SSH-Access into PSI-LAN (NG)

To further improve the IT security of remote access, the existing SSH hop system (hop.psi.ch) will be replaced by a newer version in the course of 2024. The new version will result in some changes to the functionality and use of the system.

Please familiarize yourself with the changes BEFORE using the new system for the first time.

General information on use
 

The new system will be available exclusively as a tunneling system. This means that after successfully logging into the system

  • NO active, usable shell is available
  • the familiar commands "ssh", "kd" and "host" are no longer available, without replacement
  • it is not possible to hop onward via SSH, e.g. with [user@hop]$ ssh user@login.psi.ch

Note:

The obsolete SSH tunneling variant (example),

ssh -L 9999:localhost:9999 hopx.psi.ch ssh -L 9999:localhost:22 -N psi-internes-system.psi.ch

in which a local port is opened on hopx.psi.ch and a further "ssh" is started there, is also no longer supported, because there is no usable shell and no "ssh" command on the hop.

Only one active connection to hopx.psi.ch is possible per user, via which all other connections to the PSI LAN must be tunneled (keyword: ProxyJump, ProxyCommand, SSH multiplexing).

In most use cases, the use of the new hop system is based on the so-called SSH multiplexing. SSH connections are sent through an existing SSH connection (tunnel), which is more efficient and faster than separate connections.

Applied to the Hop system, this means

1. Establish an SSH connection to hopx.psi.ch and keep this connection open (important!!).

2. In another shell or terminal, establish a new SSH connection to an internal system through the connection to hopx.psi.ch from step no. 1. This can be repeated as often as required, i.e. several SSH connections can be sent through the SSH connection to hopx.psi.ch as long as it continues to exist.

Note: Step 1 and step 2 must be carried out separately and must not be combined in a single command!

********* Attention ****************

If the connection to hopx.psi.ch is terminated while the connection(s) to an internal system are still active/open, all other connections will also be terminated when the connection to hopx.psi.ch is terminated!!!

**********************************

The following figure shows the output after a successful login.

The output after the login contains the following important information:

  1. The IP address of the client which established the connection to hopx.psi.ch.
  2. The user name which is used for the connection.
  3. The NAT IP address, which will be used for the connections established by the user through hopx.psi.ch to systems within the PSI network.
  4. The date and time when the connection to hopx.psi.ch was started.
  5. The maximum date and time until which the connection to hopx.psi.ch can be held open. At this time (when the maximum session duration of 12 hours has expired) the connection to hopx.psi.ch is automatically terminated, and all connections to the PSI network going through hopx.psi.ch are disconnected as well.

The connection to hopx.psi.ch can be terminated with "ctrl-c". No further commands are available!

As already mentioned above, SSH multiplexing must be activated once on the client for this procedure (see below).

Behavior when establishing more than one connection

If a second connection to hopx.psi.ch is established using the same user name and the same source IP address, this connection is terminated after a successful authentication with a reference to the existing connection.

If a second connection to hopx.psi.ch is established using the same user name but a different source IP address than the existing connection, the user is given a choice after a successful authentication. They can actually establish the second connection, but then the first connection and all associated tunneled connections to the PSI network will be disconnected. Or they can terminate the second connection and continue working with the first one. The answer to the question must be 'Y', 'y', 'N' or 'n'.

Maximum session duration of 12 hours

The duration of the active connection to hopx.psi.ch is limited to a maximum of 12 hours, similar to VPN access. The maximum time until which the connection can remain active is displayed after a successful authentication (see above). In the same window, five minutes before the connection is terminated, a message is displayed indicating that the connection is about to be terminated.

********* Attention ****************

If the connection to hopx.psi.ch is terminated while the connection(s) to an internal system are still active/open, then all other connections will also be terminated when the connection to hopx.psi.ch is terminated!!!

*********************************

Note on the use of VS Code

The remote SSH plugin of VS Code tries to re-establish an interrupted SSH connection several times due to the default settings. If a user was connected to several systems remotely via SSH and the connections were interrupted, VS Code tries to re-establish each connection automatically. This behavior can lead to many failed login attempts on hopx.psi.ch and in extreme cases to an automated blocking of the user account or the client IP address.

To prevent this, the number of automated connection attempts in VS Code must be significantly reduced.

To do this, "Max Reconnection Attempts" must be set to 0:

Activate SSH multiplexing on Unix/Linux/macOS

If the file ~/.ssh/config does not yet exist, it must be created.

$ touch ~/.ssh/config
$ chmod 600 ~/.ssh/config
 

Then edit the file ~/.ssh/config with any editor and add the following content:

$ cat ~/.ssh/config
Host *.psi.ch
    ControlMaster auto
    ControlPath ~/.ssh/tmp/%h_%p_%r
 

Then the directory for the "ControlPath" must be created (also only once):

$ mkdir ~/.ssh/tmp
$ chmod 700 ~/.ssh/tmp
 

The system is now ready for the use of SSH multiplexing.

Further interesting information about SSH multiplexing can be found here:

https://www.cyberciti.biz/faq/linux-unix-reuse-openssh-connection/

SSH connections to PSI internal systems with Unix/Linux/macOS

Once SSH multiplexing has been set up, SSH connections can be established via Hopx to systems within the PSI network. This requires at least two steps:

  1. Establish an SSH connection to hopx.psi.ch and leave it open
  2. Establish an SSH connection to the internal system via hopx.psi.ch in a new terminal

Step no. 1 Establish SSH connection to hopx.psi.ch. Step no. 2 Establish SSH connection to PSI internal system(s)

Example:

Step no. 1:

$ ssh <user>@hopx.psi.ch

It is then recommended to open a new terminal and start the SSH connection for step no. 2.

Step no. 2:

$ ssh -J <user>@hopx.psi.ch <user>@internes-system.psi.ch

The option "-J <user>@hopx.psi.ch" informs the SSH client that the connection to the server "internes-system.psi.ch" should be established via the existing connection from step no. 1 to hopx.psi.ch. This only works if

  • SSH multiplexing has been set up as described above!
  • the host name of Hopx is specified in the -J option exactly as in step no. 1, i.e. hopx.psi.ch

Note: Step 1 and step 2 must be carried out separately and must not be combined in a single command!

As long as the connection from step no. 1 to hopx.psi.ch is open, any other connections to the same or other internal systems can be established. For example with

Step no. 3, 4....

$ ssh -J <user>@hopx.psi.ch <user>@weiteres-internes-system.psi.ch

 

SSH connections to PSI internal systems with Unix/Linux/macOS with simultaneous port forwarding via the internal system (example RDP to winterm4.psi.ch)

The SSH connection to an internal system described above can be extended by one or more port forwardings. A local port is opened on the client system for this purpose. Connections to this port are sent through the SSH tunnel to the internal system and then on to the actual target system. Three steps are required for this:

  1. Establish an SSH connection to hopx.psi.ch and leave it open
  2. Establish SSH connection via hopx.psi.ch to the internal system, with port forwarding
  3. Use of port forwarding

Step no. 1 Establish SSH connection to hopx.psi.ch. Step no. 2 Establish SSH connection to PSI-internal system. Step no. 3 Use port forwarding.

Example:

Step no. 1:

$ ssh <user>@hopx.psi.ch

It is then recommended to open a new terminal and start the SSH connection for step no. 2.

Step no. 2:

$ ssh -L 8888:winterm4.psi.ch:3389 -J <user>@hopx.psi.ch <user>@internes-system.psi.ch

With the option "-L 8888:winterm4.psi.ch:3389", port 8888 is opened locally on the SSH client system. Connections to this port travel through the tunnel to internes-system.psi.ch and are forwarded from there to port 3389 (RDP) of winterm4.psi.ch.

Note: Step 1 and step 2 must be carried out separately and must not be combined in a single command!

Step no. 3

If you then start the RDP client and connect with "localhost:8888" or "127.0.0.1:8888", you will reach the login prompt of winterm4.psi.ch.

If further port forwarding is required, this can be specified when connecting from step no. 2. The "-L" option can be specified multiple times, e.g.:

$ ssh -L 8888:winterm4.psi.ch:3389 -L 5900:vnc-int.psi.ch:5900 -J <user>@hopx.psi.ch <user>@internes-system.psi.ch

In this example, the local port 5900 is also forwarded to port 5900 of the vnc-int.psi.ch system.

 

SSH connections to PSI internal systems Unix/Linux/macOS through another internal gateway system with simultaneous port forwarding via the internal system

The examples above can be extended by another "jump system", e.g. another internal SSH gateway. This means that the connection from the external SSH client to the target system, the internal SSH server, is established via hopx.psi.ch and another SSH gateway. Four steps are required for this:

  1. Establish an SSH connection to hopx.psi.ch and leave it open
  2. Establish SSH connection via hopx.psi.ch and the internal SSH gateway to the internal system, with port forwarding
  3. Hop through the internal SSH gateway (performed together with step no. 2 in a single command)
  4. Use port forwarding

Step no. 1 Establish SSH connection to hopx.psi.ch. Step no. 2 + 3 Establish SSH connection to PSI-internal system via (hopx + Gateway). Step no. 4 Use port forwarding.

Example:

Step no. 1:

$ ssh <user>@hopx.psi.ch

Then it is recommended to open a new terminal and start the SSH connection from step no. 2.

Step no. 2 + 3:

$ ssh -L 8888:rdp.psi.ch:3389 -L 5900:vnc.psi.ch:5900 -J <user>@hopx.psi.ch,<user>@int-ssh-gateway.psi.ch <user>@internes-system.psi.ch

Authentication is first performed on the "int-ssh-gateway.psi.ch" system and then on the "internes-system.psi.ch" system. The local port forwardings of the SSH client terminate on the "internes-system.psi.ch" system; from there the connections are forwarded to the target systems (rdp.psi.ch and vnc.psi.ch).

Note: Step 1 and step 2 must be carried out separately and must not be combined in a single command!

Step no. 4

If you then start the RDP client and connect with "localhost:8888" or "127.0.0.1:8888" you will reach the login prompt of rdp.psi.ch.

SSH port forwarding via hopx.psi.ch with Unix/Linux/macOS

The examples above each use hopx.psi.ch as the gateway system (-J), and the port forwarding takes place via a system in the internal PSI network. In general, however, one or more ports can also be forwarded via hopx.psi.ch alone, without the involvement of an internal system. The reasons for this can be, for example:

  • the user has no rights to log on to an internal system via SSH
  • the user has not set up multiplexing on their client system or generally does not want to set it up.
  • the user only wants quick access to an internal system without establishing two SSH connections (one to hopx.psi.ch and one to an internal system)

In these cases, only one SSH connection to hopx.psi.ch is required.

Step 1 Establish an SSH connection to hopx.psi.ch and activate port forwarding. Step no. 2 Use port forwarding.

Example

$ ssh -L 8000:winterm4.psi.ch:3389 <user>@hopx.psi.ch

tunnels, for example, the local port 8000 to port 3389 (RDP) of the terminal server winterm4.psi.ch

or in the case of multiple port forwarding

$ ssh -L 8000:winterm4.psi.ch:3389 -L 8445:fileserver.psi.ch:445 <user>@hopx.psi.ch

the local port 8445 is also tunneled to port 445 of fileserver.psi.ch, via which a data transfer can then be carried out.

 

SSH and the use of the config file

The commands shown above are certainly good for quick access. However, if you want to use the same port forwarding regularly and often, using the config file is a considerable relief.

The file has already been edited to activate SSH multiplexing (see above). It can be found in the .ssh directory in the home directory of the respective user.

Note:

When using the example config file described below, please delete the line

Host *.psi.ch

which was inserted during the activation of SSH multiplexing.

 

The new content of the config file could then look like this:

$ cat ~/.ssh/config

ControlMaster auto
ControlPath ~/.ssh/tmp/%h_%p_%r
ForwardAgent yes
ForwardX11 yes
ForwardX11Trusted yes

host hopx.psi.ch psi-outside-ssh-gw
    hostname hopx.psi.ch

host internes-system.psi.ch
    hostname internes-system.psi.ch
    DynamicForward 9000
    LocalForward 8389 winterm4.psi.ch:3389
    LocalForward 8445 fileserver.psi.ch:445

# for use with macOS
match host *.psi.ch !host hop*.psi.ch !exec "ifconfig -a inet | grep -q -E 'inet 129\.129\.'"
    ProxyJump psi-outside-ssh-gw

# for use with Linux
#match host *.psi.ch !host hop*.psi.ch !exec "ip -o -4 a | grep -v -E 'lo *inet' | grep -q -E 'inet 129\.129\.'"
#    ProxyJump psi-outside-ssh-gw

 

Again, two connections must be established:

  1. Establish an SSH connection to hopx.psi.ch and leave it open
  2. Establish an SSH connection to internes-system.psi.ch and leave it open

With the SSH connection to "internes-system.psi.ch", three local ports are opened on the SSH client: port 9000 for dynamic forwarding/SOCKS proxy (see below), port 8389 to winterm4.psi.ch and port 8445 to fileserver.psi.ch. Note that ForwardAgent, ForwardX11 and ForwardX11Trusted at the top of this file apply to every host you connect to; if agent or trusted X11 forwarding is only needed on some systems, move those lines into the corresponding host block.

 

Prerequisites

In order to be able to use the new Hopx system to its full extent with Putty, it is recommended to use at least version 0.78 of Putty. From this version onwards, the so-called "Connection Sharing", which corresponds to the SSH multiplexing described above, is supported.

Note:

With Putty versions lower than 0.78, the new Hopx system can only be used for port forwarding via hopx.psi.ch itself. SSH connections to internal systems via an existing connection to hopx.psi.ch are not possible with a Putty version lower than 0.78!

Preparing Putty for the use of hopx.psi.ch

<This step is not necessary if you just want to use SSH port forwarding via hopx.psi.ch with Putty>

Putty must first be prepared for use with hopx.psi.ch so that the configurations described below work.

The first step is to create a connection profile for hopx.psi.ch.

In the "Category" column on the left, select the "Session" entry at the top and fill in the "Host Name (or IP address)" field on the right

<user>@hopx.psi.ch

(please replace <user> with the actual user name)

Enter a name for this profile in the "Saved Session" field, in this case "hopx.psi.ch" (do not click on Save yet).

Then select the "Connection -> SSH" entry in the "Category" column on the left and check the "Share SSH connections if possible" box under "Sharing an SSH connection between PuTTY tools".

The settings must now be saved. In the "Category" column on the left, select the "Session" entry at the top and click "Save" on the right.

The basic configuration for the connection to hopx.psi.ch is now created and ready for operation.

SSH connections to PSI internal systems with Windows + Putty with simultaneous port forwarding via the internal system (example RDP to winterm4.psi.ch)

Similar to Unix, Putty can be used to establish SSH connections via Hopx to systems within the PSI network. Port forwarding is not absolutely necessary for this, but is also explained in this example. If port forwarding is not required, the corresponding configuration can be omitted.

The following steps are required for an SSH connection via hopx.psi.ch with Putty

  1. Establish an SSH connection to hopx.psi.ch with Putty and leave it open (see above for configuration)
  2. Establish a new SSH connection to the internal system via hopx.psi.ch using Putty
  3. Use port forwarding
Step no. 1 Establish SSH connection to hopx.psi.ch. Step no. 2 Establish SSH connection to PSI-internal system. Step no. 3 Use port forwarding.

The preparation for the connection to hopx.psi.ch has already been completed with the configuration above. To connect to the internal system (e.g. login.psi.ch), proceed as follows:

In the "Category" column on the left, select the "Session" entry at the top and fill in the "Host name (or IP address)" field on the right

<user>@login.psi.ch

(please replace <user> with the actual user name)

Enter a name for this profile in the "Saved Session" field, in this case "login-via-hopx" (do not click on Save yet).

To connect to login.psi.ch via hopx.psi.ch, the "Proxy" entry must be selected in the "Category" column on the left. In the right part of the Putty window, "Proxy type" must be set to "SSH to proxy and use port forwarding". "hopx.psi.ch" must be entered in the "Proxy hostname" field and "22" must be entered in the "Port" field.

The setting "Do DNS name lookup at proxy end" must be changed from "Auto" to "Yes".

Then select the "Category SSH -> Tunnels" in the left-hand column. Then enter the local port "9000", for example, in the "Source port" field and leave the "Destination" field empty. The type is set to "Dynamic" (for dynamic tunneling, see below) and then click "Add".

Then enter the local port "8389" in the "Source port" field, for example, and the destination server and the corresponding port "winterm4.psi.ch:3389" in the "Destination" field. The type is set to "Local" and then click "Add". With this setting, RDP connections to the local port 8389 are routed to winterm4.psi.ch port 3389.

After the tunnel configuration is complete, it will look like this

Then go back to "Category -> Session" and save the settings by clicking on "Save".

The three steps mentioned above can then be applied.
 

Step no. 1, establish SSH connection to hopx.psi.ch and leave it open

Select the saved connection "hopx.psi.ch", click on "Load" and then on "Open". As soon as the connection to hopx.psi.ch is established and after a successful authentication, step no. 2 follows.
 

Step no. 2, establish SSH connection via hopx.psi.ch to the internal system (login.psi.ch), with port forwarding

Call Putty again and select the saved connection "login-via-hopx", click on "Load" and then on "Open". As soon as the connection to login.psi.ch is established, step no. 3 follows
 

Step no. 3, using port forwarding

If you then start the RDP client and connect with "localhost:8389" or "127.0.0.1:8389", you will reach the login prompt of winterm4.psi.ch.

SSH port forwarding via hopx.psi.ch with Windows + Putty

The example above uses hopx.psi.ch as the gateway system and the port forwarding takes place via a system in the internal PSI network. In general, however, one or more ports can also be forwarded via hopx.psi.ch alone, without the involvement of an internal system. The reasons for this can be, for example

  • the user has no rights to log on to an internal system via SSH
  • the user has not set up "Connection Sharing" on their client system in Putty or generally does not want to set it up.
  • the user has installed a Putty version lower than 0.78 on their client system. An installation of version 0.78 or higher is not possible or desired.
  • The user only wants quick access to an internal system without establishing two SSH connections (one to hopx.psi.ch and one to an internal system).

In these cases, only one SSH connection to hopx.psi.ch is required in order to subsequently use port forwarding.

Step 1 Establish an SSH connection to hopx.psi.ch and activate port forwarding. Step no. 2 Use port forwarding.

Proceed as follows for the configuration.

Start Putty and select the top entry "Session" in the "Category" column on the left, fill in the "Host Name (or IP address)" field on the right

<user>@hopx.psi.ch

(please replace <user> with the actual user name)

Enter a name for this profile in the "Saved Session" field, in this case "hopx.psi.ch" (do not click on Save yet).

Then select the "Category SSH -> Tunnels" in the left-hand column. Then enter the local port "9000", for example, in the "Source port" field and leave the "Destination" field empty. The type is set to "Dynamic" (for dynamic tunneling, see below) and then click on "Add".

Then enter the local port "8389" in the "Source port" field, for example, and the destination server and the corresponding port "winterm4.psi.ch:3389" in the "Destination" field. The type is set to "Local" and then click "Add". This setting directs RDP connections to the local port 8389 to winterm4.psi.ch port 3389.

After the tunnel configuration is complete, it will look like this.

Then jump back to "Category -> Session" and save the settings by clicking on "Save"

The following steps are then required for use

Step no. 1, establish an SSH connection to hopx.psi.ch and leave it open

Select the saved connection "hopx.psi.ch", click on "Load" and then on "Open". As soon as the connection to hopx.psi.ch is established after a successful authentication, step no. 2 follows.

Step no. 2, using port forwarding

If you then start the RDP client and connect with "localhost:8389" or "127.0.0.1:8389" you will reach the login prompt of winterm4.psi.ch.

With dynamic tunneling, hopx.psi.ch or a system in the internal PSI network is used as a SOCKS5 proxy. This allows, for example, several different internal web servers/websites to be contacted without having to set up a separate tunnel or port forwarding to each one.

Dynamic tunneling with Unix/Linux/macOS

To open a port for dynamic tunneling locally on the system, you can specify the command line option "-D" using Unix/Linux/macOS.

Tunneling directly via hopx.psi.ch

$ ssh -D 9000 <user>@hopx.psi.ch

...opens port 9000 locally on the client system. Connections to this port are sent via the SSH connection to hopx.psi.ch and from there to the internal server.

Tunneling via an internal system in the PSI network (Attention: there must already be an SSH connection to hopx.psi.ch!)

$ ssh -D 9000 -J <user>@hopx.psi.ch <user>@internes-system.psi.ch

...opens port 9000 locally on the client system. Connections to this port are sent through the SSH tunnel to "internes-system.psi.ch" and from there to the internal server.

The "-L" option described above for port forwarding of RDP connections, for example, can be used at the same time as the "-D" option, e.g.:

$ ssh -D 9000 -L 8888:winterm4.psi.ch:3389 -J <user>@hopx.psi.ch <user>@internes-system.psi.ch

(An SSH connection to hopx.psi.ch must already exist in this case too!)
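As an added example (not a PSI tool and not from the original page), the following POSIX shell script wraps the Unix/Linux/macOS procedure from the sections above: it checks the one-time multiplexing setup, applies the same 129.129.x.x test as the Linux match rule of the config file, refuses step no. 2 if no step-no.-1 connection to hopx.psi.ch is open, and builds the ssh -J command line with -L, -D and an optional second gateway. The script name, the L:/D:/J: spec syntax, the PSI_SSH_RUN variable and the user name alice are assumptions; hosts, ports and the 129.129 test are taken from the page.

```shell
#!/bin/sh
# psi-ssh.sh: wrapper around the two-step hopx.psi.ch procedure (added example,
# not a PSI tool). Assumed rather than taken from the page: the script name, the
# L:/D:/J: spec syntax, the PSI_SSH_RUN guard and the default config path.

HOPX_HOST="hopx.psi.ch"
SSH_CONFIG="${SSH_CONFIG:-$HOME/.ssh/config}"

# One-time multiplexing setup check: ControlMaster auto, a ControlPath and an
# existing ControlPath directory. Prints "ok", or the first problem found.
mux_setup_ok() {
    cfg="${1:-$SSH_CONFIG}"
    [ -f "$cfg" ] || { echo "missing $cfg"; return 1; }
    grep -q -i -E '^[[:space:]]*ControlMaster[[:space:]]+auto' "$cfg" \
        || { echo "ControlMaster auto not set in $cfg"; return 1; }
    path=$(awk 'tolower($1)=="controlpath" {print $2; exit}' "$cfg")
    [ -n "$path" ] || { echo "ControlPath not set in $cfg"; return 1; }
    dir=$(dirname "$path")
    case "$dir" in "~"/*) dir="$HOME${dir#\~}" ;; esac   # expand a leading ~
    [ -d "$dir" ] || { echo "ControlPath directory $dir missing (mkdir + chmod 700)"; return 1; }
    echo "ok"
}

# Same test as the Linux "match ... !exec" rule of the config file: does the
# client already hold a 129.129.x.x address? Reads "ip -o -4 a" output on stdin.
inside_psi_lan() {
    grep -v -E 'lo *inet' | grep -q -E 'inet 129\.129\.'
}

# Build the step-2 command line. $1 = user, $2 = target host, further args:
#   L:<lport>:<host>:<rport>   local forward (-L)
#   D:<lport>                  dynamic forward / SOCKS (-D)
#   J:<internal-gateway>       additional hop after hopx.psi.ch
build_jump_cmd() {
    user="$1"; target="$2"; shift 2
    fwd=""; jump="${user}@${HOPX_HOST}"
    for spec in "$@"; do
        case "$spec" in
            L:*) fwd="$fwd -L ${spec#L:}" ;;
            D:*) fwd="$fwd -D ${spec#D:}" ;;
            J:*) jump="$jump,${user}@${spec#J:}" ;;
            *)   echo "bad forward spec: $spec" >&2; return 1 ;;
        esac
    done
    echo "ssh$fwd -J $jump ${user}@${target}"
}

# Is the step-1 master connection to hopx.psi.ch still open? "ssh -O check" only
# talks to the local ControlMaster socket, so it never opens a second login on hopx.
master_alive() {
    ssh -O check "${1}@${HOPX_HOST}" >/dev/null 2>&1
}

psi_ssh() {
    user="$1"; target="$2"; shift 2
    if ip -o -4 a 2>/dev/null | inside_psi_lan; then
        echo "client is already inside the PSI LAN, connecting directly" >&2
        exec ssh "${user}@${target}"
    fi
    msg=$(mux_setup_ok) || { echo "multiplexing setup problem: $msg" >&2; exit 1; }
    if ! master_alive "$user"; then
        echo "no open connection to ${HOPX_HOST}; run 'ssh ${user}@${HOPX_HOST}' in another terminal first (step 1)" >&2
        exit 1
    fi
    cmd=$(build_jump_cmd "$user" "$target" "$@") || exit 1
    echo "+ $cmd" >&2
    exec $cmd   # word splitting intended: hosts and ports contain no spaces
}

# Only run when invoked as a script, e.g.:
#   PSI_SSH_RUN=1 ./psi-ssh.sh alice internes-system.psi.ch L:8888:winterm4.psi.ch:3389 D:9000
if [ "${PSI_SSH_RUN:-0}" = "1" ]; then psi_ssh "$@"; fi
```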

Use with the SSH config file

If you use the SSH config file, you can also make the corresponding entry with "DynamicForward 9000".

Example, excerpt from the config file (see above)

host internes-system.psi.ch
    hostname internes-system.psi.ch
    DynamicForward 9000
    LocalForward 8389 winterm4.psi.ch:3389
    LocalForward 8445 fileserver.psi.ch:445

If the port for dynamic tunneling has been opened on the local client system, it can be used with the browser. This is described below.

Dynamic tunneling with Windows + Putty

How to prepare for dynamic tunneling within Putty has already been described above in the sections

"SSH connections to PSI internal systems with Windows + Putty with simultaneous port forwarding via the internal system (example RDP to winterm4.psi.ch)"

"SSH port forwarding via hopx.psi.ch with Windows + Putty"

They describe how to add the local port 9000 as a "Dynamic" forwarded port in the tunnel configuration.

It is important for the user to differentiate at which connection with Putty the local port 9000 is opened for forwarding. Either during the connection to hopx.psi.ch or just during the second connection via hopx to an internal system in the PSI network.

Use of dynamic tunneling

Once an SSH connection has been established with Unix/Linux/macOS or Putty to hopx.psi.ch or a system in the internal PSI network and port 9000 is available locally (see above for instructions), it can be used with a browser.

In the proxy settings of the Firefox browser (Settings -> General -> Network), for example, enter "localhost" as the SOCKS Host and "9000" as the Port.

Instead of "localhost" you can also enter "127.0.0.1".

In the No Proxy for: field, you should also enter all domain/host names, IP addresses/ranges that are to be called up directly, i.e. without the detour via hopx.psi.ch or the internal system, e.g. localhost, 127.0.0.1, .ethz.ch, .com.

The option "Proxy DNS when using SOCKS v5" must be activated with a tick. The settings must be confirmed by clicking on "OK".

Note:

PSI employees can only access PSI internal websites, www.psi.ch and intranet.psi.ch via hopx.psi.ch. Access to ServiceNOW should also work. Other PSI-owned but externally hosted sites can be enabled if required. Connections to non-PSI, external websites will not be forwarded! If you need unrestricted access to PSI's own websites (as if a system is used on site at PSI), we recommend dynamic tunneling via a PSI-internal system in the PSI network and NOT directly via hopx.psi.ch.

Note for macOS users

If you want to access internal websites using the Safari browser, you must activate the use of the Socks proxy via the network properties. To do this, go to System Preferences -> Network -> the network connection used (Ethernet or WiFi) -> Details -> (left) Proxies and then activate SOCKS proxy in the right-hand field. Then enter "127.0.0.1" in the Server field and "9000" in the Port field. The proxy exceptions are entered at the bottom of the list. Then confirm with "OK".

Attention:

The settings are globally valid for all applications on the Mac system that use the network properties. This includes, for example, the Mail and Calendar applications. This means that all network connections of these applications are then also made via the socks proxy. This then leads to connection problems if servers outside the PSI are contacted. To avoid this, the servers must be excluded from proxy use by making an entry in the "Bypass proxy settings for these hosts & domains:" field.