Remote SSH Access to ASC Services (SSH Jump Host)

Overview

Remote access to College of Arts & Sciences services requires two-factor authentication. One method of achieving this is through the VPN. However, this requires using the Cisco AnyConnect software, and can at times have drawbacks, such as reduced throughput. Or, it may simply not be a convenient method for you.

The SSH jump host is the other option. SSH is a powerful tool with many options, but here we will cover setting up your connection to the jump host, basic SSH interactive use, and file transfer via SSH tunneling.

Neither the VPN nor jump host are suitable for automation of remote connections – if you have a specific need for this, please work with ASCTech personnel for solutions. Without a special exception, OSU requires all remote access to be verified via two-factor authentication. The two factor options for SSH are password and Duo, or SSH key and Duo.

The jump host itself should not be used as a remote workstation. Application use is extremely limited, and you will be disconnected after 5 minutes of inactivity. Please only use it for connecting to other services within the College.

To be granted access to the jump host, please submit a SSH Jump Host Access service request. Note: you can request with a key or without. If you want to add/change your public key later, just submit another request. Though you can mail the public key, using the service is recommended for file integrity.

Hostname: jump.asc.ohio-state.edu

Contents

Authentication

Password

2fa login

Password authentication with your OSU credentials and Duo two-factor verification is supported. This will work in many cases, but key-based authentication is recommended for security and simplicity. Key-based authentication may also become necessary in some tunneling scenarios. If you're having trouble with your password-based session, try a key-based session.

Password authentication supports all of the Duo two-factor options, while key authentication only supports the "Duo Push" option. It will use your first push device by default.

The most basic form is...

ssh name.#@jump.asc.ohio-state.edu

...or, jump.asc.ohio-state.edu with the default port in PuTTY on Windows. The name.# and @ is optional – SSH applies the current username by default, so if you're logged in to a workstation with your OSU account, it is not necessary to add.

Then, use that login session to jump to another SSH service within the College. You can also use a password-authenticated session to forward connections, but for brevity the examples here will assume you are in a key-authenticated session.

Key-Pair

Creating a public key is optional.

Public-key cryptography is a complex subject, but here we will cover submission of a public key, creation of a public-private key-pair, basic key management, and key-based authentication to the jump host.

macOS & Linux

Creation

The ssh-keygen tool is used to create your public-private key pair. The keys are placed in ~/.ssh/. This process will create your private key, id_rsa, and the matching public key, id_rsa.pub. The keys use asymmetric cryptography, meaning that anyone with the public key can encrypt a message, but only the holder of the private key can decrypt it. Therefore, you may share your public key with anyone who wishes to verify your identity, but should never share your private key.

ssh-keygen -b 4096 -t rsa -C name.#@jump.asc.ohio-state.edu

This tells ssh-keygen to create a new key-pair using the RSA algorithm and 4096-bit key length. If your application is very high-bandwidth, it is acceptable to use a 2048-bit RSA key, or to use Ed25519 keys, though 4096-bit RSA is recommended as a compromise between speed, security, and compatibility.

The -C is an optional comment to help you and the jump host administrator remember who the key belongs to, and for what purpose.

If you do not have an RSA key already, accept the default file name; otherwise pick a name like id_rsa_jump. Enter a passphrase to encrypt your private key, so that it cannot be easily used if stolen. You can change the passphrase of your private key at any time by doing:

ssh-keygen -f ~/.ssh/id_rsa -p
Management

Frequent SSH users may want to load their decrypted private keys into memory while logged in to their workstation; otherwise, each new SSH session (or scp, sftp, etc) will require decrypting the key again. Something like:

ssh-add ~/.ssh/id_rsa

...will load your decrypted key into ssh-agent, which is used automatically by ssh. This can be automated for other programs, and tied to your workstation user account in various ways, which will not be covered here.

Authentication
ssh name.#@jump.asc.ohio-state.edu -p 2200

Key-based authentication is enabled for port 2200. The above command will initiate the session, and you should immediately receive a Duo Push two-factor prompt on your mobile device.

Windows

The PuTTY suite of programs is used for most SSH operations on Windows.

Creation

puttygen

PuTTYgen is a utility included with the PuTTY suite. Please enter a comment to help you and the jump host administrator remember who the key is from and what it's for. Enter a passphrase to encrypt the key, so it cannot be easily used if stolen. It is recommended to change the RSA bit length to 4096.

Important: Before closing the key generation window, copy and paste the public key from the screen above for submitting to ASCTech; it is difficult to get the proper format from PuTTY after saving and closing. (Avoid the "Save public key" button, as this creates a format that is not immediately uploadable to our system.)

Be sure to save both the public and private keys in a safe place. The public key can be submitted as-is, but the private key is in a format specific to PuTTY. To convert it to an OpenSSH (macOS & Linux) key, open PuTTYgen, and from the Actions section, select Load. Then, go to Conversions in the top menu, and select Export OpenSSH key. You can also use the Conversions menu to Import an OpenSSH key and save it in PuTTY format.

