- 1 Introduction
- 2 Quick and basic access
- 3 Basic access via VPN
- 4 Background(How does it work?)
- 5 Tunnels- To access some more advanced services of HUJI
- 6 X11-Forwarding - For running graphic programs
- 7 Socks Proxy
- 8 Security
- 9 See also
HUJI/CSE allows remote access using Secure SHell connections(SSH), here we will describe how to access different resources.
Please note that remote connections are only enabled for servers/clusters and not for workstations, aquarium computers or other lab machines.
Quick and basic access
In all the following methods when connecting to our servers, you must choose a host to connect to. Usually you'd choose a public server such as river.
A typical connection command for a user wishing to connect to a host would look like this:
where <user> should be replaced with your cs account and login name, and <host> should be replaced with the chosen host, such as river or hm-gw.
Alternatively you can also define the username and hostname separately for instance connecting to
ssh -l user%hm-gw gw.huji.ac.il
An example of connecting to the host
- Note as stated above, you need to replace "user" by your cs account's name.
Now, in order to proceed the connection, an OTP is required. Learn about the ways to get a valid one here.
After entering the valid OTP, enter your cs account password, and you are in.
Basic access via VPN
In addition to this quick access, the Computing Authority offers a VPN service for which usage instructions can be found here. By connecting to sambaVPN first, there is no need to authenticate using sms on Registrar. This option is recommended for those whom wish to connect from outside of Israel. For that, connect to Samba VPN and then connect via ssh (as explained above) directly to the computer(without using 'gate way'), so the command will be:
ssh -l <user> <host>.cs.huji.ac.il
- Note that you need to replace <user> by your cs account's name, and <host> by a host name.
Background(How does it work?)
All access runs through the gateway ("Shin Gimel"), direct access to hosts is always blocked by default, however the user also lacks access to the gateway machine itself, it only exists to allow connections through to a different machine.
Therefore when the user connects through the gateway they have to already tell the machine ahead of time to which host they will connect. If this is not done the system will attempt to drop into a shell on the gateway, discover that the user is not allowed to access it and close the connection.
- On most *nix systems (Linux, *BSD, macOS) the ssh command comes pre-installed, if not available use the method relevant to your OS/distribution to install it.
- Putty is a simple but powerful opensource and free SSH client for Windows.
- Mobaxterm is a free SSH client for windows with an easy to use graphical interface, some functionality is limited in the free version.
- Like the ssh command the sftp command should be available on most *nix systems by default.
- FileZilla is a free and opensource cross-platform graphical (S)FTP client.
- WinSCP is a free and opensource graphical (S)FTP client for Windows.
Tunnels- To access some more advanced services of HUJI
To allow access to more advanced services inside of HUJI it may sometimes be useful to create a Tunnel, allowing a connection directly from the users machine to whatever internal service they are seeking running over the encrypted channel created by SSH.
Creating tunnels from the cmd
As an example we will deal with SSH/SFTP, if a user wants to create a tunnel from port 22222 on their station to SSH on
river their connect command would look like this:
ssh -CL 22222:river:22 email@example.com
'-C' adds compression to the tunnel which is advisable if the user is connected using a not-so-fast connection.
Now connecting to
localhost:22222 will actually be connecting to
On our Huji CES network, the
river public network is actually the name of three machines:
rory. In some cases, connecting using the name
river may connect to the river machine and in other cases- to the
rory). This can be important when some software may require compatibility between the the software's host and the ssh host. So for that, please name the requested machine specifically. For example:
river also can be referred to as
Finally, note that the target host of the tunnel and the target host for shell access do not have to be the same, as long as gw (the host that is creating the tunnel) has access to the host/port combination you can specify the forward. You can also specify multiple tunnels, for instance if we wanted to connect both to
river:SSH and to a hypothetical MySQL server and a shell on river we'll call
mysql, the command would look like this:
ssh -CL 22222:river:22 -L 3306:mysql:3306 -l user%river gw.cs.huji.ac.il
Note that the localport can be the same as the remote port, however here there is the limitation that portnumbers <= 1024 are only available to privileged accounts (root/Administrator) on most OSes.
