SSH Access

SSH offers you a secure encrypted connection to remote computers. Eg. if you want to connect to your Linux PC at work from home you can use any ssh client program to connect. However when accessing PSI from outside the campus, you must first access the gateway balrog.psi.ch with SSH and login using your PSI account to get access to the PSI network. Once you have done this, keep the session open and login as normal to the destination system with SSH in a new session window. All applications which use SSH must first get bypass acceptance by the gateway before logging in. The authentication is only valid for the system, from which the first session originated.

You must have a PSI account to login, so this access method is only available to PSI employees. For well defined exceptions extermal persons can also apply for a remote access account.

SSH from Unix Systems

First, you must authenticate yourself against the gateway machine:
$ ssh <user>@balrog.psi.ch 
$ Password: <password>


linux login fw.png

After a successful authentification on the gateway you keep this window open and start a ssh session as usual in a new window.
$ ssh <user>@<host>


linux login llc.png

SSH from Windows with PuTTY

First, you must connect to the gateway machine. For this start PuTTY (no installation needed on PSI Standard Systems!), type in balrog.psi.ch as a host and click OK: putty fw.png

then authenticate

windows login fw.png

After succesful authentication you see:

windows fw.png

This session must be kept open. It is your gateway to PSI. And now you start putty in an new window again and connect to the desired host :

putty llc.png

Authentication e.g. for the Linux Login Cluster:

windows login llc.png

After succesfull authentication

windows llc.png

Access a Windows Machine via Remote Desktop through a tunnel

Once you have an open connection to Balrog, you can establish a tunnel which allows you to connect to a Windows System via Remote Desktop. (Of course you can connect to many other services, Remote Desktop is just an example that is often needed. Note that other serives require different ports to be opened).

First of all, crete a new Putty session, the host is called llc.psi.ch (in fact, any available Linux machine would do): ssh-rdp-tunnel1.png

Then, you neet to establish the tunnel to Port 3398 (this is the remote desktop protocol) on the target machine (here PC4711): ssh-rdp-tunnel2.png

Finally connect to the other end of the tunnel (here we chose port 9000): ssh-rdp-tunnel3.png

Note that port 3389 is specific to Remote Desktop Connections. Other useful ports:
Port Number Used for
3389 Remote Desktop
5900 VNC
445 Windows File Server (insted of a PC name, you need to use a server name like fs00, fs01 or fs02)

NX Nomachine client

The NX client is the recommended toolto remotely access to a graphical user session to a Linux machine. It is much faster than standard remote access X windows, especiallly over wide area network connections.

The first step of the login proocedure is identical to the description above for ssh clients. After having opened the connection via the gateway machine you can start the NX client as usual and connect to the target system (which must of course be prepared for NX sessions, i.e. the NSX server software must be installed on the target machine).

Batch jobs

Add the following lines to the start of your bash script, before any calls to ssh/scp take place
  USERNAME=gsell                                                                (1)
  KRB5KTABNAME=~/.krb5/keytab                                                   (2)
  MYUID=$( id -u ) || exit 1                                                    (3)
  export KRB5CCNAME=$( mktemp /tmp/krb5cc_${MYUID}_XXXXXX ) || exit 1           (4)
  kinit -k -t ${KRB5KTABNAME} ${USERNAME}@D.PSI.CH || exit 1                    (5)
  ssh -o "GSSAPIAuthentication yes"  -N ${USERNAME}@balrog.psi.ch  &            (6)
  ssh_pid=$!                                                                    (7)
  sleep 1                                                                       (8)
(1) "Unified Logon" user Name.
(2) Path to keytab files
(3) The numerical user ID is needed in the next line
(4) Kerberos stores its credentials in a cache. With mktemp we create a new cache and reassign a new name to the variable KRB5CCNAME . This environment variable is used by kinit und ssh.
(5) This commands fetches a Kerberos5 ticket. Instead of deriving the key from the password it is read from the keytab file.
(6) Authentication to the gateway.The option "-N" must be specified. The option "GSSAPIAuthentication yes" does not need to be specified, if it is included in the configration settings of the ssh client.
(7) Keep track of the process ID of the ssh client process, in order to allow to kill it at the end of the script.
(8) The gateway needs up to one second to open the connection.
At the end of the script the connection to the gateway machine must be terminated and the kerberos credential cache be cleaned
  kill $ssh_pid                                                             (1)
  rm -rf ${KRB5CCNAME}                                                      (2)


The same functionlaity with (t)csh instead of bash scripts would look like:
  setenv USERNAME gsell
  setenv KRB5KTABNAME ~/.krb5/keytab
  setenv MYUID `id -u`
  setenv KRB5CCNAME `mktemp /tmp/krb5cc_${MYUID}_XXXXXX`
  ./kinit -k -t ${KRB5KTABNAME} ${USERNAME}@D.PSI.CH
  ssh -o "GSSAPIAuthentication yes"  -N ${USERNAME}@balrog.psi.ch  &
  setenv ssh_pid $!
  sleep 1


and in the end of the script
  kill $ssh_pid
  rm -f ${KRB5CCNAME}         

Tipps & Tricks

note.png You must keep alive the session to the gateway machine, until all other connections are closed.
note.png You can have multiple ssh connections to different target systems simultaneously. However the login to the gateway machine is only needed once.
note.png You can login to local accounts after the initial connection
note.png Opening the connections on the gateway can take up to one second. Resetting the firewall rules on the gateway is also finished after one second
note.png If you have accidentally terminated the session to the gateway machine while other connections are stilll active this is usually no problem. Usually it is sufficient to simply reconnect to the gateway again.
note.png The ssh server on the gateway checks regularly for connectivity to the client. If the connection is interrupted the rules on the firewall are reset. These keep alive tests are done several times per minute. This can lead to unwanted interruptions if you have a low quality connection.

Kerberos configuration

For advanced users you can also use Single-Sign-On functionality (SSO) using the KerberosAuthenticationEN . In addition to the above general configuration you have to apply the following configurations for openssh clients

Add the following line
GSSAPIAuthentication yes


in either /etc/ssh/ssh_config or in the file ~/.ssh/ssh_config . You can also specify the option diretly on the command line:
  ssh -o 'GSSAPIAuthentication yes' <user>@balrog.psi.ch