SSH-Jumphost

Service: CIT operates a central SSH jumphost cluster. This offers the possibility to access University-internal systems via SSH from outside the university. Both IPv4 and IPv6 connections can be used.

Target Group: students, employees

Usage Costs: free of charge

Contact: Hotline

  • Manuals

    1. Preparation

    An SSH key pair must be generated to use the service. Requirements for the key are: Key type RSA with key length at least 3072 (better 4096) or key type Ed25519 or key type ECDSA with key length at least 256 (better 384 or 521). Not all types are supported by all software and hardware. We recommend ECDSA 384, alternatively RSA 4096.

    Open the terminal and enter the following command to create the key pair with the recommended settings.
    ssh-keygen -t ecdsa -b 384
    or
    ssh-keygen -t rsa -b 4096

    Confirm the suggested file location with Enter. Then, to protect your private key, be sure to choose a strong passphrase (not your university or network access password).

    © Uni MS IT

    2. Locate stored keys

    The generated files are located in the hidden .ssh folder inside your user folder. Depending on the key type, the files are called id_ecdsa, id_rsa or id_ed25519 (private key) and id_ecdsa.pub, id_rsa.pub or id_ed25519.pub (public key). If necessary, enable the display of hidden folders and files to make the folder visible.


    3. Upload the key

    The public part of the key just generated (the .pub file) must now be uploaded to the IT portal at https://sso.uni-muenster.de/IT-Portal/#. To do this, navigate to "Passwords and PINs" / "SSH Public Keys", click Browse and select the .pub file. If you have enabled two-factor authentication, you will also need to enter the 6-digit code that was just sent to you via SMS. Then press the button to store the public key.


    4.1 Check SSH status on the target system (administrators only)

    Check if the SSH service is currently running on your device. To do this, enter the following command:

    sudo systemctl status ssh       (Debian/Ubuntu)
    or
    sudo systemctl status sshd      (CentOS/RHEL/Fedora)

    The status output should report the service as active; otherwise start it with

    sudo systemctl start ssh.service    (Debian/Ubuntu)
    or
    sudo systemctl start sshd.service   (CentOS/RHEL/Fedora)

    and check the status of the service again with the first command.


    4.2 Enabling the SSH jump hosts in the firewall of the target system (administrators only)

    On the system that is to be reached via SSH, an exception rule in its firewall must allow TCP port 22 (the default SSH port) from the following two addresses of the SSH jump hosts, and the same addresses must be released in the network ACLs.

    • sshjump1.uni-muenster.de (128.176.11.120, 2001:4cf0:2:4020:250:56ff:feae:3904)
    • sshjump2.uni-muenster.de (128.176.11.121, 2001:4cf0:2:4020:250:56ff:feae:174b)


    5.1 Use SSH

    You can reach the target system either via the load balancer (sshjump.uni-muenster.de) or explicitly via one of the two addresses mentioned above. To do this, enter the following command and replace the placeholders:

    • account1 - account for which the public part of the key has been uploaded to the IT portal.
    • account2 - account for which the public part of the key is stored in the authorized_keys file on the target system.
    ssh -J account1@sshjump.uni-muenster.de
    account2@zielsystem


    5.2 Advanced use of SSH

    Many SSH implementations try all existing identity files, so different keys can be used for the jumphost and for the target system. However, the IP protocol version and the identity can also be specified explicitly.
    For an explicit identity, use the "-o IdentitiesOnly=yes" option and specify the associated file with "-i". You select the protocol version with "-4" for IPv4 or "-6" for IPv6.

    ssh [-o IdentitiesOnly=yes][-i identityFile]
    [-4|-6] -J account1@sshjump.uni-muenster.de
    [-4|-6] account2@zielsystem

    6. Data transfer (scp/sftp)

    Newer SSH versions:
    scp -J account1@sshjump.uni-muenster.de
    datei account2@zielsystem:datei

    sftp -J account1@sshjump.uni-muenster.de
    account2@zielsystem

    Older SSH versions:
    scp -o ProxyJump=account1@sshjump.uni-muenster.de
    datei account2@zielsystem:datei

    sftp -o ProxyJump=account1@sshjump.uni-muenster.de
    account2@zielsystem
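The command-line options from sections 5.1, 5.2 and 6 can be made permanent in ~/.ssh/config. The following entries are an added example and not part of the Uni MS IT manual; the key file names, the "zielsystem" alias and its HostName are assumptions to be replaced with your own values.

```sshconfig
# Added example, not from the Uni MS IT page.
# Jumphost entry: uses the key whose public part was uploaded to the IT portal.
Host sshjump sshjump.uni-muenster.de
    HostName sshjump.uni-muenster.de
    User account1
    IdentityFile ~/.ssh/id_ecdsa        # assumed: the ECDSA key from section 1
    IdentitiesOnly yes                  # offer only this key, not every key in ~/.ssh
    AddressFamily inet                  # same as "-4"; use "inet6" for "-6"

# Target entry: reached through the jumphost with the key that is listed in
# authorized_keys on the target system (a different key than for the jumphost).
Host zielsystem
    HostName zielsystem                 # placeholder; put the target's real host name here
    User account2
    ProxyJump sshjump                   # same as "-J account1@sshjump.uni-muenster.de"
    IdentityFile ~/.ssh/id_ed25519      # assumed: a second key used only for the target
    IdentitiesOnly yes
```

With these entries in place, "ssh zielsystem", "scp datei zielsystem:datei" and "sftp zielsystem" all go through the jumphost without further options; "ssh -G zielsystem" prints the options that would actually be used and is a quick way to check the entries before connecting.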