Transparent multi-hop SSH

Connecting from outside/home via a proxy server a.k.a. jump host

Our servers can only be accessed from certain UMCG/RUG subnets.
To connect from outside you can use a proxy server. This requires port 22 to be open on all machines between your computer and our server.
List of current proxy servers:

Server name Key fingerprints (in various formats) SHA256: j3Zihz6gJkl7o5qyu3Ug74zi5/wSc5iXzNB6r7s8hxQ
MD5: ad:d4:a6:d6:f8:9a:5d:97:a6:30:0e:56:54:ef:82:d6 SHA256: j3Zihz6gJkl7o5qyu3Ug74zi5/wSc5iXzNB6r7s8hxQ
MD5: ad:d4:a6:d6:f8:9a:5d:97:a6:30:0e:56:54:ef:82:d6

Users on Linux / Unix / Mac OS X

To setup transparent multi-hop SSH:

  • On the machine from which you want to connect
    • Make sure you have a ~/.ssh folder with generated SSH keys linked to your account. See RequestAccount for instructions.
    • Create a ~/.ssh/tmp folder. Open a terminal and type the following command:
      mkdir -p ~/.ssh/tmp
    • Create a ~/.ssh/config file if it does not exist yet.
    • Add to your ~/.ssh/config something like the following:
      # Generic stuff: only for MacOS clients.
      IgnoreUnknown UseKeychain
      	UseKeychain yes
      IgnoreUnknown AddKeysToAgent
      	AddKeysToAgent yes
      # Generic stuff: prevent timeouts 
      Host *
      	ServerAliveInterval 60
      	ServerAliveCountMax 5
      # Generic stuff: share existing connections to reduce lag when logging into the same host in a second shell
      ControlMaster auto
      ControlPath ~/.ssh/tmp/%h_%p_%r
      # UMCG HPC hosts.
      Host lobby foyer *calculon *umcg *cher-ami *boxy !*
      	User prefix-youraccount
      # RUG HPC hosts.
      Host *peregrine !*
      	User prefix-youraccount
      # GCC Hosts.
      Host *flexo *bender *zinc-finger *leucine-zipper *gaf *gattaca* !*
      	User prefix-youraccount
      Host *golden *backup *molgenis* !*
      Host *gbic !*
      	User prefix-youraccount
      # UMCG proxy settings.
      Host *+*+*
              ProxyCommand ssh -X -q $(echo %h | sed 's/+[^+]*$//') -W $(echo %h | sed 's/^[^+]*+[^+]*+//'):%p
      Host lobby+*
      	ProxyCommand ssh -X -q -W $(echo %h | sed 's/^lobby[^+]*+//'):%p
      Host foyer+*
      	ProxyCommand ssh -X -q -W $(echo %h | sed 's/^foyer[^+]*+//'):%p
      # Sometimes port 22 for the SSH protocol is blocked by firewalls; in that case you can try to use SSH on port 80 as fall-back.
      # Do not use port 80 by default for SSH as it officially assigned to HTTP traffic and some firewalls will cause problems when trying to route SSH over port 80.
      Host lobby80+*
      	ProxyCommand ssh -X -q -W $(echo %h | sed 's/^lobby[^+]*+//'):%p -p 80
      Host foyer80+*
      	ProxyCommand ssh -X -q -W $(echo %h | sed 's/^foyer[^+]*+//'):%p -p 80
      # Use the syntax below if your private key is not in the default location.
      # The default location is:
      #  ~/.ssh/id_rsa for keys generated with the RSA algorithm.
      #  ~/.ssh/id_dsa for keys generated with the DSA algorithm
      # In that case please note that you must also specify the path to your key file on the commandline.
      # For example:
      #  $> ssh -i ~/.ssh/some_other_key.file prefix-youraccount@lobby+calculon
      #Host lobby+*
      #	ProxyCommand ssh -X -q -i ~/.ssh/some_other_key.file -W $(echo %h | sed 's/^lobby[^+]*+//'):%p
      #Host foyer+*
      #	ProxyCommand ssh -X -q -i ~/.ssh/some_other_key.file -W $(echo %h | sed 's/^foyer[^+]*+//'):%p
      Replace all occurences of prefix-youraccount with:
      prefix = based on your organization. Usually either umcg or lifelines
      youraccount = your account on = your account on = etc.

