Bastion Service: SSH access to Department's resources (servers and workstations)
Instructions for remotely accessing the Department’s servers and workstations.
The Bastion host SSH service provides protected access to IT resources on the Department's internal network without exposing those services directly to the Internet, which drastically improves network security.
For access other than SSH, contact the support team at difa.csi@unibo.it.
Who can use it
The service can be used by:
- DIFA structured staff (teachers, PTA)
- DIFA doctoral students
- DIFA contractors
- DIFA accredited people
- people enabled to access the computing clusters
Activation
The Bastion service is automatically active for the above-mentioned users and there is no need to request authorization. It is linked to the roles held and recognized by the University.
Students do not have remote access, except for the use of computing clusters. Enabling the use of the cluster entails the simultaneous automatic enabling of the use of the Bastion service without the need for a further request.
For support send an e-mail to the support team at difa.csi@unibo.it.
How to access
The service can only be used with your institutional account.
If you changed the UPN in your institutional account, you must use your full credentials or those prior to the change.
For example, if you usually use n.surname@unibo.it (or name.surname@unibo.it) instead of name.surnameN@unibo.it, you must use one of the following two options to authenticate on the Bastion service:
- name.surnameN
- n.surname@unibo.it (or name.surname@unibo.it)
In this case you cannot authenticate using only n.surname (or name.surname) without @unibo.
How to configure
OpenSSH (command line Linux / macOS / Windows PowerShell)
Simply add -J name.surname@137.204.50.15 to the beginning of the ssh command you used previously. For example:
ssh -J name.surname@137.204.50.15 <your_machine_account>@<your_machine_IP>
where <your_machine_IP> is the IP address of the target machine and <your_machine_account> is the account for the log-in on the target machine.
A better solution could be to edit ~/.ssh/config by adding the sections:
Host bastion
    Hostname 137.204.50.15
    User name.surname

Host <your_machine_IP>
    User <your_machine_account>
    ProxyJump bastion
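To confirm that a host entry in ~/.ssh/config is really routed through the Bastion before you connect, you can inspect the effective configuration with ssh -G, which prints the resolved options without opening a connection. The script below is an added example, not part of the Department's instructions; the function names and the lab-pc alias are hypothetical.

```sh
#!/bin/sh
# Added example: check that ssh would reach a target through the Bastion.
# `ssh -G <host>` prints the effective client options without connecting.

BASTION_ADDR="137.204.50.15"   # Bastion address given on this page

# first_hop: stdin = `ssh -G <target>` output. Prints the first jump host
# with any user@ prefix and :port suffix removed; prints nothing if no
# ProxyJump is in effect.
first_hop() {
    awk 'tolower($1) == "proxyjump" { print $2; exit }' |
        cut -d, -f1 | sed -e 's/^.*@//' -e 's/:[0-9][0-9]*$//'
}

# resolved_hostname: stdin = `ssh -G <host>` output. Prints the address an
# alias such as "bastion" resolves to.
resolved_hostname() {
    awk 'tolower($1) == "hostname" { print $2; exit }'
}

# via_bastion TARGET: succeeds only when the first hop towards TARGET
# resolves to the Bastion address.
via_bastion() {
    vb_hop=$(ssh -G "$1" | first_hop)
    if [ -z "$vb_hop" ] || [ "$vb_hop" = "none" ]; then
        return 1        # direct connection: no jump host configured
    fi
    vb_addr=$(ssh -G "$vb_hop" | resolved_hostname)
    [ "$vb_addr" = "$BASTION_ADDR" ]
}

# Usage: sh check_bastion.sh lab-pc   (lab-pc is a hypothetical Host alias)
if [ $# -gt 0 ]; then
    if via_bastion "$1"; then
        echo "$1: routed through the Bastion"
    else
        echo "$1: NOT routed through the Bastion" >&2
        exit 1
    fi
fi
```

The check resolves the jump host alias as well, so an entry whose ProxyJump points at a different machine is reported as not routed through the Bastion.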
You can copy files to and from your target machine through the Bastion service using tools such as scp or rsync:
- since scp works on top of SSH, if you configured ssh via ~/.ssh/config you can use it as usual. If not, simply add -J name.surname@137.204.50.15 to the beginning of the scp command you used previously. For example:
scp -J name.surname@137.204.50.15 $HOME/Desktop/foo <your_machine_account>@<your_machine_IP>:/path/to/foo
- the rsync program must be configured to use the Bastion service over SSH by adding the -e "ssh -J name.surname@137.204.50.15" option to the beginning of the rsync command you used previously. If you have configured SSH via ~/.ssh/config, just add -e "ssh -J bastion". For example:
rsync -e "ssh -J name.surname@137.204.50.15" $HOME/Desktop/foo <your_machine_account>@<your_machine_IP>:/path/to/foo
rsync -e "ssh -J bastion" $HOME/Desktop/foo <your_machine_account>@<your_machine_IP>:/path/to/foo
PuTTY (Windows only)
Reference site: https://www.chiark.greenend.org.uk/~sgtatham/putty/
Requires at least version 0.80 (older ones do not support proxyhost).
In the "Category" tree, under "Connection" -> "Proxy":
- select "SSH to proxy and use port forwarding" in the "Proxy type" field
- enter 137.204.50.15 as the Proxy hostname and 22 as the Port.
All the other settings remain the same as those previously used.
MobaXTerm (Windows only)
Reference site: https://mobaxterm.mobatek.net
Change the connection:
- select Network Settings tab and click on SSH Gateway (jump host).
- enter 137.204.50.15 as Gateway host
- enter your institutional account as Username