Using Penn VPN to access resources via SSH

Inbound connections to SSH services on PennNet are blocked at the campus border firewall (this block started in October 2020). The block applies to all inbound SSH connections, regardless of port. SSH connections within PennNet and outbound SSH connections are not affected.

SSH servers remain accessible from off campus via Penn’s VPN service, available to the entire Penn community. VPN users must have an active PennKey affiliation and must be enrolled in two-step authentication. General VPN instructions and client downloads can be found here: https://www.isc.upenn.edu/how-to/university-vpn-getting-started-guide. Information on enrolling in two-step authentication can be found here: https://www.isc.upenn.edu/how-to/two-step-faq

If blocking inbound connections to your SSH server will cause a significant impact to your work, or if you have any other questions, please contact CETS: https://cets.seas.upenn.edu/contact-us/

Linux compatibility notes

This is an incomplete list of compatibilities, as reported by various users as of September 24, 2020:

Reported Compatible: OpenSuSE 15.2, CentOS, RHEL, Ubuntu 18.04 and 20.04

Reported Incompatible: Fermi SL (but see below)

A reported workaround is to modify the appropriate /etc/*-release file to pretend you are running a compatible OS with the closest matching paths to SSL Certificate storage. For example, on Fermi SL you might have success using CentOS or RHEL versions of /etc/redhat-release.

If you find you can connect but then lose DNS, check for and remove any manually configured /etc/resolv.conf nameserver entries.
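
One way to carry out the DNS check above, as an added example that is not part of the original page or a CETS tool. The function names and the heuristic for "manually configured" (a regular file with no generator header comment) are assumptions; the sample input is constructed.

```shell
#!/bin/sh
# Added example: classify a resolv.conf and list its nameserver entries.
# Assumption: a symlink or a "generated by"/"managed by"/"do not edit" header
# comment means a tool owns the file; otherwise entries are treated as manual.

# resolv_origin FILE -> prints "symlink", "generated" or "manual"
resolv_origin() {
    f=$1
    if [ -L "$f" ]; then
        echo symlink
    elif grep -Eiq '^[#;].*(generated by|managed by|do not edit)' "$f"; then
        echo generated
    else
        echo manual
    fi
}

# list_nameservers FILE -> one address per line; commented-out entries are skipped
list_nameservers() {
    awk '$1 == "nameserver" && NF >= 2 { print $2 }' "$1"
}

# check_resolv [FILE] -> prints a report.
# Returns 1 if manual nameserver entries are present, 2 if unreadable, else 0.
check_resolv() {
    f=${1:-/etc/resolv.conf}
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    origin=$(resolv_origin "$f")
    servers=$(list_nameservers "$f")
    echo "$f: origin=$origin"
    [ -n "$servers" ] && echo "$servers" | sed 's/^/  nameserver /'
    if [ "$origin" = manual ] && [ -n "$servers" ]; then
        echo "  manually configured nameserver entries found"
        return 1
    fi
    return 0
}

# Constructed sample (192.0.2.53 is a documentation address), not a real config.
sample=$(mktemp)
printf 'search example.edu\nnameserver 192.0.2.53\n' > "$sample"
check_resolv "$sample" || true
rm -f "$sample"
```

Run `check_resolv` with no argument to inspect /etc/resolv.conf on the affected machine; it only reports and never modifies the file.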


* The University of Pennsylvania’s Office of Information Security continues to see thousands of attacks a day targeting SSH throughout campus, resulting in multiple host compromises at UPenn. UPenn’s VPN requires two-factor authentication, and many SSH servers at Penn do not require 2FA. Best practices such as using key-based authentication, IP restrictions, and other controls are often not followed. There are many devices maintained by vendors that have poor SSH configurations that are difficult to secure.