Access to the institute's network is possible via the ssh gateway gw.him.uni-mainz.de (port 22022).
You can log in to the gateway with your public key only, not with username and password. You therefore have to provide your public key to the gateway via SFTP, which is the one service on the gateway that still accepts your username and password, and exists solely for this purpose. The key(s) have to be put into a file called authorized_keys, which has to reside in the subfolder keys of your SFTP directory on the gateway.
Prepare your public key
If you already have a public key, copy or append it to a file named authorized_keys and proceed to copy that file to the gateway.
If not, look in your /home/<username>/.ssh/ directory (~/.ssh/) for a file named id_rsa.pub (newer OpenSSH versions create id_ed25519.pub by default) and copy it to a new file named authorized_keys.
If there is no public key there yet, create a key pair by entering:
ssh-keygen
You can accept the default values; the private and public keys will be stored in your ~/.ssh/ directory. Only the .pub file ever leaves your machine; the private key (the file without .pub) stays where it is. The file for the gateway must be named authorized_keys, so copy your public key into it (in ~/.ssh/):
cat id_rsa.pub >> authorized_keys
Because >> appends, the same command also adds a key to an authorized_keys file that already exists. You can now proceed to copy that key file to the gateway.
Copy Public Key file using FileZilla
An easy way to copy your public key(s) to the gateway is the open source FTP/SFTP client FileZilla. Connect with the following values (the connection has to use SFTP, not plain FTP; the host and port are the same ones used by the sftp commands below):
Host: sftp://gw.him.uni-mainz.de
Port: 22022
Username: <your Uni-Mainz ID>
Password: <your password>
In the left hand pane you can browse your local files. Select your prepared authorized_keys file and drag it into the remote keys folder. Be aware that this overwrites the remote file and therefore removes every key that was authorized before. If you wish to have more than one public key on the gateway, download the remote file first, append your new public key to it locally, and upload the merged file back to the gateway.
Copy Public Key using the command line
Go to the directory containing your public key in a file called authorized_keys. You can copy your local authorized_keys file to the remote destination keys/authorized_keys using the following command (<<< is a bash here-string; in other shells pipe the sftp command in with printf or echo instead):
sftp -P 22022 <userid>@gw.him.uni-mainz.de <<< "put authorized_keys keys/authorized_keys"
The authorized keys file should contain all public keys, one key per line.
To add a key, first fetch the current keys file via
sftp -P 22022 <userid>@gw.him.uni-mainz.de <<< "get keys/authorized_keys"
then add the new key
cat ~/.ssh/id_rsa.pub >> authorized_keys
and reupload the file using the put command above.
Add a new Key using the command line
Go to your home directory and make sure your public key is in ~/.ssh/id_rsa.pub (adjust the file name if you use another key type, e.g. id_ed25519.pub). Then replace <user ID> with your ZDV user ID and enter the following in your terminal of choice:
cd ~ && sftp -P 22022 <user ID>@gw.him.uni-mainz.de <<< "get keys/authorized_keys" && cat ~/.ssh/id_rsa.pub >> authorized_keys && sftp -P 22022 <user ID>@gw.him.uni-mainz.de <<< "put authorized_keys keys/authorized_keys" && rm authorized_keys
You need to enter your password twice, once for downloading your current authorized keys and once for uploading the new file. Because the commands are chained with &&, a failed download stops the chain, so an incomplete file is never uploaded over the existing one. Congratulations, your new key was added to the gateway.
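The get/append/put procedure of the two command-line sections above, as an added script that is not part of this page or of the institute's tooling. Compared with the one-liner it validates the key file before touching anything, refuses to upload if the download failed, keeps a local copy of what the gateway had, and adds only keys that are not already present (comparing key type and blob, so re-adding the same key with a different comment does not create a duplicate line). Host and port are the ones this page uses; the function names and the backup file name are assumptions made here.

```shell
#!/bin/sh
# Added example, not the page's own tooling: add a key to the gateway's
# keys/authorized_keys without overwriting keys that are already there.
# GW_HOST and GW_PORT are from this page; the function names and the backup
# file name are assumptions made here.
set -u

GW_HOST="gw.him.uni-mainz.de"
GW_PORT="22022"

# is_public_key FILE: succeed only if FILE holds at least one key and every
# non-blank, non-comment line is "<keytype> <base64 blob> [comment]".
# Lines with leading options (from="...", command="...") are rejected on
# purpose; the gateway file on this page is a plain one-key-per-line list.
is_public_key() {
    awk '
        /^[ \t]*$/ { next }
        /^[ \t]*#/ { next }
        $1 !~ /^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521))$/ { bad = 1 }
        $2 !~ /^[A-Za-z0-9+\/]+=*$/ { bad = 1 }
        { n++ }
        END { exit (bad || n == 0) ? 1 : 0 }
    ' "$1"
}

# merge_authorized_keys EXISTING NEW OUT: copy EXISTING to OUT and append every
# key from NEW whose "<keytype> <blob>" is not already in EXISTING. Only type
# and blob are compared, because the trailing comment differs between copies
# of the same key. Prints the number of keys added.
merge_authorized_keys() {
    existing="$1"; new="$2"; out="$3"
    is_public_key "$new" || { echo "$new: not an OpenSSH public key file" >&2; return 1; }
    cp "$existing" "$out" || return 1
    # a downloaded file may lack a final newline; appending would glue lines
    if [ -s "$out" ] && [ "$(tail -c 1 "$out")" != "" ]; then
        echo >> "$out"
    fi
    added=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[![:space:]]*}"}      # strip leading whitespace
        case "$line" in ''|'#'*) continue ;; esac
        id=$(printf '%s\n' "$line" | awk '{ print $1, $2 }')
        if awk -v id="$id" '($1 " " $2) == id { found = 1 } END { exit found ? 0 : 1 }' "$existing"; then
            continue                                 # already authorized
        fi
        printf '%s\n' "$line" >> "$out"
        added=$((added + 1))
    done < "$new"
    echo "$added"
}

# add_key_to_gateway USERID PUBKEYFILE: download, merge, upload. sftp asks for
# your password twice, as with the one-liner on this page. If the download
# fails (wrong password, no file yet) nothing is uploaded, so a failed "get"
# can never turn into a "put" that wipes the remote file; the very first key
# has to go up with a plain "put" as described on this page.
add_key_to_gateway() {
    userid="$1"; pubkey="$2"
    tmp=$(mktemp -d) || return 1
    if ! printf 'get keys/authorized_keys %s/remote\n' "$tmp" \
            | sftp -P "$GW_PORT" "$userid@$GW_HOST" || [ ! -f "$tmp/remote" ]; then
        echo "download of keys/authorized_keys failed; nothing uploaded" >&2
        rm -rf "$tmp"; return 1
    fi
    cp "$tmp/remote" "$HOME/authorized_keys.gw.bak"    # what the gateway had before
    if ! n=$(merge_authorized_keys "$tmp/remote" "$pubkey" "$tmp/merged"); then
        rm -rf "$tmp"; return 1
    fi
    if [ "$n" -eq 0 ]; then
        echo "every key in $pubkey is already on the gateway; nothing uploaded"
        rm -rf "$tmp"; return 0
    fi
    printf 'put %s/merged keys/authorized_keys\n' "$tmp" \
        | sftp -P "$GW_PORT" "$userid@$GW_HOST"
    rc=$?
    rm -rf "$tmp"
    [ "$rc" -eq 0 ] && echo "added $n key(s); expect the gateway's change notification mail"
    return "$rc"
}

# Usage: sh addkey.sh <ZDV user ID> ~/.ssh/id_ed25519.pub
# Without arguments the script only defines the functions above.
if [ "$#" -ge 2 ]; then
    add_key_to_gateway "$1" "$2"
fi
```

The merge logic is deliberately separate from the network part, so it can be checked offline against a copy of the downloaded file before the upload is trusted with it. Note that the script, like the one-liner, relies on sftp's exit status: when commands come from stdin rather than a terminal, sftp stops at the first failing command and exits non-zero, which is what makes the "download failed, nothing uploaded" guard work.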
Set up the Gateway as Jump Host
You don't need to type the hop through the gateway by hand each time you want to log in to your desktop; instead, configure your ssh client to use the gateway as jump host. Look inside your ~/.ssh/ directory for a file called config. If it is not there yet, create it (an empty file is fine; it must be owned by you and not writable by other users, otherwise ssh refuses to read it).
Then add entries for two hosts, which we will call work (your workstation) and gate (the gateway). The gateway's hostname and port are the same ones used for sftp above. Your config should look like this:

Host gate
    HostName gw.him.uni-mainz.de
    Port 22022
    User <Uni-Mainz ID>

Host work
    HostName <hostname>.him.uni-mainz.de OR <IP>
    User <user name on that machine>
    ProxyCommand ssh -X gate nc %h 22

The ProxyCommand is crucial here: ssh ... gate opens a session on the gateway, and nc %h 22 (with %h replaced by the HostName of work) turns that session into a raw TCP connection to port 22 of your workstation, over which your actual ssh login to the workstation is carried. The -X only requests X forwarding for this helper session on the gateway, which is of no use there; X forwarding for your workstation session is requested with ssh -X work or with ForwardX11 yes in the work entry. On OpenSSH 7.3 and newer the single line ProxyJump gate does the same job as the ProxyCommand line and needs no nc on the gateway. Do not enable compression should it already be in your config file, as it will reduce your transfer speeds significantly.
Please note that your public key must also be on your workstation in ~/.ssh/authorized_keys (the gateway hop is authenticated against keys/authorized_keys on the gateway, the workstation login against the workstation's own file). Place it there in whatever way you prefer or refer to your OS man pages. If that is set up correctly, you can ssh into your workstation at HIM with
ssh work
without any further credentials (apart from your key's passphrase, if it has one and is not loaded in an ssh agent).
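The same two-host setup written with the ProxyJump directive instead of the nc-based ProxyCommand, as an added example that is not the page's own configuration. The gateway host and port are those used on this page; the identity file name, IdentitiesOnly, ForwardX11 and the wildcard entry for other institute hosts are assumptions made here and can be dropped.

```sshconfig
# ~/.ssh/config (added example, not the page's configuration)

# Gateway: key-only login on the non-standard port used on this page.
# IdentityFile/IdentitiesOnly are assumptions: offer exactly one key to the
# gateway instead of every key the agent holds (adjust the file name).
Host gate
    HostName gw.him.uni-mainz.de
    Port 22022
    User <Uni-Mainz ID>
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes

# Workstation, reached through the gateway. ProxyJump (OpenSSH 7.3+) replaces
# "ProxyCommand ssh gate nc %h 22"; ForwardX11 is what "ssh -X work" does.
# Compression stays off, as the page advises.
Host work
    HostName <hostname>.him.uni-mainz.de
    User <user name on that machine>
    ProxyJump gate
    ForwardX11 yes
    Compression no

# Assumption: every other host in the institute domain is reachable the same
# way, e.g. "ssh otherbox.him.uni-mainz.de"; the gateway itself is excluded so
# it is not asked to jump through itself.
Host *.him.uni-mainz.de !gw.him.uni-mainz.de
    ProxyJump gate
```

Before the first login, `ssh -G work` prints the options ssh has actually resolved for that host (including proxyjump and the port of the gateway), which is the quickest way to catch a typo in the file. Keep ForwardX11 limited to your own workstation: it gives the remote side access to your local X display, which is fine for a machine you administer but not something to enable for arbitrary hosts.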
You will receive an email upon any change to the keys file. So if you receive such an email from the gateway system without having modified your keys, someone is possibly trying to use your account. In such a case please contact firstname.lastname@example.org immediately.
The gateway is rebooted every Monday morning at 5 am; connections running through it are dropped at that time.
An easy way to use the gateway as a "jump host" is to set up your client's config file, i.e. ~/.ssh/config, where the syntax is
ProxyCommand ssh -p 22022 <uid>@gw.him.uni-mainz.de nc <destination host> 22
(the gateway's sshd listens on port 22022, the same port the sftp commands above use). Alternatively you can ssh into the gateway directly and interactively specify the host to log in to.