AN 939: JTAG Connections Over SSH

ID 683756
Date 7/07/2021
Public

3. Securing JTAG Communication with SSH

Use SSH to encrypt communication between the Intel® Quartus® Prime JTAG Server and JTAG clients such as the Intel® Quartus® Prime Programmer.
Two scenarios are supported for JTAG communication with SSH tunnels:
  • Remote machine has the FPGA board attached

    In this scenario, the SSH server and JTAG Server run on the remote machine, while the SSH client and JTAG clients run on the local machine. This scenario is called SSH tunneling or SSH local port forwarding.

    The following block diagram is a simplified representation of this scenario:

  • Local machine has the FPGA board attached

    In this scenario, the SSH client and JTAG Server run on the local machine, while the SSH server and JTAG clients run on the remote machine. This scenario is called reverse SSH tunneling or SSH remote port forwarding.

    The following block diagram is a simplified representation of this scenario:

Establishing an SSH tunnel between the JTAG Server and JTAG clients ensures that communication between them is encrypted and better protected from network eavesdropping.
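The two forwarding directions described above map to the OpenSSH `-L` and `-R` options. The following shell function is an added example, not part of the original application note: it builds the `ssh` command for either scenario with the forwarded port bound to the loopback interface only. The scenario names, the `user@remote-host` target, and the use of TCP port 1309 (the default JTAG Server port) are assumptions.

```shell
#!/bin/sh
# Added example: build the ssh command line for either JTAG tunneling scenario.
# Assumptions (not from the page): the JTAG Server listens on TCP port 1309,
# and the SSH target is a placeholder such as user@remote-host.

JTAG_PORT_DEFAULT=1309

# jtag_tunnel_cmd <remote-board|local-board> <user@host> [port]
# Prints the ssh command on stdout; returns 2 on invalid arguments.
jtag_tunnel_cmd() {
    scenario=$1
    target=$2
    port=${3:-$JTAG_PORT_DEFAULT}

    # Reject an empty target or one starting with "-", which ssh would
    # parse as an option instead of a host.
    case $target in
        ''|-*) echo "invalid SSH target" >&2; return 2 ;;
    esac

    # The port must be a decimal integer in the range 1..65535.
    case $port in
        ''|*[!0-9]*) echo "invalid port" >&2; return 2 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "invalid port" >&2; return 2
    fi

    case $scenario in
        # Board on the remote machine: local port forwarding (-L).
        # JTAG clients on the local machine connect to 127.0.0.1:<port>.
        remote-board) fwd="-L 127.0.0.1:${port}:127.0.0.1:${port}" ;;
        # Board on the local machine: remote port forwarding (-R).
        # JTAG clients on the remote machine connect to 127.0.0.1:<port>.
        local-board)  fwd="-R 127.0.0.1:${port}:127.0.0.1:${port}" ;;
        *) echo "unknown scenario" >&2; return 2 ;;
    esac

    # -N: forward only, run no remote command.
    # ExitOnForwardFailure=yes: exit if the port cannot be forwarded (for
    # example, it is already in use) instead of running without a tunnel.
    printf 'ssh -N -o ExitOnForwardFailure=yes %s %s\n' "$fwd" "$target"
}
```

Binding both ends to 127.0.0.1 keeps the forwarded JTAG port unreachable from other hosts on either network.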

To prepare your machines to establish an SSH tunnel for secure JTAG communication, complete the following prerequisites:

  1. Ensure that you are using the most recent version of your SSH server and client software so that they include all the latest security updates.
  2. Ensure that you have your SSH server software configured and running on the remote machine.
  3. Ensure that you have an SSH client installed and configured on the local machine.
  4. Ensure that your SSH server and SSH client are on different machines. Having the SSH client and server run on the same machine is not supported for JTAG communication.

    For these instructions, the remote machine runs the SSH server and the local machine runs the SSH client.

After you complete these prerequisites, you can continue with one of the following procedures: