Access via SSH JUMPHOST
Access to the internal Linux workstations is also available through an SSH jump host, jump.fbk.eu, using key-based authentication.
To be granted access to the jump host, send your public SSH key as a file attachment to [email protected] with the subject "SSH via jump host access request". The key must be in OpenSSH format (a single line starting with the key type, e.g. ssh-rsa) and the file must be named <fbk_login_name>.pub. The same public key must also be appended to ~/.ssh/authorized_keys on the internal workstation, otherwise the second hop will still prompt for a password. ssh-dss (DSA) keys are not supported as they are weak. For maximum compatibility use RSA keys; the current ssh-keygen default (3072-bit RSA) is fine.
Linux/Unix/Mac openssh
From Windows 10 1803 onward, OpenSSH is installed by default; on earlier versions it must be installed. The .ssh configuration directory is %USERPROFILE%\.ssh for cmd or $env:USERPROFILE\.ssh for PowerShell. See config_jump_w10 as an example of a Windows 10 ssh config file.
To access <hostname>.fbk.eu with your default SSH key (typically ~/.ssh/id_rsa) the ssh command is:
ssh -J <fbk_login_name>@jump.fbk.eu <fbk_login_name>@<hostname>.fbk.eu
To use a different SSH key (here ~/.ssh/jump_key) the ssh command is:
ssh -o ProxyCommand="ssh -i ~/.ssh/jump_key -W %h:22 <fbk_login_name>@jump.fbk.eu" -i ~/.ssh/jump_key <fbk_login_name>@<hostname>.fbk.eu
A more flexible solution is to create a separate config file, config_jump:
#
# Define the jumphost
#
Host fbkjumphost
    Hostname jump.fbk.eu
    User <fbk_login_name>
    #
    # Specify a non-default private key
    #
    IdentityFile ~/.ssh/private_key_file
#
# Match all hosts except the jumphost (the negation keeps the jumphost
# itself from being reached through ProxyJump)
#
Host * !fbkjumphost
    Hostname %h
    #
    # Force the user name
    #
    User <fbk_login_name>
    #
    # Specify a non-default private key
    #
    IdentityFile ~/.ssh/private_key_file
    ProxyJump fbkjumphost
to be used in the ssh command:
ssh -F config_jump <hostname>.fbk.eu
NB: -J, -o and -F must precede the destination host; the config_jump file can be in any directory.
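The Host * !fbkjumphost pattern is what keeps the jumphost from being proxied through itself, and ssh_config takes the first value it obtains for each option, so block order matters. The following added example (written for this page, not part of the FBK documentation or of OpenSSH) resolves a config_jump-style file the way ssh(1) does for those two rules and checks two things a jump-host config should get right: that the ProxyJump target does not resolve back to itself, and that IdentitiesOnly yes is set so ssh offers only the listed key, which is the fix for the "Too many authentication failures" error described under Error Messages. The user name jdoe, the key path ~/.ssh/jump_key and the host names are placeholders; the config text is constructed for the example and adds IdentitiesOnly to the page's version.

```python
"""Resolve what ssh(1) would apply to a host from a config_jump-style file.

Added example for this page; not part of the FBK documentation or OpenSSH.
Models only: Host patterns with * and ? wildcards and ! negation, the
first-obtained-value-wins rule, and %h in Hostname. jdoe, ~/.ssh/jump_key
and the host names are placeholders (assumptions of this example).
"""
import fnmatch

# Constructed config: the page's config_jump plus IdentitiesOnly, so ssh
# offers only the listed key instead of every key found in ~/.ssh.
CONFIG_JUMP = """\
Host fbkjumphost
    Hostname jump.fbk.eu
    User jdoe
    IdentityFile ~/.ssh/jump_key
    IdentitiesOnly yes

Host * !fbkjumphost
    Hostname %h
    User jdoe
    IdentityFile ~/.ssh/jump_key
    IdentitiesOnly yes
    ProxyJump fbkjumphost
"""

# The same file with the negation dropped: the mistake this script detects.
BROKEN_CONFIG = CONFIG_JUMP.replace("Host * !fbkjumphost", "Host *")


def parse_blocks(text):
    """Split ssh_config text into [(host_patterns, [(key, value), ...])]."""
    blocks, patterns, options = [], ["*"], []  # options before any Host line apply to all
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((patterns, options))
            patterns, options = value.split(), []
        else:
            options.append((key, value))
    blocks.append((patterns, options))
    return blocks


def host_matches(patterns, host):
    """ssh_config(5): a matching negated pattern vetoes the whole Host line."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            positive = True
    return positive


def resolve(text, host):
    """Options ssh would use for `ssh host`: the first value obtained wins."""
    opts = {}
    for patterns, options in parse_blocks(text):
        if host_matches(patterns, host):
            for key, value in options:
                opts.setdefault(key, value)
    opts["hostname"] = opts.get("hostname", host).replace("%h", host)
    return opts


def check_jump_config(text, host):
    """Problems a jump-host config should not have for `ssh host`.

    ProxyJump is treated as a bare host alias (no user@ or :port parsing)."""
    problems = []
    opts = resolve(text, host)
    jump = opts.get("proxyjump")
    if jump and resolve(text, jump).get("proxyjump") == jump:
        problems.append(f"ProxyJump {jump} resolves to itself; add !{jump} to the Host pattern")
    if opts.get("identitiesonly", "no").lower() != "yes":
        problems.append("IdentitiesOnly is not set; ssh will offer every key in ~/.ssh")
    return problems


if __name__ == "__main__":
    for name, cfg in (("config_jump", CONFIG_JUMP), ("without negation", BROKEN_CONFIG)):
        print(name, resolve(cfg, "ws1.fbk.eu"), check_jump_config(cfg, "ws1.fbk.eu"))
```

To see what the real client resolves, run ssh -G -F config_jump <hostname>.fbk.eu; it prints the effective options without connecting. The script above models only Host matching and the first-match rule, not Match blocks, Include or tokens other than %h.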
Linux/Unix/Mac/Windows10 scp
Secure copy with the default key:
scp -o ProxyJump=<fbk_login_name>@jump.fbk.eu local_path <fbk_login_name>@<hostname>.fbk.eu:remote_path
Secure copy using a different key:
scp -o ProxyCommand="ssh -i ~/.ssh/jump_key -W %h:22 <fbk_login_name>@jump.fbk.eu" -i ~/.ssh/jump_key local_path <fbk_login_name>@<hostname>.fbk.eu:remote_path
Secure copy with the config file config_jump:
scp -F config_jump local_path <fbk_login_name>@<hostname>.fbk.eu:remote_path
NB: -o and -F must precede the path arguments.
Linux/Unix/Mac/Windows10 rsync
Remote sync with the default key, add to the rsync command:
--rsh "ssh -J <fbk_login_name>@jump.fbk.eu -l <fbk_login_name>"
Remote sync with different key, add to the rsync command:
--rsh "ssh -o ProxyCommand='ssh -i ~/.ssh/jump_key -W %h:22 <fbk_login_name>@jump.fbk.eu' -i ~/.ssh/jump_key -l <fbk_login_name>"
Remote sync with config file config_jump, add to the rsync command:
--rsh "ssh -F config_jump"
SSH Keys generation for Linux/Mac/Windows10
The process involves generating a pair of SSH key files containing a private key and a public key. The private key must be kept only on the user's computer; the public key is distributed to the remote servers. Users should pay particular attention not to lose the private key. A lost private key cannot be recovered; the user cannot access the remote server until a new key pair is generated and the new public key redistributed.
To create and save SSH key files from a shell or Terminal, issue the ssh-keygen command; see the example below:
test@demo:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/test/.ssh/id_rsa):
Created directory '/home/test/.ssh'.
Enter passphrase (empty for no passphrase):
The keys are saved to the default location or, if one was specified, to the given file. The public key has the extension .pub.
The passphrase is a local password that protects the private key; it is never sent to the remote server. If a private key is stolen, it cannot be used without the passphrase (a weak passphrase can still be brute-forced offline, so choose a strong one). We strongly discourage users from leaving the passphrase blank.
See man ssh-keygen for more information.
Other references
For more information please refer to Jump Hosts -- Passing Through a Gateway, check man ssh and man ssh_config for your distribution, or search for "ssh jump host".
Windows openssh
From Windows 10 1803 onward, OpenSSH is available as a command-line client. It can be started from cmd.exe or powershell.exe. We suggest installing the new terminal from Microsoft: https://github.com/microsoft/terminal, also available from the Microsoft Store.
Windows Putty
On Windows 10/11 we suggest using the integrated openssh client.
PuTTY has the ability to transparently jump with the included plink.exe utility. To set this up:
- Once, from a CMD prompt, run plink.exe <fbk_login_name>@jump.fbk.eu and accept the host key so that it is stored; the Fatal Error message that follows can be ignored.
- Load your jump host SSH key into Pageant.
- Open a PuTTY New Session window. In the Session category, enter the Host Name (or IP address) (<hostname>.fbk.eu) and Port (22) of the desired final destination.
- Under the Connection category select Proxy, and under Proxy type select Local. Enter jump.fbk.eu as both Proxy hostname and Exclude Hosts/IPs, delete any text under Telnet command, or local proxy command and enter the following:
plink.exe %user@%proxyhost -agent -nc %host:%port
- %user is replaced by the Username field content, %proxyhost by the Proxy hostname content, %host and %port by the Host Name (or IP address) and Port contents.
For a complete introduction to PuTTY see the PuTTY documentation.
SSH Keys Generation Putty
For putty ssh keys under windows see: Use SSH Keys With PuTTY On Windows or https://www.ssh.com/ssh/putty/windows/puttygen.
The public key used by the Jump Host must be in openssh format. In PuTTYgen, copy the contents of the "Public key to paste in the OpenSSH authorized keys file" field and save it on a file; this is the public key.
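Before mailing the key, it is worth checking that the file meets what the jump host section asks for: a single OpenSSH-format line named <fbk_login_name>.pub, not ssh-dss, and (for RSA) a sensible modulus size. The following added example is written for this page; it is not part of the FBK documentation, OpenSSH or PuTTY. It parses the public key blob (RFC 4251 strings and mpints) to verify that the type field matches the blob and to read the RSA size, and it recognises the RFC 4716 block that PuTTYgen's "Save public key" button writes, which is not the format the jump host accepts. The 3072-bit minimum is this example's own assumption (the page only says RSA), and the sample keys are constructed inside the script; they are structurally valid blobs, not real key material.

```python
"""Validate a .pub file before sending it as <fbk_login_name>.pub.

Added example for this page (not FBK, OpenSSH or PuTTY code). Checks:
one-line OpenSSH format, type field consistent with the blob, no ssh-dss,
RSA modulus of at least MIN_RSA_BITS. Sample keys are constructed below.
"""
import base64
import struct

# Assumption of this example: the page only says "use RSA"; 3072 bits is
# the current ssh-keygen default for RSA keys.
MIN_RSA_BITS = 3072


def _read_string(blob, pos):
    """Read one RFC 4251 'string' (uint32 big-endian length + bytes)."""
    if pos + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[pos:pos + 4])
    end = pos + 4 + n
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos + 4:end], end


def encode_pubkey(key_type, *mpints, comment=""):
    """Build an OpenSSH one-line public key from a type and mpint values.

    Used here only to construct sample inputs; real keys come from ssh-keygen.
    An mpint carries a leading 0x00 byte when its high bit is set.
    """
    blob = struct.pack(">I", len(key_type)) + key_type.encode()
    for value in mpints:
        raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
        blob += struct.pack(">I", len(raw)) + raw
    line = key_type + " " + base64.b64encode(blob).decode()
    return line + (" " + comment if comment else "")


def check_pubkey(text):
    """Return (ok, message) for the contents of a public key file."""
    text = text.strip()
    if text.startswith("---- BEGIN SSH2 PUBLIC KEY ----"):
        return (False, "RFC 4716 format (PuTTYgen 'Save public key'): paste the "
                "'Public key to paste into OpenSSH authorized_keys file' text "
                "instead, or convert it with: ssh-keygen -i -f <file>")
    parts = text.split()
    if len(parts) < 2 or "\n" in text:
        return False, "expected a single line: <type> <base64> [comment]"
    key_type, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)
        blob_type, pos = _read_string(blob, 0)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False, "second field is not a valid base64 key blob"
    if blob_type != key_type.encode():
        return False, f"type field {key_type} does not match blob type {blob_type!r}"
    if key_type == "ssh-dss":
        return False, "ssh-dss (DSA) keys are not accepted"
    if key_type == "ssh-rsa":
        try:
            _, pos = _read_string(blob, pos)       # public exponent e
            modulus, _ = _read_string(blob, pos)   # modulus n
        except ValueError:
            return False, "truncated ssh-rsa blob"
        bits = int.from_bytes(modulus, "big").bit_length()
        if bits < MIN_RSA_BITS:
            return False, f"RSA modulus is only {bits} bits; use at least {MIN_RSA_BITS}"
        return True, f"ssh-rsa {bits}-bit"
    # Other OpenSSH types (ssh-ed25519, ecdsa-*) parse fine; the page still
    # recommends RSA for maximum compatibility with the jump host.
    return True, f"{key_type} (not RSA; the page recommends RSA for compatibility)"


# Constructed samples: structurally valid blobs, not usable key material.
GOOD_RSA = encode_pubkey("ssh-rsa", 65537, (1 << 3071) | 1, comment="jdoe@laptop")
SMALL_RSA = encode_pubkey("ssh-rsa", 65537, (1 << 1023) | 1)
DSA_KEY = encode_pubkey("ssh-dss", 3, 5, 7, 11)
RFC4716_KEY = ("---- BEGIN SSH2 PUBLIC KEY ----\nComment: \"jdoe\"\n"
               + GOOD_RSA.split()[1] + "\n---- END SSH2 PUBLIC KEY ----\n")

if __name__ == "__main__":
    for name, key in [("GOOD_RSA", GOOD_RSA), ("SMALL_RSA", SMALL_RSA),
                      ("DSA_KEY", DSA_KEY), ("RFC4716_KEY", RFC4716_KEY)]:
        ok, msg = check_pubkey(key)
        print(f"{name}: {'OK' if ok else 'REJECT'} - {msg}")
```

To check a real file, read it and pass its contents to check_pubkey; ssh-keygen -l -f <file> gives the same type and size information from the command line, and the file name check (<fbk_login_name>.pub) is done by eye.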
Windows WinSCP
WinSCP can import and use Putty configurations.
Any working JumpHost Putty configuration can be used to configure the secure copy via JumpHost with WinSCP.
As for Putty the jump host SSH key must first be loaded into Pageant.
The JumpHost configuration is under the site Advanced Site Settings tab, Connection->Proxy section
Windows MobaXterm
On Windows 10 we suggest using the integrated OpenSSH client.
MobaXterm offers the capability to use a jump host to connect to a server.
Create a session as usual. In Basic SSH Settings insert <hostname>.fbk.eu as Remote host, check Specify Username and add <fbk_login_name>. In Advanced SSH Settings check Use private key and select the key file (OpenSSH format).
Finally, in Network Settings define jump.fbk.eu as Gateway SSH server, specify <fbk_login_name> as User, check Use private key and select the key file (openssh format).
SSH Keys generation MobaXterm
For the generation and use of SSH keys in MobaXterm, please see the official documentation: https://mobaxterm.mobatek.net/documentation.html#6_3_2
Error Messages
Common error messages are:
- <login_name>@jump.fbk.eu: Permission denied (publickey).
The private SSH key offered does not match the public key registered for the jump host.
- Received disconnect from 217.77.82.20 port 22:2: Too many authentication failures.
By default ssh offers every private key found under $HOME/.ssh/ to the server. To limit key-guessing attacks, the jump host denies access after 3 failed attempts. Use the IdentitiesOnly and IdentityFile directives (see man ssh_config) or the alternate config file described above, so that only the registered key is offered.
- Login prompt from the internal host
The public SSH key registered for the jump host is missing from $HOME/.ssh/authorized_keys on the internal server.
For different error messages, please notify [email protected].
BASTION
Remote access to internal workstations is available without any VPN, through a browser, by connecting to bastion.fbk.eu with your FBK credentials.
The supported protocol types are: SSH, VNC or RDP.
To access the service, send an e-mail to [email protected] with the subject "Add new connection on Bastion" and specifying the following information:
- Protocol type: VNC, SSH or RDP
- Name of the workstation you want to connect to
- VNC server listening port previously configured by the user (VNC connections only)
Once the request has been processed, the connection to the workstation will be made available to the applicant: it will then be visible on bastion.fbk.eu
VPN connection request
The methods of accessing the FBK trusted network described above cover most of the needs of FBK users.
If the use of the VPN connection is necessary, the user must send an email to [email protected] with the subject "VPN enablement request", specifying:
- why the VPN connection is needed
- whether the computer from which you open the connection is self-managed or managed by FBK
Frequently asked questions and concerns
F.A.Q.
How do I access the FBK network from home or from the university?
To connect to the trusted FBK network, in most cases, you can use BASTION (RDP, SSH, VNC) and JUMPHOST (SSH). For special needs, please send an e-mail to [email protected].