Ruprecht-Karls-Universität Heidelberg

SSH Gateway

Restricted ssh Access From Internet to ARI

The Gateway

For security reasons we have to restrict access from the Internet to ARI computers. Access to the computers hosting your ARI-LAN account is possible only by ssh connections via the ARI gateway:

entry.ari.uni-heidelberg.de
alias gateway.ari.uni-heidelberg.de

The gateway is an ordinary Linux client which gives you access to all your files and applications.

Fingerprints

When you log in for the first time, you will be asked to accept the host key. For this purpose the fingerprint of the host key is shown. It should be one of these:

f0:aa:46:f9:ff:dc:99:51:f3:14:f8:0a:c5:cf:46:04
e2:45:d5:42:0e:ab:c5:ea:04:a7:9d:7d:a6:d1:a2:38
c2:f9:84:41:f6:8b:cb:3a:74:98:d8:84:fc:eb:f1:4b
f5:6c:6c:f7:0c:82:67:82:74:9a:5f:2f:e6:a9:f1:b4

If the presented fingerprint is different, you are on the wrong or a faked host and should not go on.
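The fingerprints above are in the older MD5 colon-hex form. Recent OpenSSH clients show SHA256 fingerprints by default, which cannot be compared with this list; run the first login with `ssh -o FingerprintHash=md5 ...`, or inspect the stored key afterwards with `ssh-keygen -l -E md5`. The following helper is an added example and not part of the ARI page: it extracts an MD5 fingerprint from whatever string you copied from the terminal (with or without the `MD5:` prefix, any letter case, or a whole `ssh-keygen` output line) and checks it against the four fingerprints copied from this page. The function names are my own.

```shell
#!/bin/sh
# Added example, not part of the ARI page: compare a presented host-key
# fingerprint against the MD5 fingerprints listed on the page.
# Recent OpenSSH prints SHA256 fingerprints by default; those cannot be
# compared with an MD5 list, so request the MD5 form with "-E md5".

# The four fingerprints copied from the page (the only trusted source for them).
ARI_FINGERPRINTS="
f0:aa:46:f9:ff:dc:99:51:f3:14:f8:0a:c5:cf:46:04
e2:45:d5:42:0e:ab:c5:ea:04:a7:9d:7d:a6:d1:a2:38
c2:f9:84:41:f6:8b:cb:3a:74:98:d8:84:fc:eb:f1:4b
f5:6c:6c:f7:0c:82:67:82:74:9a:5f:2f:e6:a9:f1:b4
"

# normalize_fp STRING: extract an MD5 fingerprint (16 colon-separated hex
# bytes) from STRING, e.g. "MD5:F0:AA:...:04" or a complete
# "ssh-keygen -l -E md5" output line, and print it in lowercase.
# Prints nothing when no MD5-style fingerprint is present (e.g. "SHA256:...").
normalize_fp() {
    printf '%s\n' "$1" \
        | tr '[:upper:]' '[:lower:]' \
        | sed -n 's/.*\([0-9a-f]\{2\}\(:[0-9a-f]\{2\}\)\{15\}\).*/\1/p' \
        | head -n 1
}

# fingerprint_ok STRING: exit status 0 if the fingerprint in STRING is one of
# the ARI gateway fingerprints, 1 otherwise (including unparsable input).
fingerprint_ok() {
    fp=$(normalize_fp "$1")
    [ -n "$fp" ] || return 1
    for known in $ARI_FINGERPRINTS; do
        [ "$fp" = "$known" ] && return 0
    done
    return 1
}

# check_gateway_key [HOST] [KNOWN_HOSTS]: after a first login, look the
# gateway up in your known_hosts file and report whether every stored key
# is in the list. "ssh-keygen -F" also finds hashed known_hosts entries.
check_gateway_key() {
    host="${1:-entry.ari.uni-heidelberg.de}"
    file="${2:-$HOME/.ssh/known_hosts}"
    ssh-keygen -l -E md5 -F "$host" -f "$file" 2>/dev/null \
        | grep -i 'md5:' \
        | while IFS= read -r line; do
            if fingerprint_ok "$line"; then
                echo "OK   $line"
            else
                echo "BAD  $line   (not in the list: do not continue)"
            fi
        done
}

# Usage, after the first login:
#   check_gateway_key entry.ari.uni-heidelberg.de
# or with a fingerprint copied from the terminal:
#   fingerprint_ok 'MD5:f0:aa:46:f9:ff:dc:99:51:f3:14:f8:0a:c5:cf:46:04' && echo trusted
```

A fingerprint that does not normalize (a SHA256 string, a typo, an empty line) is treated as "not ok" rather than as unknown, so the check fails closed.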

Knowledge

If you are not familiar with ssh, please read our ssh tutorial for Linux clients.

If you are a Windows user, additionally find and read a tutorial about the KiTTY or PuTTY client.

Getting access

You need an ssh key pair on your local host of type dsa, rsa, ecdsa, or ed25519.

You have to add your public ssh key to ~/.ssh/authorized_keys in your home directory at ARI, e.g.:

cat id_rsa.pub >> ~/.ssh/authorized_keys

This file has to be readable by everybody:

chmod a+r ~/.ssh/authorized_keys

If you are a Windows PuTTY user, please export your key in OpenSSH format.
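The two commands above append the key and make the file readable. As an added example, not taken from the ARI page, the script below does the same step in a form that can be rerun safely: it refuses anything that is not an OpenSSH-format public key line (the usual failure for PuTTY users who exported in PuTTY's own format), appends the key only if it is not already present, applies the `a+r` from the page, and then checks the permissions sshd itself insists on. With its default `StrictModes yes`, sshd ignores an authorized_keys file, a `.ssh` directory or a home directory that is writable by group or others. The function names and the `HOME` parameter (used so the script can be tried on a scratch directory) are my own.

```shell
#!/bin/sh
# Added example, not part of the ARI page: install a public key into
# ~/.ssh/authorized_keys as the page describes, without duplicates, and
# verify the permissions sshd needs. The page requires the file to be
# world-readable; in addition sshd (default "StrictModes yes") ignores an
# authorized_keys file, .ssh directory or home directory that is writable
# by group or others, so that is checked as well.

# check_perms [HOME]: return 1 if HOME, HOME/.ssh or HOME/.ssh/authorized_keys
# is writable by group or others, 0 otherwise.
check_perms() {
    home="${1:-$HOME}"
    rc=0
    for f in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$f" ] || continue
        # columns 6 and 9 of "ls -l" are the group-write and other-write flags
        flags=$(ls -ld "$f" | cut -c6,9)
        if [ "$flags" != "--" ]; then
            echo "WARNING: $f is writable by group or others; sshd will ignore it" >&2
            rc=1
        fi
    done
    return $rc
}

# install_pubkey PUBKEY_FILE [HOME]: append the key in PUBKEY_FILE (e.g.
# id_rsa.pub) to HOME/.ssh/authorized_keys if it is not there yet, set the
# permissions, and run check_perms.
install_pubkey() {
    pubfile="$1"
    home="${2:-$HOME}"
    sshdir="$home/.ssh"
    auth="$sshdir/authorized_keys"

    # one key per line; accept only the OpenSSH public key format
    key=$(head -n 1 "$pubfile")
    case "$key" in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-"*|"ssh-dss "*) ;;
        *) echo "ERROR: $pubfile is not an OpenSSH public key (PuTTY users: export in OpenSSH format)" >&2
           return 1 ;;
    esac
    # compare on key type and key material only; the trailing comment may differ
    key_blob=$(printf '%s\n' "$key" | awk '{print $1, $2}')

    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$auth"
    if grep -qF -- "$key_blob" "$auth"; then
        echo "key already present in $auth" >&2
    else
        printf '%s\n' "$key" >> "$auth"
    fi
    # readable by everybody, as the page requires, but never writable by others
    chmod a+r,go-w "$auth"
    check_perms "$home"
}

# Usage on the ARI side, after copying the public key there:
#   install_pubkey ~/id_rsa.pub
```

If `check_perms` prints a warning, fix the directory or file it names with `chmod go-w`; a key that is silently ignored by sshd is the most common reason for "Permission denied (publickey)" after the key was apparently installed.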

Operational mode

For security and reliability reasons, all processes are killed after 120 minutes of CPU time. There is also a regular reboot every Monday at 1 am CET/CEST.

Access to our internal web pages (advanced)

When you have an ssh-agent running, you can initiate an ssh tunnel to our local web proxy:

ssh -2 -X -N -f -L 8080:intraproxy.ari.uni-heidelberg.de:3128 username@gateway.ari.uni-heidelberg.de

In your web browser you now have to configure the newly created local proxy, localhost:8080. For Google Chrome this is easily done from the command line:

google-chrome --proxy-server="127.0.0.1:8080"

Timeout Problems?

If you suffer from timeouts in established, long-running ssh connections, please set the following in your ~/.ssh/config:

TCPKeepAlive yes
ServerAliveInterval 47
ServerAliveCountMax 2

See man ssh_config for more information.
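The proxy tunnel from the section above and these keepalive settings can be kept together in one `Host` stanza, so that the tunnel is started with `ssh -N -f ari-proxy` and the options are applied every time. The script below is an added example, not part of the ARI page: it appends such a stanza to an ssh client config file (only once) and provides start, status and stop helpers. The alias `ari-proxy`, the control socket name and the function names are my own; the host names, ports and keepalive values are those given on the page. Two settings go beyond the page's command line: the forwarded port is bound to 127.0.0.1 only, so nobody else on your local network can use the tunnel as a proxy into ARI, and `ExitOnForwardFailure yes` makes the background ssh exit instead of running silently without the forward when port 8080 is already taken.

```shell
#!/bin/sh
# Added example, not part of the ARI page: write a Host stanza for the ARI
# gateway into an ssh client config so that the proxy tunnel and the
# keepalive settings from the page are applied consistently.
# Assumptions (mine): the alias "ari-proxy" and the ControlPath name.

ARI_GATEWAY=gateway.ari.uni-heidelberg.de
ARI_PROXY=intraproxy.ari.uni-heidelberg.de

# write_ari_stanza USER [CONFIG_FILE]: append the stanza to CONFIG_FILE
# (default ~/.ssh/config) unless it is already there.
write_ari_stanza() {
    user="$1"
    cfg="${2:-$HOME/.ssh/config}"
    mkdir -p "$(dirname "$cfg")"
    if grep -q '^Host ari-proxy$' "$cfg" 2>/dev/null; then
        echo "stanza already present in $cfg" >&2
        return 0
    fi
    cat >> "$cfg" <<EOF

# ARI gateway with tunnel to the internal web proxy
Host ari-proxy
    HostName $ARI_GATEWAY
    User $user
    # bind to loopback only, so the tunnel is not usable by others on your LAN
    LocalForward 127.0.0.1:8080 $ARI_PROXY:3128
    # do not keep running if port 8080 could not be bound
    ExitOnForwardFailure yes
    # keepalives from the "Timeout Problems" section of the page
    TCPKeepAlive yes
    ServerAliveInterval 47
    ServerAliveCountMax 2
    # control socket, so the background tunnel can be checked and stopped
    ControlMaster auto
    ControlPath ~/.ssh/ari-proxy.sock
EOF
    # ssh refuses a config file that others can write; keep it private
    chmod 600 "$cfg"
}

# Tunnel helpers, all using the stanza above.
ari_tunnel_start()  { ssh -N -f ari-proxy; }        # start in the background
ari_tunnel_status() { ssh -O check ari-proxy; }     # is the master connection alive?
ari_tunnel_stop()   { ssh -O exit ari-proxy; }      # close the tunnel and the socket

# Usage:
#   write_ari_stanza username
#   ari_tunnel_start
#   google-chrome --proxy-server="127.0.0.1:8080"
#   ari_tunnel_stop
```

With the control socket in place, `ari_tunnel_status` tells you whether the background connection is still alive after a long idle period, which is the quickest way to see whether the keepalive values are doing their job.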

If you have root access to your computer, you can also add the following to /etc/ssh/sshd_config (this file configures the ssh server on your own computer, i.e. it affects connections made to your computer, not your connections to the gateway):

ClientAliveInterval 53

See man sshd_config for more information.