The most recent version of this page is a draft.DiffThis version is outdated by a newer approved version.DiffThis version (2024/05/27 19:31) was approved by goldenberg.The Previously approved version (2024/02/16 11:39) is available.Diff

This is an old revision of the document!


Since November 2013 access to VSC is restricted to IP addresses from the participating partner universities of the VSC project. If users wants to access VSC from IPs outside of these IP ranges, they have first to login to a machine or service to get access to their university network.

Common ways of connecting are either the use of a VPN or a SSH gateway provided by the university.

See also Login and data transfer, and Connecting from windows.

VPN services

SSH Gateway

Users can connect first to any linux machine within a university and then connect further to VSC. Some universities provide a dedicated SSH gateway (contact your local IT services if you don't know how to connect).

Using SSH keys and SSH agent to connect to VSC

user@host:~$ ls -dl ~/.ssh
drwx------ 4 user user 4096 Dec  6 09:20 /home/user/.ssh

This directory should only be accessible for your user. If permissions are not as in the above example set them with:

user@host:~$ chmod 700 ~/.ssh

ssh passphrase should be as strong as your password!:

user@host:~$ ssh-keygen -t rsa

If default options are used, the private and public key are saved into your $HOME/.ssh directory. 'id_rsa' is the private key file, this should not be lost or given to any other person. 'id_rsa.pub' is the public key file which is used for authenticating on remote machines. Again, check if the permissions of the generated files are correct. By default they should look like this:

user@host:~$ ls -la ~/.ssh/id_*
-rw------- 1 user user 1766 Dec  6 09:15 /home/user/.ssh/id_rsa
-rw-r--r-- 1 user user  394 Dec  6 09:15 /home/user/.ssh/id_rsa.pub

See also sshkeygen.

  • Preparing the remote machine for logging in with your key: On the remote machine the contents of your 'id_rsa.pub' file have to be added to the 'authorized_keys' file in the '.ssh' directory. Login to the remote machine and use a text editor of your choice to do this. Afterwards check if the permissions of the 'authorized_keys' file are correct:
    user@remote_host:~$ ls -l .ssh/authorized_keys
    -rw------- 1 user user 1194 Dec  6 09:39 .ssh/authorized_keys

    Alternatively you can copy the key via the ssh-copy-id command:

    user@remote_host:~$ ssh-copy-id <username>@vsc3.vsc.ac.at
  • Logging in with ssh-keys: For using the ssh-keys,
    • they may be added to the so-called ssh-agent. Most window managers have a ssh-agent running by default and if a connection with an applicable key is opened you are asked to enter the passphrase. The ssh-agent will then store the passphrase and reuse it for further connection attempts with this private/public key pair.
    • Alternatively, the ssh-key may be given as parameter (-i) or
    • written to ~/.ssh/config (see below).
ssh -p 27 <username>@vsc4.vsc.ac.at     # or 
ssh -p 27 <username>@vsc5.vsc.ac.at

Using a jump host

It is also possible to use SSH keys if the machine to which one wants to login is reachable only over one or several hops in between. To do this, use the command -J to specify the jump host. Prerequisite is that on all remote hosts the public key has been added to the authorized_keys file as described above. For example, a connection to VSC-5 over the login.univie.ac.at machine would look like this :

user@host:~$ ssh -p27 -X -t -J <uni_username>@login.univie.ac.at <vsc_username>@vsc5.vsc.ac.at

Parameters may be written, e.g. on a per-host basis, to ~/.ssh/config of the local machine (see also man ssh_config (agent and X11 forwarding may be enabled if permanently required):

Host vsc5.vsc.ac.at vsc5
  Port 27
  User vsc_username
#  ForwardAgent yes
  IdentityFile id_rsa
  IdentitiesOnly yes
#  ForwardX11 yes

Using a jump host

A configuration for automatically using a jump host could look like this:

Host vsc5.vsc.ac.at vsc5
  User vsc_username
  ProxyJump login.univie.ac.at

Host login.univie.ac.at
  User uni_username
  • In theory it would be possible to create an ssh key without passphrase. However, the possession of this key would allow anyone from anywhere to open a connection.
  • Forwarding the ssh key as a standard procedure, e.g. by aliasing the 'ssh' command is not recommended, especially if you connect also to servers which are not perfectly reliable. An attacker with administrator access (using zero-day exploits?) could misuse the forwarded keys.
  • One of the worst security issues concerning ssh keys would be to create a passphrase-less ssh-key and copy the public key directly to the 'authorized_keys'-file on the same server. This might seem useful if several servers share nfs mounted home directories. However, as stated above, anyone who ever had read access to this account could access forever from anywhere again! If ever necessary, this has to be combined with host access restrictions, e.g. in .ssh/authorized_keys: from=“*.trusted.host.example.com” (see man sshd).
  • doku/vpn_ssh_access.1714643674.txt.gz
  • Last modified: 2024/10/24 10:21
  • (external edit)