(s) to the gateway is to use the open source SFTP client FileZilla. Enter the following values:

Host: sftp://gw.him.uni-mainz.de

Username: <your Uni-Mainz ID>

Password: <your password>

Port: 22022


In the left-hand pane you can browse your files. Select your prepared authorized_keys file and drag it to the remote keys folder. Please be advised that this will overwrite any authorized keys currently on the gateway. If you wish to have more than one public key on the gateway, download the remote file first, append your new public key to it, and copy the file back to the gateway.

Add your authorized_keys file:

Your keys should now be stored on the gateway. You can check that by entering:

ssh <username>@gw.him.uni-mainz.de

You should be greeted with the message "Hello, <username>" and asked for the hostname of the machine you want to connect to, like this:

You can now enter your desired destination

<username>@<hostname>.<groupname>.him.uni-mainz.de

Please keep in mind that this username is the name on that specific machine and not necessarily your ZDV username. You need to enter your password for that machine as well.

A more elegant solution is to set up your .ssh/config file to use the gateway as a jump host with public key authentication, see below. If set up correctly, you do not need to enter a password when connecting to your workstation.

If instead you are presented with the message "Permission denied (publickey).", something went wrong and your key has not been stored correctly on the gateway.

Copy Public Key using the command line

Alternatively, if you do not want to use FileZilla or any other SFTP-compatible program, you can use the built-in tools of most Linux systems.

Go to the directory containing your public key in a file called authorized_keys. You can copy your local authorized_keys file to the remote destination keys/authorized_keys using:

sftp -P 22022 <userid>@gw.him.uni-mainz.de <<< "put authorized_keys keys/authorized_keys"

The authorized keys file should contain all public keys, one key per line.

In order to add a key one can first fetch the keys file via

sftp -P 22022 <userid>@gw.him.uni-mainz.de <<< "get keys/authorized_keys"

then add the new key

cat id_rsa.pub >> authorized_keys

and re-upload the file using the put command above.

Add a new Key using the command line

Go to your home directory and make sure your id_rsa.pub is in ~/.ssh/. Then replace <user ID> with your ZDV user ID and enter the following in your terminal of choice:

cd ~ && sftp -P 22022 <user ID>@gw.him.uni-mainz.de <<< "get keys/authorized_keys" && cat ~/.ssh/id_rsa.pub >> authorized_keys && sftp -P 22022 <user ID>@gw.him.uni-mainz.de <<< "put authorized_keys keys/authorized_keys" && rm authorized_keys


You need to enter your password twice, once for downloading your authorized keys and once for uploading the new authorized keys. Congratulations, your new key was added to the gateway.
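The one-liner above blindly appends and overwrites. The following script is an added example (not part of the original page, and not a tool provided by the institute) that performs the same get/merge/put sequence from the two command-line sections more carefully: it keeps only lines that look like OpenSSH public keys, skips keys that are already present on the gateway, and downloads the file once more afterwards to confirm that what is stored matches what was sent. The gateway name and port are taken from the page; the user ID, the key path and the sample key material in the comments are placeholders you replace.

```shell
#!/bin/sh
# Added example: idempotent update of keys/authorized_keys on the gateway.
# Hostname and port are from the page; USERID is a placeholder (your ZDV ID).
GATEWAY=${GATEWAY:-gw.him.uni-mainz.de}
PORT=${PORT:-22022}
USERID=${USERID:-your-zdv-user-id}

# Print the lines of FILE that look like plain OpenSSH public keys: a known
# key type, a base64 blob, an optional comment. Blank lines, comments and
# lines with a leading options field (from="...", command="...") are dropped.
# This is a syntactic check only; it does not prove the key is valid.
valid_pubkey_lines() {
    grep -E '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com) [A-Za-z0-9+/]+=*( .*)?$' "$1" || :
}

# Print EXISTING unchanged (if it exists), followed by every valid key from
# NEW_KEYS whose type+blob is not already present. Comparing type+blob rather
# than the whole line avoids duplicates that differ only in the comment.
merge_authorized_keys() {
    existing=$1; new_keys=$2
    if [ -f "$existing" ]; then cat "$existing"; fi
    valid_pubkey_lines "$new_keys" | awk -v existing="$existing" '
        BEGIN {
            while ((getline line < existing) > 0) {
                split(line, f, " "); seen[f[1] " " f[2]] = 1
            }
        }
        { k = $1 " " $2 }
        !seen[k]++ { print }
    '
}

# Download, merge, upload, then download again and compare.
# Commands are piped into sftp just like the page's here-string; do NOT use
# "sftp -b", which enables BatchMode and suppresses the password prompt that
# the gateway requires for this upload.
update_gateway_keys() {
    pubkey=${1:-$HOME/.ssh/id_rsa.pub}
    work=$(mktemp -d)
    printf 'get keys/authorized_keys %s/remote\n' "$work" | sftp -P "$PORT" "$USERID@$GATEWAY"
    merge_authorized_keys "$work/remote" "$pubkey" > "$work/merged"
    printf 'put %s/merged keys/authorized_keys\n' "$work" | sftp -P "$PORT" "$USERID@$GATEWAY"
    printf 'get keys/authorized_keys %s/check\n' "$work" | sftp -P "$PORT" "$USERID@$GATEWAY"
    if cmp -s "$work/merged" "$work/check"; then
        echo "gateway now holds $(valid_pubkey_lines "$work/check" | wc -l) key(s)"
        rm -rf "$work"
    else
        echo "remote keys file differs from what was uploaded; check it manually" >&2
        rm -rf "$work"
        return 1
    fi
}

# Usage: sh this_script.sh upload [path/to/your_key.pub]
if [ "${1:-}" = "upload" ]; then
    update_gateway_keys "$2"
fi
```

Expect three password prompts (download, upload, verification download) instead of the two the one-liner needs; the third one is what turns the gateway's "you will receive an email upon any change" notice into something you can check against immediately.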

Setup the Gateway as Jump Host

You do not need to enter the remote hostname manually each time you want to log in to your desktop; instead, configure your ssh config file to use the gateway as a jump host. Look inside your ~/.ssh/ directory for a file called config. If it is not already there, create it:

nano ~/.ssh/config

And add entries for two hosts, which we will call work (your workstation) and gate (the gateway). Your config should look like this:

Host gate
  HostName gw.him.uni-mainz.de
  User <Uni-Mainz ID>
  ServerAliveInterval 15
  ForwardX11Trusted yes

Host work
  HostName <hostname>.him.uni-mainz.de OR <IP>
  User <user name on that machine>
  ServerAliveInterval 5
  ProxyCommand ssh -X gate nc %h 22 

The ProxyCommand is crucial here. ssh -X enables X forwarding, gate is the gateway, and "nc %h 22" opens a connection from the gateway to port 22 of your workstation, through which your actual ssh login is tunnelled. Do not enable compression, and remove it should it already be in your config file, as it reduces your transfer speeds significantly.

Please note that your public key must also be present on your workstation in ~/.ssh/authorized_keys. Put it there in whatever way you prefer, or refer to your OS man pages. If that is set up correctly, you can ssh into your workstation at HIM with

ssh work

without any further credentials.
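As an added example (not from the original page), the script below writes a config equivalent to the one above to a scratch file, checks it for the pitfall the text warns about (a Compression setting that applies to the work host, honouring ssh's rule that the first value found wins), and then, when an OpenSSH client is installed, prints what ssh actually resolves for the work alias via ssh -G, which evaluates the configuration without connecting anywhere. The hostname mypc.him.uni-mainz.de and the user names are placeholders.

```shell
#!/bin/sh
# Added example: lint a jump-host config for the "Compression" pitfall and
# show the settings ssh resolves for an alias. Host/user names are placeholders.

# Return 0 if the first Compression value that applies to ALIAS ($2) in
# CFG ($1) is "yes", 1 otherwise. Lines before the first Host apply to every
# host; a Host line activates when one of its patterns is exactly ALIAS or "*"
# (other wildcard forms and negations are not handled in this simple check).
config_compression_enabled() {
    awk -v alias="$2" '
        BEGIN { active = 1 }
        /^[ \t]*(#|$)/ { next }              # comments and blank lines
        {
            key = tolower($1)
            if (key == "host") {
                active = 0
                for (i = 2; i <= NF; i++)
                    if ($i == alias || $i == "*") active = 1
                next
            }
            if (key == "match") { active = 0; next }   # Match blocks are not evaluated here
            if (active && key == "compression" && !seen) {
                seen = 1; value = tolower($2)           # first obtained value wins
            }
        }
        END { exit (value == "yes") ? 0 : 1 }
    ' "$1"
}

# Write a config equivalent to the page's gate/work stanzas into FILE ($1),
# with placeholder names that ssh -G can parse (no spaces or angle brackets).
write_jump_config() {
    cat > "$1" <<'EOF'
Host gate
  HostName gw.him.uni-mainz.de
  User zdv-user-id
  ServerAliveInterval 15
  ForwardX11Trusted yes

Host work
  HostName mypc.him.uni-mainz.de
  User workstation-user
  ServerAliveInterval 5
  ProxyCommand ssh -X gate nc %h 22
EOF
}

# Print the settings ssh resolves for ALIAS ($2) from CFG ($1).
# Requires OpenSSH 6.8 or newer for -G; nothing is connected.
show_effective_settings() {
    command -v ssh >/dev/null 2>&1 || { echo "ssh client not installed" >&2; return 1; }
    ssh -G -F "$1" "$2" | grep -iE '^(hostname|user|proxycommand|compression) '
}

# Usage: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    cfg=$(mktemp)
    write_jump_config "$cfg"
    if config_compression_enabled "$cfg" work; then
        echo "WARNING: Compression is enabled for 'work'; remove it"
    else
        echo "ok: Compression is not enabled for 'work'"
    fi
    show_effective_settings "$cfg" work
    rm -f "$cfg"
fi
```

Running the same check against your real ~/.ssh/config (config_compression_enabled ~/.ssh/config work) tells you whether a global "Compression yes" from an earlier setup silently applies to the jump-host entry.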

Accessing HIMster

You can reach the HIMster just the same way. Add the following to your ".ssh/config":

Host gate
  HostName gw.him.uni-mainz.de
  User <Uni-Mainz ID>
  ServerAliveInterval 15
  ForwardX11Trusted yes


Host himster
  Hostname himster.him.uni-mainz.de
  # this is probably NOT your ZDV name
  User <username on himster/kph>
  ServerAliveInterval 15
  ProxyCommand ssh -X gate nc %h 22

You can also reach the HIMster from within the HIM Network via the HIM Gateway. Copying files is faster than using the kph Gateway, so this might be interesting if you have lots of data to transmit. However, the gateway hostname differs if you try to reach it from within the HIM Network. For any machine that is in the HIM Network, the .ssh/config should look like this:

Host gateIntern
  HostName gw.<group name>.him.uni-mainz.de
  User <username>
  ForwardX11Trusted yes
  ServerAliveInterval 15


Host himster
  Hostname himster.him.uni-mainz.de
  User <username on HIMster/kph>
  ServerAliveInterval 15
  ProxyCommand ssh -X gateIntern nc %h 22


Public key authentication works just the same.

Accessing Clover

You can reach the Clover just the same way. Add the following to your ".ssh/config":

Host gate
  HostName gw.him.uni-mainz.de
  User <Uni-Mainz ID>
  ServerAliveInterval 15
  ForwardX11Trusted yes


Host clover
  Hostname clover.thfl.him.uni-mainz.de
  # this is probably NOT your ZDV name
  User <username on himster/kph>
  ServerAliveInterval 15
  ProxyCommand ssh -X gate nc %h 22

You can also reach clover from within the THFL subnet of the HIM Network directly.

Public key authentication works just the same.

Notes

You will receive an email upon any change to the keys file, i.e. if you receive an email from the gateway system without having modified your keys, an attacker may be trying to use your account. In such a case please contact it@him.uni-mainz.de immediately.


The gateway is regularly rebooted every Monday morning at 5 am.


An easy way to use the gateway as a "jump host" is to set up your client's config file, i.e. ~/.ssh/config, where the syntax is

Host him
        ProxyCommand ssh <uid>@gw.him.uni-mainz.de nc <destination host> 22

Alternatively you can ssh into the gateway directly and interactively specify the host to login to.