Management

The Pageant utility included with PuTTY will load your passphrase-protected private keys into memory, so you don't have to enter the passphrase every time you connect. Opening Pageant will put its icon in your system tray. Double-click the tray icon to open the Pageant Key List, and select Add Key to add a PuTTYgen .ppk file, decrypting it and storing it in memory for future SSH sessions. PuTTY will automatically use keys stored in Pageant during authentication.

Authentication

In PuTTY, enter jump.asc.ohio-state.edu as the host, using port 2200 for key-based authentication. PuTTY will automatically use keys loaded into Pageant, but you can also specify a private key in the New Session window by going to Connection > SSH > Auth and under Authentication parameters click Browse. After entering your username, you should immediately receive a Duo Push two-factor prompt on your mobile device.

Submission

If you already know what you're doing, or after you follow the steps below, you may submit only your public key using the  SSH Jump Host Access service request.

If the key is emailed as an attachment to any of our support email aliases it does not come through properly; it is also acceptable to copy-paste it into an email message.

Submission of the public key is required to use key authentication on the jump host.

The SSH key you use for the jump host should be separate from those you use for other services, as best-practice for security. (Key selection can be automated per-host – see IdentityFile.)

Interactive SSH

Now that we have established a basic connection to the jump host, we can see about making the "jump" to our destination a little easier.

macOS & Linux

ProxyCommand
ssh -o ProxyCommand='ssh name.#@jump.asc.ohio-state.edu -p 2200 -W %h:%p' name.#@[destination host]

...where name.# is optional if you are logged in to the current workstation with your OSU username, and [destination host] is the hostname of an ASC internal resource.

The -o initiates the ProxyCommand option, which executes arbitrary connection commands. Here, we proxy jump.asc, with the -W switch, to make our input and output at the destination transparent. %h and %p are tokens passed from the following "actual" host and port. The result is a nearly-transparent connection to the destination, aside from the Duo Push two-factor prompt.

ProxyCommand can be added to your ~/.ssh/config file as a host alias, e.g.:

host unity
  ProxyCommand ssh name.#@jump.asc.ohio-state.edu -p 2200 -W %h:%p
  Hostname unity.asc.ohio-state.edu

Then, ssh unity maps to the above command. Mastery of ssh_config can be used for many other such processes, including port forwarding and SOCKS proxy.

ProxyJump

In very recent versions of OpenSSH (>= v7.3), included in macOS 10.12, Ubuntu 16.10, Fedora 25, and others, jumping can be simplified somewhat by use of ProxyJump and the -J switch:

ssh -J name.#@jump.asc.ohio-state.edu:2200 name.#@unity.asc.ohio-state.edu

...completes the transparent jump as well. This also allows for easy chaining of jump hosts with comma-separation, if necessary.

Windows

PuTTY has the ability to transparently jump with the included plink.exe utility. To set this up, do the following:

  • With your jump host SSH key loaded into Pageant, open a PuTTY New Session window.
  • In the Session category, enter the Host Name and Port of the desired final destination.
  • Under the Connection category, select Data and enter the username of your final destination under Login details > Auto-login username
  • Under the Connection category, select Proxy, and under Proxy type select Local. (Do not worry about Proxy hostname or Port.)
  • On the same Proxy screen, delete any text under Telnet command, or local proxy command and enter the following:
plink.exe jump.asc.ohio-state.edu -P 2200 -l name.# -agent -nc %host:%port

...making sure to replace name.# with your OSU user name.

  • It is recommended to Save these settings in a new stored session under the Session category.

This should prompt you for your Duo Push, then log-in credentials at the destination, which can be further automated with a bit more plink.exe magic. For example if you're not using Pagent, you can replace the -agent with -i name_of_your_rsa_key.ppk.

Windows SSH from PowerShell or Command Window

The windows SSH command from PowerShell or CMD does work, but wants to use a deprecated MAC (type of encryption handshake).

We suggest using PuTTY, but you can connect with the built in SSH by specifing the MAC:

ssh -m hmac-sha2-512 name.#@jump.asc.ohio-state.edu

Port Forwarding (Tunneling)

Using port forwarding, also called tunneling, through the jump host, avoids the overhead of the VPN.

Many different protocols can be tunnelled though jump, we'll look at file transfer, Remote Desktop, and X Windows.

Remember, whether you use port 22 or 2200 depends on if you're using an SSH key or password. In both cases you must Duo.

Example: File Transfers: scp and rsync

Our efforts above will make file transfers through the jump host easy and transparent. Setting up SSH port forwarding for programs that do not respect SSH settings will also be covered.

macOS & Linux

Any settings we have in our ~/.ssh/config will be respected by scp and sftp. They also take the -o switch for ProxyCommand.

scp -o ProxyCommand='ssh name.#@jump.asc.ohio-state.edu -p 2200 -W %h:%p' [source_file] [destination_host]:[target_path]

Or an example with rsync:

rsync -ave "ssh -o ProxyCommand='ssh name.#@jump.asc.ohio-state.edu -p 2200 -W %h:%p'" [source_path] [destination_host]:[target_path]

Sometimes, though, we'll want to use a more friendly application. SSH supports forwarding ports, both directly, or through an intermediary, which is our current goal. SSH port forwarding can become complex, and in some cases break the security we're attempting to provide. Please use it only when needed.

