Gateway machines


  • ‘’ and ‘’ were decommissioned on June 11, 2024


The gateway machines and provide ssh access to MPCDF computing resources. Note that the home directory $HOME is local to each of those machines and very limited in size (‘quota -vs’ reports your current usage). Only SHA256-based key exchange methods are supported; if connection attempts fail, a more recent version of your ssh/sftp client software might be required. All MPCDF gateway machines enforce two-factor authentication (2FA).

The ssh key fingerprints (SHA256) are:
SHA256:VSjalFu2TI5LGonWDTSzSAz2ie9DFsXoLdbXNk3FoZY (ED25519)
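
To check the published fingerprint in a script rather than by eye, the following added example (not MPCDF's own code) recomputes the OpenSSH SHA256 fingerprint from a 'host keytype base64-blob' line, such as the output of ‘ssh-keyscan -t ed25519’, and compares it with the value above. The function names are hypothetical, and the sample key is constructed for the demonstration, so it does not match the real gateway key.

```python
import base64
import hashlib

# SHA256 fingerprint of the gateway ED25519 host key, as published on this page.
PUBLISHED = "SHA256:VSjalFu2TI5LGonWDTSzSAz2ie9DFsXoLdbXNk3FoZY"


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the raw key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_host_key(line: str):
    """Parse one 'host keytype base64-blob' line as printed by ssh-keyscan."""
    fields = line.split()
    if len(fields) < 3 or fields[0].startswith("#"):
        raise ValueError("not a host key line")
    host, keytype, b64 = fields[:3]
    blob = base64.b64decode(b64, validate=True)  # raises ValueError on bad base64
    # The blob begins with a length-prefixed copy of the key type; a mismatch
    # means the line was mangled or the declared type is wrong.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != keytype.encode("ascii"):
        raise ValueError("declared key type does not match key blob")
    return host, keytype, blob


def matches_published(line: str, expected: str = PUBLISHED) -> bool:
    """True only if the line carries an ED25519 key with the expected fingerprint."""
    _, keytype, blob = parse_host_key(line)
    return keytype == "ssh-ed25519" and fingerprint(blob) == expected


def constructed_line(host: str = "gateway.example") -> str:
    """Constructed sample (NOT the real gateway key): ED25519 blob over bytes 0..31."""
    kt, pub = b"ssh-ed25519", bytes(range(32))
    blob = len(kt).to_bytes(4, "big") + kt + len(pub).to_bytes(4, "big") + pub
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode('ascii')}"


if __name__ == "__main__":
    sample = constructed_line()
    print(fingerprint(parse_host_key(sample)[2]))
    print("matches published fingerprint:", matches_published(sample))
```

A mismatch for a key actually scanned from a gateway means the connection should not be trusted until the discrepancy is explained.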

gate1 will be rebooted each Tuesday, 3:45 am, and gate2 each Saturday, 3:45 am, German local time; user sessions will thus persist no longer than 7 days on either gateway system.

Please note further that both gate1 and gate2 support password and GSSAPI authentication methods only; an additional second authentication method based on our OTP infrastructure is mandatory.

If you intend to forward your Kerberos5 ticket from a remote machine via GSSAPI, make sure to pass ‘GSSAPIDelegateCredentials=yes’ to ssh.

These gateway machines are for login only, not for compiling or running applications; the module environment is also not supported. Compilers and batch systems are available on the Linux clusters and on the HPC system. If necessary, please apply for an account on these systems via the MPCDF helpdesk.

GSSAPI-based logins to MPCDF hosts

If you want to log in directly to an internal machine, here named ‘TARGET’, as user ‘MPCDF-USERNAME’, you can put the following snippet into your ‘~/.ssh/config’ file:

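# <gateway-host> is a placeholder for the host name of the gateway machine
Host TARGET
    User MPCDF-USERNAME
    ProxyCommand ssh -W %h:%p <gateway-host> 2>/dev/null
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host <gateway-host>
    User MPCDF-USERNAME
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    ControlMaster auto
    ControlPath ~/.ssh/control:%h:%p:%r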

This supports GSSAPI, so with a Kerberos5 ticket on your machine, you can log in to TARGET without typing the password again.

The corresponding Kerberos Client configuration is given here.

Tunneled access to MPCDF services

Many MPCDF services and clusters are only available to internal MPG networks and are not visible from external institutes and/or a user's home network.

To overcome this restriction, ssh tunneling can be used to simplify access to these internal services.

For example, accessing the archive service from an external node can be achieved by creating a tunnel as follows:

ssh <user>@<gateway-host> -L 2002:<archive-host>:<archive-port> -N

Once this tunnel has been established, SFTP/SCP can be used to access the archive as if it were on your local system (in this case, point your sftp client to port 2002 on localhost). This means that you can use file transfer tools such as FileZilla by just setting up the tunnel and configuring the FileZilla remote SFTP/SCP connection to use localhost and port 2002. When using FileZilla, the 2FA may cause some problems (login requests can occur on each file transfer). To overcome this, change the Login Type to interactive and set the Max number of connections to 1 in the Site Manager configuration.

Note that for Windows systems, WinSCP is also capable of using the gate node as a proxy. Simply configure WinSCP to use an ssh tunnel in the Advanced Options section using as the hostname and your usual MPCDF user name and password.

To simplify direct access from Linux-based systems, the ssh ProxyJump option can be used.

To access the archive (or any cluster login node):

sftp -o 'ProxyJump <user>@<gateway-host>' <user>@<archive-host>

or alternatively:

sftp -J <user>@<gateway-host> <user>@<archive-host>

Note: This will also work for ssh connections and rsync via ssh:

ssh -J <user>@<gateway-host> <user>@<target-host>

rsync -av -e 'ssh -J <user>@<gateway-host>' source-dir <user>@<target-host>:<target-dir>