Due to the perils of allowing unilateral incoming ssh connections in our incredibly heterogeneous environment, it was decided, in December 2001, to limit all incoming ssh connections to a single host: ssh.ucolick.org. In order to ensure the most reliable access, you should always ssh to the hostname ssh.ucolick.org (as opposed to a specific, alternate hostname) when connecting from outside the UCO/Lick network.
The ssh services on ssh.ucolick.org are provided by OpenSSH, and will accept both version 1 and version 2 connections. You should be aware, however, that most client implementations of ssh version 1 are deprecated, and tend to be more poorly maintained than ssh version 2. For best results, please ensure that your external ssh clients are ssh version 2 capable, especially if you are trying to log in from a physically vulnerable environment (a coffee shop, a wireless network, etc.).
Data transfers
Data transfers initiated from within the UCO/Lick network are not restricted by our firewall in any way.
Any external data transfers over ssh (including scp and sftp) initiated on a host external to the UCO/Lick network need to be directed to ssh.ucolick.org. Please see our page covering ssh data transfers for general information, and specific directions about external data transfers near the end of the page.
Interactive logins
Interactive logins initiated from within the UCO/Lick network are not restricted by our firewall in any way.
Any interactive client logins initiated on hosts external to the UCO/Lick network need to be directed to ssh.ucolick.org. The ssh gateway hosts are configured to redirect your interactive login to a host of your choice; if you have not designated a host to receive your interactive logins, or your designated host is not available, you will be directed to one of the public UNIX hosts. In either of the latter two situations, you may be prompted a second time for your password before you are presented with a shell prompt.
A script is used to designate a NICS-managed Linux or Solaris machine as your preferred login host. You can run it on any NICS-managed Linux or Solaris host like so:
/opt/share/bin/make_forwarding hostname
You can run this script as many times as you like if you change your mind about which host you would like to designate for your interactive logins. The script is also very careful about the operations it performs, and will abort with a descriptive error if it finds something out of place. These are the operations the script performs:
Two ssh keys are created (one RSA1, one DSA) and are placed in /home/ssh/username/.ssh. These keys are named forwarding1 and forwarding2, respectively, and are used by default when ssh.ucolick.org forwards your ssh login to your designated host.
The file /u/username/.ssh/authorized_keys on your designated login host is modified to allow password-less ssh logins using the two keys listed above, eliminating the need for you to type your password a second time.
The file /home/ssh/username/.ssh_forward_host is created. That file will contain a bit of commentary about where it came from, and lists your designated login host as the last line in the file.
If you want to designate a login host that is not a NICS-managed Linux or Solaris host, you need to mimic the above three steps manually. You may have an easier time performing the correct steps if you first set up your forwarding using a NICS-managed Linux or Solaris host, and use the results from that process as an example.
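The three steps above, carried out by hand for a host the NICS script cannot manage, as an added example that is not the NICS make_forwarding script. It assumes an OpenSSH old enough for ssh-keygen to still accept -t rsa1 (protocol-1 keys were dropped from OpenSSH in 7.6), that the gateway reads the last line of .ssh_forward_host as the target host, and that the paths are passed in explicitly rather than derived from your username.

```shell
#!/bin/sh
# Added example, not the NICS make_forwarding script. Mirrors its three
# recorded steps and, like it, stops with an error when something is off.
set -eu

# Step 3 on the page: .ssh_forward_host holds commentary first and the
# designated login host as the LAST line.
write_forward_host() {   # $1 = path to .ssh_forward_host, $2 = designated host
    printf '# created %s by a manual make_forwarding equivalent\n# last line is the designated login host\n%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" > "$1"
    chmod 600 "$1"
}

# Read the designated host back the way the gateway is assumed to
# (last non-blank line of the file).
read_forward_host() {    # $1 = path to .ssh_forward_host
    sed -e '/^[[:space:]]*$/d' "$1" | tail -n 1
}

# Step 2: append one public key to authorized_keys on the designated host,
# refusing duplicates and keeping ownership-sensitive permissions tight.
append_authorized_key() {  # $1 = public key file, $2 = authorized_keys path
    [ -f "$1" ] || { echo "missing public key: $1" >&2; return 1; }
    keydir=$(dirname "$2")
    [ -d "$keydir" ] || { echo "not a directory: $keydir" >&2; return 1; }
    chmod 700 "$keydir"
    touch "$2" && chmod 600 "$2"
    if grep -qxF -- "$(cat "$1")" "$2"; then
        echo "key already present, not appending: $1" >&2
        return 0
    fi
    cat "$1" >> "$2"
}

# Whole procedure in the page's order. $2 is the key directory
# (/home/ssh/username/.ssh on the page), $3 the authorized_keys file on
# the designated host (/u/username/.ssh/authorized_keys on the page).
make_forwarding_manual() {  # $1 = designated host, $2 = ssh dir, $3 = authorized_keys
    mkdir -p "$2" && chmod 700 "$2"
    [ -e "$2/forwarding1" ] && { echo "forwarding1 already exists, aborting" >&2; return 1; }
    ssh-keygen -q -t rsa1 -N '' -f "$2/forwarding1"   # step 1: RSA1 key
    ssh-keygen -q -t dsa  -N '' -f "$2/forwarding2"   #         DSA key
    append_authorized_key "$2/forwarding1.pub" "$3"   # step 2: both keys
    append_authorized_key "$2/forwarding2.pub" "$3"
    write_forward_host "$(dirname "$2")/.ssh_forward_host" "$1"   # step 3
}
```

The keys are password-less by design (that is what removes the second password prompt), so the authorized_keys file on the designated host deserves the same care as the gateway's own key directory.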
