bastion

The service bastion.desy.de provides access to the internal DESY computer network (intranet) via secure, encrypted SSH (Secure SHell) connections. The credentials are your DESY login name and password.

Many DESY services can be accessed directly from the Internet:

Mail and calendar, Confluence, DESY Sync & Share, to name just a few.

Access to scientific compute resources Maxwell and NAF/BIRD is also possible from the Internet.

SSH is a powerful tool. Below we describe some typical use cases.

Simple use case:

E.g., text login to PAL via SSH:

remote> ssh accountname@bastion.desy.de

bastion> ssh pal.desy.de

pal> 

 

Access from external Computers


You want to connect from a computer outside the DESY network to a computer within the DESY network in order to work on it? Or you just want to call up internal DESY web pages, but you do not want to connect to your work device at DESY for this purpose?

For such cases, this website offers you general information on how to establish a connection from outside DESY using a so-called SSH tunnel.

Please note that the Windows-specific parts of these instructions are written for Windows 10. If you do not have a Windows 10 computer, the Windows-specific parts of this web guide do not apply to you. In that case you need PuTTY as SSH client; a manual for it is available in the following PDF.

SSH Tunnel using PuTTY (PDF, 1.0 MB)

💡 We have summarized further questions and the clarification of technical problems at the end of this website for you.

General Questions

Can I use these Instructions if I work at V2 / V3?

For V2 and V3 special technical conditions apply for the connection to computers at DESY (this applies to subnets 89 (V3) and 99 (V2)). If you work in one of these groups and need to connect to DESY computers, please contact your responsible group administrator, because this documentation is not usable for your use cases without further information.

Instructions for V2 users can be found on the following web site (only available in German):
https://it.desy.de/dienste/uco/dokumentation/home_office_fuer_v2

Where can I find Instructions for MacOS?

Short instructions on connecting from Mac to Windows devices can be found in chapter "Step-by-Step Instructions". However, you may find additional information on connecting from Mac devices also to other operating systems on the following web site:
https://it.desy.de/services/operating_systems/macos/remote_access/

Which is the Target Computer?

If possible, please use your personal device at DESY as target computer, which you usually use for your daily work and on which you also would like to work remotely.

It is also possible to use the central Windows Terminal Server winterm.desy.de as target computer. However, please use your personal working device preferably, since the Windows Terminal Server has a limited load capacity. It should therefore only be used for short accesses and not for long-term work.

Do I need a Target Computer when I just want to connect to internal Websites?

No. If you just want to access internal websites with your local web browser and do not need to work on a remote computer at DESY, you do not need a target computer. Instead, you have to configure a so-called SOCKS proxy in your browser, which routes the web traffic through bastion, similar to an SSH tunnel.

You can find instructions about configuring a SOCKS Proxy in your browser in the section "Just connect to internal Websites".

Preliminaries - What do I have to do first?
 

  • Install the latest Updates on your Operating System

Please make sure that the local computer from which you want to connect has all necessary operating system updates installed; if not, install them before you follow these instructions. Otherwise some of the options described in this documentation may not be available.

  • Find out the name of your Target Computer

Leave your target computer switched on! How to find out its name is explained on the following website: Computer Name Determination. Without the computer name it won't be possible to establish a connection to it.

Note: The computer name is not, or does not only consist of, its PCX number (PCX******)!

  • Request Permissions on your Target Computer

To be able to connect to your DESY Windows computer in your office at DESY, please contact one of your responsible Windows group administrators. They can authorize your user account for remote connections to your target computer.

Windows group administrators are able to connect to all computers of their group remotely. So they can give you permissions to connect to your computer, even from a distance.


Instructions - How to use an SSH Tunnel?
 

I want...

...just access internal Websites

Note: These instructions were created using Firefox. In other browsers the setup of a proxy is not possible or has not been tested so far.

Figure 1

Step 1 - Establish the SSH Connection

If you are using Windows, press ⊞ Win + R and enter the command cmd, afterwards please click 'OK' to open the Windows command line (Fig. 1).

Execute the following command using your command line (Fig. 2):

ssh -D 2280 -N username@bastion.desy.de



 

Figure 2

Replace username with your personal DESY user name. Then press the Enter key ↵. Enter your password (the entry is not visible) and press the Enter key ↵ again. Please leave the window open, just minimize it if necessary.

 

Figure 3

Step 2 - Setup the Browser

Start Firefox and open the options using the menu (☰ -> "⛭ Options"). Scroll to the bottom. In the chapter "Network Settings" click on "Settings...". Configure the following options and click on "OK" afterwards (Fig. 3):

  • Activate the Option "Manual Proxy Configuration"
  • SOCKS Host: localhost
  • Port: 2280
  • Activate the Option SOCKS v5
  • Activate the Option "Proxy DNS when using SOCKS v5"


Now you should be able to access internal DESY web sites like https://registry.desy.de using your local Firefox.

Note: After setting the proxy in the browser or system, websites belonging to DESY will become unavailable or take significantly longer to load when the SSH connection is not established. Also, this setting tunnels all your traffic through DESY. If you don't want this, you have to follow the advanced alternative configuration.

...connect from WINDOWS to WINDOWS

Figure 1

Step 1 - Establish the SSH Tunnel

Press ⊞ Win + R and enter the command cmd, afterwards please click 'OK' (Fig. 1). In the command prompt enter the following command (Fig. 2) and press Enter ↵ :

ssh -L 8006:computername.desy.de:3389 username@bastion.desy.de


 



 

Figure 2

Replace computername with the name of the target computer, username with your personal DESY user name. Then press the Enter key ↵.

Enter your password (the entry is not visible) and press the Enter key ↵ again. Please leave the window open, just minimize it if necessary.


 

Figure 3

Step 2 - Connect to your Target Computer

To start the Remote Desktop Client, click on the Windows icon in the system tray at the bottom left and enter 'rdp'. Open the remote desktop client by clicking on "Remote Desktop Connection" (Fig. 3).

Figure 4

Enter the following into the textfield "Computer" (Fig. 4):

localhost:8006

 

 

 

Click on "Connect" (Fig. 4) and enter your password when prompted. If you receive a certificate warning, confirm this message with "Yes".

 

Note

When entering the user name for the remote desktop connection, the domain "WIN\" may have to be entered before the user name. If the connection cannot be established successfully, please make sure that your user name is stored in the form WIN\username. To do this, click on "Show options" in the Remote Desktop Connection window (Fig. 4).

...connect from WINDOWS to LINUX with graphical Interface

Step 1 - Install the FastX2 Server on the Target Computer

You can obtain the installation files for the FastX server (for Ubuntu/Debian please use xxx.deb, for other Linux desktops xxx.rpm), as well as the corresponding instructions for setting up the server via the DESY web pages. Please use the latest version of the server, which is available there. If you need assistance in installing the server on a green DESY Ubuntu desktop, please contact the UCO (Email: uco@desy.de, phone: 5005), specifying the name of the target computer.

Central workgroup servers like pal.desy.de already provide a FastX 2 server and can therefore already be used without this step for the connection via FastX 2.

Step 2 - Install the FastX2 Client on your local Computer

The client can be installed using the Software Shop NetInstall / DSM on DESY Windows devices. If you are not using a DESY computer, you may download the client using the DESY web sites. Please use the newest version which is available there.

Figure 1

Step 3 - Establish the SSH Tunnel

Press ⊞ Win + R and enter the command cmd, afterwards please click 'OK' (Fig. 1). In the command prompt enter the following command (Fig. 2):

ssh -L 8006:computername.desy.de:22 username@bastion.desy.de

 

 

 

Figure 2

Replace computername with the name of the target computer, username with your personal DESY user name. Then press the Enter key.

Enter your password (the entry is not visible) and press the Enter key again. Please leave the window open, just minimize it if necessary.

 

Figure 4

Step 4 - Connect to your Target Computer


  1. Start FastX 2
  2. Click on the plus symbol in the upper right corner of the window and select SSH to configure the connection as follows, then click on "Save" (Fig. 4):
       • Name: Any you like
       • Host: localhost
       • Port: 8006
  3. Enter your username and password when prompted
  4. In the next window, again click on the plus symbol in the upper right corner to establish the connection
  5. You will be asked to choose the so-called "Window Manager"; XFCE is the recommended one. As soon as you choose a Window Manager, the connection will be established immediately.

...connect from WINDOWS to LINUX without graphical Interface

Figure 1

Press ⊞ Win + R and enter the command cmd, afterwards please click 'OK' (Fig. 1). In the command prompt enter the following command (Fig. 2):

ssh username@bastion.desy.de

 

 

When prompted, enter your password and then connect to the desired Linux target computer using

ssh computername

 

 

Figure 2

Instead of username please enter your personal DESY username, instead of computername the name of the computer you want to connect to. Press the Enter key to connect.

When prompted, enter your password and press the Enter key. Please note that the password entry is not visible.

Please note that from outside the DESY network you usually have to connect to bastion.desy.de first and can only connect to other Linux computers afterwards.

...connect from LINUX to WINDOWS

Step 1 - Install a Remote Desktop Client

remmina
As RDP client we currently recommend remmina in the latest version (at least v1.4.3). You can install it on green DESY Ubuntu desktop computers using snap. You will find instructions on the following website:
https://confluence.desy.de/display/linux/snap

Alternatively follow the installation instructions on the official web site:
https://remmina.org/how-to-install-remmina/

xfreerdp
xfreerdp can also be used in principle, but it must be available in version (2.0.0-dev5) (status 04/2020), since older versions cannot establish a connection to up-to-date Windows computers due to incompatibilities.

Step 2 - Establish the SSH Tunnel

Open a terminal and execute the following command. Replace computername with the desired target computer, username with your personal DESY user name. Then press the Enter key ↵:

ssh -L 8006:computername.desy.de:3389 username@bastion.desy.de

 

Step 3 - Using remmina to connect to the Target Computer (recommended)

Start remmina and enter the following settings to configure the connection:

  • Name: Any you like
  • Protocol: RDP
  • Server: localhost:8006
  • Domain: WIN


Click on "Connect" to establish the connection. Please leave all other settings at their defaults. In particular, it is not necessary to configure a tunnel in remmina, as the tunnel has already been created on the command line; configuring one in remmina as well will result in a problem with the RDP connection.

Step 3 - Using xfreerdp to connect to the Target Computer

If a connection with remmina is not possible for you, you can alternatively use xfreerdp as RDP client. To do so, open a new terminal window and enter the following command in the command line. Please replace username with your DESY user name first.

xfreerdp /u:username /d:win /v:localhost:8006 /dynamic-resolution

Alternative to an SSH Tunnel: sshuttle

As an alternative to an SSH Tunnel, you may use sshuttle instead. sshuttle is an application which routes all network traffic through one specific gateway (bastion.desy.de in this case). So this application can be used as a good alternative to a VPN connection.

  1. Install sshuttle using your local Linux package manager or download it from GitHub:
     https://github.com/apenwarr/sshuttle
  2. Afterwards execute the following command to establish the connection. Replace username with your personal DESY user name:
     sshuttle --dns -r username@bastion.desy.de 131.169.0.0/16
  3. Now you will be able to connect to all internal web sites and services and thus will be able to use Remote Desktop programs without using any specific parameters like local ports. To connect to winterm please use the web address https://rdsweb.desy.de/rdweb/webclient/. To connect to your personal Windows computer, use the following command:
     xfreerdp /u:username /d:win /v:computername.desy.de /dynamic-resolution


Replace computername with the name of the target computer, username with your personal DESY user name.

...connect from MAC to WINDOWS

Figure 1

Install the latest version of the "Microsoft Remote Desktop Client" using the AppStore (Fig. 1).

Then open a terminal via "Go" -> "Utilities" (Fig. 2) and select "Terminal". Enter the following command into the command prompt.

ssh -L 8006:computername.desy.de:3389 username@bastion.desy.de


 

 

Figure 2

Replace computername with the name of the target computer, username with your personal DESY user name. Then press the Enter key ↵.

Enter your password (the entry is not visible) and press the Enter key ↵ again. Please leave the window open, just minimize it if necessary.

Figure 3

Then start the Microsoft Remote Desktop Client and enter localhost:8006 as PC name for the connection. Afterwards, save and start the connection.

Technical Questions and Problems

What is an SSH Tunnel?

An SSH tunnel is a network connection between two computers, which is routed through a gateway computer (here bastion.desy.de). It is necessary, for example, if the target computer cannot be reached directly from the Internet. The following figure illustrates the basic concept.

I get a Warning about the RSA Key - What shall I do?

When you connect to bastion.desy.de for the first time, you will usually receive a message like the one shown in the adjacent figure. This informs you that, due to an unknown fingerprint, the identity of the server could not be determined. Please confirm the message with yes. Afterwards the connection should still be established successfully.

The Command "ssh" cannot be found in the command line - What should I do?

If you receive an error message like the one shown in the adjacent figure, but you are running Windows 10, please follow these steps to resolve the problem:

  1. Install all operating system updates and then restart the computer


If the problem persists, please check if the Windows SSH client is installed:

  1. Right-click the Windows icon in the lower left corner of the taskbar
  2. Click on "Apps and Features"
  3. Click on "Optional Features" in the new window
  4. Click "Add Feature" and select "OpenSSH Client" for installation from the list
  5. Restart your computer afterwards
     

If the problem is still not solved, PuTTY must be used as SSH client. Please refer to the following PDF document for instructions on how to connect using PuTTY.

SSH Tunnel using PuTTY (PDF, 1.0 MB)

Is it possible to use several SSH Tunnels at the same time?

Yes, that's no problem. However, please make sure that you use a different local port for each tunnel. The local port is the one specified before the target computer. In the following command, for example, 8006 is the local port:

ssh -L 8006:computername.desy.de:3389 username@bastion.desy.de


So if you want to establish an SSH tunnel for your Windows computer and one for your Linux computer, you will have to open two terminals and execute the following commands:

Terminal 1 (SSH Tunnel for Windows)

ssh -L 8006:computername.desy.de:3389 username@bastion.desy.de


Terminal 2 (SSH Tunnel for Linux)

ssh -L 8007:computername.desy.de:22 username@bastion.desy.de


Afterwards you will be able to connect to your Windows computer using localhost:8006 and to your Linux computer using localhost:8007.
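
Both tunnels can also share a single SSH connection, since ssh accepts several -L options. The following POSIX shell function is an added example, not part of the original DESY instructions: it validates the input, rejects a local port that is used twice, and prints the combined command. The function names and the LPORT:COMPUTERNAME:RPORT argument format are assumptions of this example, as are the explicit 127.0.0.1 bind address and the ExitOnForwardFailure option, which the commands on this page do not use.

```shell
#!/bin/sh
# Added example, not DESY's own tooling. Gateway and domain come from the page;
# function names and the LPORT:COMPUTERNAME:RPORT spec format are assumptions.
GATEWAY="bastion.desy.de"
DOMAIN="desy.de"

# in_range N MIN MAX: succeeds if N is a decimal integer within MIN..MAX.
in_range() {
    case "$1" in ''|0*|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# build_tunnel_cmd USER LPORT:COMPUTERNAME:RPORT [...]
# Prints one ssh command carrying every forward; returns 1 on invalid input.
build_tunnel_cmd() {
    user=$1
    case "$user" in ''|*[!A-Za-z0-9_-]*) echo "bad user name" >&2; return 1 ;; esac
    shift
    [ "$#" -ge 1 ] || { echo "no forward given" >&2; return 1; }
    # -N: forwarding only, no remote shell (as in the page's SOCKS command).
    # ExitOnForwardFailure: fail at once if a local port is already taken.
    cmd="ssh -N -o ExitOnForwardFailure=yes"
    seen=" "
    for spec in "$@"; do
        case "$spec" in *:*:*) ;; *) echo "bad spec '$spec'" >&2; return 1 ;; esac
        lport=${spec%%:*}; rest=${spec#*:}
        host=${rest%%:*};  rport=${rest#*:}
        # Local ports below 1024 would need administrator rights.
        in_range "$lport" 1024 65535 || { echo "bad local port '$lport'" >&2; return 1; }
        in_range "$rport" 1 65535 || { echo "bad remote port '$rport'" >&2; return 1; }
        case "$host" in ''|*[!A-Za-z0-9-]*) echo "bad computer name '$host'" >&2; return 1 ;; esac
        # Each tunnel needs its own local port.
        case "$seen" in *" $lport "*) echo "local port $lport used twice" >&2; return 1 ;; esac
        seen="$seen$lport "
        # Binding to 127.0.0.1 keeps the forward unreachable from the local network.
        cmd="$cmd -L 127.0.0.1:$lport:$host.$DOMAIN:$rport"
    done
    printf '%s %s@%s\n' "$cmd" "$user" "$GATEWAY"
}

# Constructed sample: the Windows (RDP) and Linux (SSH) tunnels from the text.
build_tunnel_cmd username 8006:computername:3389 8007:computername:22
```

The printed command can be pasted into any terminal with an OpenSSH client, including the Windows command line.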

UCO Hamburg
Phone: +49 (0)40 8998 5005
E-Mail: UCO Hamburg
Location: 2b / 131d
Link: https://it.desy.de/services/uco