User Tools

Site Tools


doku:vpn_ssh_access

Access to VSC

Since November 2013 access to VSC is restricted to IP addresses from the participating partner universities of the VSC project. If users wants to access VSC from IPs outside of these IP ranges, they have first to login to a machine or service to get access to their university network.

Common ways of connecting are either the use of a VPN or a SSH gateway provided by the university.

See also Login, and Connecting from windows.

VPN services

SSH Gateway

Users can connect first to any linux machine within a university and then connect further to VSC. Some universities provide a dedicated SSH gateway (contact your local IT services if you don't know how to connect):

Using SSH keys and SSH agent to connect to VSC

Check permissions of your local .ssh directory:

user@host:~$ ls -dl ~/.ssh
drwx------ 4 user user 4096 Dec  6 09:20 /home/user/.ssh

This directory should only be accessible for your user. If permissions are not as in the above example set them with:

user@host:~$ chmod 700 ~/.ssh

Generate ssh-key

ssh passphrase should be as strong as your password!:

user@host:~$ ssh-keygen -t rsa

If default options are used, the private and public key are saved into your $HOME/.ssh directory. 'id_rsa' is the private key file, this should not be lost or given to any other person. 'id_rsa.pub' is the public key file which is used for authenticating on remote machines. Again, check if the permissions of the generated files are correct. By default they should look like this:

user@host:~$ ls -la ~/.ssh/id_*
-rw------- 1 user user 1766 Dec  6 09:15 /home/user/.ssh/id_rsa
-rw-r--r-- 1 user user  394 Dec  6 09:15 /home/user/.ssh/id_rsa.pub

See also sshkeygen.

remote machine

  • Preparing the remote machine for logging in with your key: On the remote machine the contents of your 'id_rsa.pub' file have to be added to the 'authorized_keys' file in the '.ssh' directory. Login to the remote machine and use a text editor of your choice to do this. Afterwards check if the permissions of the 'authorized_keys' file are correct:
    user@remote_host:~$ ls -l .ssh/authorized_keys
    -rw------- 1 user user 1194 Dec  6 09:39 .ssh/authorized_keys

    Alternatively you can copy the key via the ssh-copy-id command:

    user@remote_host:~$ ssh-copy-id <username>@vsc3.vsc.ac.at
  • Logging in with ssh-keys: For using the ssh-keys,
    • they may be added to the so-called ssh-agent. Most window managers have a ssh-agent running by default and if a connection with an applicable key is opened you are asked to enter the passphrase. The ssh-agent will then store the passphrase and reuse it for further connection attempts with this private/public key pair.
    • Alternatively, the ssh-key may be given as parameter (-i) or
    • written to ~/.ssh/config (see below).

Connecting to VSC-2 or VSC-3 via ssh-key:

ssh -p 27 <username>@vsc2.vsc.ac.at     # or 
ssh -p 27 <username>@vsc3.vsc.ac.at

Forwarding the ssh-agent over multiple servers

If the machine to which one wants to login is reachable only over one or several hops in between, the ssh-agent of the local machine can be forwarded to the machines in between using the '-A' option of the 'ssh' command. Prerequisite is that on all remote hosts the public key has been added to the 'authorized_keys' file as described above. For example, a connection to VSC-3 over the 'login.univie.ac.at' machine would look like this :

user@host:~$ ssh -p27 -X -A -t <uni_username>@login.univie.ac.at ssh -p27 -X <vsc_username>@vsc3.vsc.ac.at

Parameters in .ssh/config

Parameters may be written, e.g. on a per-host basis, to ~/.ssh/config of the local machine (see also man ssh_config (agent and X11 forwarding may be enabled if permanently required):

Host vsc3.vsc.ac.at vsc3
  Port 27
#  ForwardAgent yes
  IdentityFile id_rsa
  IdentitiesOnly yes
#  ForwardX11 yes

Security issues

  • In theory it would be possible to create an ssh key without passphrase. However, the possession of this key would allow anyone from anywhere to open a connection.
  • Forwarding the ssh key as a standard procedure, e.g. by aliasing the 'ssh' command is not recommended, especially if you connect also to servers which are not perfectly reliable. An attacker with administrator access (using zero-day exploits?) could misuse the forwarded keys.
  • One of the worst security issues concerning ssh keys would be to create a passphrase-less ssh-key and copy the public key directly to the 'authorized_keys'-file on the same server. This might seem useful if several servers share nfs mounted home directories. However, as stated above, anyone who ever had read access to this account could access forever from anywhere again! If ever necessary, this has to be combined with host access restrictions, e.g. in .ssh/authorized_keys: from=“*.trusted.host.example.com” (see man sshd).
doku/vpn_ssh_access.txt · Last modified: 2017/09/01 15:41 by ir