Skip to Knowledge Base content

Remote SSH Access to ASC Services (SSH Jump Host)

Overview

Remote access to College of Arts & Sciences services requires two-factor authentication. One method of achieving this is through the VPN. However, this requires using the Cisco AnyConnect software, and can at times have drawbacks, such as reduced throughput. Or, it may simply not be a convenient method for you.

The SSH jump host is the other option. SSH is a powerful tool with many options, but here we will cover setting up your connection to the jump host, basic SSH interactive use, and file transfer via SSH tunneling.

Neither the VPN nor jump host are suitable for automation of remote connections – if you have a specific need for this, please work with ASCTech personnel for solutions. Without a special exception, OSU requires all remote access to be verified via two-factor authentication. The two factor options for SSH are password and Duo, or SSH key and Duo.

The jump host itself should not be used as a remote workstation. Application use is extremely limited, and you will be disconnected after 5 minutes of inactivity. Please only use it for connecting to other services within the College.

To be granted access to the jump host, please submit a SSH Jump Host Access service request. Note: you can request with a key or without. If you want to add/change your public key later, just submit another request. Though you can mail the public key, using the service is recommended for file integrity.

Hostname: jump.asc.ohio-state.edu

Contents

Authentication

Password

2fa login

Password authentication with your OSU credentials and Duo two-factor verification is supported. This will work in many cases, but key-based authentication is recommended for security and simplicity. Key-based authentication may also become necessary in some tunneling scenarios. If you're having trouble with your password-based session, try a key-based session.

Password authentication supports all of the Duo two-factor options, while key authentication only supports the "Duo Push" option. It will use your first push device by default.

The most basic form is...

ssh [name.#]@jump.asc.ohio-state.edu

...or, jump.asc.ohio-state.edu with the default port in PuTTY on Windows. The [name.#] is optional – SSH applies the current username by default, so if you're logged in to a workstation with your OSU account, it is not necessary to add.

Then, use that login session to jump to another SSH service within the College. You can also use a password-authenticated session to forward connections, but for brevity the examples here will assume you are in a key-authenticated session.

Key-Pair

Public-key cryptography is a complex subject, but here we will cover submission of a public key, creation of a public-private key-pair, basic key management, and key-based authentication to the jump host.

Submission

If you already know what you're doing, or after you follow the steps below, you may submit only your public key using the  SSH Jump Host Access service request.

If the key is emailed as an attachment to any of our support email aliases it does not come through properly; it is also acceptable to copy-paste it into an email message.

Submission of the public key is required to use key authentication on the jump host.

The SSH key you use for the jump host should be separate from those you use for other services, as best-practice for security. (Key selection can be automated per-host – see IdentityFile.)

macOS & Linux

Creation

The ssh-keygen tool is used to create your public-private key pair. The keys are placed in ~/.ssh/. This process will create your private key, id_rsa, and the matching public key, id_rsa.pub. The keys use asymmetric cryptography, meaning that anyone with the public key can encrypt a message, but only the holder of the private key can decrypt it. Therefore, you may share your public key with anyone who wishes to verify your identity, but should never share your private key.

ssh-keygen -b 4096 -t rsa -C name.#@jump.asc.ohio-state.edu

This tells ssh-keygen to create a new key-pair using the RSA algorithm and 4096-bit key length. If your application is very high-bandwidth, it is acceptable to use a 2048-bit RSA key, or to use Ed25519 keys, though 4096-bit RSA is recommended as a compromise between speed, security, and compatibility.

The -C is an optional comment to help you and the jump host administrator remember who the key belongs to, and for what purpose.

If you do not have an RSA key already, accept the default file name; otherwise pick a name like id_rsa_jump. Enter a passphrase to encrypt your private key, so that it cannot be easily used if stolen. You can change the passphrase of your private key at any time by doing:

ssh-keygen -f ~/.ssh/id_rsa -p
Management

Frequent SSH users may want to load their decrypted private keys into memory while logged in to their workstation; otherwise, each new SSH session (or scp, sftp, etc) will require decrypting the key again. Something like:

ssh-add ~/.ssh/id_rsa

...will load your decrypted key into ssh-agent, which is used automatically by ssh. This can be automated for other programs, and tied to your workstation user account in various ways, which will not be covered here.

Authentication
ssh [name.#]@jump.asc.ohio-state.edu -p 2200

Key-based authentication is enabled for port 2200. The above command will initiate the session, and you should immediately receive a Duo Push two-factor prompt on your mobile device.

Windows

The PuTTY suite of programs is used for most SSH operations on Windows.

Creation

puttygen

PuTTYgen is a utility included with the PuTTY suite. Please enter a comment to help you and the jump host administrator remember who the key is from and what it's for. Enter a passphrase to encrypt the key, so it cannot be easily used if stolen. It is recommended to change the RSA bit length to 4096.

Important: Before closing the key generation window, copy and paste the public key from the screen above for submitting to ASCTech; it is difficult to get the proper format from PuTTY after saving and closing.

Be sure to save both the public and private keys in a safe place. The public key can be submitted as-is, but the private key is in a format specific to PuTTY. To convert it to an OpenSSH (macOS & Linux) key, open PuTTYgen, and from the Actions section, select Load. Then, go to Conversions in the top menu, and select Export OpenSSH key. You can also use the Conversions menu to Import an OpenSSH key and save it in PuTTY format.