On macOS, Cyberduck is a frequently used FTP program. However, Cyberduck does not have any way to respect SSH settings or use an SSH proxy. We can still tunnel our connection through the jump host with port forwarding. First, open Terminal and forward a local port:

ssh -L 9000:[destination_host]:22 name.#@jump.asc.ohio-state.edu -p 2200

This tells ssh to forward local port 9000 to destination port 22, which is what we'll use for SFTP. Again, this will respect settings in ~/.ssh/config.

cyberduck

In Cyberduck, we'll set the server to localhost and the port of our local forward, 9000. The username and password (or key file) are whatever you use at the final destination, and not the jump host. Cyberduck will transparently connect to your destination through the jump host. This can be used for many things, including WebDAV (forward to port 443).

Windows

The Windows SFTP/SCP/WebDAV client, WinSCP, is tightly integrated with PuTTY and natively supports SSH proxy jumping.

In WinSCP, enter the desired destination hostname and credentials. If you have your keys loaded in Pageant, WinSCP will automatically detect this for both the destination and jump host.

Click Advanced... and then select Connection > Tunnel.

winscp

Fill out the SSH tunnel parameters and click OK. The connection will now be transparently tunneled through the jump host for any protocol WinSCP supports.

Passing Windows Remote Desktop Through Jump

One common example of using a tunnel is going through jump to get to a Windows Remote Desktop server.

macOS

For Mac OS you will first need to make sure you have Microsoft Remote Desktop installed which is obtainable from Self Service on ASC Mac's.  You will also need to download the attached zip file called tunnelRDP-Mac.zip from this page which has two scripts in it and extract it somewhere that is convenient, I put mine in my home folder so I can cd into the directory easily when I open a terminal.

Leave the perl script alone but the bash script you should rename to include the host you want to remote into and then open the file in text edit (or any text editor) and change the username and host inside the script.  Alternatively you can type the following command making the necessary edits to the host and username:

perl tunnelrdp.pl -C -l name.#@jump.asc.ohio-state.edu rdp://name.#@HOST.asc.ohio-state.edu

You will then be prompted for you password which when you type it it won't appear.  You will also be prompted for duo as seen below:

Microsoft Remote Desktop will open after a successful login to the jump server and you will be asked to confirm the SSL Cert from the host.  Click continue but don't safe the certificate because if you want to connect to a new host, the saved cert will be for "localhost" and will think it is the incorrect host.  The confirmation window looks like this:

Then you'll be asked for your password on the localhost for the user you specified in the original command/script.

Finally you'll be in your remote host and the traffic will be over SSH into jump.asc.ohio-state.edu:

 

Linux

For Linux you can use SSH like a VPN by issuing the following command:

ssh -L 13389:HOST.asc.ohio-state.edu:3389 jump.asc.ohio-state.edu -l name.# -N

Then you can follow the promopts on Linux that look like the following:

You will see the cursor at the end of your terminal window which is holding the connection open.  This can be closed when you're finished by pressing ctrl + c.

You should now be able to RDP into a host using any Linux RDP sofware.  I use Remmina, but xfreerdp and rdesktop may be present on ASL (ASC Standard Linux) machines:

 

Windows

In PuTTY create a new session to jump.asc.ohio-state.edu, then in Connection -> SSH -> Tunnels, add the host you want to go to (replacing HOST) then click Add:

(Remember to save your session for later use.)

Once connected to jump on the PC open up Remote Desktop Connection and put in localhost:3401 for the destination:

You may not see the user name - if not you'll be asked for credentials when you connect.

If you get disconnected from jump, you can reopen and reconnect to the remote Windows host where you left off.

Windows - connection to another linux host with a tunnel via jump

This is a more esoteric example. Say you want to connect to the linux login server and at the same time do an RDP tunnel to a Windows machine.

Create a session to linux.asc.ohio-state.edu:

Then under Connection in the Proxy options, add:

plink.exe jump.asc.ohio-state.edu -L 3401:HOST.asc.ohio-state.edu:3389 -P 2200 -l name.# -i c:\Users\name.#\Documents\\rsa_jump.ppk -nc %host:%port

replacing HOST with the Windows host you want to go to, name.# with your username, and the private key path with the path to your pivate key. (Note, the \\ before the key file and do not change %host:%port !)

Here's a screenshot of the proxy screen:

Print Article

Related Articles (6)

Connecting to Linux Home and Group Directories: From on ASC's network, off network, and from Linux machines.
A basic guide for connecting to the ASC VPN using NetworkManager and OpenConnect on Linux.
DUO is OSU's two factor authentication service. It's also known as BuckeyePass.
Gateway.asc.ohio-state.edu allows Remote Desktop to OSU machines from off campus with Duo two factor authentication.

Related Services / Offerings (1)

Request access to ASC's SSH jump host.