Häufig gestellte Fragen

Most DESY computers cannot be reached from the outside world because the DESY firewall blocks all incoming connections. Instead, the host bastion.desy.de acts as a central login server for the internal DESY network.
You can connect to bastion from anywhere via SSH (and HTTP), and you can also use bastion as a proxy to reach other hosts within the DESY network.

How to use bastion as an ssh/scp/sftp proxy?
To reach, for example, the PAL cluster via bastion, insert the following lines into the ~/.ssh/config file on your local host (not on bastion itself):
Host pal.desy.de
   ProxyCommand ssh bastion.desy.de netcat -q 3 %h %p

If your username on the target host is different from your AFS account name, replace username with your AFS account name:
Host non-afs-host.desy.de
   ProxyCommand ssh username@bastion.desy.de netcat -q 3 %h %p

How to use Kerberos authentication?
First of all, you need to have the kinit(1) executable installed.
See the following examples to find the corresponding package for your distribution:
Ubuntu/Debian > krb5-user (or heimdal-clients)
RedHat/Fedora > krb5-workstation
SuSE > krb5-client
Now you can obtain a Kerberos ticket with the command:
$ kinit -A -f username@DESY.DE

Finally, make sure that your SSH client has the following options enabled for bastion:
Host bastion.desy.de
   GSSAPIAuthentication yes
   GSSAPIDelegateCredentials yes

Put those lines either in your personal ~/.ssh/config file or in the global /etc/ssh/ssh_config file. Now you can log in to bastion without typing your password, and you will automatically get an AFS token, too.

How to use public/private SSH key pairs?
Attention: It is not recommended to use SSH keys. Whenever possible, use Kerberos tickets instead (see the section “How to use Kerberos authentication?” above).

You have to do some preparations before you can use SSH keys stored in your AFS home directory:

1. Set the ACL of your ~/.ssh directory to “lookup” permissions for “desy-hosts”:
$ fs sa -dir ~/.ssh -acl system:administrators l
$ fs sa -dir ~/.ssh -acl desy-hosts l

The ACL of your ~/.ssh directory should now look like this:
$ fs la ~/.ssh
Access list for /afs/desy.de/user/u/username/.ssh is
Normal rights:
   system:administrators l
   desy-hosts l
   username rlidwka

2. Create a .public directory with “read” permissions for “desy-hosts” inside your ~/.ssh directory, and move your authorized_keys file into it:
$ mkdir ~/.ssh/.public
$ fs sa -dir ~/.ssh/.public -acl system:administrators rl
$ fs sa -dir ~/.ssh/.public -acl desy-hosts rl
$ mv ~/.ssh/authorized_keys ~/.ssh/.public

3. Link the file ~/.ssh/.public/authorized_keys back to your ~/.ssh directory:
$ ln -s ~/.ssh/.public/authorized_keys ~/.ssh

4. Make sure your home directory and your ~/.ssh directory are writable only for you:
$ chmod go-w ~ ~/.ssh

5. Keep in mind that you will neither receive a Kerberos ticket nor an AFS token when you use SSH key authentication.

How to avoid typing your password so often?
Insert the following lines into the ~/.ssh/config file on your local host (not on bastion itself):
Host *.desy.de
   ControlMaster auto
   ControlPath ~/.ssh/.control-%r@%h:%p

This will allow you to log in to the destination host without typing your password as long as the first connection stays open.

If you are working on a network home directory (like NFS), you have to use:
ControlPath ~/.ssh/.control-%l_%r@%h:%p

Unfortunately, this option is only available in OpenSSH version 4.4 or higher.

How to reach internal web servers?
Insert the following lines into the ~/.ssh/config file on your local host (not on bastion itself):
Host pal.desy.de
   ProxyCommand ssh username@bastion.desy.de netcat -q 3 %h %p
   DynamicForward localhost:2280

You can also use your desktop system or your workgroup server or something similar instead of pal (see also the section “How to use bastion as an ssh/scp/sftp proxy?” above).
Now create a configuration file called ~/.proxy.pac on your local host (not on bastion itself) with the following content:
function FindProxyForURL(url, host)
               if (dnsDomainIs(host, ".desy.de"))
                   return "SOCKS localhost:2280; DIRECT";
                   return "DIRECT";

Finally, configure your browser to use this file as an “automatic proxy configuration”. For Firefox, go to
“Edit > Preferences > Advanced > Network > Connection Settings”,
select “Automatic proxy configuration URL”, and enter:

Web servers within the DESY domain will now see your requests coming from the target host instead of your local host.

What about ...?
Just send a mail to bastion service and ask your question!