SSH service

1. About

The Secure Shell Protocol (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Its most notable applications are remote login and command-line execution. The Secure Shell Protocol is an essential component of the administration of any computer network and the Internet.

2. Systems

2.1 Frontend

FQDN BFH IT-Services IPv6 IPv4
ssh.bfh.info
ipv6.ssh.bfh.info
ipv4.ssh.bfh.info

FQDN BFH IT-Services IPv6 IPv4
ssh.bfh.science
ipv6.ssh.bfh.science
ipv4.ssh.bfh.science

2.2 Backend

Warning
Always use the frontend DNS record

Never use the backend nodes directly:

  • backend may change without notice at any time (e.g. IP addresses, DNS records, configuration, etc.)
  • backend has no legacy support or grace periods; changes are implemented instantly
  • backend can be rebooted without notice at any time
  • backend access will soon be restricted

FQDN                   IPv6                  IPv4
node1.ssh.bfh.info     2a07:6b40::71         147.87.0.71
node2.ssh.bfh.info     2a07:6b40::72         147.87.0.72
node3.ssh.bfh.info     2a07:6b40::73         147.87.0.73
node4.ssh.bfh.info     2a07:6b40::74         147.87.0.74

FQDN                   IPv6                  IPv4
node1.ssh.bfh.science  2a07:6b42:101:11::11  147.87.8.11
node2.ssh.bfh.science  2a07:6b42:101:11::12  147.87.8.12

3. Features

  • TODO

4. Operations

  • TODO

6. Backlog

Legacy

  • retire ssh{1,2}.its.bfh.ch

  • retire node{1,2}.ssh.esb{,-test}.bfh.ch [2025-08 after ESB debian-lifecycle]

Setup

  • regenerate containers with Debian 12

Features

  • anycasting ssh.bfh.info

  • set up automated SSH host key signing CA

  • self-service for user keys via LDAP in IDM

  • (non-)persistent home on ssh.bfh.science after some more testing

  • provide end-user documentation on how to use SSH, SSH Gateways and SSH Keys

  • support MFA

  • test environment

  • benchmarking

Known issues

  • no known issues