Remote Access















Services: Remote Access

Remote Access SSH-GATE

    Description of the Service

    Since March 2022, direct connections via SSH from the external networks to the JINR internal network servers has been prohibited. To provide this type of access, the ssh-gate service has been introduced. When ssh-gate is used, the connection string to the ssh-server in the JINR network looks as follows:

    ssh -J ‹sso_login›@ssh-gate.jinr.ru ‹user_login›@servername

    First, a communication session is established with the transit server ssh-gate.jinr.ru, for authentication at which the SSO-account of the user is used.

    Then, in case of successful authentication, a connection session is automatically established with sshgate to the internal server servername requested by the user, and the user’s login account on the server servername is already used.

    Thus, a user must have two accounts:

    Registration

    JINR employees obtain an SSO account from their laboratory administrators or from the JINR Networking Services https://noc.jinr.ru/ru/about-us/lit-200.php.

    Employees of other scientific and educational organizations, who perform calculations on JINR resources, receive SSO-accounts only through scientific supervisors or coordinators on scientific activities, who are JINR employees.

    Accounts on the destination ssh-servers (e.g., Hibrilit, Govorun, NCX, LXPUB clusters) are issued by separate registration, every cluster has its own procedure.

    Client program

    Under Windows and Linux, access via sshgate is ideal with the system ssh client with the -J switch

    Also under Windows, you can use the Putty ssh client, starting from the preliminary version 0.77 below is a screenshot

    Q: The machine is running Linux, but there is no -J option in ssh
    A: Most likely, the installed version of the OS, update access to the version. Or install the openssh package version 8.

    Connection options for old ssh clients, no key "-J"

    Option 1, via options:

    $ ssh -o ProxyJump=‹sso_login›@ssh-gate.jinr.ru ‹user_login›@servername.jinr.ru
    $ scp -o ProxyJump=‹sso_login›@ssh-gate.jinr.ru /tmp/my_file.dat ‹user_login›@servername.jinr.ru:/tmp/

    Option 2, config + options:

    $ cat .ssh/config
    Host ssh-jinr

      Hostname ssh-gate.jinr.ru
      PreferredAuthentications "keyboard-interactive"
      User ‹sso_login›

    $ ssh -o ProxyJump=ssh-jinr ‹user_login›@servername.jinr.ru
    $ scp -o ProxyJump=ssh-jinr /tmp/my_file.dat ‹user_login›@servername.jinr.ru:/tmp/

    Q: Password verification was successful, the connection is established, but if there is no activity for XX minutes, the connection should be disconnected.
    A: There are no inactivity timeouts set on sshgate. Most likely, the gap is initiated by the end server (check with the server admins if there is a timeout for disconnection) or the user's home router (on-demand Internet mode is enabled, internet-on-demand).

    Please send your questions and requests to the JINR Networking Services - noc@jinr.ru