Use of SSH-Gateway

Introduction

This portal currently gives students and staff SSH access to other Leiden University systems. Authentication is provided by ULCN.

 


SSH-connection

 
localpc:/$ ssh <ulcn>@sshgw.leidenuniv.nl
sshgw:~> ssh <ulcn>@<backend server>
 
Or, more simply:
sshgw:~> ssh <backend server>
 
Or in one command:
localpc:/$ ssh -t <ulcn>@sshgw.leidenuniv.nl ssh <backend server>
 

 

Public Key authentication

For an explanation of password-less authentication with a public/private key pair, see for instance: https://help.ubuntu.com/community/SSH/OpenSSH/Keys

In short, you can publish your public key as follows:
localpc:/$ cat ~/.ssh/id_rsa.pub
copy output
 
sshgw:~> vi ~/.ssh/authorized_keys
paste your public key and save
Now, when you log on, it's password-less:
localpc:/$ ssh <ulcn>@sshgw.leidenuniv.nl
 
It is not necessary to put your private key on the SSH gateway. The gateway supports agent forwarding (the -A option), so the following command logs you in to 'backend' without a password.
localpc:/$ ssh -t -A <ulcn>@sshgw.leidenuniv.nl ssh <backend server>
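
The paste step above can also be scripted. This is an added example, not part of the original page: the function name install_pubkey and its return codes are this example's own, and it assumes you have already copied the .pub file to the gateway. It refuses private keys, avoids duplicate entries, and sets the permissions sshd expects.

```shell
# Added example: append a public key to authorized_keys safely.
# Usage: install_pubkey <public-key-file> [ssh-dir]   (ssh-dir defaults to ~/.ssh)
install_pubkey() {
    keyfile=$1
    sshdir=${2:-$HOME/.ssh}
    auth=$sshdir/authorized_keys

    [ -r "$keyfile" ] || { echo "cannot read $keyfile" >&2; return 1; }

    # Refuse anything that looks like a private key (id_rsa instead of id_rsa.pub).
    if grep -q 'PRIVATE KEY' "$keyfile"; then
        echo "refusing: $keyfile is a private key" >&2
        return 2
    fi

    # Use the first line only and require a known public-key type prefix.
    # The list of types is deliberately short; extend it if you use others.
    key=$(head -n 1 "$keyfile")
    case $key in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "refusing: not an OpenSSH public key" >&2; return 3 ;;
    esac

    # With StrictModes, sshd does not accept an authorized_keys file or
    # .ssh directory that group or others can write to.
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 4
    touch "$auth" && chmod 600 "$auth" || return 4

    # Append only if this exact line is not already present.
    if ! grep -qxF -e "$key" "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi
}
```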
 


X forwarding

 
localpc:/$ ssh -t -A -X <ulcn>@sshgw.leidenuniv.nl ssh -Y <backend server>
backend~:$ xclock
 


Public Key versus Home directory

Your Linux home directory is kerberized. Authentication for it is always with a password. If you want to use a public key, it has to be in a non-kerberized location:
sshgw:/vol/ssh-home/<ulcn>
Place your public key in: ~/.ssh/authorized_keys

kerberized path (access only possible with a ULCN password): sshgw:/vol/home/<ulcn> 

Either log on without a public key, or run kinit after a public-key logon:
localpc:/$ ssh <ulcn>@sshgw.leidenuniv.nl -o PubKeyauthentication=no
sshgw:/$ ls /vol/home/<ulcn>
OR
localpc:/$ vi ~/.ssh/authorized_keys
sshgw:~> ls homedir
sshgw:~> /bin/ls: cannot access homedir: Permission denied
sshgw:~> kinit
A prompt for your ULCN password appears
sshgw:~> ls homedir
 


sshfs

Mounting your home directory on your own system via sshfs is easy:
localpc:/$ sshfs <ulcn>@sshgw.leidenuniv.nl: /mnt/linuxhomedir -o PubKeyauthentication=no
 
Unmounting:
localpc:/$ fusermount -u /mnt/linuxhomedir
 

Seamless

You can make your ssh commands implicit by editing ~/.ssh/config on your local workstation:

Host <backend server>GW
ProxyCommand ssh -q <ulcn>@sshgw netcat -w 3 <backend server> 22
ForwardAgent yes


and then:
localpc:/$ ssh -X <ulcn>@<backend server>GW

 
Last Modified: 22-05-2015