
Linux remote login access at SLAC

 

Overview

Secure Shell (SSH) access to systems on SLAC’s networks is only allowed via approved SSH bastion hosts. See the Approved Bastion Hosts for SSH Inbound Connections knowledge base article for more information.

For SLAC IT Storage Platform access, group creation and information please see the link.

Which hosts can I login to with SSH?

The following machines can be used for remote SSH access to SLAC. These bastion hosts use Active Directory credentials for authentication, not Heimdal "Unix" credentials.

Bastion hosts accessible to anyone with SLAC Active Directory credentials

If you need to ssh into SLAC from the outside and VPN is not available, please SSH to jump.slac.stanford.edu and then SSH into your on-site work computer.

Only minimal operating system tools will be installed.

Tools to support interactive usage will not be installed.

 

| Load-Balance Hostname | Operating System | Authentication | Non-Scientific File System | Accessible from the internet? |
|---|---|---|---|---|
| jump.slac.stanford.edu | Rocky 9.x | Active Directory | Coming soon | Yes |

 

Linux interactive login hosts

These systems are intended for command line, scripting and interactive usage.

No personal productivity tools shall be installed on these systems. 

| Load-Balance Hostname | Operating System | Authentication | Non-Scientific File System | Accessible from the internet? |
|---|---|---|---|---|
| rocky9.slac.stanford.edu | Rocky 9.x | Active Directory | SLAC IT Storage Platform | No |
| ubuntu-lts.slac.stanford.edu | Ubuntu LTS 22.04 | Active Directory | Coming soon | No |

X11 GUI Bastion Host

Use these hosts to display SLAC X11 / GUI applications on your remote desktop or laptop.
SLAC IT recommends NoMachine over FastX.

| Load-Balance Hostname | Operating System | Authentication | Non-Scientific File System | Guides | Accessible from the internet? |
|---|---|---|---|---|---|
| nx4.slac.stanford.edu | Rocky 9.x | Active Directory | Coming soon | Modern NoMachine | Yes |
| fastx.slac.stanford.edu | Rocky 9.x | Active Directory | Coming soon | Modern FastX | Yes |

Scientific computing bastion hosts

These bastion hosts are accessible from non-SLAC networks.

| Load-Balance Hostname | Operating System | Authentication | File System | Guides | Accessible from the internet? |
|---|---|---|---|---|---|
| s3dflogin.slac.stanford.edu | RHEL 9.x | Heimdal "Unix" | WEKA | S3DF | Yes |
| s3dfnx.slac.stanford.edu | RHEL 9.x | Heimdal "Unix" | WEKA | S3DF NoMachine | Yes |

Scientific systems data transfer

For scientific data access, use SSHFS to access files from your desktop, or refer to the following linked articles for help with transferring SDF or S3DF data.

S3DF Data Transfer

Restricted / Limited Login

The following systems require VPN access to use:

| Load-Balance Hostname | Operating System | Authentication | File System | Guides | Accessible from the internet? |
|---|---|---|---|---|---|
| centos7.slac.stanford.edu | CentOS 7.x | Heimdal "Unix" | AFS & NFS | None | No |

How to use SSH to login

  • SSH using hostname

ssh username@jump.slac.stanford.edu

-or- 

ssh jump.slac.stanford.edu -l username

  • SSH using IP address

ssh username@192.168.1.3

  • If you are already logged into a SLAC host, then all you need to supply is the hostname or IP address

ssh rocky9

ssh 192.168.1.3

Windows SSH Specific Issue

The Windows 10/11 built-in SSH client uses an outdated OpenSSL version, which causes compatibility issues. If you encounter SSH connection issues on Windows, specify the MAC algorithm on the command line:

ssh -m hmac-sha2-512 username@rocky9.slac.stanford.edu

For a permanent fix, edit your SSH config file at %UserProfile%\.ssh\config and add:

Host rocky9.slac.stanford.edu
    User username
    MACs hmac-sha2-512

Replace username with your actual username.

Using ProxyCommand for SSH Connections

If connecting through a proxy or jump host, configure your SSH client to use a ProxyCommand:

Edit your SSH config file (~/.ssh/config on Linux/Mac or %UserProfile%\.ssh\config on Windows):

Host rocky9.slac.stanford.edu
    User username
    MACs hmac-sha2-512
    ProxyCommand ssh -W %h:%p username@jump.slac.stanford.edu

Host ubuntu-lts.slac.stanford.edu
    User username
    MACs hmac-sha2-512
    ProxyCommand ssh -W %h:%p username@jump.slac.stanford.edu

The -W %h:%p flag in the ProxyCommand option does the following:

  • -W tells SSH to establish a direct TCP tunnel from your local machine, through a proxy or jump host, to the final SSH destination.
  • %h automatically expands to the destination hostname you're connecting to.
  • %p automatically expands to the destination port number (typically port 22 for SSH).

Replace username with your actual username.
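
A Host block only takes effect when its pattern matches the name you type after ssh, so a misspelled Host line silently drops the ProxyCommand. The following is an added example, not part of the original article or SLAC tooling: a small checker that resolves the effective options for each internal host (first value obtained wins) and reports whether its ProxyCommand goes through jump.slac.stanford.edu. The sample config and all function names are constructed for illustration; Match, Include and keyword=value syntax are not handled.

```python
import fnmatch
import shlex

BASTION = "jump.slac.stanford.edu"
# Hosts the tables above list as not accessible from the internet.
INTERNAL_HOSTS = ["rocky9.slac.stanford.edu", "ubuntu-lts.slac.stanford.edu"]

# Constructed sample config; "ubuntu.slac.stanford.edu" is a deliberate
# mistake, so that block never applies to ubuntu-lts.slac.stanford.edu.
SAMPLE_CONFIG = """\
Host rocky9.slac.stanford.edu
    MACs hmac-sha2-512
    ProxyCommand ssh -W %h:%p username@jump.slac.stanford.edu

Host ubuntu.slac.stanford.edu
    ProxyCommand ssh -W %h:%p username@jump.slac.stanford.edu

Host *.slac.stanford.edu
    User username
"""

def host_matches(patterns, host):
    """A Host line matches if a positive pattern matches and no !pattern does."""
    pats = patterns.split()
    if any(p.startswith("!") and fnmatch.fnmatchcase(host, p[1:]) for p in pats):
        return False
    return any(not p.startswith("!") and fnmatch.fnmatchcase(host, p) for p in pats)

def effective_options(config_text, host):
    """Resolve options as ssh_config does: the first value obtained for a keyword wins."""
    options, active = {}, True  # lines before the first Host block apply to every host
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        keyword, value = parts[0].lower(), parts[1]
        if keyword == "host":
            active = host_matches(value, host)
        elif active:
            options.setdefault(keyword, value)
    return options

def routes_via_bastion(options, bastion=BASTION):
    """True when ProxyCommand is an `ssh -W ...` invocation that targets the bastion."""
    argv = shlex.split(options.get("proxycommand", ""))
    return "-W" in argv and any(a.split("@")[-1] == bastion for a in argv[1:])

def audit(config_text, hosts=INTERNAL_HOSTS):
    """Map each host to True/False: does its effective config tunnel via the bastion?"""
    return {h: routes_via_bastion(effective_options(config_text, h)) for h in hosts}

if __name__ == "__main__":
    for host, ok in audit(SAMPLE_CONFIG).items():
        print(f"{host}: {'via bastion' if ok else 'NO ProxyCommand through ' + BASTION}")
```

To check your own file, pass its contents to audit() in place of SAMPLE_CONFIG.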

Related Information

Linux at SLAC

Approved Bastion Hosts for SSH Inbound Connections

Troubleshoot SSH Issues Guide

SDF Information

S3DF Information

SSHFS