Management

The Pageant utility included with PuTTY will load your passphrase-protected private keys into memory, so you don't have to enter the passphrase every time you connect. Opening Pageant will put its icon in your system tray. Double-click the tray icon to open the Pageant Key List, and select Add Key to add a PuTTYgen .ppk file, decrypting it and storing it in memory for future SSH sessions. PuTTY will automatically use keys stored in Pageant during authentication.

Authentication

In PuTTY, enter jump.asc.ohio-state.edu as the host, using port 2200 for key-based authentication. PuTTY will automatically use keys loaded into Pageant, but you can also specify a private key in the New Session window by going to Connection > SSH > Auth and under Authentication parameters click Browse. After entering your username, you should immediately receive a Duo Push two-factor prompt on your mobile device.

Interactive SSH

Now that we have established a basic connection to the jump host, we can see about making the "jump" to our destination a little easier.

macOS & Linux

ProxyCommand
ssh -o ProxyCommand='ssh jump.asc.ohio-state.edu -p 2200 -W %h:%p' [name.#]@[destination]

...where [name.#] is optional if you are logged in to the current workstation with your OSU username, and [destination] is the hostname of an ASC internal resource.

The -o initiates the ProxyCommand option, which executes arbitrary connection commands. Here, we proxy jump.asc, with the -W switch, to make our input and output at the destination transparent. %h and %p are tokens passed from the following "actual" host and port. The result is a nearly-transparent connection to the destination, aside from the Duo Push two-factor prompt.

ProxyCommand can be added to your ~/.ssh/config file as a host alias, e.g.:

host unity
  ProxyCommand ssh jump.asc.ohio-state.edu -p 2200 -W %h:%p
  Hostname unity.asc.ohio-state.edu

Then, ssh unity maps to the above command. Mastery of ssh_config can be used for many other such processes, including port forwarding and SOCKS proxy.

ProxyJump

In very recent versions of OpenSSH (>= v7.3), included in macOS 10.12, Ubuntu 16.10, Fedora 25, and others, jumping can be simplified somewhat by use of ProxyJump and the -J switch:

ssh -J jump.asc.ohio-state.edu:2200 unity.asc.ohio-state.edu

...completes the transparent jump as well. This also allows for easy chaining of jump hosts with comma-separation, if necessary.

Windows

PuTTY has the ability to transparently jump with the included plink.exe utility. To set this up, do the following:

  • With your jump host SSH key loaded into Pageant, open a PuTTY New Session window.
  • In the Session category, enter the Host Name and Port of the desired final destination.
  • Under the Connection category, select Data and enter the username of your final destination under Login details > Auto-login username
  • Under the Connection category, select Proxy, and under Proxy type select Local. (Do not worry about Proxy hostname or Port.)
  • On the same Proxy screen, delete any text under Telnet command, or local proxy command and enter the following:
plink.exe jump.asc.ohio-state.edu -P 2200 -l [name.#] -agent -nc %host:%port

...making sure to replace [name.#] with your OSU user name.

  • It is recommended to Save these settings in a new stored session under the Session category.

This should prompt you for your Duo Push, then log-in credentials at the destination, which can be further automated with a bit more plink.exe magic. For example if you're not using Pagent, you can replace the -agent with -i name_of_your_rsa_key.ppk.

File Transfer & Port Forwarding

Our efforts above will make file transfers through the jump host easy and transparent. Setting up SSH port forwarding for programs that do not respect SSH settings will also be covered.

macOS & Linux

Any settings we have in our ~/.ssh/config will be respected by scp and sftp. They also take the -o switch for ProxyCommand. Simple!

scp -o ProxyCommand='ssh jump.asc.ohio-state.edu -p 2200 -W %h:%p' [destination_host] [source_file]:[target_path]

Or an example with rsync:

rsync -ave "ssh -o ProxyCommand='ssh jump.asc.ohio-state.edu -p 2200 -W %h:%p'" [source_path] [destination_host]:[target_path]

Sometimes, though, we'll want to use a more friendly application. SSH supports forwarding ports, both directly, or through an intermediary, which is our current goal. SSH port forwarding can become complex, and in some cases break the security we're attempting to provide. Please use it only when needed.

On macOS, Cyberduck is a frequently used FTP program. However, Cyberduck does not have any way to respect SSH settings or use an SSH proxy. We can still tunnel our connection through the jump host with port forwarding. First, open Terminal and forward a local port:

ssh -L 9000:[destination_host]:22 jump.asc.ohio-state.edu -p 2200

This tells ssh to forward local port 9000 to destination port 22, which is what we'll use for SFTP. Again, this will respect settings in ~/.ssh/config.

cyberduck

In Cyberduck, we'll set the server to localhost and the port of our local forward, 9000. The username and password (or key file) are whatever you use at the final destination, and not the jump host. Cyberduck will transparently connect to your destination through the jump host. This can be used for many things, including WebDAV (forward to port 443).

Windows

The Windows SFTP/SCP/WebDAV client, WinSCP, is tightly integrated with PuTTY and natively supports SSH proxy jumping.

In WinSCP, enter the desired destination hostname and credentials. If you have your keys loaded in Pageant, WinSCP will automatically detect this for both the destination and jump host.

Click Advanced... and then select Connection > Tunnel.

winscp

Fill out the SSH tunnel parameters and click OK. The connection will now be transparently tunneled through the jump host for any protocol WinSCP supports.