Use of SSH-Gateway


This portal currently gives students and staff SSH access to other Leiden University systems. Authentication is provided by ULCN.



localpc:/$ ssh <ulcn>
sshgw:~> ssh <ulcn>@<backend server>
Or, more simply:
sshgw:~> ssh <backend server>
Or in one command:
localpc:/$ ssh -t <ulcn> ssh <backend server>


Public Key authentication

For an explanation of passwordless (public/private key) authentication, see for instance here:

In short, you can publish your public key as follows:
localpc:/$ cat ~/.ssh/
copy output
sshgw:~> vi ~/.ssh/authorized_keys
paste your public key and save
Now, when you log on, it's password-less:
localpc:/$ ssh <ulcn>
It is not necessary to put your private key on the ssh-gateway. The gateway supports agent forwarding (the -A option), so the following command logs you in to 'backend' without a password.
localpc:/$ ssh -t -A <ulcn> ssh <backend server>
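
The paste step above, as an added example that is not part of the original page: a shell function, run on the gateway once the public key file has been copied there, that appends the key to authorized_keys with the permissions sshd expects, skips duplicates, and refuses a private key supplied by mistake. The name install_pubkey and its two arguments are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original page. install_pubkey and its
# arguments are hypothetical names chosen for this sketch.
# Usage: install_pubkey PUBKEY_FILE SSH_DIR   (SSH_DIR is normally ~/.ssh)
install_pubkey() {
    pub=$1
    dir=$2
    auth=$dir/authorized_keys

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # Only the public half is ever published; refuse private key material.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "refusing: $pub contains a private key" >&2
        return 1
    fi

    # First non-empty line must start with a common OpenSSH public key type.
    line=$(grep -v '^[[:space:]]*$' "$pub" | head -n 1)
    case $line in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-nistp*\ *) ;;
        *) echo "refusing: not an OpenSSH public key line" >&2; return 1 ;;
    esac

    # sshd's StrictModes (on by default) ignores authorized_keys when the
    # directory or file is writable by others, so create both owner-only.
    ( umask 077; mkdir -p "$dir" && touch "$auth" ) || return 1
    chmod 700 "$dir" || return 1
    chmod 600 "$auth" || return 1

    # Keep existing entries intact if the file lacks a trailing newline.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi

    # Idempotent: append only when this exact line is not already present.
    if ! grep -qxF -- "$line" "$auth"; then
        printf '%s\n' "$line" >> "$auth"
    fi
}

# When run as a script with two arguments, act on them.
if [ "$#" -eq 2 ]; then
    install_pubkey "$1" "$2"
fi
```

Running it twice with the same key leaves a single entry, and a file containing a private key is rejected without touching authorized_keys.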

X forwarding

localpc:/$ ssh -t -A -X <ulcn> ssh -Y <backend server>
backend~:$ xclock

Public Key versus Home directory

Your Linux home directory is kerberized. Authentication to it is always with a password. If you want to use a public key, it has to be stored in a non-kerberized location:
Place your public key in ~/.ssh/authorized_keys.

kerberized path (access only possible with a ULCN password): sshgw:/vol/home/<ulcn> 

Either log on without a public key, or, after a public-key logon, issue kinit:
localpc:/$ ssh <ulcn> -o PubKeyauthentication=no
sshgw:/$ ls /vol/home/<ulcn>
localpc:/$ vi ~/.ssh/authorized_keys
sshgw:~> ls homedir
sshgw:~> /bin/ls: cannot access homedir: Permission denied
sshgw:~> kinit
A prompt for your ULCN password appears
sshgw:~> ls homedir


Mounting your home directory on your end system via sshfs is easy:
localpc:/$ sshfs <ulcn> /mnt/linuxhomedir -o PubKeyauthentication=no
localpc:/$ fusermount -u /mnt/linuxhomedir


You can make your ssh commands implicit by editing ~/.ssh/config on your local workstation:

Host <backend server>GW
ProxyCommand ssh -q <ulcn>@sshgw netcat -w 3 <backend server> 22
ForwardAgent yes

and then
localpc:/$ ssh -X <ulcn>@<backend server>GW

Last modified: 22-05-2015