Access the Institute Network

Access to the institute's network is possible via the ssh gateway

(from inside HIM network use: gw.<group name> as host with <group name> = (acid, emp, mam, she, specf, thfl) )

You can log in to the gateway using your public key, but not with username/password. Therefore, you must provide your public key to the gateway via sFTP. This is the only time where user/password login is allowed. The keys have to be put into a file called authorized_keys, which has to reside in the subfolder keys.

Prepare your public key

If you know your public key - great. Copy or append it to a file named authorized_keys and proceed to copy that file to the gateway.

If not, go to your /home/<username>/.ssh/ directory and look for a file named and copy it to a new file named authorized_keys.

If there is no, you may need to create a public key by entering:


You can accept the default values; the private and public keys will be stored in your ~/.ssh/ directory. The file for the gateway must be named authorized_keys, so copy your public key:

cat >> authorized_keys

This way you can also append keys to authorized_keys if it already exists. You can now proceed to copy that key file to the gateway.

Copy Public Key file using FileZilla

An easy way to copy your public key(s) to the gateway is to use the open source ftp client FileZilla. Enter the following values:

Host (from outside HIM network): s

Host (from inside HIM network): gw.<group name>  (with <group name> = (acid, emp, mam, she, specf, thfl) )

Username: <your Uni-Mainz ID>

Password: <your password>

Port: 22022

It will look similar to this image:

In the left-hand pane you can browse your files. Select your prepared authorized_keys file and drag it to the remote keys folder. Please be advised that this will overwrite any currently authorized keys. If you wish to add more than one public key to the gateway, please copy the remote file first, append your new public key and copy the file back to the gateway.

Add your authorized_keys file:

Your keys should now be stored on the gateway. You can check that by entering:

ssh <username>

(from inside HIM network use: gw.<group name> as host with <group name> = (acid, emp, mam, she, specf, thfl) )

You should see the message "Hello, <username>" and be asked for the hostname of the machine you want to connect to, like this:

You can now enter your desired destination

<username>@<hostname>.<group name>

Please keep in mind that this username is the name on that specific machine and not necessarily your zdv username. You need to enter your password for that machine as well.

A more elegant solution is to set up your .ssh/config file to use the gateway as a jump host and use public key authentication, see below. If set up correctly, you don't need to enter a password when connecting to your workstation.

If instead you are presented the message "Permission denied (publickey).", something went wrong and the has not been stored correctly on the gateway.

Copy Public Key using the command line

Alternatively, if you do not want to use FileZilla or any other sftp compatible program, you can use the built-in tools of most Linux systems.

Go to the directory containing your public key in a file called authorized_keys. You can copy your local authorized_keys file to the remote destination keys/authorized_keys using:

sftp -P 22022 <userid> <<< "put authorized_keys keys/authorized_keys"

(from inside HIM network use: gw.<group name> as host with <group name> = (acid, emp, mam, she, specf, thfl) )

The authorized keys file should contain all public keys, one key per line.

In order to add a key one can first fetch the keys file via

sftp -P 22022 <userid> <<< "get keys/authorized_keys"

(from inside HIM network use: gw.<group name> as host with <group name> = (acid, emp, mam, she, specf, thfl) )

then add the new key

cat >> authorized_keys

and reupload the file using the put command above.

Add a new Key using the command line

Go to your user directory and make sure your is in ~/.ssh/. Then replace <user ID> with your ZDV user ID and enter the following in your terminal of choice:

cd ~ && sftp -P 22022 <user ID> <<< "get keys/authorized_keys" && cat ~/.ssh/ >> authorized_keys && sftp -P 22022 <user ID> <<< "put authorized_keys keys/authorized_keys" && rm authorized_keys

You need to enter your password twice, once for downloading your authorized keys and once for uploading the new authorized keys. Congratulations, your new key was added to the gateway.
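
Because the upload overwrites the remote keys file, the local merge between the get and put steps is where a mistake gets locked in. The following is an added example, not part of the original page: a shell function (merge_pubkey, a hypothetical name) for that step, which accepts only a single-line public key, skips keys that are already present and keeps one key per line. The file names are whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the original page. merge_pubkey and is_pubkey_line
# are hypothetical helper names; nothing here contacts the gateway.

# is_pubkey_line LINE: succeed if LINE is "<key type> <base64 blob> [comment]".
# Lines of a private key file never match this shape.
is_pubkey_line() {
    printf '%s\n' "$1" | grep -Eq \
'^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-[a-z0-9@.-]+) AAAA[A-Za-z0-9+/]+=*( .*)?$'
}

# merge_pubkey PUBKEY_FILE KEYS_FILE
# Returns 0 = key appended, 1 = input rejected, 2 = key already present.
merge_pubkey() {
    mp_pub=$1
    mp_keys=$2
    # A public key file holds exactly one non-empty line; a private key
    # (multi-line PEM) or an empty file is rejected here.
    mp_n=$(grep -vc '^[[:space:]]*$' "$mp_pub") || return 1
    [ "$mp_n" -eq 1 ] || return 1
    mp_line=$(grep -v '^[[:space:]]*$' "$mp_pub")
    is_pubkey_line "$mp_line" || return 1
    [ -f "$mp_keys" ] || : > "$mp_keys"
    # Identify the key by "<type> <blob>" so a different comment does not
    # make an already-authorized key look new.
    mp_id=$(printf '%s\n' "$mp_line" | cut -d' ' -f1,2)
    if awk -v id="$mp_id" 'index($0 " ", id " ") { f = 1 } END { exit !f }' "$mp_keys"
    then
        return 2
    fi
    # Write the merged file next to the old one and rename it into place,
    # so an interrupted run never leaves a half-written keys file.
    mp_tmp=$(mktemp "$mp_keys.XXXXXX") || return 1
    # "awk 1" re-emits each line with a trailing newline: a fetched file
    # without a final newline cannot glue two keys onto one line.
    awk 1 "$mp_keys" > "$mp_tmp" &&
        printf '%s\n' "$mp_line" >> "$mp_tmp" &&
        chmod 600 "$mp_tmp" &&
        mv "$mp_tmp" "$mp_keys"
}

# Usage between the "get" and "put" steps (file names are the caller's):
#   merge_pubkey /path/to/new_key.pub authorized_keys
```

A return value of 1 means nothing was changed, so the file should not be uploaded until the input has been checked.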

Setup the Gateway as Jump Host

You don't need to manually enter the remote hostname each time you want to log in to your desktop, but instead configure your ssh config file to use the gateway as jump host. Look inside your ~/.ssh/ directory for a file called config. If it's not already there, create it:

nano ~/.ssh/config

And add entries for two hosts, which we will call work (your workstation) and gate (the gateway). Your config should look like this:

Host gate
  User <Uni-Mainz ID>
  ServerAliveInterval 15
  ForwardX11Trusted yes

Host work
  HostName <hostname> OR <IP>
  User <user name on that machine>
  ServerAliveInterval 5
  ProxyCommand ssh -X gate nc %h 22 

The ProxyCommand is crucial here: ssh -X enables X forwarding, gate is the gateway, and "nc %h 22" opens the connection from the gateway to port 22 of your workstation, over which the actual login takes place. Do not enable compression, and remove it should it already be in your config file, as it will reduce your transfer speeds significantly.

Please note that your public key must also be on your workstation in ~/.ssh/authorized_keys. Place it there in whatever way you prefer or refer to your OS man pages. If that is set up correctly, you can ssh into your workstation at HIM by using

ssh work

without any further credentials.

Accessing HIMster2

Please read: 

Accessing Clover

You can reach Clover in just the same way. Add the following to your ".ssh/config":

Host gate
  User <Uni-Mainz ID>
  ServerAliveInterval 15
  ForwardX11Trusted yes


Host clover
  User <username on himster/kph>  #this is probably NOT your ZDV name
  ServerAliveInterval 15
  ProxyCommand ssh -X gate nc %h 22

You can also reach clover from within the THFL subnet of the HIM Network directly.

Public key authentication works just the same.


You will receive an email upon any change to the keys file. If you receive an email from the gateway system without having modified your keys, an attacker is possibly trying to use your account. In such a case please contact immediately.

The gateway is regularly rebooted every Monday morning at 5 am.

An easy way to use the gateway as a "jump host" is to set up your client's config file, i.e. ~/.ssh/config, where the syntax is

Host him
        ProxyCommand ssh <uid> nc <destination host> 22

(from inside HIM network use: gw.<group name> as host with <group name> = (acid, emp, mam, she, specf, thfl) )

Alternatively you can ssh into the gateway directly and interactively specify the host to login to.


The basis for the temporary storage of user data is Art. 6 Abs. 1 lit. f DSGVO. 

Log files on the print server are in general kept for not more than two weeks. They document:

  • authentication data, i.e. IP address of the computer, username, especially failed attempts

These are necessary for security and debugging purposes.

All of the above data is only used for the purpose of providing the ssh gateway service and is not shared with a third party.