Gateway machines

The gateway machines and provide ssh access to MPCDF computing resources. One should note that gatezero has no access to AFS. Thus, even the home directory $HOME will be local on that machine and very limited in size. SHA256 based key exchange methods are supported exclusively; a more recent version of your favourite ssh/sftp client software might be required in case connection attempts fail.

Their ssh key fingerprints are: (

SHA256:FMEK9sd2yd6U3TuQwRdOh6sgJU5WYyHGrLLC9MmuFAs (RSA)
SHA256:28HyXemglZTQgDWYBdqmRSloBpEjWgYNtdzEt6SSC4c (ED25519)

SHA256:zF/sNLAYqwwRlY3/lhb1A805pGiQiF3GhGP1bBCpvik (RSA)
SHA256:qjBJoqcJcCM0LyTqtj09BAxS74u81SizY9zob+XwEOA (ED25519)

Please note that gateafs (gate) supports password and GSSAPI authentication methods only, while gatezero additionally allows public keys for authentication.

If you intend to forward your Kerberos5 ticket from remote via GSSAPI, please ensure to pass 'GSSAPIDelegateCredentials=yes' to ssh.

These gateway machines are for login only, not for compiling or running applications; the module environment is also not supported. Compilers and batch systems are available on the Linux clusters and on the HPC system. If necessary, please apply for an account on these systems via the MPCDF helpdesk.


If you want to login directly to an internal machine, here named <TARGET> as user <MPCDF-USERNAME>, you can put following snippet into your ~/.ssh/config file:

ProxyCommand ssh -W %h:%p 2>/dev/null
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
ControlMaster auto
ControlPath ~/.ssh/control:%h:%p:%r

This supports GSSAPI, so with a Kerberos5 ticket on your machine, you can login to <TARGET> without typing the password again.

The corresponding Kerberos Client configuration is given here.

Tunneled access to MPCDF hosts:

Many MPCDF services and clusters are only available to internal MPG networks and are not visible from external institutes and/or a users home network.

To overcome this restriction ssh tunneling can be used to simplify access to these internal services.

For example accessing the archive service from an external node can be achieved by creating a tunnel as follows

ssh <user> -L -N

Once this tunnel has been established SFTP/SCP can be used to access the archive as it if were on your local system (in this case point your sftp client to port 2002 on localhost). This means that you can use file transfer tools such as FileZilla by just setting up the tunnel and configuring the FileZilla remote SFTP/SCP connection to use localhost and port 2002.

Note that for windows systems WinSCP is also capable of using the gate node as a proxy. Simply configure WinSCP to use an ssh tunnel in the Advanced Options section using as the hostname and your usual MPCDF user name and password.

To simplify direct access from linux based systems the ssh ProxyJump option can be used.

To access the archive (or any cluster login node)

sftp -o 'ProxyJump <user>' <user>

or alternatively:

sftp -J <user> <user>

Note: This will also work for ssh connections and rsync via ssh

ssh -J <user> <user>
rsync -av -e 'ssh -J <user>' source-dir <user>


Document Actions