CSLab SSH Gateway

The CSLab SSH Gateway at

gateway.cs.cityu.edu.hk

is a Ubuntu server for general access by all valid CSLab users using a regular SSH client.

This server is equipped with 96 CPU cores and 1.5TB of main memory. A single process can occupy as much as 128GB of memory.

Besides each user’s home directory, users can create their own folders on the ‘/public’ path. Each user can have up to 200GB of disk space on ‘/public’. Data backup is not available on ‘/public’. All files not accessed for 30 days will be removed automatically.

SSH terminal logon service

Users can log on to the terminal of the gateway server using any SSH clients

On Windows 10 Desktop, user can invoke the ssh command from PowerShell or CMD like

> ssh eid@gateway.cs.cityu.edu.hk

On macOS, users can invoke the ssh command from the Terminal App

SSH tunneling services

For use when users are outside the CityU campus and failed to connect to CSLab SSL VPN servers. The tunneling services only work on Windows 10 and MacOS desktop clients. Mobile devices are not supported. 

The use of an SSH tunnel is a two-stage process. Firstly, we use the SSH command to establish a tunnel from a Windows PC or a MacOS machine to the gateway server. Then we configure a specific application to use that tunnel. Different applications require different types of SSH tunnels. 

  1. Use as a SOCKS proxy for web browsers supporting SOCKS Proxy such as Firefox

    On Windows 10, open PowerShell or CMD to run the command

    > ssh –ND 8080 <eid>@gateway.cs.cityu.edu.hk

    to establish the tunnel. After login, the screen will freeze and the PowerShell or CMD must be kept on the screen for the tunnel to work. Then configure, say Firefox, to use the tunnel as SOCKS proxy. Set the SOCKS host to '127.0.0.1' and the port number to 8080 as shown below.

    And you can surf the web via the SSH tunnel

  2. Use as a tunnel for Remote Desktop Access to users' individual Windows desktops

    On Windows 10, open PowerShell or CMD to run the command

    > ssh –NL 33890:<remote_desktop_ipaddress>:3389 <eid>@gateway.cs.cityu.edu.hk

    to establish the tunnel. Then configure MSTSC to connect to localhost:33890 like,

    and you can access your individual Windows desktop.

Setting Up SSH Key-Based Authentication

Key-based authentication offers stronger security and a more convenient login experience compared to password access. Here’s how to set it up:

1. Generate SSH Key Pair

On your local system (Windows, macOS, or Linux), open Terminal or PowerShell, and run:

> ssh-keygen -t ed25519

  • Press Enter to accept the default file location (~/.ssh/id_ed25519).
  • Optionally enter a passphrase or just press Enter twice for no passphrase.

2. Install Your Public Key on the CSLab SSH Gateway

On Windows, use PowerShell or CMD; on macOS/Linux, use Terminal:

> ssh-copy-id eid@gateway.cs.cityu.edu.hk

If ssh-copy-id isn't available (e.g., Windows without WSL/Git Bash), connect manually and append your public key:

View the key:
> cat ~/.ssh/id_ed25519.pub

Copy the output, then SSH to the gateway:
> ssh eid@gateway.cs.cityu.edu.hk

On the gateway, paste the copied text into ~/.ssh/authorized_keys:
> mkdir -p ~/.ssh
> echo "<paste-your-public-key-here>" >> ~/.ssh/authorized_keys
> chmod 600 ~/.ssh/authorized_keys
> chmod 700 ~/.ssh

Test your login! You should no longer be prompted for a password.

Accessing Internal Servers Using Jumpbox Mode (ssh -J)

Instead of logging in and landing on the gateway, you can use the gateway as a transparent jumpbox (bastion). This keeps your gateway session stateless and routes SSH directly to internal servers.

Requirements:

  • Your public SSH key must be installed on both the gateway and the internal server.
  • Replace eid with your CSLab ID, internaluser with your username on the target internal server, and internalserver with its hostname.

1. Basic Jumpbox SSH Command

From your local machine, run:

> ssh -J eid@gateway.cs.cityu.edu.hk internaluser@internalserver

  • This command forwards the SSH session via the gateway, authenticating you on both servers if your keys are set up.

2. With SSH Config File (Recommended)

For convenience, add the following to your ~/.ssh/config:

Host internalserver
HostName internalserver
User internaluser
ProxyJump eid@gateway.cs.cityu.edu.hk

Then simply type:

> ssh internalserver