Configure SSH for automatic tunneling

Single Hop

Automatic tunneling lets you tunnel any connection to machines inside CERN on the fly, without any input from your side. Say that you want to access your CERN desktop PC, named “CernDesktop”, from your home PC. Suppose also that your CERN username (your LXPLUS account) is “CernUsername”. To set up the automatic tunneling, just add these lines to the .ssh/config file on your home desktop (running Linux):

Host lxplus.cern.ch
  user CernUsername

This instructs SSH to always log in as “CernUsername” when reaching LXPLUS with no username specified, and in particular when tunneling. Next, add the following to the same file:

Host CernDesktop.cern.ch
  ProxyCommand ssh lxplus.cern.ch /usr/bin/nc %h %p 2> /dev/null
  GSSAPITrustDNS no

The first line tells SSH that “cerndesktop.cern.ch” should be reached by executing the given command: it logs in to LXPLUS and forwards the connection to “cerndesktop” through nc. Now ssh cerndesktop.cern.ch will work like a charm.

The second line works around DNS issues when the hop is a cluster like LXPLUS; you only need it when going through such a cluster. Note that the string after Host can list several names separated by spaces and may contain wildcards, for example lxvo*.cern.ch lxbuild*.cern.ch. However, do not use *.cern.ch or you will loop forever!

Multiple Hops

The recipe is recursive and thus extremely powerful when you need to go through several machines. Take the following path: “Home → LXPLUS → ProxyToHiddenNet → CriticalMachine”. The following .ssh/config on your home PC lets you log straight in to “CriticalMachine”:

Host criticalmachine
  ProxyCommand ssh ProxyToHiddenNet /usr/bin/nc %h %p 2> /dev/null
Host ProxyToHiddenNet
  user LocalUsernameOnProxy
  ProxyCommand ssh lxplus.cern.ch /usr/bin/nc %h %p 2> /dev/null
  GSSAPITrustDNS no
Host lxplus.cern.ch
  user CernUsername
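Added example, not part of the original page: a small resolver that reads ssh_config text, applies the same "first value wins" option matching as ssh(1), and follows the ProxyCommand chain hop by hop. Run on the multi-hop config above it recovers the path back to LXPLUS; run on a constructed "Host *.cern.ch" block it reports the infinite loop the earlier section warns about. Only ProxyCommands of the form "ssh <hop> ..." are followed, and "!" negated patterns are not handled.

```python
import fnmatch
import re
# The page's multi-hop config (Home -> LXPLUS -> ProxyToHiddenNet -> CriticalMachine).
MULTI_HOP_CONFIG = """
Host criticalmachine
  ProxyCommand ssh ProxyToHiddenNet /usr/bin/nc %h %p 2> /dev/null
Host ProxyToHiddenNet
  ProxyCommand ssh lxplus.cern.ch /usr/bin/nc %h %p 2> /dev/null
  GSSAPITrustDNS no
Host lxplus.cern.ch
  user CernUsername
"""
# Constructed: the mistake the page warns about; "*.cern.ch" also matches lxplus itself.
LOOPING_CONFIG = "Host *.cern.ch\n  ProxyCommand ssh lxplus.cern.ch /usr/bin/nc %h %p\n"
PROXY_SSH = re.compile(r"^ssh\s+(?:-\S+\s+)*(\S+)")  # bare flags only, not "-l user"

def parse_config(text):
    """Split ssh_config text into (host patterns, {option: value}) blocks, in file order."""
    blocks = []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "host":
            blocks.append((value.split(), {}))
        elif blocks:
            blocks[-1][1].setdefault(key, value)  # first value wins, as in ssh(1)
    return blocks

def resolve(blocks, host):
    """Options ssh would use for host: all matching blocks apply, first value wins."""
    opts = {}
    for patterns, block in blocks:  # case-insensitive glob match, '!' negation not handled
        if any(fnmatch.fnmatchcase(host.lower(), p.lower()) for p in patterns):
            for key, value in block.items():
                opts.setdefault(key, value)
    return opts

def hop_chain(blocks, target, limit=10):
    """Follow ProxyCommand 'ssh <hop> ...' links; returns (hops, looped)."""
    hops = [target]
    while len(hops) < limit:
        match = PROXY_SSH.match(resolve(blocks, hops[-1]).get("proxycommand", ""))
        if not match:
            return hops, False
        nxt = match.group(1)
        if nxt.lower() in [h.lower() for h in hops]:  # hop proxies via itself or an earlier hop
            return hops + [nxt], True
        hops.append(nxt)
    return hops, True  # hop limit exceeded: treat as a loop
```

To cross-check against the real client, ssh -G criticalmachine prints the options OpenSSH itself resolves for that host, including the ProxyCommand it would run.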

Optimizing number of connections and usage of passwords

You may have noticed, after setting up automatic tunneling, that a separate tunnel is opened for every connection to any machine, and that your password may be asked for at each hop (so three passwords to type in the last example). This can be optimized with the ControlPath and ControlMaster options in the .ssh/config file. For this, add the following section:

Host *.cern.ch
  ControlPath ~/.ssh/%h.%p.%r
  ControlMaster auto

All your tunnels to machines inside “*.cern.ch” will then be shared: you reduce the number of connections and no longer type a password for any connection but the first one.