Remote access to trusted FBK networks

Learn how to access the trusted FBK network remotely. You can access FBK networks from outside with two different VPN systems using the methods described here.


Access to the internal linux workstation is also available via a  SSH Jump Host : using  key based  authentication.

To be granted access to the jump host, send your public ssh key as file attachment to specifying in the subject: "SSH via jump host access request".  The key must be in openssh format and have  file name: <fbk_login_name>.pub. The same key should be copied inside ~/.ssh/authorized_keys in the  local computer to avoid any further password prompt. ssh-dss (DSA) keys are not supported as they are weak.  For maximum compatibility use RSA keys.

Linux/Unix/Mac openssh

From Windows 10 1803 onward, openssh is installed by default. For versions prior to Windows 10 1803, it must be installed. The .ssh configuration directory is under  $ENV:HOMEPATH/ for powershell or %HOMEPATH% for cmd. See config_jump_w10  as example of windows 10 ssh config file.

To access <hostname>  with your default ssh key (typically ) the ssh command is:

                     ssh -J <fbk_login_name> <fbk_login_nam>@<hostname>

To use a different ssh key (jump_key)  the ssh command is:

                      ssh -o ProxyCommand="ssh -i  ~/.ssh/jump_key   -W %h:22 <fbk_login_name>" -i  ~/.ssh/jump_key <fbk_login_name>@<hostname>

A more flexible solution is  create a separate config file, config_jump:

# Define the jumphost
Host fbkjumphost
  User <fbk_login_name>
# Specify a non default private key
  IdentityFile ~/.ssh/private_key_file
# Match all host except jumphost
Host * !fbkjumphost
 Hostname %h
# Force user name
 User <fbk_login_name>
# Specify a non default private key
 IdentityFile ~/.ssh/private_key_file
 ProxyJump fbkjumphost


to be used in the ssh command:

                     ssh -F config_jump <hostname>

NB: -J, -o, -F must precede any other option, the config_jump file can be in any directory

Linux/Unix/Mac/Windows10 scp

Secure copy  with the default key:

                     scp -o ProxyJump=<fbk_login_name> local_patch  <fbk_login_name>@<hostname>


Secure copy using a different key:

                     scp -o ProxyCommand="ssh -i  ~/.ssh/jump_key   -W %h:22 <fbk_login_name>" - i~/.ssh/jump_key  local_path <fbk_login_name>@<hostname> local_path


Secure copy wIth config file config_jump:

                     scp -F config_jump local_path <fbk_login_name>@<hostname>

NB: -o, -F must precede any other option

Linux/Unix/Mac/Windows10 rsync

Remote sync with the default key, add to the rsync command:

                     --rsh "ssh -J <fbk_login_name> -l <fbk_login_name>"

Remote sync with  different key, add to the rsync command:

                       --rsh "ssh -o ProxyCommand='ssh -i  ~/.ssh/jump_key   -W %h:22 <fbk_login_name>'  - i ~/.ssh/jump_key -l <fbk_login_name>"


Remote sync with config file config_jump, add to the rsync command:

                       --rsh "ssh -F config_jump"

SSH Keys generation for Linux/Mac/Windows10

The process involves generating a pair of SSH key files containing a private key and a public key. The private key must be kept only into the user’s computer; the public key will be distributed to the remote servers.  Users should pay particular attention not to not lose the private key. A lost private key cannot be replicated; therefore, the user cannot access the remote server  until a new key pair is generated and the public key redistributed.

To create and save SSH key files from a shell or Terminal, issue the ssh-keygen command; see the example below:

test@demo:~$ ssh-keygen

  Generating public/private rsa key pair.

  Enter file in which to save the key (/home/test/.ssh/id_rsa):

  Created directory '/home/test/.ssh'.

  Enter passphrase (empty for no passphrase)

The keys save to the default location or, if one was specified, in a separate file. The public key has the extension .pub .

The passphrase is a local password to further protect the private key and it is never sent to the remote server. If a private key is stolen, it is useless without the passphrase. We strongly discourage users from leave phrasecose blank.

man ssh-keygen for more information

Other references

For more information please refer to Jump Hosts -- Passing Through a Gateway, check   man ssh  and man ssh_config for your distribution or just google "ssh jump host".

