Connection remotely can be done in two ways:
- Directly when using the CA VPN (or Eduroam wifi in the campus)
- Via a jump server when not using VPN
Note: the connection to the new gateway (bava jump server) is different from the connection to the old one. Please follow the new instructions.
Choose the tab that fit your connection for directions:
(On Linux or Mac - open a terminal, on windows - open PowerShell)
ssh -l <user> <host>.cs.huji.ac.il
or
ssh <user>@<host>.cs.huji.ac.il
¶ X11-Forwarding - For running graphic programs
If the host you are connecting from supports the X11 protocol (most *nix system, special programs on Windows) it is possible to start graphical programs on the server and see their windows on your machine.
Please note that this requires high connection speeds to work at a usable speed. For example home DSL connections are usually not enough for a smooth experience, however speeds like the links between HUJI campuses are.
- On Mac OS X, you first need to run X11 (install Xquartz from https://www.xquartz.org/ and run it).
- On Windows you may use Xming or MobaXterm as described in the MobaXterm client tab.
To allow X forwarding add '-X' or '-Y' to the connection command:
ssh -CX <user>@<host>.cs.huji.ac.il
On Windows shell you'll have to set the DISPLAY environment variable (after running Xserver application) and then connect with '-Y' switch:
Using CMD.exe:
set DISPLAY=127.0.0.1:0
Using PowerShell:
$env:DISPLAY="127.0.0.1:0"
Using bash:
export DISPLAY=127.0.0.1:0
The ssh command:
ssh -CY <user>@<host>.cs.huji.ac.il
¶ Tunnels - To access some more advanced services of HUJI
To allow access to more advanced services inside of HUJI it may sometimes be useful to create a Tunnel, allowing a connection directly from the users machine to whatever internal service they are seeking running over the encrypted channel created by SSH.
A nice graphical display of what happens when tunneling can be found here:
As an example we will deal with SSH/SFTP, if a user wants to create a tunnel from port 22222 on their station to SSH on **river** their connect command would look like this:
ssh -CL 22222:localhost:22 river.cs.huji.ac.il
'-C' adds compression to the tunnel which is advisable if the user is connected using a not-so-fast connection.
Now connecting to localhost:22222 will actually be connecting to river:22.
On our Huji CES network, the river public network is actually the name of three machines: river-01 pond and rory. In some cases, connecting using the name river-01 may connect to the river machine and in other cases - to the pond machine(or rory). This can be important when some software may require compatibility between the the software's host and the ssh host. So for that, please name the requested machine specifically. For example:
2222:river-01:22
or
8000:pond:8000
or
3000:rory:3000
Note that river also can be referred to as river-01, pond as river-02 and rory as river-03.
Finally, note that the target host of the tunnel and the target host for shell access do not have to be the same, as long as gw (the host that is creating the tunnel) has access to the host/port combination you can specify the forward. You can also specify multiple tunnels, for instance if we wanted to connect both to **river:SSH** and to a hypothetical MySQL server and a shell on river we'll call mysql, the command would look like this:
ssh -CL 22222:localhost:22 -L 3306:mysql:3306 <user>@river.cs.huji.ac.il
Note that the localport can be the same as the remote port, however here there is the limitation that portnumbers <= 1024 are only available to privileged accounts (root/Administrator) on most OSes.
¶ Socks Proxy
It is possible to route your internet traffic through whatever host you are connecting to. This is used to allow access to resources that would otherwise only be accessible from inside the HUJI/CSE networks (think of journal databases, internal websites). This is done by setting up a socks5 proxy and configuring your browser to use it.
A typical command could look like this:
ssh -CD 8080 <user>@<host>.cs.huji.ac.il
Connecting to host on CS network, river for example:
¶ Tunnels - To access some more advanced services of HUJI
To allow access to more advanced services inside of HUJI it may sometimes be useful to create a Tunnel, allowing a connection directly from the users machine to whatever internal service they are seeking running over the encrypted channel created by SSH.
