Like OpenSSH, PuTTY can also be configured to use a proxy host and share connections. Note that recent versions of Windows include or have OpenSSH available to install, which could be used instead of PuTTY, following the OpenSSH instructions. The PuTTY example below uses PuTTY version 0.78. If you find options missing, obtain1 and use a newer PuTTY.2
Go to Connection > Proxy. Select Proxy type "SSH to proxy and use port forwarding." For Proxy hostname enter login.jlab.org.,3 and for Port enter 22. Because the ifarm and qcdi hostnames are not published externally, select "Yes" for Do DNS name lookup at proxy end. Enter your JLab CUE username for Username.
Go Connection > SSH and select Share SSH connections if possible.
Return to Session and enter Host Name your-CUE-username@ifarm or your-CUE-username@qcdi. Enter "ifarm via login.jlab.org." (or "qcdi," as the case may be) under Saved Sessions and select the Save button.
When you select Open, if you haven't yet saved login.jlab.org.'s host key, you will be prompted to verify it. The fingerprint should be one of
ssh-ed25519 255 SHA256:lxAZjU2BeGi+10IxYkrt6zCOrhidf9QI6SUyxqtPAV4
ecdsa-sha2-nistp256 255 SHA256:C2DNbPb5xtxMyG4dxJ40zumQLYyyqCYHpIlbho6rxQ8
ssh-rsa 3071 SHA256:MBGw+tIjtSiVy3cXJDpFuCB4aPVS0b9xr/SSINjngRM
or else someone may be snooping on your connection and you should Cancel and contact us with a screenshot first.
After you Accept, you will be prompted first for two-factor authentication (into login.jlab.org.), and then for your CUE password (into ifarm).
Second connections should re-use the existing connection (provided, of course, you select and Load the stored configuration first).
1. All you need for this recipe is the putty.exe under "alternative binary files." Using the MSI installer is optional.
2. In earlier versions of PuTTY, one can supposedly use PuTTY's Plink command as a Local proxy, but I was not able to get that to work, I assume because the proxy process runs in the background and therefore must function without interaction (e.g. saved password or public key authentication), which is not compatible with JLab's two-factor authentication. PuTTY just hangs
ostensibly waiting for the proxy process
to complete a connection that it cannot complete without input that cannot and will never be provided. Opening a separate instance of PuTTY to forward a port through login.jlab.org., and then configuring a second instance of PuTTY to connect through that tunnel would likely work, but would lack the convenience.
3. You could also use acclogin.jlab.org. or one of login.jlab.org.'s aliases. I'm using final .s because I am a pedant and that is technically the way to specify an absolute domain name (just as an initial / indicates an absolute path) but Windows' DNS resolver should work with or without.