Informatics SSH Server
With the “Secure Shell” (SSH) access protocol you get secure terminal access to services of the Informatics IT group, e.g.
- Access to your personal data,
- Execution of (small) Linux/Unix scripts and programs,
- Login to other Unix computers that are not accessible from outside,
- Redirection of graphic output using the X protocol (if bandwidth is sufficient),
- Tunneling into the Informatics network with sshuttle
For all this you can use the department's SSH server rzssh1.informatik.uni-hamburg.de.
The SSH protocol does not support certificate authorities and thus does not support the DFN-CA of the university, but uses self-generated private/public key pairs. You can check the authenticity using the currently valid hostkey (ECDSA) fingerprint of the server:
SHA256:mMfqLOIIj4spGkmKC3gvYpXqRI3/K8waCYGBqXGfZGk
If your SSH connection uses the hostkey algorithm ED25519, then the server's fingerprint is:
SHA256:da+2PJib3dWUM8WeLIU9DMtllI1yGoIPP4yAZiG+OXo
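The fingerprint check can also be scripted. The following is an added example, not part of the original page: it recomputes the SHA256 fingerprint of a host key given as one line in `ssh-keyscan` output format (`host keytype base64key`) and compares it with the two fingerprints above. The function names and the sample key are constructed for illustration; the sample key is not the server's real key, so it is reported as a mismatch.

```python
import base64
import hashlib
import struct

# Fingerprints published on this page for rzssh1.informatik.uni-hamburg.de.
PINNED = {
    "ecdsa": "SHA256:mMfqLOIIj4spGkmKC3gvYpXqRI3/K8waCYGBqXGfZGk",
    "ed25519": "SHA256:da+2PJib3dWUM8WeLIU9DMtllI1yGoIPP4yAZiG+OXo",
}

def algorithm(key_type):
    """Map an SSH key type name to the algorithm label used in PINNED."""
    if key_type.startswith("ecdsa-sha2-"):
        return "ecdsa"
    if key_type == "ssh-ed25519":
        return "ed25519"
    return None

def fingerprint(blob):
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_host_key(line, pins=PINNED):
    """Check one 'host keytype base64' line: 'match', 'mismatch' or 'unpinned'."""
    _host, key_type, key_b64 = line.split()[:3]
    blob = base64.b64decode(key_b64, validate=True)
    # The blob starts with its own length-prefixed type name; it must agree
    # with the type declared in the text line.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len].decode("ascii", "replace") != key_type:
        raise ValueError("key type in line does not match key blob")
    pin = pins.get(algorithm(key_type))
    if pin is None:
        return "unpinned"
    return "match" if fingerprint(blob) == pin else "mismatch"

def ssh_string(data):
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(data)) + data

# Constructed sample key (NOT the server's real key): an ed25519-shaped blob.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_LINE = ("rzssh1.informatik.uni-hamburg.de ssh-ed25519 "
               + base64.b64encode(SAMPLE_BLOB).decode())

if __name__ == "__main__":
    print(fingerprint(SAMPLE_BLOB), check_host_key(SAMPLE_LINE))
```

A "mismatch" result for a key offered under the server's name means the key must not be accepted until the discrepancy is explained.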
Using SSH
On Linux computers you invoke the program ssh directly in a terminal window.
On Macs, invoke ssh in Programs → Utilities → Terminal.
Specify your Informatics user ID (e.g. 0user) as follows:
ssh -l 0user rzssh1.informatik.uni-hamburg.de
or
ssh 0user@rzssh1.informatik.uni-hamburg.de
On Windows computers you can install and use the terminal program PuTTY. Here, too, you have to specify your user ID (e.g. 0user) and the server name rzssh1.informatik.uni-hamburg.de.
Authentication
There are three ways to authenticate yourself with your user ID when using an SSH connection:
- Authentication with password
  This is the easiest case. When the SSH server rzssh1 asks you for the password to your Informatics user ID, just enter it.
  Technically: this gives you access to the computer. In addition, a so-called “Kerberos ticket” is generated from your ID and your password, with which you gain access to your home directory on one of the Informatics file servers, i.e. to your user data.
- Authentication with Kerberos ticket
  When you have logged on to the department network with your Informatics user ID, e.g. on your office PC or in the Informatics computer pool, you automatically received a Kerberos ticket to access your home directory. If you then use SSH to log on from your current computer to a departmental server configured for this (e.g. ccblade*, rzgpu*), your existing Kerberos ticket is automatically used for authentication on this server; you are no longer asked for your password but are given direct access.
- Authentication with personal SSH key
  In addition to private/public key pairs for server authentication, SSH can also use personal private/public key pairs for user authentication. But this usually does not work for our network setup because of a chicken-and-egg problem:
  If you generate a personal SSH key pair with ssh-keygen, you have the private key on your own PC/notebook, and you have to store the public key on the target computer, i.e. in your Informatics home directory. When you log on to rzssh1, the SSH server wants to check if these two keys match and has to read the public key in your home directory.
  However, your home directory, residing on one of the Informatics file servers, isn't accessible for you yet, unless a Kerberos ticket generated from your password exists, e.g. from a parallel or earlier login. Therefore authentication with your personal SSH key fails and you will be asked for your password. Only after that will your Kerberos ticket be generated and your home directory be accessible.