A nice graphical display of what happens when tunneling can be found here.
In the sidebar go to Connection > SSH > Tunnels.
For source port choose whatever number you like above 1024 and below 65535.
For destination enter the target host:port (for example, if you use "river", it will look like: river:22). Click Add.
Now the window should look like this:
To enable compression go to Connection > SSH and enable compression.
To not have to re-enter these settings every time you open putty it is wise to save this as a session:
Now next time you open putty you can either Load the previous session and possibly modify some settings before opening the connection or just double click it and open a connection with all the right settings:
Once the shell is open you can now use whichever client is needed to connect to the tunnel you created, in our case we can use a SFTP client to connect to **localhost:22222** and we'll be connected to **huji-cs-host:22** as long as you leave the shell open.
¶ X11-Forwarding - For running graphic programs
If the host you are connecting from supports the X11 protocol (most *nix system, special programs on Windows) it is possible to start graphical programs on the server and see their windows on your machine.
You'll have to run Xserver on your computer before enabling X forwarding in putty. You may use Xming for it, or use MobaXterm as described in the MobaXterm client tab.
Please note that this requires high connection speeds to work at a usable speed. For example home DSL connections are usually not enough for a smooth experience, however speeds like the links between HUJI campuses are.
Enabling ssh compression is recommended.
Mobaxterm is an application that runs Xserver and let you connect using ssh and run remote GUI-based applications.
- Download and install [Mobaxterm] (http://mobaxterm.mobatek.net/download.html).
- Launch Mobaxterm
- In the Session category, choose SSH
- Enter the cs hostname for remote host, check Specify Username box and enter your cs login name.
4. At this point press OK to save the session.
You will see the saved session on the left panel of Mobaxterm.
5. Double click it and enter your regular UNIX password.
After following the above steps you can start your X application on the CSE host.
The gateway name is bava.cs.huji.ac.il and it is a jump server to the internal CS hosts (like river or the cluster gateway).
Connection to a host on the cs network may look like this:
ssh -l <user> -J <user>@bava.cs.huji.ac.il <host>
or
ssh -J <user>@bava.cs.huji.ac.il <user>@<host>
In order to proceed the connection, an OTP is required. Learn about the ways to get a valid one here.
After entering the valid OTP, enter your cs account password, and you are in.
In case that the '-J' option doesn't work on Windows command line (CMD or PowerShell) you may use the below command:
ssh -l csuser -o ProxyCommand="C:\Windows\System32\OpenSSH\ssh.exe -W %h:%p csuser@bava.cs.huji.ac.il" cshost
(replace csuser with your username and cshost with the target host)
¶ Tunnels - To access some more advanced services of HUJI
To allow access to more advanced services inside of HUJI it may sometimes be useful to create a Tunnel, allowing a connection directly from the users machine to whatever internal service they are seeking running over the encrypted channel created by SSH.
A nice graphical display of what happens when tunneling can be found here.
As an example we will deal with SSH/SFTP, if a user wants to create a tunnel from port 22222 on their station to SSH on **river** their connect command would look like this:
ssh -CL 22222:localhost:22 -J <user>@bava.cs.huji.ac.il river
'-C' adds compression to the tunnel which is advisable if the user is connected using a not-so-fast connection.
Now connecting to localhost:22222 will actually be connecting to river:22.
On our Huji CES network, the river public network is actually the name of three machines: river-01 pond and rory. In some cases, connecting using the name river-01 may connect to the river machine and in other cases - to the pond machine(or rory). This can be important when some software may require compatibility between the the software's host and the ssh host. So for that, please name the requested machine specifically. For example:
2222:river-01:22
or
8000:pond:8000
or
3000:rory:3000
Note that river also can be referred to as river-01, pond as river-02 and rory as river-03.
