IT Service: SSH Jump Hosts (lxlogin.gsi.de)

Quick guide

Jump hosts are machines dedicated to forwarding network traffic between different security zones. Hosts of this service forward SSH traffic.

At GSI these hosts enable all users with a Linux account to access internal networks from the internet. They have a minimal setup to reduce security risks and improve performance.

Service description

Jump hosts can be used in the following ways (with examples). For more information about SSH connections see Remote Access to Linux Machines.

  • As minimal login node: ssh gsilinuxaccount@lxlogin.gsi.de
  • As jump host, to reach an internal machine: ssh -J gsilinuxaccount@lxlogin.gsi.de user@target.gsi.de
    (E.g. for lx-pool.gsi.de: ssh -J gsilinuxaccount@lxlogin.gsi.de gsilinuxaccount@lx-pool.gsi.de)
  • For local port forwarding: ssh -L 8080:target.gsi.de:80 gsilinuxaccount@lxlogin.gsi.de
  • As simple VPN with sshuttle: sshuttle -r gsilinuxaccount@lxlogin.gsi.de target.gsi.de
  • For file access via SSHFS: sshfs -o ProxyJump=gsilinuxaccount@lxlogin.gsi.de user@target.gsi.de:/path mountpoint
    (E.g. for mounting Lustre to ~/lustre: sshfs -o ProxyJump=gsilinuxaccount@lxlogin.gsi.de gsilinuxaccount@files.hpc.gsi.de:/lustre ~/lustre)

When you connect for the first time, you will be asked to accept the SSH fingerprint. Please look up the correct value at Linux Pool Machines.
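
The following is an added example, not part of the original page or of GSI's tooling: it derives the SHA256 fingerprint the ssh client displays from a host key line in ssh-keyscan format, so the value can be compared with the published one before accepting. The key material is constructed (not the real lxlogin.gsi.de key), the published value is a stand-in, and all function names are hypothetical.

```python
import base64
import hashlib
import struct


def parse_key_line(line):
    """Split a 'host keytype base64blob' line (ssh-keyscan format) into (keytype, blob)."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected: host keytype base64blob")
    key_type = fields[1]
    blob = base64.b64decode(fields[2], validate=True)
    # The blob begins with a length-prefixed copy of the key type; a mismatch
    # means the line was truncated or edited.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type does not match key blob")
    return key_type, blob


def sha256_fingerprint(blob):
    """Fingerprint as OpenSSH prints it: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def matches_published(line, published):
    """True only if the key on `line` hashes to the published fingerprint."""
    _, blob = parse_key_line(line)
    return sha256_fingerprint(blob) == published.strip()


def constructed_line(host, seed):
    """Build a sample ed25519-shaped key line from constructed bytes (not a real host key)."""
    raw = hashlib.sha256(seed).digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode('ascii')}"


if __name__ == "__main__":
    expected = constructed_line("lxlogin.gsi.de", b"constructed sample A")
    # Stand-in for the value published on the Linux Pool Machines page.
    published = sha256_fingerprint(parse_key_line(expected)[1])
    other = constructed_line("lxlogin.gsi.de", b"constructed sample B")
    for label, line in (("expected key", expected), ("different key", other)):
        verdict = "accept" if matches_published(line, published) else "do NOT accept"
        print(f"{label}: {sha256_fingerprint(parse_key_line(line)[1])} -> {verdict}")
```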

Hosts in this service provide a minimal setup for a restricted purpose. Therefore, only a minimal set of software is installed. There is no graphical user interface available. Moreover, they do not have access to central home directories (/u/$gsilinuxaccount). When you log in, you get a new directory, which will be removed when the session is closed.

Use your GSI-Linux Account to log in to these servers. You can use SSH keys instead of your password even though the hosts do not mount the central home directories. The keys are collected every half hour from all central home directories (.ssh/authorized_keys) and are made available to the jump hosts.

The pool is highly available. This means that you can reconnect almost instantly when you lose an SSH connection due to a faulty machine. Please see the instructions at Remote Access to Linux Machines to see how this process can be automated.

All machines in the pool are rebooted sequentially every Monday at 1 am. During this time connections will be lost, but the pool will stay available.

A connection with Bitvise SSH Client using lxlogin.gsi.de is possible in two steps.

  1. Create a profile with host "lxlogin.gsi.de" and your GSI Linux username. Under Proxy settings, make sure that Use proxy is deactivated. This should be the case when Use global proxy settings is activated. Save the profile, e.g. as "lxlogin.gsi.de.tlp".
  2. Create a second profile with your target host, e.g. "lx-pool.gsi.de", and your GSI Linux username. Save the profile, e.g. as "lx-pool.gsi.de.tlp". Under Proxy settings, check Use profile proxy settings (only available when the profile has been saved) and activate Use proxy. Select SSH as the proxy type, then click on Profile file. Search for the previously created profile (lxlogin.gsi.de.tlp). Save the profile again.

Now your second profile is using the first as a jump host and you should be able to connect from the Internet.

To use lxlogin.gsi.de to connect WinSCP to internal machines from the Internet, open the tunnel page. Enable Connect through SSH tunnel and enter "lxlogin.gsi.de" into the field Host name. Username and password are your GSI Linux credentials.

Availability and support