Windows openssh

From Windows 10  1803 onward, openssh is available as a command line. It can be started from cmd.exe or powershell.exe. We suggest installing the new terminal from Microsoft: available also from Microsoft Store.

Windows Putty

On Windows 10/11 we suggest using the integrated openssh client.

PuTTY has the ability to transparently jump with the included plink.exe utility. To set this up:

  • Once from a CMD run plink.exe <fbk_login_name>, store the key; ignore the Fatal Error message.
  • Load your jump host SSH key into Pageant.

Open a PuTTY New Session window. In the Session category, enter the Host Name (or IP address)  (<hostname> and Port (22) of the desired final destination.

    • Under the Connection category, select Proxy, and under Proxy type select Local. Add as both Proxy Hostname and Exclude Hosts/IPS
    On the same Proxy screen, add your <fbk_login_name> as Username field (Password field is ignored);
    delete any text under Telnet command, or local proxy command and enter the following:
                     plink.exe %user@%proxyhost -agent -nc %host:%port
  • %user will be replaced by the Username  field content, %proxyhost from Proxy Hostname content, %host from Host Name (or IP address) content.
In figura la configurazione di putty

For a complete introduction to  putty  see Putty

SSH Keys Generation Putty

For putty ssh keys  under windows see: Use SSH Keys With PuTTY On Windows or

The public key used by the Jump Host must be in openssh format. In PuTTYgen, copy the contents of the "Public key to paste in the OpenSSH authorized keys file" field and save it on a file; this is the public key.

Windows WinSCP

WinSCP can  import and use Putty configurations.

Any working JumpHost Putty configuration can be used to configure the secure copy via JumpHost with WinSCP. 

As for Putty the  jump host SSH key must first be loaded into Pageant.

The JumpHost configuration is under the site Advanced Site Settings tab, Connection->Proxy section

Windows MobaxTerm

On Windows10 we suggest using the integrated openssh client.

MobaXterm offers the capability to use a jump host to connect to a server.

Create a session as usual, in Basic SSH Settings insert <hostname> as Remote host, check Specify Username and add <fbk_login_name>. in Advanced SSH Settings check Use private key and select the  key file (openssh format).

FBK-Povo at night

Finally, in Network Settings define as Gateway SSH server, specify <fbk_login_name> as User,  check Use private key and select the key file (openssh format).

SSH Keys generation MobaxTerm

For the generation and use of ssh keys in MobaxTerm, please see to the official documentation: 

Error Messages

Common error messages are:

  • <login_name> Permission denied (publickey).  
    The private ssh key sent does not match the public key registered for the jump host
  • Received disconnect from port 22:2: Too many authentication failures.
    All the  private  ssh keys found  under  user $HOME/.ssh/ are sent to the server. To avoid key based attack , after 3 attempts the jump host will deny access.
    Please use directives IdentitiesOnly and IdentityFile ( see man ssh_config) or the alternate config file described above. 
  • Login prompt from internal host
    The public ssh key registered for the jump host is missing inside $HOME/.ssh_authorized_keys on the internal server.

For different error messages, please notify


Remote access to internal workstations is available without the aid of any VPN via a browser by connecting to with your FBK credentials.
The supported protocol types are: SSH, VNC or RDP.
To access the service, send an e-mail to with the subject "Add new connection on Bastion" and specifying the following information:
- Protocol type: VNC, SSH or RDP
- Name of the workstation you want to connect to
- Vncserver listening port previously configured by the user (Only for VNC connections)
Once the request has been processed, the connection to the workstation will be made available to the applicant: it will then be visible on

VPN connection request

The methods of accessing the FBK trusted network described above cover most of the needs of FBK users.

If the use of the VPN connection is necessary, the user must send an email to with the subject "VPN enablement request", specifying:

  • why to use the VPN connection
  • whether the computer from which you open the connection is self-managed or managed by FBK

Frequently asked questions and concerns


How do I access the FBK network from home/ from the university?

To connect to the trusted FBK network, in most cases, you can use BASTION (RDP, SSH, VNC) and JUMPHOST (SSH). For special needs, please send an e-mail to