Finally, note that the target host of the tunnel and the target host for shell access do not have to be the same, as long as gw (the host that is creating the tunnel) has access to the host/port combination you can specify the forward. You can also specify multiple tunnels, for instance if we wanted to connect both to **river:SSH** and to a hypothetical MySQL server and a shell on river we'll call mysql, the command would look like this:
ssh -CL 22222:localhost:22 -L 3306:mysql:3306 -J user@bava.cs.huji.ac.il user@river
Note that the localport can be the same as the remote port, however here there is the limitation that portnumbers <= 1024 are only available to privileged accounts (root/Administrator) on most OSes.
¶ X11-Forwarding - For running graphic programs
If the host you are connecting from supports the X11 protocol (most *nix system, special programs on Windows) it is possible to start graphical programs on the server and see their windows on your machine.
Please note that this requires high connection speeds to work at a usable speed. For example home DSL connections are usually not enough for a smooth experience, however speeds like the links between HUJI campuses are.
To allow X forwarding add '-X' or '-Y' to the connection command:
ssh -J user@bava.cs.huji.ac.il -CX user@hostname
- On Mac OS X, you first need to run X11 (install Xquartz from https://www.xquartz.org/ and run it).
- On Windows you can enable X forwarding in putty and use Xming or use MobaXterm as described in the next section.
¶ Socks Proxy
It is possible to route your internet traffic through whatever host you are connecting to. This is used to allow access to resources that would otherwise only be accessible from inside the HUJI/CSE networks (think of journal databases, internal websites). This is done by setting up a socks5 proxy and configuring your browser to use it.
You can use the jump server as proxy.
To use the jump server, Run the command without terminal (-T) and without remote command (-N), compress the traffic with -C:
ssh -D 8080 -CTN <csuser>@bava.cs.huji.ac.il
To run the proxy on specific host that you have access to, use bava.cs.huji.ac.il as jump server:
ssh -D 8080 -J <csuser>@bava.cs.huji.ac.il -CTN <csuser>@<cshost>
On linux you can use '-f' switch so the connection will remain in background.
On your client, setup SOCKS5 proxy to localhost and the high port you choose (8080 in the above example, but you can use any other number between 1024 and 65535).
This approach is a little complicated and is not recommended by default.
Use it only if you cannot use any other approach.
Connection using PuTTY need two steps in order to create a connection.
In the first step we connect to the jump serer (bava.cs.huji.ac.il) and create at least one tunnel to the CS host we want to access.
In the second step we connect to the tunneled host.
¶ Creating the tunnel on the gateway
Open PowerShell and run the command.
ssh -CTN -L <localport>:<cs host>:22 <csuser>@bava.cs.huji.ac.il
<localport> should be a number between 1024 and 65535.
<cs host> is a name of a computer that you have access to, usually river.
<cs user> is your CSE username.
For example:
ssh -CTN -L 2022:river:22 csuser@bava.cs.huji.ac.il
Enter your OTP. In case there is no error message and the command is not closed, the session is opend and you connect to localhost:<localport> as described on the next step.
Create a new session to bava.cs.huji.ac.il on port 22.
Go to SSH settings and check "Don't start shell or command at all"
Go to SSH > TTY settings and check the box "Don't allocate a pseudo-terminal"
In the sidebar go to Connection > SSH > Tunnels.
For source port choose whatever number you like above 1024 and below 65535.
For destination enter the target host:port (for example, if you use "river", it will look like: river:22).
Click Add, so the configuration will appear in the text box above the Add button
You may add any other host and port that you have access to and want to connect to.
To enable compression go to Connection > SSH and enable compression.
To not have to re-enter these settings every time you open putty it is wise to save this as a session:
Next time you open putty you can either Load the previous session and possibly modify some settings before opening the connection or just double click it and open a connection with all the right settings:
¶ Connecting to the tunnel
In order to create the actual connection to the host, create a new session (save it with another name).
In the host name type localhost and in the port enter the port you choose for the tunnel. In our example - 2022.
Save this connection under another name.
To create the actual connection, first open the gateway session (you would be asked for your OTP password) and after the connection is astablished you would be able to open the session to the desired host, authenticating with your CS password.
