SSH provides a 'remote terminal' feature that is encrypted, so passwords cannot be eavesdropped.


  • SSH access is only supported for client computers correctly registered in the DNS.
  • SSH version 1 is not supported. On some very old client platforms (e.g. Linux Suse 7.2), the "-2" option may be required.
  • External users must use a non-standard port number (see below).

For Windows-based personal computers, two programs are available for download: PuTTY and WinSCP.

From the external side (external users having a user account on an internal system)

Users first connect to a 'proxy' server running on the firewall computer, which in turn automatically connects them to the destination system. To use the SSH proxy, simply SSH to the firewall computer as if you were logging into it, and specify the port number for the target institute (the -p option on a UNIX/Linux command line, or the port setting in the menus of a graphical interface):

  • port 5022 on login ESRF (NICE cluster)
  • port 5023 on login ILL
  • both EMBL and IBS use a different architecture

There will be a short pause, and then you will be prompted for a password directly by the internal SSH server.

The external user must have a valid user account (identified by a username and a password) on this SSH server. If the username on the remote server differs from the username on the local client computer, then do not forget to configure the remote username:

  • -l username option for SSH command on UNIX
  • is also possible
  • examples:
    • ssh -l smith -p 5023
    • ssh -p 5022

On some client platforms (e.g. Linux Suse 7.2), the '-2' option may be required in order to force the use of SSH version 2.

  • ssh -2 -p 5022

Once logged into the SSH server, SSH to any other internal host is permitted - this is referred to as 'bouncing'.
At the ESRF, a server belonging to the NICE cluster will be automatically selected when coming from outside. Example:

% ssh -p 5022 -l johnson
Password: xxxxxxx
Please wait...checking for disk quotas
(...etc.)
sshgw% work on NICE or ssh to another-host
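
The external-access steps above can be captured once in an OpenSSH client configuration. This is an added example, not part of the original page: the ports and usernames are the ones used in the examples above, while the host name firewall.example.org, the aliases, and the one-step bounce with ProxyJump (OpenSSH 7.3 or later, and an internal server that allows connection forwarding) are assumptions.

```sshconfig
# ~/.ssh/config (added example; host names and aliases are placeholders)

# ESRF: the firewall proxy on port 5022 hands the session to a NICE server.
Host esrf-gw
    # Placeholder: replace with the real firewall host name.
    HostName firewall.example.org
    Port 5022
    # Remote account name, needed when it differs from the local one (-l).
    User johnson
    # Store this endpoint's host key under its own name in known_hosts,
    # so it is never confused with the ILL endpoint on the same firewall.
    HostKeyAlias esrf-gw

# ILL: same firewall host, different port, different internal SSH server.
Host ill-gw
    HostName firewall.example.org
    Port 5023
    User smith
    HostKeyAlias ill-gw

# 'Bouncing' to another internal host in one step.
# Assumption: the internal SSH server allows connection forwarding.
Host another-host
    ProxyJump esrf-gw
    User johnson
```

With this in place, `ssh esrf-gw` opens the session on the ESRF side and `ssh another-host` performs the bounce through it. A host key warning on one of these aliases then refers to exactly one internal endpoint, which makes an unexpected key change easier to investigate.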

From inside

Internal users should not cross the firewall for SSH access; just SSH directly to the remote host. Note that outgoing SSH is fully supported, provided an SSH client program is used internally (e.g. on the NICE cluster at the ESRF).