IT Service: SSH Jump Hosts (lxlogin.gsi.de)
Quick guide
Jump hosts are machines dedicated to forwarding network traffic between different security zones. Hosts of this service forward SSH traffic.
At GSI these hosts enable all users with a Linux account to access internal networks from the internet. They have a minimal setup to reduce security risks and improve performance.
Service description
Jump hosts can be used in the following ways (with examples). For more information about SSH connections see Remote Access to Linux Machines.
- As minimal login node:
ssh lxlogin.gsi.de
- As jump host, to reach an internal machine:
ssh -J lxlogin.gsi.de target.gsi.de
(E.g. for lx-pool.gsi.de: ssh -J lxlogin.gsi.de lx-pool.gsi.de)
- For local port forwarding:
ssh -L 8080:target.gsi.de:80 lxlogin.gsi.de
- As simple VPN with sshuttle:
sshuttle -r lxlogin.gsi.de target.gsi.de
- For file access via SSHFS:
sshfs -o ProxyJump=lxlogin.gsi.de target.gsi.de:/path mountpoint
(E.g. for mounting Lustre files.hpc.gsi.de:/lustre to ~/lustre: sshfs -o ProxyJump=lxlogin.gsi.de files.hpc.gsi.de:/lustre ~/lustre)
When you connect for the first time, you will be asked to accept the SSH fingerprint. Please look up the correct value at Linux Pool Machines and compare it before accepting.
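The fingerprint comparison described above can also be done before the first login. This is an added example, not part of the GSI documentation: it computes the SHA256 fingerprint of each key line in `ssh-keyscan` output and compares it with the published value. It assumes the published fingerprint is in OpenSSH's `SHA256:` format; the key and fingerprint below are constructed sample values.

```python
import base64
import hashlib

def sha256_fingerprint(key_b64):
    """Fingerprint as OpenSSH prints it: 'SHA256:' + unpadded base64 of SHA-256(key blob)."""
    blob = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")

def parse_keyscan(text):
    """Yield (hostnames, key_type, key_b64) from ssh-keyscan / known_hosts lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue  # comment, blank or malformed line
        yield fields[0].split(","), fields[1], fields[2]

def verify_host(text, host, expected_fp):
    """Return the key types offered for `host` whose fingerprint equals expected_fp."""
    matches = []
    for names, key_type, key_b64 in parse_keyscan(text):
        if host not in names:
            continue
        try:
            fingerprint = sha256_fingerprint(key_b64)
        except ValueError:
            continue  # not valid base64, so not a usable key line
        if fingerprint == expected_fp:
            matches.append(key_type)
    return matches

# Constructed sample data: a syntactically valid ed25519 blob with dummy key bytes.
SAMPLE_BLOB = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))
SAMPLE_KEY = base64.b64encode(SAMPLE_BLOB).decode("ascii")
SAMPLE_SCAN = (
    "# lxlogin.gsi.de:22 SSH-2.0-OpenSSH (constructed banner line)\n"
    f"lxlogin.gsi.de ssh-ed25519 {SAMPLE_KEY}\n"
)
# In real use this value is typed in from the Linux Pool Machines page.
PUBLISHED_FP = sha256_fingerprint(SAMPLE_KEY)

if __name__ == "__main__":
    ok = verify_host(SAMPLE_SCAN, "lxlogin.gsi.de", PUBLISHED_FP)
    print("match:" if ok else "MISMATCH, do not accept the host key", ok)
```

In real use, replace SAMPLE_SCAN with the output of `ssh-keyscan lxlogin.gsi.de`; an empty result means no offered key matches the published fingerprint.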
Hosts in this service provide a minimal setup for a restricted purpose. Therefore, only a minimal set of software is installed. There is no graphical user interface available. Moreover, they do not have access to central home directories (/u/$account). When you log in, you get a new directory, which will be removed when the session is closed.
Use your GSI-Linux-Account to log in to these servers. You can use SSH keys instead of your password even though the hosts do not mount the central home directories. The keys are collected every half hour from all central home directories (.ssh/authorized_keys) and are made available to the jump hosts.
The pool is highly available. This means that you can reconnect almost instantly when losing an SSH connection due to a faulty machine. Please see the instructions at Remote Access to Linux Machines for how this process can be automated.
All machines in the pool are rebooted sequentially every Monday at 1 am. During this time connections will be lost, but the pool will stay available.
Availability and support
- On-call duty: covered
- Support email: linux-service @ gsi.de