SSH proxy jump: Difference between revisions

From XPUB & Lens-Based wiki
(Created page with "As the collective sandbox servers are hosted from the school, they use a hidden VPN network to connect to the internet, famously known as the HUB. To be able to SSH to a sandbox server from outside of the school, you can use a SSH proxy jump. The SSH proxy jump will make a connection to the sandbox through XPUB's XVM server. ==Using a SSH proxy jump to access a sandbox server== Download the jump key files from Zulip and save them to the <code>~/.ssh/</code> on...")
 
 
(15 intermediate revisions by 2 users not shown)
Line 1: Line 1:
[[File:Manetta proxy jump.jpg|thumb|800px|center]]
As the collective sandbox servers are hosted from the school, they use a hidden VPN network to connect to the internet, famously known as the [[HUB]].  
As the collective sandbox servers are hosted from the school, they use a hidden VPN network to connect to the internet, famously known as the [[HUB]].  


Line 5: Line 8:
The SSH proxy jump will make a connection to the sandbox through XPUB's XVM server.
The SSH proxy jump will make a connection to the sandbox through XPUB's XVM server.


==Using a SSH proxy jump to access a sandbox server==
==First make and upload a SSH key for your sandbox user==
 
You can follow the instructions on this page: [[SSH]]
 
These steps need to be done on your own computer.
 
==Configure the SSH proxy jump==
 
The SSH proxy jump works with a special user (called "jump") on the xvm (the XPUB server). We work with one shared pair of keys for this user: the '''jump user SSH keys'''. Everyone downloads these keys to their local <code>.ssh</code> folder, and the public <code>jump.pub</code> key is installed on the xvm.


Download the jump key files from Zulip and save them to the <code>~/.ssh/</code> on your laptop (not on chopchop!):
To do this, first download the jump keys from Zulip. The keys we use this year (2024/2026) can be found [https://zulip.xpub.nl/#narrow/stream/88-XPUB1/topic/Cereal.20Box.20SSH.20insturctions.3A/near/44170 here]. Save them to the <code>~/.ssh/</code> folder on your laptop (not on the sandbox!):


  jump
  jump
  jump.pub
  jump.pub


Copy the following config file, change the USERNAME to your username, and save it as a file called config in the same <code>~/.ssh/</code> folder on your laptop:
Copy the following config file, change the USERNAME to your username, and save it to <code>~/.ssh/config</code> on your laptop:


  Host xvm_jump
  Host xvm_jump
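Review bot: the rewritten download paragraph tells every student to save the shared private key `jump` into `~/.ssh/`, but says nothing about file permissions. A key saved from a chat download is often group- or world-readable, and OpenSSH refuses to use a private key in that state. Suggest adding a line such as "then run chmod 600 ~/.ssh/jump". Please also check "(2024/2026)" in the same paragraph: the staff section added further down says a new set of keys is made for each year, so a three-year span looks like a typo.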
Line 20: Line 31:
  Identityfile ~/.ssh/jump
  Identityfile ~/.ssh/jump
   
   
  Host chopchop
  Host NAMEOFSANDBOX
  Hostname 10.0.0.16
  Hostname 10.0.0.XX
  User USERNAME
  User USERNAME
  ProxyJump xvm_jump
  ProxyJump xvm_jump
  Identityfile ~/.ssh/id_ed25519
  Identityfile ~/.ssh/id_ed25519
Now, you should be able to ssh to the sandbox, both from the school and outside the school, with this command:
$ ssh NAMEOFSANDBOX
==(for staff) generate and install new jump SSH keys==
We started to work with a new set of keys for the jump user for each year, because passphrases were forgotten, or the keys somehow mysteriously did not work.
So for a new year:
# generate a new pair of keys
# rename them to jump and jump.pub, and share them with the students on zulip
# ssh into xvm, switch to the jump user: $ sudo su jump
# copy one of the lines in /home/jump/.ssh/authorized_keys and add jump.pub
==Uploading files with FTP==
You can use the SSH shortcut from your config file, and SSH key that you generated.
* '''servername''': <code>cerealbox</code>
* '''key''': select <code>id_ed25519</code>
===Cyberduck===
Install: https://cyberduck.io/
Howto: you can follow this screenshot that Sevgi made:
[[File:Cyberduck-ssh-proxy-jump-setting.png|400px]]
===Winscp===
Install: https://winscp.net/
Docs: https://winscp.net/eng/docs/ui_import#openssh_config
Howto: i did not test winscp yet, but it should work in the same way as Cyberduck :fingers_crossed:
===scp===
(using the terminal)
You can also upload files through the terminal with scp.
I made a short howto page on the wiki: [[Scp|scp]]
==Claudio's notes (⚠ ⚠ to edit)==
When you connect to the sandbox you normally type this in the terminal :
<code>ssh + *yourusername + *sandbox's id address</code>
Inside of the school, this works, you're connecting to the sandbox under the same network, but how does it work from home or from outside of the school's walls in general?
If you're somewhere else you'll have to connect to the XVM (XpubVirtualMachine) server, which is a public server from the school that hosts all the sandboxes (and other things like ...).
The XVM is ''somewhere'', but definitely '''not''' in the building. Inside the XVM, you'll log into a public user called "jump" (*representation of jump 🕵), jump is part of a super secret connection that is not accessible to the broader "public", through this connection (VPN) 




Now, you should be able to ssh to chopchop, both from the school and outside the school, with this command:


$ ssh chopchop


[[Category:Cookbook]]
[[Category:Cookbook]]
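Review bot: in the new staff section, step 4 ("copy one of the lines in /home/jump/.ssh/authorized_keys and add jump.pub") does not say whether the previous year's line is removed, so every earlier shared key keeps working on the xvm after a rotation. Suggest spelling out that the old jump line is replaced rather than kept alongside the new one. Two smaller points in the same hunk: the upload section gives the servername as `cerealbox` while the config above now uses the placeholder NAMEOFSANDBOX, and "Claudio's notes" stops mid-sentence at "through this connection (VPN)".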

Latest revision as of 12:34, 22 October 2024

Manetta proxy jump.jpg


As the collective sandbox servers are hosted from the school, they use a hidden VPN network to connect to the internet, famously known as the HUB.

To be able to SSH to a sandbox server from outside of the school, you can use an SSH proxy jump.

The SSH proxy jump will make a connection to the sandbox through XPUB's XVM server.

First make and upload an SSH key for your sandbox user

You can follow the instructions on this page: SSH

These steps need to be done on your own computer.

Configure the SSH proxy jump

The SSH proxy jump works with a special user (called "jump") on the xvm (the XPUB server). We work with one shared pair of keys for this user: the jump user SSH keys. Everyone downloads these keys to their local .ssh folder, and the public jump.pub key is installed on the xvm.

To do this, first download the jump keys from Zulip. The keys we use this year (2024/2026) can be found here. Save them to the ~/.ssh/ folder on your laptop (not on the sandbox!):

jump
jump.pub

Copy the following config file, change the USERNAME to your username, and save it to ~/.ssh/config on your laptop:

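# Jump host: the shared "jump" user on the xvm
Host xvm_jump
    User jump
    Hostname 194.61.65.6
    Port 2501
    Identityfile ~/.ssh/jump

# Your sandbox, reached through the jump host with your own key
Host NAMEOFSANDBOX
    Hostname 10.0.0.XX
    User USERNAME
    ProxyJump xvm_jump
    Identityfile ~/.ssh/id_ed25519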

Now, you should be able to ssh to the sandbox, both from the school and outside the school, with this command:

$ ssh NAMEOFSANDBOX

(for staff) generate and install new jump SSH keys

We started to work with a new set of keys for the jump user for each year, because passphrases were forgotten, or the keys somehow mysteriously did not work.

So for a new year:

  1. generate a new pair of keys
  2. rename them to jump and jump.pub, and share them with the students on Zulip
  3. ssh into xvm, switch to the jump user: $ sudo su jump
  4. copy one of the lines in /home/jump/.ssh/authorized_keys and add jump.pub
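
The four steps above as a script. This is an added example, not XPUB's own tooling. It assumes each year's key has a comment like `jump-2024`, that last year's key should stop working (the page does not say so), and that the jump key is limited to forwarding; the function names are made up for illustration.

```shell
#!/bin/sh
# Added example, not XPUB's own script. Assumption: each year's shared key
# carries a comment such as "jump-2024", so older jump keys can be recognised.

# Steps 1-2: create the pair as jump / jump.pub (ssh-keygen asks for a passphrase).
new_jump_keypair() {            # usage: new_jump_keypair DIR LABEL
    ssh-keygen -t ed25519 -f "$1/jump" -C "$2"
}

# Step 4: install jump.pub for the jump user and drop earlier jump-* keys.
rotate_jump_key() {             # usage: rotate_jump_key AUTHORIZED_KEYS JUMP_PUB
    auth=$1 pub=$2
    [ -s "$pub" ] || { echo "no public key at $pub" >&2; return 1; }
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub is a private key, refusing to install it" >&2; return 1
    fi
    # Temp file next to the target so the final mv is a plain rename.
    tmp=$(mktemp "$auth.XXXXXX") || return 1
    # Keep every line that is not one of the yearly jump keys.
    if [ -f "$auth" ]; then grep -v ' jump-[0-9][0-9]*$' "$auth" > "$tmp" || true; fi
    # restrict switches off pty allocation, agent and X11 forwarding and the
    # rest; port-forwarding is re-enabled because ProxyJump reaches the
    # sandbox through a forwarded channel.
    printf 'restrict,port-forwarding %s\n' "$(head -n 1 "$pub")" >> "$tmp"
    chmod 600 "$tmp" && mv "$tmp" "$auth"
}

# Constructed sample data (the key bodies are placeholders, not real keys).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'ssh-ed25519 AAAAC3ADMINPLACEHOLDER staff@laptop' \
                  'ssh-ed25519 AAAAC3OLDPLACEHOLDER jump-2023' > "$d/authorized_keys"
    echo 'ssh-ed25519 AAAAC3NEWPLACEHOLDER jump-2024' > "$d/jump.pub"
    rotate_jump_key "$d/authorized_keys" "$d/jump.pub" && cat "$d/authorized_keys"
    rm -rf "$d"
}
demo
```

On the xvm this would be run as the jump user against /home/jump/.ssh/authorized_keys, after a test against a copy of the file.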

Uploading files with FTP

You can use the SSH shortcut from your config file, and the SSH key that you generated.

  • servername: cerealbox
  • key: select id_ed25519

Cyberduck

Install: https://cyberduck.io/

Howto: you can follow this screenshot that Sevgi made:

Cyberduck-ssh-proxy-jump-setting.png

Winscp

Install: https://winscp.net/

Docs: https://winscp.net/eng/docs/ui_import#openssh_config

Howto: I did not test winscp yet, but it should work in the same way as Cyberduck :fingers_crossed:

scp

(using the terminal)

You can also upload files through the terminal with scp.

I made a short howto page on the wiki: scp

Claudio's notes (⚠ ⚠ to edit)

When you connect to the sandbox you normally type this in the terminal:


ssh + *yourusername + *sandbox's id address


Inside of the school, this works, you're connecting to the sandbox under the same network, but how does it work from home or from outside of the school's walls in general?

If you're somewhere else you'll have to connect to the XVM (XpubVirtualMachine) server, which is a public server from the school that hosts all the sandboxes (and other things like ...).

The XVM is somewhere, but definitely not in the building. Inside the XVM, you'll log into a public user called "jump" (*representation of jump 🕵), jump is part of a super secret connection that is not accessible to the broader "public", through this connection (VPN)

See also