SSH Gateway
Restricted SSH access from the Internet to ARI hosts
Updated July 2024
Changes
- SSH port changed to port 4000 instead of port 22
- Public key necessary
- Provided more comprehensive config example
For security reasons, access to ARI computers from outside the ZAH network is restricted and only possible via a gateway computer named:
entry.ari.uni-heidelberg.de
Note that this is also true if you are connected via the university VPN.
Getting an account
To use the gateway, you will need an active ARI account. If you don't have one, please contact the admins at admin(at)zah.uni-heidelberg.de and we will advise you on how to proceed.
SSH Key
Besides the active account, you will also need an SSH key pair whose public key is placed in the ~/.ssh/authorized_keys file of your ARI account. If you supplied a key during the account creation process, this is already the case.
Access will temporarily work without this key under the following conditions, to give you the opportunity to place the key yourself:
- Connected from the university network (including VPN and Eduroam): until August 14th, 2024.
- Connected via wire from within the ARI: until August 28th, 2024.
If you can't meet these conditions, please contact us.
Generating an SSH key pair
If you don't have an SSH key pair yet, you can create it from a terminal like this:
ssh-keygen -t ed25519
It will ask you for a location for this key and a passphrase for the private key. It is strongly recommended to use a good, long passphrase and to unlock the key with an SSH key agent (which is integrated with your OS and unlocked upon login on most modern OSes). The command generates two files, by default named ~/.ssh/id_ed25519 and ~/.ssh/id_ed25519.pub. The id_ed25519 file is your private key and must never be shared with anyone. The id_ed25519.pub file is your public key and can be shared or sent by mail.
Placing your public key on the SSH gateway from Linux and MacOS
These steps will not work from outside the university network at all, and will not work from outside the ARI network after August 14th, 2024.
You can copy the public key to your ARI account's ~/.ssh/authorized_keys file like so:
ssh-copy-id -p 4000 -i ~/.ssh/id_ed25519.pub username@entry.ari.uni-heidelberg.de
Please adapt the username and the location of your public key file. Give the -p option before the host name: some versions of ssh-copy-id do not accept options placed after it.
Placing your public key on the SSH gateway from Windows
While Windows offers OpenSSH on Windows 10 and later, unfortunately the ssh-copy-id tool is not present there and you have to do this process manually.
As with MacOS and Linux, these steps will not work from outside the university network at all, and will not work from outside the ITA network after August 14th, 2024.
- Copy your SSH public key to the gateway host:
scp -P 4000 ~/.ssh/id_ed25519.pub username@entry.ari.uni-heidelberg.de:id_ed25519.pub
This will copy the file to your home directory on the gateway server.
- Log into the gateway:
ssh username@entry.ari.uni-heidelberg.de -p 4000
- Use ssh-copy-id to place the public key you just copied in the correct place:
ssh-copy-id -f -i ~/id_ed25519.pub username@entry.ari.uni-heidelberg.de
We use ssh-copy-id to copy the key on the gateway server itself because it creates the necessary files and directories if they are not present and ensures the correct permissions are set.
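For reference, this is what ssh-copy-id does on the gateway, written out as a shell function: it creates ~/.ssh and authorized_keys with the permissions sshd insists on and appends the key only if it is not already there. This is an added example, not part of the ARI/ZAH page; it assumes a POSIX shell and uses $HOME as the account to set up.

```shell
#!/bin/sh
# Added example, not from the ARI/ZAH page: the manual equivalent of running
# ssh-copy-id on the gateway itself. Assumes a POSIX shell; $HOME is the account.

# install_pubkey PUBKEY_FILE
# Returns 0 when the key was appended, 1 when it was already present, 2 on bad input.
install_pubkey() {
    pubkey_file=$1
    ssh_dir="$HOME/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    # A public key line is "<type> <base64 blob> [comment]". The comment is not part
    # of the key, so duplicates are detected on type and blob only.
    key_type=$(awk 'NR == 1 { print $1 }' "$pubkey_file")
    key_blob=$(awk 'NR == 1 { print $2 }' "$pubkey_file")
    case "$key_type" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-*|sk-ssh-ed25519@openssh.com|sk-ecdsa-*) ;;
        *) echo "not an OpenSSH public key file: $pubkey_file" >&2; return 2 ;;
    esac

    # sshd (StrictModes) ignores authorized_keys when the directory or the file is
    # writable by others; this is the usual reason a hand-copied key "does not work".
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_keys"
    chmod 600 "$auth_keys"

    if awk -v t="$key_type" -v b="$key_blob" \
           '$1 == t && $2 == b { found = 1 } END { exit !found }' "$auth_keys"; then
        echo "key already present in $auth_keys"
        return 1
    fi
    head -n 1 "$pubkey_file" >> "$auth_keys"
    echo "key added to $auth_keys"
}

# check_ssh_perms: returns 0 only if ~/.ssh is mode 0700 and authorized_keys is 0600.
check_ssh_perms() {
    ls -ld "$HOME/.ssh" | grep -q '^drwx------' &&
    ls -l "$HOME/.ssh/authorized_keys" | grep -q '^-rw-------'
}

# On the gateway, after copying the key with scp as described above (hypothetical call):
# install_pubkey ~/id_ed25519.pub && check_ssh_perms
```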
Simple usage of the gateway
First, use
ssh -Y username@entry.ari.uni-heidelberg.de -p 4000
to connect to the gateway host and there use
ssh -Y username@hostname.ari.uni-heidelberg.de
to connect further to an ARI Linux host.
Convenient usage of the gateway
Note: in the following you may have to replace the ~ by the full path of your SSH config file (e.g. /home/xxx/.ssh/config), where /home/xxx is your home directory on your home computer (or ARI desktop computer).
Configuration
Edit the ~/.ssh/config file (create it if not already there) on your home/desktop computer. It should contain the lines:
## Set special rules for the gateway machine
Host entry.ari.uni-heidelberg.de
    # set the port to connect to
    Port 4000
    # Replace with your actual ARI username
    User <ariusername>
    # Replace with the name of your actual private key file if different (e.g. id_ed25519)
    IdentityFile ~/.ssh/id_rsa
    ForwardAgent yes
    AddKeysToAgent yes
    # Uncomment this line on MacOS to integrate your SSH agent with the systemwide keychain.
    # This only works on MacOS and will generate an error elsewhere.
    #UseKeychain yes

# Set rules for all ari/zah.uni-heidelberg.de machines except the SSH gateway
Host !entry.ari.uni-heidelberg.de *.ari.uni-heidelberg.de *.zah.uni-heidelberg.de
    ProxyCommand ssh -q -a -x entry.ari.uni-heidelberg.de -W %h:%p
    IdentityFile ~/.ssh/id_rsa
    ForwardAgent yes
    AddKeysToAgent yes
    # Uncomment this line on MacOS to integrate your SSH agent with the systemwide keychain.
    # This only works on MacOS and will generate an error elsewhere.
    #UseKeychain yes
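To confirm what a config like this will actually do before connecting, ssh -G prints the effective settings for a host name without opening a connection. The script below is an added example, not part of the ARI/ZAH page; it assumes OpenSSH 6.8 or newer (for -G) and a hypothetical ARI username ariuser, and writes the config to a temporary file so your own ~/.ssh is untouched.

```shell
#!/bin/sh
# Added example, not from the ARI/ZAH page: resolves the effective OpenSSH settings
# for a host under the gateway config, using "ssh -G" (nothing is contacted).
# Assumes OpenSSH >= 6.8 and a hypothetical username "ariuser".

# write_example_config FILE: writes the gateway config the checks run against.
write_example_config() {
    cat > "$1" <<'EOF'
Host entry.ari.uni-heidelberg.de
    Port 4000
    User ariuser
    IdentityFile ~/.ssh/id_ed25519
    ForwardAgent yes
    AddKeysToAgent yes

# The ! excludes the gateway itself; without it ssh would try to proxy the
# gateway through the gateway.
Host !entry.ari.uni-heidelberg.de *.ari.uni-heidelberg.de *.zah.uni-heidelberg.de
    ProxyCommand ssh -q -a -x entry.ari.uni-heidelberg.de -W %h:%p
    IdentityFile ~/.ssh/id_ed25519
    ForwardAgent yes
    AddKeysToAgent yes
EOF
}

# effective KEYWORD CONFIG HOST: prints the value ssh resolves for KEYWORD
# (lower case, as ssh -G prints it), or nothing if it is unset for that host.
effective() {
    ssh -G -F "$2" "$3" 2>/dev/null |
        awk -v k="$1" '$1 == k { sub(/^[^ ]+ /, ""); print; exit }'
}

# The gateway must be reached directly on port 4000, never through a ProxyCommand.
check_gateway() {
    [ "$(effective port "$1" entry.ari.uni-heidelberg.de)" = 4000 ] &&
    [ -z "$(effective proxycommand "$1" entry.ari.uni-heidelberg.de)" ]
}

# Any other ARI/ZAH host must be proxied via the gateway on the default port 22.
check_inner_host() {
    effective proxycommand "$1" "$2" | grep -q 'entry\.ari\.uni-heidelberg\.de' &&
    [ "$(effective port "$1" "$2")" = 22 ]
}

cfg=$(mktemp)
write_example_config "$cfg"
check_gateway "$cfg" && echo "gateway: port 4000, connected directly"
check_inner_host "$cfg" example.ari.uni-heidelberg.de && echo "example.ari: via gateway"
rm -f "$cfg"
```

Running effective user on an inner host shows your local login name, because the second Host block sets no User; that is why the login command for inner hosts includes username@.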
Convenient login
ssh -X username@hostname.ari.uni-heidelberg.de
Please substitute username with your ITA username, and hostname with the computer of your choice, e.g. your desktop machine (NB: some ITA machines have local users with different usernames; use those where applicable).
After that, you are logged in through the gateway in one transparent step, and X forwarding works, i.e. you can start an xterm and it will open on your home computer.
Accessing your files
Most ARI file systems are also mounted on the machine entry.ari.uni-heidelberg.de, and you can copy your files directly to and from it with either scp or rsync.
After configuring the ~/.ssh/config, you can also directly use scp from your home computer to ARI, e.g. via
scp localfile entry.ari.uni-heidelberg.de:targetpath
How to use GUI applications
Most CLI applications that make internal use of SSH (e.g. scp, rsync or git) will use the SSH config file as prepared above and implicitly use the SSH gateway. The same is true for some graphical programs and IDEs.
Others can be configured to use a tunnel themselves if they don't rely on the system SSH client, or at least to import the system SSH config. How this is done varies wildly and is best looked up in your tool's documentation.
Unfortunately, there are a number of mostly graphical tools that can't be configured to use an SSH tunnel and would not work in our environment out of the box. However, there is an easy way around this: SSH has a feature called tunneling (port forwarding), which makes a network service that is only reachable behind an SSH connection appear locally on your machine.
If you want to access the machine example.ari.uni-heidelberg.de from such a program, you would first establish a tunnel in a shell like so:
ssh entry.ari.uni-heidelberg.de -L 2022:example.ari.uni-heidelberg.de:22
(With the ~/.ssh/config from above, port 4000 and your username are picked up automatically; without it, add -p 4000 and username@ as in the commands above.)
This makes the SSH service that is listening on port 22 on example.ari.uni-heidelberg.de available on port 2022 on your local machine. While this connection is open, you can configure your tool to connect to port 2022 on localhost instead of example.ari.uni-heidelberg.de.
SSH on Windows
Windows 10 and 11 have OpenSSH available, and this is the preferred and only supported version of SSH on Windows at ZAH. It mostly works like OpenSSH on Linux and MacOS.
Alternatively, you can use the newest version of PuTTY (at the very least 0.80 at the time of writing), but it works very differently from OpenSSH. In particular, the format of public and private keys is different and you have to take care to convert the keys yourself. Please note that we can offer only very limited support for PuTTY.
However, using any SSH client (including PuTTY) on any Windows version earlier than Windows 10 (e.g. WinXP, Win Vista, Win 7 or Win 8.x) to connect to ZAH systems is not allowed. As with Linux and MacOS, you are required to use a supported OS version with current updates in order to access our systems from outside.