¶ X11-Forwarding - For running graphic programs
If the host you are connecting from supports the X11 protocol (most *nix system, special programs on Windows) it is possible to start graphical programs on the server and see their windows on your machine.
Please note that this requires high connection speeds to work at a usable speed. For example home DSL connections are usually not enough for a smooth experience, however speeds like the links between HUJI campuses are.
To allow X forwarding add in PuTTY, setup the tunneled connection using Connection > SSH > X11 and enable X11 forwarding
- To enable graphical windows to be opened on windows, you'll have to run Xserver. it can be done using Xming or with MobaXterm as described in the next section.
Mobaxterm is an application that runs Xserver and let you connect using ssh and run remote GUI-based applications.
- Download and install [Mobaxterm] (http://mobaxterm.mobatek.net/download.html).
- Launch Mobaxterm
- In the Session category, choose SSH
- Enter the cs hostname for remote host, check Specify Username box and enter your cs login name.
- Click on "Network Settings" and then on "SSH gateway (jump host)
- Enter the name of CS jump server
bava.cs.huji.ac.iland your CS username
and press OK. - At this point press OK again, to save the session.
You will see the saved session on the left panel of Mobaxterm. - When starting the connection, a popup windows will appear to ask you for the jump server's password. Insert an OTP password and press OK. Don't save that password (since it's One-Time Password and won't work later)
- The next password that you would be asked to enter is your regular UNIX password.
After following the above steps you can start your X application on the CS host, as well as command lines in the console.
WinSCP comes with a built in option to create a tunnel through which to connect to the target server.
When creating a connection enter only the target server as Host name (The target server can be any host you have access to on the CS network. in this example it is river.cs.huji.ac.il). Enter your username then click **Advanced**.
In the sidebar go to Connection > Tunnel:
In the Tunnel setup section enter:
Hostname to connect to: bava.cs.huji.ac.il
Username: your cs username
Leave the password field blank.
If you wish to use the tunnel for other things too, set the 'Local tunnel port' manually otherwise just leave it on 'Autoselect'.
Click OK. You can save the connection for farther use (usnig the Save button).
Press on "Login" to start the session, The first password you would be asked to enter is an OTP:
The second is your CS password:
¶ Security
It is highly recommended to make sure your client only connects using SSHv2, since there are Man-in-the-Middle attacks that downgrade the connection from the secure SSHv2 to SSHv1. Most modern clients are set by default to only use SSHv2, but if you are using an older version of a client or created an SSH configuration in the past it is wise to check that said file does not override the default of SSHv2 only.
Also always make sure that your SSH client is up to date.
¶ Known Issues
¶ client_input_hostkeys: received duplicated ssh-rsa host key
Bava and River are actually couple of different hosts with different IPs but the same rsh key.
To make SSH use the same entry for all Bava or River machines, do as follows:
- First, remove the entries for river or bava from your known hosts. Specifically, those with IP entry:
ssh-keygen -R bava.cs.huji.ac.il - Second, run the command:
ssh-keyscan -t rsa bava.cs.huji.ac.il
(for River replacebavawithriveron both commands) - Third, copy the resulting line to the known_hosts file, or you can append it to that file with the '>>' operator:
ssh-keyscan -t rsa bava.cs.huji.ac.il >> ~/.ssh/known_hosts
¶ Clients
¶ SSH
- On most *nix systems (Linux, *BSD, macOS) the ssh command comes pre-installed, if not available use the method relevant to your OS/distribution to install it.
- Putty is a simple but powerful opensource and free SSH client for Windows.
- Mobaxterm is a free SSH client for windows with an easy to use graphical interface, some functionality is limited in the free version.
¶ SFTP
- Like the ssh command the sftp command should be available on most *nix systems by default.
- FileZilla is a free and opensource cross-platform graphical (S)FTP client.
- WinSCP is a free and opensource graphical (S)FTP client for Windows.
¶ See also
- FTP on how to transfer files between your computer and the CS file system