SSH Secure Shell

SSH is used to get a secure terminal-connection to a login server. All Linux loginservers can be reached with SSH client software, not only on the standard port 22, but also on ports 80 and 443.

NB: as of December 2022, not all science logins are allowed to login on the login servers anymore. Should you have trouble logging in on our loginservers, please contact postmaster.

  • Windows:
    • MobaXterm. From the MobaXterm website: “MobaXterm is an enhanced terminal for Windows with an X11 server, a tabbed SSH client and several other network tools for remote computing (VNC, RDP, telnet, rlogin). MobaXterm brings all the essential Unix commands to Windows desktop, in a single portable exe file which works out of the box.” The support of OpenGL could also be a reason to start using MobaXterm. If you use it professionally, you should consider subscribing to MobaXterm Professional Edition. MobaXterm is available on the S-disc.
    • Mosh (mobile Shell) when roaming and intermittent connections.
    • PuTTY.
    • The OpenSSH client provided by Cygwin.
  • Linux: Your computer should have ssh installed by default. Otherwise, install the openssh-client package. Install Mosh (mobile Shell) when roaming or having intermittent connections.
  • OS X: the ssh client should be available on your Mac. For graphical/X11 functionality one can install XQuartz. Install Mosh (mobile Shell) when roaming or having intermittent connections.
  • Android: JuiceSSH or ConnectBot. Install Mosh (mobile Shell) when roaming or having intermittent connections.

SSH settings and tips

To avoid warnings about possibly changed ssh keys and prevent messages with ‘unkown host’ the first time you connect to a host in the domain, we have signed the public keys of all our servers. If you add the following lines to the file ‘config’ in the .ssh directory in your (local) home directory (maybe this file has to be created)

CanonicalizeFallbackLocal no
CanonicalizeHostname yes

and the following line to .ssh/known_hosts

@cert-authority * ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAHpJveyOrLKFRDsbiW/29OadbCbkmUaIXnWbhVwtytbpftAc7Stj2RYa8yBmgfdm82T/UBVu1tLbeeCYQI8UlCvbAALMx+I60ux+iEGVdDBgIOjeu6LuY12pksVlXy/nKc59+m3AdMXfGHA8cI/O8eFosQLJ+dck7SBcvTT4lPhEcSQxg==

then C&CZ-signed ssh keys of hosts will be automatically accepted. The change to the ‘config’ file ensures that

ssh lilo7

will match with and the line in known_hosts ensures that only for hostnames matching with * ssh will check whether the public key of the host is signed by C&CZ and if that is indeed the case will accept the host key. If you do not want to change the config file then you will always have to use the fully qualified hostname

Ssh can be used for:

  • port forwarding on another host
  • proxying for example web traffic
  • almost complete vpn functionality

Please consult this article for some excellent tips on how to use and configure your ssh client.

Preventing disconnects

In case you experience connectivity issues using ssh, use the following settings for your ssh-client. This can be done by adding the following lines to the config file .ssh/config (or /etc/ssh/ssh_config):

TCPKeepAlive no
ServerAliveInterval 60
ServerAliveCountMax 10