IT Service: SSH Jump Hosts (lxlogin.gsi.de)

Quick guide

Jump hosts are machines dedicated to forwarding network traffic between different security zones. Hosts of this service forward SSH traffic.

At GSI these hosts enable all users with a Linux account to access internal networks from the internet. They have a minimal setup to reduce security risks and improve performance.

Service description

Jump hosts can be used in the following ways. For more information about SSH connections see Remote Access to Linux Machines.

  • As a minimal login node:
    ssh account@lxlogin.gsi.de
  • As a jump host, to reach an internal machine:
    ssh -J account@lxlogin.gsi.de account@target.gsi.de
    E.g. ssh -J account@lxlogin.gsi.de account@lx-pool.gsi.de
  • For local port forwarding:
    ssh -L 8080:target.gsi.de:80 account@lxlogin.gsi.de
  • For other use cases (e.g. file access) see the sections below

When you connect for the first time, you will be asked to accept the SSH fingerprint. Please look up the correct value at Linux Pool Machines.
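The fingerprint comparison described above can also be done before the key is ever accepted. The following is an added example, not part of the GSI documentation: it computes the SHA256 fingerprint of each key in known_hosts-format text (what ssh-keyscan prints) and keeps only the lines that match the published value. The function names and the sample keys are constructed for illustration; the real published fingerprint has to come from Linux Pool Machines.

```python
import base64
import hashlib
import struct


def sha256_fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in the form OpenSSH displays (unpadded base64)."""
    blob = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_scanned_keys(scan_output: str, published: str) -> list:
    """Return the known_hosts-format lines whose key matches `published`."""
    trusted = []
    for line in scan_output.splitlines():
        fields = line.split()
        # Skip comments, @markers and anything that is not "host type key".
        if len(fields) < 3 or fields[0][0] in "#@":
            continue
        try:
            fingerprint = sha256_fingerprint(fields[2])
        except ValueError:
            continue  # undecodable key material is never trusted
        if fingerprint == published:
            trusted.append(line)
    return trusted


def constructed_ed25519(fill: int) -> str:
    """Constructed (not real) ssh-ed25519 public key, for the demo only."""
    def ssh_string(data: bytes) -> bytes:
        return struct.pack(">I", len(data)) + data
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes([fill]) * 32)
    return base64.b64encode(blob).decode()


GOOD = constructed_ed25519(1)
ROGUE = constructed_ed25519(2)
# Constructed stand-in for the output of: ssh-keyscan lxlogin.gsi.de
SAMPLE_SCAN = (
    "# lxlogin.gsi.de:22 SSH-2.0-OpenSSH (constructed)\n"
    f"lxlogin.gsi.de ssh-ed25519 {GOOD}\n"
)

if __name__ == "__main__":
    # Assumption: in real use, `published` is the value from the GSI page.
    published = sha256_fingerprint(GOOD)
    for offered in (SAMPLE_SCAN, f"lxlogin.gsi.de ssh-ed25519 {ROGUE}\n"):
        lines = check_scanned_keys(offered, published)
        print("append to known_hosts:" if lines else "MISMATCH, do not connect", lines)
```

Only lines returned by check_scanned_keys should be appended to ~/.ssh/known_hosts; an empty result means the offered key does not match the published fingerprint.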

Hosts in this service provide a minimal setup for a restricted purpose. Therefore only a minimal set of software is installed. There is no graphical user interface available. Moreover, they do not have access to central home directories (/u/account). When you log in you get a new directory, which will be removed when the session is closed.

Use your GSI-Linux Account to log in to these servers. You can use SSH keys instead of your password even though the hosts do not mount the central home directories. The keys are collected every half hour from all central home directories (.ssh/authorized_keys) and are made available to the jump hosts.

The pool is highly available. This means that you can reconnect almost instantly when losing an SSH connection due to a faulty machine. Please see the instructions at Remote Access to Linux Machines to see how this process can be automated.

All machines in the pool are rebooted sequentially every Monday at 1 am. Open connections will be disconnected at that time, but the pool stays available continuously.

To permanently use lxlogin.gsi.de as a jump host without specifying it with every command, the following settings can be added to the ~/.ssh/config on the connecting client.

Host lxlogin.gsi.de
  # required to prevent ProxyJump loops
  ProxyJump none

Host *.gsi.de
  ProxyJump lxlogin.gsi.de
  # optional; replace account
  User account

The User option helps to keep ssh commands even shorter. With this configuration you would be able to connect to internal machines from the internet with only ssh %target%.gsi.de.

This setting should not be used on mobile computers that are regularly inside the GSI network or connected via VPN.

A connection with Bitvise SSH Client using lxlogin.gsi.de is possible in two steps.

  1. Create a profile with host "lxlogin.gsi.de" and your GSI Linux username. Under Proxy settings make sure that Use proxy is deactivated. This should be the case when Use global proxy settings is activated. Save the profile, e.g. as "lxlogin.gsi.de.tlp".
  2. Create a second profile with your target host, e.g. "lx-pool.gsi.de" and your GSI Linux username. Save the profile, e.g. as "lx-pool.gsi.de.tlp". Under Proxy settings check Use profile proxy settings (only available when the profile has been saved) and activate Use proxy. Select SSH as the proxy type, then click on Profile file. Search for the previously created profile (lxlogin.gsi.de.tlp). Save the profile again.

Now your second profile is using the first as a jump host and you should be able to connect from the internet.

If you want to connect to a Windows machine using RDP and lxlogin.gsi.de, see SSH tunnel for Windows.

Configure PuTTY as normal but then open the page Proxy. There set the Proxy type to "SSH to proxy and use port forwarding" (available since version 0.77), the Proxy hostname to "lxlogin.gsi.de" and the Port to "22". Optionally enter your GSI Linux account into Username.

For scp you can set the SSH option ProxyJump (shortcut -J).

scp -J account@lxlogin.gsi.de account@target.gsi.de:source target
scp -o ProxyJump=account@lxlogin.gsi.de account@target.gsi.de:source target

To mount a file system at GSI from outside you can use sshfs with the option ProxyJump.

sshfs -o ProxyJump=account@lxlogin.gsi.de account@target.gsi.de:source mountpoint

You could for example mount Lustre to ~/lustre:

sshfs -o ProxyJump=account@lxlogin.gsi.de account@files.hpc.gsi.de:/lustre ~/lustre

To redirect TCP traffic to internal machines from the internet (simple VPN) you can use sshuttle.

sshuttle -r account@lxlogin.gsi.de target.gsi.de

To use lxlogin.gsi.de to connect WinSCP to internal machines from the internet open the tunnel page. Enable Connect through SSH tunnel and enter "lxlogin.gsi.de" into the field Host name. Username and password are your GSI Linux credentials.