      If you are not on a Mac or on a very old one you may have to comment the # Generic stuff: only for MacOS clients section at the top of example ~/.ssh/config

    • Make sure you are the only one who can access your ~/.ssh folder. Type the following command in a terminal:
      chmod -R go-rwx ~/.ssh
  • You can now for example connect to with the account as specified by User via for example proxy server using the alias lobby+calculon. Type the following command in a terminal:
    ssh lobby+calculon
    In order to override the accountname specified in your ~/.ssh/config you can use:
    ssh prefix-youraccount@lobby+calculon
    You can also transfer data with scp (secure copy) to copy files to your home dir on the cluster like this:
    scp some_file lobby+calculon:
    or even better use rsync to copy data to your home dir on the cluster like this:
    rsync -av some_directory lobby+calculon:
    Note the colon at the end of the scp and rsync commands. Without the colon you would copy to a local file named lobby+calculon. You can add additional proxy+* aliases for other User Interface (UI) servers and other proxy servers depending on your computing preferences or authorization. If you also added the Host *+*+* code block you can do tripple hops starting with a proxy like this:
    ssh proxy+intermediate_server+destination_server
    In case you are on a network where the default port for SSH (22) is blocked by a firewall you can try to setup SSH over port 80 using an alias like this:
    ssh lobby80+calculon

Frequent Asked Questions:

  • Q: Why do I get this error?

muxserver_listen bind(): No such file or directory.
A: You may have failed to create the ~/.ssh/tmp folder in the first step or the permissions on this folder are wrong.

ControlPath too long
A: The ControlPath ~/.ssh/tmp/%h_%p_%r line in your ~/.ssh/config file expands to a path that is too long. Change the ControlPath line in your ~/.ssh/config file to create a shorter path for the automagically created sockets. You can use for example ControlPath /tmp/%h_%p_%r to create sockets in /tmp.

Permission denied (publickey).
A: Either you are using the wrong account name or the wrong key file or the permissions on your home ~/.ssh/ dir and/or on its content are wrong or your account is misconfigured on our account server. Check your account name, key and permissions. If that did not resolve the issue get in touch with your GCC contact.

nc: getaddrinfo: Name or service not known. ssh_exchange_identification: Connection closed by remote host
A: This server does not exist (anymore); You have a typo in the name of the server you are trying to connect to. Check both the command you typed as well as your ~/.ssh/config for typos in server names

  • Q: Can I increase the verbosity to debug connection problems?
    A: Yes try adding -vvv like this

ssh -vvv prefix-youraccount@lobby+calculon

If that does not help to figure out what is wrong please send an email to the GCC helpdesk and include:

1 The command you used for your failed login attempt
2 The output of that failed login attempt with -vvv debugging enabled
3 A copy of your ~/.ssh/config file.

(Never ever send us your private key; It does not help to debug your connection problems, but will render the key useless as it is no longer private.)

Users on Windows

  • On the machine from which you want to connect
    1. Make sure you have generated SSH keys linked to your account. See RequestAccount for instructions.
    2. Download and install Putty. Make sure to also download the key manager Pageant.
    3. Start Pageant
    4. Load your private key into Pageant
    5. Start Putty
    6. Go to Connection -> Ssh -> Auth and select Allow agent forwarding
    7. Go to Connection -> Data and fill in your user name in the auto-login username option
  • You can now connect to for example via for example proxy server using a double hop like this
    • In Putty connect to (or choose another proxy from the list)
    • Once the connection is established type the following command in a terminal:
      Change the name of the destination host to connect to other User Interface (UI) servers.

On order to automate this double hop on Windows please have a look at these instructions:

Last modified 14 months ago Last modified on 2017-06-06T14:07:44+02:00