A nice graphical display of what happens when tunneling can be found here: 
Creating a tunnel in Putty
In the sidebar go to Connection > SSH > Tunnels.
For source port choose whatever number you like above 1024 and below 65535.
For destination enter the target host:port (for example, if you use "river", it will look like: river:22).
Now the window should look like this:
To enable compression go to Connection > SSH and enable compression.
To not have to re-enter these settings every time you open putty it is wise to save this as a session:
Now next time you open putty you can either Load the previous session and possibly modify some settings before opening the connection or just double click it and open a connection with all the right settings:
Once the shell is open you can now use whichever client is needed to connect to the tunnel you created, in our case we can use a SFTP client to connect to
localhost:22222 and we'll be connected to
river:22 as long as you leave the shell open.
Using WinSCP to transfer Files
WinSCP comes with a built in option to create a tunnel through which to connect to the target server.
When creating a connection enter only the target server as Host name and your username then click
In the sidebar go to
Connection > Tunnel:
In the Tunnel setup section enter
gw.cs.huji.ac.il as the host name to connect to. For username enter
<user>%<host>, leave the password field in both windows blank.
If you wish to use the tunnel for other things too set the 'Local tunnel port' manually otherwise just leave it on 'Autoselect'.
X11-Forwarding - For running graphic programs
If the host you are connecting from supports the X11 protocol (most *nix system, special programs on Windows) it is possible to start graphical programs on the server and see their windows on your machine.
Please note that this requires high connection speeds to work at a usable speed. For example home DSL connections are usually not enough for a smooth experience, however speeds like the links between HUJI campuses are.
To allow X forwarding add '-X' to the connection command:
ssh -CX <user>%<host>@gw.cs.huji.ac.il
- On Mac OS X, you first need to run X11 (usually under /Applications/Utilities/X11). Then, from the open xterm, run
ssh -CX <user>%<host>@gw.cs.huji.ac.ilas in Linux.
- On Windows you can enable X forwarding in putty and use Xming or use MobaXterm as described in the next section.
Using MobaXterm for X11 on Windows
Using this connection type you can run applications which normally use a graphical user interface (GUI), such as emacs. For this to work you need to run an X server on your computer. The applications you run on the remote CSE machines connect to the X server in order to display windows on your own computer.
- On Windows, you need to install and run a Mobaxterm client. Following are instructions for setting up and connecting using Mobaxterm:
- Download and install Mobaxterm.
- Launch Mobaxterm
- In the Session category, choose SSH
enter gw.cs.huji.ac.il for remote host, check Specify Username box and enter <username>@<csmachine>. <username> is your cs login and <csmachine> is the server you wish to connect, like river:
- At this point press OK to save the session.
- You will see the saved session on the left panel of Mobaxterm.
- Double click it and enter your OTP when prompted. Next you'll be asked to enter your regular UNIX password.
After following the above steps you can start your X application on the CSE host.
It is possible to route your internet traffic through whatever host you are connecting to. This is used to allow access to resources that would otherwise only be accessible from inside the HUJI/CSE networks (think of journal databases, internal websites). This is done by setting up a socks5 proxy and configuring your browser to use it.
A typical command could look like this:
ssh -CD 8080 <user>%<huji-cs-host>@gw.cs.huji.ac.il
It is highly recommended to make sure your client only connects using SSHv2, since there are Man-in-the-Middle attacks that downgrade the connection from the secure SSHv2 to SSHv1. Most modern clients are set by default to only use SSHv2, but if you are using an older version of a client or created an SSH configuration in the past it is wise to check that said file does not override the default of SSHv2 only.
Also always make sure that your SSH client is up to date.
- FTP on how to transfer files between your computer and the CS file system