BNL Home

SSH Tunneling

One-hop logins and file transfers using ssh tunneling

Please note, New York Blue/L has been decommissioned and these web pages have not yet been updated to reflect its removal from service. The New York Blue/P is now one rack and remains in service. The BNL Blue Gene/Q also remains in service.


The only way to access Blue Gene computing resources remotely (outside the Blue Gene network enclave) is through the Blue Gene ssh gateways. Even users connecting from inside the BNL campus network need to go through the gateways. ssh tunneling allows one-hop access (logins and file transfers) to the Front-End nodes and the Visualization cluster.

Top of Page

Linux/Mac OS X

  • Generate an ssh key pair on your remote desktop using ssh-keygen. The generated public key will need to be copied to the Blue Gene Front-End Node (FEN) and be appended in the user's .ssh/authorized_keys file.
    Note: Key generation needs to be done once only, not every time the tunnel is created.

    stratos@salonica:~$ ssh-keygen -t dsa
    Generating public/private dsa key pair.
    Enter file in which to save the key (/home/stratos/.ssh/id_dsa):
    /home/stratos/.ssh/id_dsa already exists.
    Overwrite (y/n)? y
    Enter passphrase (empty for no passphrase): (enter passphrase)
    Enter same passphrase again: (enter passphrase)
    Your identification has been saved in /home/stratos/.ssh/id_dsa.
    Your public key has been saved in /home/stratos/.ssh/
    The key fingerprint is:
    34:71:e5:71:70:c4:32:7d:12:7d:bd:53:66:0c:16:c7 stratos@salonica

    The above ssh-keygen command will generate the default private key (id_dsa) and public key ( in the local user's directory ~/.ssh/. The generated public must now be transfered and appended in the .ssh/authorized_keys file on the Blue Gene Front-End host.
  • On the remote desktop, start the ssh-agent and load the private key:

    stratos@salonica:~$ eval `ssh-agent`
    Agent pid 22677

    stratos@salonica:~$ ssh-add
    Enter passphrase for /home/stratos/.ssh/id_dsa: (enter passphrase)
    Identity added: /home/stratos/.ssh/id_dsa (/home/stratos/.ssh/id_dsa)

    stratos@salonica:~$ ssh-add -l
    1024 34:71:e5:71:70:c4:32:7d:12:7d:bd:53:66:0c:16:c7 /home/stratos/.ssh/id_dsa (DSA)

  • Open an ssh tunnel from the remote desktop to the Front-End Node of our Blue Gene/L machine: (all in one line)

    argonaut:~ stratos$ ssh -N -f -L

    The user will be prompted. Enter the PIN number for your RSA SecurID immediately followed by the tokencode, as described in Accessing the Blue Gene SSH Gateways . (If you have forgotten your RSA SecurID PIN number, please contact the ITD help desk at 631-344-5522).


    • In the above, 2134 is a port number on your desktop that will be used for the tunneling. You can choose any large number for the port number.
    • The last entry in the above command is the hostname of the Blue Gene ssh gateway. The exact hostname depends on whether the user connects from inside or outside the BNL network.
      • ssh (outside the BNL network)
      • ssh (inside the BNL network)
  • Use the tunnel to:
    • one-hop login:

      stratos@salonica:~$ ssh -p 2134 stratos@localhost

    • login with X-forwarding:

      stratos@salonica:~$ ssh -X -p 2134 stratos@localhost
      stratos@fen:~> xclock

    • one-hop transfer data from your desktop to the Front-End Node:

      stratos@salonica:~$ scp -P 2134 ccsoft.dat stratos@localhost:.
      ccsoft.dat 100% 27 0.0KB/s 00:00

    • one-hop transfer data from the Front-End Node to your local desktop:

      stratos@salonica:~$ scp -P 2134 stratos@localhost:ccsoft.dat .
      ccsoft.dat 100% 27 0.0KB/s 00:00

    Note: If you get prompted for password in any of the above commands, most likely, the locally generated public key has NOT been correctly deployed on Front-End Node.
  • Cleaning up
    Once done with the tunnel, remove the tunnel that day as soon as you are done with it, and kill the ssh-agent. To remove the tunnel, simply find the corresponding ssh process and kill it using kill -9 PID. To kill the ssh-agent:

    stratos@salonica:~$ ssh-agent -k
    unset SSH_AUTH_SOCK;
    unset SSH_AGENT_PID;
    echo Agent pid 22677 killed;

    It may be a good idea to put the above ssh-agent -k command in the user's .logout file in the remote desktop.

Top of Page


ssh clients on windows (such as puTTY) support agent forwarding and tunneling.
Please see: One-hop logins and File Transfers in Windows to fen using Putty and SSH Tunneling

Top of Page

Additional Info