BNL Home

SSH Gateways - all Operating Systems

Secure Shell (SSH) is a network protocol that facilitates secure data exchange between networked devices. By establishing a secure channel between a local and a remote computer, SSH exchanges information securely by using data encryption and message authentication codes.

BNL policy dictates that you use an official SSH gateway to enter the lab network with SSH. To make moving around from computer to computer faster and easier, advanced users may want to put their SSH keys on the gateway (see 'Additional Info' sidebar). That allows you to have single sign-on capabilities.

NOTE: The SSH gateways are not designed for file storage. Transferring large data sets should be accomplished by tunneling.

The Laboratory has several SSH gateways. The addresses to reach the SSH gateways are:

  • ssh.bnl.gov (main gateway)
  • ssh.bluegene.bnl.gov (Bluegene users only)

If you are trying to reach the gateways from inside the Laboratory for any reason, the address is:

  • ssh.sec.bnl.local (main gateway)
  • ssh.bluegene.bnl.local (Bluegene users only)

Instructions for using the SSH gateways

If you need assistance installing the appropriate SSH client contact the Help Desk.

To use the SSH Gateway as an entry/exit point you need to:

  1. Setup an account on an SSH Gateway. This can be done by calling the Account Management Office at (631) 344-4444 or by filling out an Account Request Form
  2. Enroll in DUO Security, which provides two-step verification and will be required to access many protected resources and applications.
  3. Test this account by attempting to connect to the SSH gateways
  4. Each time you want to SSH into or out of the lab simply logon to your account on the SSH Gateway first.

Testing Account:

Note: When you first connect to the gateway, you will receive a message similar to the one below. Respond by answering [yes].

localhost:~$ ssh your_user_name@ssh.bnl.gov

The authenticity of host 'ssh.bnl.gov (130.199.3.131)' can't be established.
RSA key fingerprint is 11:0e:ac:b5:33:17:92:66:b4:0e:1a:73:9a:a6:23:95.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added 'ssh.bnl.gov' (RSA) to the list of known hosts.

When completed you will be prompted to enter you BNL domain password.


Password:

After your password is entered correctly, follow the prompts shown below to complete the login process.

Duo two-step verification login for your_user_name

Enter a passcode (Duo App or YubiKey) or select the following option:

  1. Push to XXX-XXX-XXXX (smartphone) - recommended method
  2. Phone Call to XXX-XXX-XXXX (incurred costs may apply)

Passcode or option (1-2): 1

After successful two-factor authentication, you will be able to ssh to another machine on the internal BNL network. Login as you normally would but expect to answer yes the first time like you did above.

your_user_name@sshvip1:~$ ssh user_name@somehost.bnl.gov
The authenticity of host 'somehost.bnl.gov (xxx.xxx.xxx.xxx)' can't be established.
RSA key fingerprint is ef:30:09:34:e5:5b:c2:e6:92:b9:a1:2e:02:cf:82:40.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added 'somehost.bnl.gov,xxx.xxx.xxx.xxx' (RSA) to the list of known hosts.

user_name@somehost.bnl.gov’s password::

The RSA key fingerprint for "ssh.bnl.gov" is
11:0e:ac:b5:33:17:92:66:b4:0e:1a:73:9a:a6:23:95