Advanced usage

DESCRIPTION

Most DESY computers cannot be reached from the outside world because the DESY firewall blocks all incoming connections. Instead, the host acts as a central login server for the internal DESY network.

You can connect to bastion from anywhere via SSH (and HTTP), and you can also use bastion as a proxy to reach other hosts within the DESY network.

DMZ firewall settings

The firewall between bastion and the internal network only allows traffic on the following ports.

Forwarded ports, which can be accessed directly from bastion:

  • 22 (ssh)
  • 80 (http)
  • 443 (https)
  • 3389 (rdp)

If your internal server listens on another port, you may need to tunnel further via a workgroup server or a similar host.


How to use bastion as an ssh/scp/sftp proxy?

To reach, for example, the PAL cluster via bastion, insert the following lines into the ~/.ssh/config file on your local host (not on bastion itself):


 ProxyCommand ssh netcat -q 3 %h %p

If your username on the target host is different from your AFS account name, replace username with your AFS account name:


  ProxyCommand ssh netcat -q 3 %h %p


How to use Kerberos authentication?

First of all, you need to have the kinit(1) executable installed.


See the following list to find the corresponding package for your distribution:

  • Ubuntu/Debian: krb5-user (or heimdal-clients)
  • RedHat/Fedora: krb5-workstation
  • SuSE: krb5-client

Now you can obtain a Kerberos ticket with the command:

$ kinit -A -f username@DESY.DE

Finally, make sure that your SSH client has the following options enabled for bastion:


 GSSAPIAuthentication yes

 GSSAPIDelegateCredentials yes

Put those lines either in your personal ~/.ssh/config file or in the global /etc/ssh/ssh_config file. Now you can log in to bastion without typing your password, and you will automatically get an AFS token, too.


How to use public/private SSH key pairs?

Attention: It is not recommended to use SSH keys. Whenever possible, use Kerberos tickets instead (see the section “How to use Kerberos authentication?” above).

You have to do some preparations before you can use SSH keys stored in your AFS home directory:

1. Set the ACL of your ~/.ssh directory to “lookup” permissions for “desy-hosts”:

$ fs sa -dir ~/.ssh -acl system:administrators l

$ fs sa -dir ~/.ssh -acl desy-hosts l

The ACL of your ~/.ssh directory should now look like this:

$ fs la ~/.ssh

Access list for /afs/ is

Normal rights:

  system:administrators l

  desy-hosts l

  username rlidwka

2. Create a .public directory with “read” permissions for “desy-hosts” inside your ~/.ssh directory, and move your authorized_keys file into it:

$ mkdir ~/.ssh/.public

$ fs sa -dir ~/.ssh/.public -acl system:administrators rl

$ fs sa -dir ~/.ssh/.public -acl desy-hosts rl

$ mv ~/.ssh/authorized_keys ~/.ssh/.public

3. Link the file ~/.ssh/.public/authorized_keys back to your ~/.ssh directory:

$ ln -s ~/.ssh/.public/authorized_keys ~/.ssh

4. Make sure your home directory and your ~/.ssh directory are writable only for you:

$ chmod go-w ~ ~/.ssh

5. Keep in mind that you will neither receive a Kerberos ticket nor an AFS token when you use SSH key authentication.
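The following script is an added example and not part of the DESY documentation: it checks, offline, that a home directory matches the layout steps 1 to 4 describe. The "fs la" listings it parses are constructed sample output in the format shown above, and the permission check only uses ls and readlink, so no AFS client is needed to run it.

```shell
#!/bin/sh
# Added example, not from the DESY bastion page: offline sanity checks for the
# "SSH keys in an AFS home" setup (steps 1-4 above). The 'fs la' listings below
# are constructed sample output in the format the page shows; the functions
# only parse text and inspect a directory tree, so they run without AFS.

# acl_grants LISTING PRINCIPAL RIGHTS: succeeds if an 'fs la' listing has a
# line granting exactly RIGHTS to PRINCIPAL (e.g. "desy-hosts l").
acl_grants() {
    printf '%s\n' "$1" | awk -v p="$2" -v r="$3" \
        '$1 == p && $2 == r { ok = 1 } END { exit ok ? 0 : 1 }'
}

# check_afs_acls SSH_LISTING PUBLIC_LISTING: step 1 wants lookup ("l") on
# ~/.ssh, step 2 wants read+lookup ("rl") on ~/.ssh/.public, for both groups.
check_afs_acls() {
    acl_grants "$1" system:administrators l && acl_grants "$1" desy-hosts l &&
    acl_grants "$2" system:administrators rl && acl_grants "$2" desy-hosts rl
}

# check_key_layout HOME: steps 3 and 4. authorized_keys must be a symlink to
# .public/authorized_keys, and HOME and HOME/.ssh must not be group/world
# writable (sshd's StrictModes refuses the key file otherwise).
check_key_layout() {
    for d in "$1" "$1/.ssh"; do
        # ls -ld mode string: char 6 is the group write bit, char 9 the other write bit
        case "$(ls -ld "$d" | cut -c1-10)" in
            ?????w*|????????w?) return 1 ;;
        esac
    done
    [ -L "$1/.ssh/authorized_keys" ] &&
    [ "$(readlink "$1/.ssh/authorized_keys")" = "$1/.ssh/.public/authorized_keys" ]
}

# Constructed sample listings matching the 'fs la' output shown on the page.
SAMPLE_SSH_ACL='Access list for ~/.ssh is
Normal rights:
  system:administrators l
  desy-hosts l
  username rlidwka'
SAMPLE_PUBLIC_ACL='Access list for ~/.ssh/.public is
Normal rights:
  system:administrators rl
  desy-hosts rl
  username rlidwka'

if check_afs_acls "$SAMPLE_SSH_ACL" "$SAMPLE_PUBLIC_ACL"; then
    echo "sample AFS ACLs match the documented setup"
else
    echo "sample AFS ACLs do not match the documented setup"
fi
```

On a real AFS home, feed the script the output of `fs la ~/.ssh` and `fs la ~/.ssh/.public` and call `check_key_layout "$HOME"`.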


How to avoid typing your password so often?

Insert the following lines into the ~/.ssh/config file on your local host (not on bastion itself):

Host *
  ControlMaster auto
  ControlPath ~/.ssh/.control-%r@%h:%p

This will allow you to log in to the destination host without typing your password as long as the first connection stays open. If you are working on a network home directory (like NFS), you have to use:

ControlPath ~/.ssh/.control-%l_%r@%h:%p

Unfortunately, this option is only available in OpenSSH version 4.4 or higher.


How to reach internal web servers?

Insert the following lines into the ~/.ssh/config file on your local host (not on bastion itself):


  ProxyCommand ssh netcat -q 3 %h %p

  DynamicForward localhost:2280

You can also use your desktop system or your workgroup server or something similar instead of pal (see also the section “How to use bastion as an ssh/scp/sftp proxy?” above).

Now create a configuration file called ~/.proxy.pac on your local host (not on bastion itself) with the following content:

function FindProxyForURL(url, host)
{
  // Hosts inside the DESY domain go through the SOCKS port opened by
  // DynamicForward; everything else is fetched directly.
  if (dnsDomainIs(host, ""))
    return "SOCKS localhost:2280; DIRECT";

  return "DIRECT";
}


Finally, configure your browser to use this file as an “automatic proxy configuration”.

For Firefox, go to “Edit > Preferences > Advanced > Network > Connection Settings”, select “Automatic proxy configuration URL”, and enter:


Web servers within the DESY domain will now see your requests coming from the target host instead of your local host.


What about ...?

Just send a mail to and ask your question!