Ruprecht-Karls-Universität Heidelberg

SSH access to ITA systems

Restricted SSH access from the Internet to ITA hosts

Updated November 2024

Changes

  • SSH port changed to port 4000 instead of port 22
  • Public key necessary
  • Provided more comprehensive config example
  • All connections must go through the gateway computer.

For security reasons, access to ITA compute servers is restricted and only possible via a gateway computer named:

welcome.ita.uni-heidelberg.de 

Note that this is also true if you are connected via the university VPN or inside the wired ZAH network.

Software Requirements

You need a current operating system that is still supported by its vendor and an installation of OpenSSH. Operating systems that are out of vendor support are not allowed to connect to the ZAH systems, and no effort will be invested to get them working. To check whether your OS release is still supported, please see https://endoflife.date.

Examples of EOL systems (as of October 2024):

  • All versions of Windows before Windows 10 (and also some releases of Windows 10 and 11, see the link above).
  • All versions of MacOS before Version 13 (Ventura)
  • Debian 10 and earlier
  • All versions of Ubuntu before 24.04 except the LTS releases 22.04 and 20.04

To connect to an interactive terminal session, you need a recent version of OpenSSH. Other SSH implementations might work but might require additional steps such as key format conversions; please see the documentation of that software. This is especially true for Putty, which used to be the popular SSH implementation on Windows but is no longer needed, as all supported Windows 10 versions offer the option to install OpenSSH instead.

To remotely copy/edit files, you will need an SFTP client that can work with SSH keys. Examples are Cyberduck on Windows and MacOS or Transmit on MacOS (most Linux desktops should have a file manager with SFTP features installed by default).

Getting an account

To use the gateway, you will need an active ITA account. If you don't have one, please contact the admins at admin(at)zah.uni-heidelberg.de and we will advise you on how to proceed.

SSH Key

Besides the active account, you will also need an SSH key pair whose public key is placed in the ~/.ssh/authorized_keys file of your ITA account. If you supplied a key during the account creation process, this is already the case.

Access will temporarily work without this key under the following conditions, to give you the opportunity to place the key yourself:

  • Connected from the University network (including VPN and Eduroam): Until end of 2024.

If you can't meet these conditions, please contact us.

Generating an SSH key pair

If you don't have an SSH key pair yet, you can create it from a terminal like this:

ssh-keygen -t ed25519

It will ask you for a location for the key and a passphrase for the private key. It is strongly recommended to use a good, long passphrase and to unlock the key with an SSH agent (which is integrated with the OS and unlocked upon login on most modern systems). The command generates two files (by default ~/.ssh/id_ed25519 and ~/.ssh/id_ed25519.pub). The id_ed25519 file is your private key and must never be shared with anyone. The id_ed25519.pub file is your public key and can be shared or sent by mail.

Placing your public key on the SSH gateway from Linux and MacOS

These steps will not work from outside the university network at all. Until the end of 2024 this will work via the University VPN and Eduroam. In 2025, this will only work from within the wired ZAH (ARI/ITA) network.

You can copy the public key to your ITA account's ~/.ssh/authorized_keys file like so:

ssh-copy-id -i ~/.ssh/id_ed25519.pub -p 4000 username@welcome.ita.uni-heidelberg.de

Please adapt to your username and the location of your public key file.

Placing your public key on the SSH gateway from Windows

While Windows 10 and later ship OpenSSH, the ssh-copy-id tool is unfortunately not included, so you have to place the key manually.

As with MacOS and Linux, these steps will not work from outside the university network at all, and starting in 2025 they will only work from inside the wired ZAH (ITA/ARI) network.

  1. Copy your SSH public key to the gateway host (in cmd.exe, write %USERPROFILE%\.ssh\id_ed25519.pub instead of ~/.ssh/id_ed25519.pub; PowerShell expands the ~ itself):
    scp -P 4000 ~/.ssh/id_ed25519.pub username@welcome.ita.uni-heidelberg.de:id_ed25519.pub
    This will copy the file to your home directory on the welcome server.

  2. Log into the gateway:
    ssh -p 4000 username@welcome.ita.uni-heidelberg.de

  3. Use ssh-copy-id to place the public key you just copied in the correct location:
    ssh-copy-id -f -i ~/id_ed25519.pub username@welcome.ita.uni-heidelberg.de
    We use ssh-copy-id on the gateway server itself because it creates the necessary files and directories if they are not present and ensures the correct permissions are set.

Convenient usage of the gateway

Note: in the following you may have to replace the ~ by the full path of your home directory (e.g. /home/xxx/.ssh/config for the SSH config file), where /home/xxx is the home directory of your local account on your home computer (or ITA desktop computer).

Configuration

Edit the ~/.ssh/config file (create it if not already there) on your home/desktop computer. It should contain the lines:

## Set special rules for the gateway machine
Host welcome.ita.uni-heidelberg.de
    # set the port to connect to
    Port 4000
    # Replace with your actual ITA username
    User <itausername>
    # Replace with the name of your actual private key file if different (e.g. id_rsa)
    IdentityFile ~/.ssh/id_ed25519
    ForwardAgent yes
    AddKeysToAgent yes

    # Uncomment this line on MacOS to integrate your SSH agent with the systemwide keychain.
    # This only works on MacOS and will generate an error elsewhere.
    #UseKeychain yes

# Set rules for all ita/zah.uni-heidelberg.de machines except the SSH gateway
Host !welcome.ita.uni-heidelberg.de *.ita.uni-heidelberg.de *.zah.uni-heidelberg.de
    # Hop through the gateway: -W forwards the connection to the target host and port,
    # -a and -x keep agent and X11 forwarding switched off for the gateway hop itself
    ProxyCommand ssh -q -a -x welcome.ita.uni-heidelberg.de -W %h:%p
    IdentityFile ~/.ssh/id_ed25519
    ForwardAgent yes
    AddKeysToAgent yes

    # Uncomment this line on MacOS to integrate your SSH agent with the systemwide keychain.
    # This only works on MacOS and will generate an error elsewhere.
    #UseKeychain yes
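Before the first connection, you can check that the gateway block, the key file it names and the file permissions OpenSSH insists on are all in place. The following POSIX shell script is an added example, not ZAH's own tooling; it assumes the path of the config file is passed as an argument, inspects only the "Host welcome.ita.uni-heidelberg.de" block, and takes the gateway name and port from this page.

```shell
#!/bin/sh
# Pre-flight check for the gateway setup above (added example, not part of the ZAH documentation).
# Assumed interface: check_gateway_setup <path to ssh config>; gateway name and port are from the page.
GATEWAY="welcome.ita.uni-heidelberg.de"
GATEWAY_PORT=4000

# Print the value of one option from the "Host $GATEWAY" block (option names are case-insensitive).
config_value() {  # $1 = config file, $2 = option name
    awk -v host="$GATEWAY" -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "host" { inblock = 0; for (i = 2; i <= NF; i++) if ($i == host) inblock = 1; next }
        inblock && tolower($1) == key { print $2; exit }' "$1"
}

# Print a file's permission bits in octal (GNU stat first, then BSD/macOS stat).
file_mode() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# Return 0 when the gateway block, the key and the permissions are usable, 1 otherwise.
check_gateway_setup() {
    cfg=$1; rc=0
    [ -r "$cfg" ] || { echo "no readable ssh config at $cfg" >&2; return 1; }
    case "$(file_mode "$cfg")" in
        *[2367]?|*[2367]) echo "$cfg must not be writable by group/others (ssh refuses it)" >&2; rc=1 ;;
    esac
    port=$(config_value "$cfg" Port)
    [ "$port" = "$GATEWAY_PORT" ] || { echo "Host $GATEWAY: Port is '${port:-unset}', expected $GATEWAY_PORT" >&2; rc=1; }
    case "$(config_value "$cfg" User)" in
        ""|"<itausername>") echo "Host $GATEWAY: User is unset or still the placeholder" >&2; rc=1 ;;
    esac
    key=$(config_value "$cfg" IdentityFile | sed "s|^~|$HOME|")   # expand a leading ~ like ssh does
    if [ ! -f "$key" ]; then
        echo "IdentityFile '$key' not found (run: ssh-keygen -t ed25519)" >&2; rc=1
    else
        case "$(file_mode "$key")" in
            *00) ;;   # only the owner may read the private key
            *) echo "IdentityFile '$key' is readable by others; run: chmod 600 '$key'" >&2; rc=1 ;;
        esac
    fi
    return $rc
}
```

Run it as `sh check.sh ~/.ssh/config` after adding `check_gateway_setup "$1"` as the last line; every problem it finds is printed on stderr.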

Convenient login

ssh -X username@hostname.ita.uni-heidelberg.de 

Please substitute username with your ITA username and hostname with the computer of your choice, e.g. your desktop machine (NB: some ITA machines have local users with different usernames; use those where applicable).

After that, you are logged in through the gateway in one transparent step, and X-forwarding works, i.e. you can start an xterm and it will open on your home computer.

Accessing your files

Most ITA file systems are also mounted on the machine

welcome.ita.uni-heidelberg.de

and you can copy your files directly to and from it with either scp or rsync.

After configuring ~/.ssh/config, you can also use scp directly from your home computer to ITA, e.g. via

scp localfile welcome.ita.uni-heidelberg.de:targetpath 

How to use GUI applications

Most CLI applications that make internal use of SSH (e.g. scp, rsync or git) will use the SSH config file as prepared above and implicitly go through the SSH gateway. The same is true for some graphical programs and IDEs.

Others can be configured to use a tunnel themselves if they don't rely on the system SSH client, or at least to import the system SSH config. How this is done varies wildly and is best looked up in your tool's documentation.

Unfortunately, there are a number of mostly graphical tools that can't be configured to use an SSH tunnel and would not work in our environment out of the box. However, there is an easy way around this. SSH has a feature called tunneling (local port forwarding), with which a network service that is only reachable from behind an SSH connection is made to appear on a port on your local machine.

If you want to access machine example.ita.uni-heidelberg.de from such a program, you would first establish a tunnel in a shell like so:

ssh welcome.ita.uni-heidelberg.de -L 2022:example.ita.uni-heidelberg.de:22

This makes the SSH service listening on port 22 on example.ita.uni-heidelberg.de available on port 2022 of your local machine. While this connection is open, you can configure your tool to connect to port 2022 on localhost instead of to example.ita.uni-heidelberg.de. Note that your SSH client will then store the host key of example.ita.uni-heidelberg.de in known_hosts under the name [localhost]:2022, so a host key prompt on the first connection through the tunnel is expected.

SSH on Windows

Windows 10 and 11 have OpenSSH available, and this is the preferred and only supported SSH client on Windows at ZAH. It mostly works like OpenSSH on Linux and MacOS.

Alternatively, you can use the newest version of Putty (at the very least 0.80 at the time of writing), but it works very differently from OpenSSH. In particular, the format of public and private keys is different, and you have to take care of converting the keys yourself. Please note that we can offer only very limited support for Putty.

However, using any SSH client (including Putty) on any Windows version earlier than Windows 10 (e.g. WinXP, Win Vista, Win 7 or Win 8.x) to connect to ZAH systems is not allowed. As with Linux and MacOS, you are required to use a supported OS version with current updates in order to access our systems from outside.
