SSH Gateway
Restricted ssh Access From Internet to ARI
The Gateway
For security reasons we have to restrict access from the Internet to ARI computers. Access to the computers hosting your ARI-LAN account is possible only through ssh connections via the ARI gateway:
entry.ari.uni-heidelberg.de
alias gateway.ari.uni-heidelberg.de
The gateway is an ordinary Linux client which gives you access to all your files and applications.
Fingerprints
When you log in for the first time, you will be asked to accept the host key, and the fingerprint of that host key is displayed. It should be one of these:
f0:aa:46:f9:ff:dc:99:51:f3:14:f8:0a:c5:cf:46:04
e2:45:d5:42:0e:ab:c5:ea:04:a7:9d:7d:a6:d1:a2:38
c2:f9:84:41:f6:8b:cb:3a:74:98:d8:84:fc:eb:f1:4b
f5:6c:6c:f7:0c:82:67:82:74:9a:5f:2f:e6:a9:f1:b4
If the presented key is different, you are on a wrong or faked host and should not continue.
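The fingerprints listed above are in the colon-separated MD5 format, while recent OpenSSH clients show SHA256 fingerprints by default (ssh -o FingerprintHash=md5 switches the display back). The shell functions below are an added example, not part of the original page: they compute the MD5 fingerprint of each key line printed by ssh-keyscan and accept only exact matches with the published list. The function names md5_fp, is_published and check_keys are hypothetical.

```shell
#!/bin/sh
# Added example: check host keys against the fingerprints published on this page.

# The four fingerprints copied from the list above, one per line.
PUBLISHED_FPS="f0:aa:46:f9:ff:dc:99:51:f3:14:f8:0a:c5:cf:46:04
e2:45:d5:42:0e:ab:c5:ea:04:a7:9d:7d:a6:d1:a2:38
c2:f9:84:41:f6:8b:cb:3a:74:98:d8:84:fc:eb:f1:4b
f5:6c:6c:f7:0c:82:67:82:74:9a:5f:2f:e6:a9:f1:b4"

# md5_fp LINE
# LINE has the form "host keytype base64blob" (ssh-keyscan output).
# Prints the MD5 of the decoded key blob as colon-separated hex pairs.
md5_fp() {
    printf '%s\n' "$1" | awk '{print $3}' | base64 -d 2>/dev/null |
        md5sum | cut -d' ' -f1 | sed 's/../&:/g; s/:$//'
}

# is_published FP
# Succeeds only if FP equals one whole published line (no partial matches).
is_published() {
    printf '%s\n' "$PUBLISHED_FPS" | grep -qxF -- "$1"
}

# check_keys
# Reads ssh-keyscan output on stdin. Returns 0 only if at least one key
# was read and every key has a published fingerprint.
check_keys() {
    seen=0
    bad=0
    while read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        fp=$(md5_fp "$line")
        seen=$((seen + 1))
        if is_published "$fp"; then
            echo "OK       $fp"
        else
            echo "MISMATCH $fp"
            bad=$((bad + 1))
        fi
    done
    [ "$seen" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Typical use before the first login:
#   ssh-keyscan entry.ari.uni-heidelberg.de 2>/dev/null | check_keys
```

An empty scan result counts as a failure, so a blocked or unreachable host is never reported as verified.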
Knowledge
If you are not familiar with ssh, please read our ssh tutorial for Linux clients.
If you are a Windows user, additionally find and read a tutorial about the KiTTY or the PuTTY client.
Getting access
You need an ssh key pair on your local host of type dsa, rsa, ecdsa, or ed25519.
You have to add your public ssh key to ~/.ssh/authorized_keys in your home directory at ARI. E.g.:
cat id_rsa.pub >> ~/.ssh/authorized_keys
This file has to be readable by everybody:
chmod a+r ~/.ssh/authorized_keys
If you are a Windows PuTTY user, please consider exporting the keys in the OpenSSH format.
Operational mode
For security reasons and for reliability, all processes are killed after 120 minutes of CPU usage. There is also a regular reboot each Monday at 1 am CET/CEST.
Access to our internal web pages (advanced)
When you have an ssh-agent running, you can initiate an ssh tunnel to our local web proxy.
ssh -2 -X -N -f -L 8080:intraproxy.ari.uni-heidelberg.de:3128 username@gateway.ari.uni-heidelberg.de
In your web browser you now have to configure the newly created local proxy: localhost:8080. For Google Chrome, this is easily done from the command line.
google-chrome --proxy-server="127.0.0.1:8080"
Timeout Problems?
If you suffer from timeouts in well-established, already running ssh connections, please set in your ~/.ssh/config
TCPKeepAlive yes
ServerAliveInterval 47
ServerAliveCountMax 2
See man ssh_config for more information.
If you have root access to your computer, you can also add in /etc/ssh/sshd_config:
ClientAliveInterval 53
See man sshd_config for more information.