
Secure Shell (SSH)

Clients

On Linux and Mac, all tools are present. On Windows use one of these:

Connect

How to connect from the Office or How to connect from abroad

Connect from the office by typing either of the following in a terminal. Replace [USERNAME] with your own.

ssh connections
ssh [USERNAME]@srvx1.img.univie.ac.at
ssh [USERNAME]@srvx8.img.univie.ac.at
ssh [USERNAME]@aurora.img.univie.ac.at
ssh [USERNAME]@jet01.img.univie.ac.at
ssh [USERNAME]@jet02.img.univie.ac.at
There are multiple options for the ssh client; please explore these by yourself if needed. This option is sometimes needed to forward a window to your local computer (Linux, or advanced Windows users):

The -X option enables X11 forwarding via ssh, i.e., permits opening graphical windows. On Windows you need to enter these details into the ssh client.

Consider using a ~/.ssh/config configuration file to allow easier access like this:

~/.ssh/config
# Host-specific blocks come first: ssh uses the first value it finds for
# each option, so the general defaults (Host *) belong at the end.
Host srvx1
    HostName srvx1.img.univie.ac.at

Host srvx8
    HostName srvx8.img.univie.ac.at

Host jet
    HostName jet01.img.univie.ac.at

Host srvx2jet
    HostName jet01.img.univie.ac.at
    ProxyJump srvx1.img.univie.ac.at

Host login
    HostName login.univie.ac.at
    User [U:Account USERNAME]

Host ecaccess
    HostName ecaccess.ecmwf.int
    # legacy algorithms, enabled for this host only
    HostKeyAlgorithms ssh-dss
    User [ECMWF USERNAME]
    KexAlgorithms diffie-hellman-group1-sha1
    Ciphers aes256-cbc

Host jump.ecmwf.int shell.ecmwf.int
    HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
    PubkeyAcceptedKeyTypes +ssh-rsa*
    User [ECMWF USERNAME]

# For ecgate and Cray HPCF
Host ecg* cc*
    HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
    PubkeyAcceptedKeyTypes +ssh-rsa*
    User [ECMWF USERNAME]
    ProxyJump shell.ecmwf.int

# For Atos HPCF
Host a?-* a??-* hpc-* hpc2020-* ecs-*
    HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
    PubkeyAcceptedKeyTypes +ssh-rsa*
    User [ECMWF USERNAME]
    ProxyJump jump.ecmwf.int

# Defaults for all hosts; used only where no block above set the option
Host *
    User [USERNAME]
    ServerAliveInterval 60
    ServerAliveCountMax 2

Replace [USERNAME] and [U:Account USERNAME] with your usernames. With such a file you can connect like this: ssh srvx1, which uses the correct server address and the specified username. Copy this file to login.univie.ac.at as well and you can use commands like this: ssh -t login ssh jet to connect directly to jet via the login gateway.

Please note the special (legacy) algorithms for ecaccess, which are set for that host only. ECMWF itself uses Teleport now.

From eduroam: You should be able to log in as above.

From the outer world: use the VPN or srvx1.img.univie.ac.at as jump host.

If you are a guest, you can apply for a guest u:account. This will give you access to eduroam and to the VPN. Your application needs to be endorsed by a staff member, who also determines the expiration date of the account. Please ask the sponsor first!

SSH Authentication with keys

If you want to use ssh-keys you can also use different keys in .ssh/config per server with IdentityFile ~/.ssh/id_enc_for_server.

Note: If you are having trouble with your ssh-key being accepted, you need to check the SELinux security policy, because we use non-standard home directories, which are not accepted by default. Do that by running:

Bash
ls -ldZ ~/.ssh/
drwx------. 2 monkey users system_u:object_r:ssh_home_t:s0 4.0K Aug 18 21:24 .ssh/

ls -lZ ~/.ssh/
-rw-------. 1 monkey users unconfined_u:object_r:ssh_home_t:s0  1.3K Aug 17 10:58 authorized_keys

If you are not seeing ssh_home_t, then you need to run restorecon -Rv ~/.ssh/ which should update the security policy and allow the SSH daemon to accept your keys.
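The check above can be scripted. The following is an added example, not part of the original page: it reads `ls -lZ` style lines, flags every entry whose SELinux type is not ssh_home_t, and also flags group- or world-writable entries, which sshd rejects as well under its default StrictModes setting. The function name is hypothetical, the sample lines are constructed (default_t stands in for a wrong label), and file names are assumed to contain no spaces.

```shell
#!/bin/bash
# Added example: find entries in ~/.ssh that sshd is likely to reject.

# check_ssh_labels: reads `ls -lZ` / `ls -ldZ` lines on stdin, prints one
# message per problem and returns 1 if any problem was found.
check_ssh_labels() {
    awk '
        NF < 6 { next }                      # skip "total N" and blank lines
        {
            n = split($5, ctx, ":")          # context = user:role:type:level
            type = (n >= 3) ? ctx[3] : "?"
            name = $NF
            if (type != "ssh_home_t") {
                printf "%s: SELinux type %s, expected ssh_home_t\n", name, type
                bad = 1
            }
            # mode string: character 6 = group write, character 9 = other write
            if (substr($1, 6, 1) == "w" || substr($1, 9, 1) == "w") {
                printf "%s: writable by group or others (%s)\n", name, $1
                bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: first line as on this page, second with a wrong label,
# third with a correct label but group write permission.
sample='drwx------. 2 monkey users system_u:object_r:ssh_home_t:s0 4.0K Aug 18 21:24 .ssh/
-rw-------. 1 monkey users unconfined_u:object_r:default_t:s0 1.3K Aug 17 10:58 authorized_keys
-rw-rw----. 1 monkey users unconfined_u:object_r:ssh_home_t:s0 420 Aug 17 10:58 config'

printf '%s\n' "$sample" | check_ssh_labels \
    || echo 'wrong label: restorecon -Rv ~/.ssh/   wrong mode: chmod go-w <file>'
```

On a real host, feed it the output of `ls -ldZ ~/.ssh/` and `ls -lZ ~/.ssh/`.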

Please add your ssh-keys via IPA

Find a solution Questions - How to use ssh-key authentication? or Questions - How to use an ssh-agent?

Connect Script

If you are using a terminal (Mac, Linux, WSL, ...) you can use the script Download: connect2jet like this:

Bash
connect2jet -g [U:Account-Username]@login.univie.ac.at [Jet-Username]@jet01.img.univie.ac.at

connect2jet
Connect to Jet
#!/bin/bash
# By Michael Blaschek
# Date 18.01.2021
# CC BY 4.0 International
# University of Vienna, Austria

# Description:
# Connect to Jet via a gateway server

help() {
    cat <<EOF
$0 -g [gateway] -p [port] -r [remote-port] user@remote
Options:
  -h                Help
  -g [gateway]      gateway server, e.g. user@login.univie.ac.at
  -p [port]         port to forward from jet to local, e.g. VNC port
  -r [port]         remote port if not the same as port
  -d                debug

Example:
   $0 -g [U:Account-Username]@login.univie.ac.at [Jet-Username]@jet01.img.univie.ac.at

EOF
}

debug=''
while getopts "g:p:r:hd" flag; do
    case "${flag}" in
    g) gateway=${OPTARG} ;;
    p) port=${OPTARG} ;;
    r) rport=${OPTARG} ;;
    d) debug='-v';;
    h | *)
        help
        exit 0
        ;;
    esac
done
shift $((OPTIND - 1))
command=""
remote=$1
script=$(basename "$0")

if [ "${remote}" == "" ]; then
    echo "Remote host required: [user]@[server]"
    help
    exit 1
fi

if [ -n "${port}" ]; then
    # -L local_port:destination_server_ip:remote_port
    if [ -n "${rport}" ]; then
        echo "Forwarding Port: $rport to $port"
        command="-L ${port}:localhost:${rport} "
    else
        echo "Forwarding Port: $port to $port"
        command="-L ${port}:localhost:${port} "
        rport=$port # make sure we use this
    fi

fi
# Override Term information to make sure we use the ones on the servers
# export TERM=xterm-256color
# Check if names are in .ssh/config
remote_status=false
gateway_status=false
if [ -e "$HOME/.ssh/config" ]; then
    # check if hosts are there
    # (double quotes so the variables expand; -F matches the name literally)
    if grep -qiF "Host ${remote}" "$HOME/.ssh/config"; then
        remote_status=true
    fi
    if [ -n "${gateway}" ]; then
        if grep -qiF "Host ${gateway}" "$HOME/.ssh/config"; then
            gateway_status=true
        fi
    fi
fi

if [ -n "${gateway}" ]; then
    echo "$gateway" | grep '@' >/dev/null
    # compare the flag as a string: [ ! false ] is never true
    if [ $? -eq 1 ] && [ "$gateway_status" != true ]; then
        echo "Could fail if not: [user]@[server], trying: $gateway"
    fi
    if [ -n "${port}" ]; then
        echo "Using gateway: $gateway to $remote "
        midport=$(($RANDOM % 1000 + 20000))  # 20000 - 21000
        echo "Port Forwarding via the gateway: $port : $midport : $rport"
        ssh $debug -L ${port}:localhost:${midport} -t $gateway ssh -L ${midport}:localhost:${rport} ${remote}
        echo "$(date) | ssh -L ${port}:localhost:${midport} -t $gateway 'ssh -L ${midport}:localhost:${rport} ${remote}'" >>.${script}.log
    else
        echo "Using gateway: $gateway to $remote "
        ssh $debug $command -t $gateway ssh ${command} ${remote}
        echo "$(date) | ssh $command -t $gateway 'ssh ${command} ${remote}'" >>.${script}.log
    fi
else
    # compare the flag as a string: [ ! false ] is never true
    if [ "$remote_status" != true ]; then
        echo "Could fail if not: [user]@[server]"
    fi
    echo "Direct connection to: ${remote}"
    ssh $debug ${command} ${remote}
    echo "$(date) | ssh ${command} ${remote}" >>.${script}.log
fi
echo "Command Log in  .${script}.log"

There is also an option to forward a port, e.g. the VNC Port:

Bash
connect2jet -g [U:Account-Username]@login.univie.ac.at -p 5901 [Jet-Username]@jet01.img.univie.ac.at
This allows you to connect to localhost:5901 and view the VNC session. Another possible gateway server is srvx1.img.univie.ac.at.
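The same VNC forward can be built with ProxyJump (-J), which this page already uses in ~/.ssh/config, so that no intermediate port is opened on the shared gateway; with two chained -L forwards the middle port listens on the gateway's loopback interface, where other users of that host can reach it. This is an added example, not part of connect2jet: the function names and the user names in the sample call are hypothetical, and it uses -N (tunnel only, no remote shell), which differs from the script.

```shell
#!/bin/bash
# Added example, not part of connect2jet. All function names are hypothetical.

# valid_port PORT MIN: PORT must be 1-5 digits and within MIN..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*|??????*) return 1 ;;
    esac
    [ "$1" -ge "$2" ] && [ "$1" -le 65535 ]
}

# valid_target [user@]host: allowlist of characters; a leading '-' is refused
# because ssh would parse such a value as an option
valid_target() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9@._-]*) return 1 ;;
    esac
}

# tunnel_cmd GATEWAY REMOTE LOCAL_PORT [REMOTE_PORT]
# Prints the ssh command line; returns 1 on invalid input.
tunnel_cmd() {
    local gateway="$1" remote="$2" lport="$3" rport="${4:-$3}"
    valid_target "$gateway" || { echo "bad gateway: $gateway" >&2; return 1; }
    valid_target "$remote"  || { echo "bad remote: $remote" >&2; return 1; }
    # local ports below 1024 need root; the remote end may be any port
    valid_port "$lport" 1024 || { echo "bad local port: $lport" >&2; return 1; }
    valid_port "$rport" 1    || { echo "bad remote port: $rport" >&2; return 1; }
    # -J            jump through the gateway without a listener on it
    # 127.0.0.1:... bind the local end to loopback only
    # -N            tunnel only, no remote shell
    # ExitOnForwardFailure: abort if the local port is already in use
    printf 'ssh -N -o ExitOnForwardFailure=yes -J %s -L 127.0.0.1:%s:localhost:%s %s\n' \
        "$gateway" "$lport" "$rport" "$remote"
}

# The VNC example from this page, with placeholder user names
tunnel_cmd 'uaccount@login.univie.ac.at' 'jetuser@jet01.img.univie.ac.at' 5901
```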

Tunneling

If you are connected to eduroam or you are on an external computer, you'll need to use an SSH tunnel. The instructions below refer to jet01, but you can do just the same with jet02.

On Linux, start Remmina, then:

  • Set "Server" to jet01.img.univie.ac.at:[DISPLAY] in the "Basic" tab
  • Move to the "SSH Tunnel" tab, check "Enable SSH Tunnel" and "Same server at port 22", and specify your favourite SSH authentication method.
  • Save and connect.

On Windows, you can use Bitvise SSH Client (for the SSH tunnel) and the RealVNC VNC Viewer or MobaXterm.

The setup might be a bit different for different clients, but all need this information:

Option Bitvise SSH Client/MobaXterm and RealVNC:

  • Start the SSH client
  • Go to tab "C2S" or SSH tunnels (port forwarding)
  • Set "Listen Interface" to 127.0.0.1
  • Set "Listening Port" to 5900+[DISPLAY], e.g., 5905
  • Set "Destination Host" to jet01.img.univie.ac.at
  • Set "Destination Port" to 5900+[DISPLAY]
  • Now start VncViewer and connect to 127.0.0.1:5900+[DISPLAY]

SSHFS

On Linux it is possible to mount your home directory on your personal computer via sshfs, or of course to use a dedicated remote file browser such as FileZilla, Cyberduck, ...

On Linux you need to install fuse2 and sshfs; the package names might vary between distributions, but they are all in the default repos.

Bash
# connect to srvx1 using your home directory and a srvx1 directory on your local computer
# mountserver [host] [remotedir] [localdir]
mkdir -p $HOME/srvx1
mountserver [USER]@srvx1.img.univie.ac.at /users/staff/[USER] $HOME/srvx1
Note the directories might vary, depending on your membership (staff, external, students).

MOSH

Remote terminal application that allows roaming, supports intermittent connectivity, and provides intelligent local echo and line editing of user keystrokes.

Mosh is a replacement for interactive SSH terminals. It's more robust and responsive, especially over Wi-Fi, cellular, and long-distance links.

In order to use:

  • install on your client, instructions

Bash
$ mosh user@srvx1.img.univie.ac.at

SSH Banner

If you log in to any of the IMGW servers you will be greeted by a banner showing some information about the system. However, after some time you might not need that information anymore.

Run the following and you will never see the banner again.

Bash
touch $HOME/.hushlogin
Remove that file and you will see it again.


Last update: February 29, 2024
Created: October 14, 2021