Physics SSH Access

Executive summary

Connect to your machine from anywhere by using the SSH gateway server bastion.physics.ox.ac.uk as an SSH jump proxy. Use your Physics username (without the preceding "PHYSICS\".) In the same way, you can log into most systems inside our network that support ssh access.

Warning: The ssh-gateway is only meant to be used as a gateway. In general you should not log in to it, only use it as a jump proxy. If you do, note that there are no backups in place, so any files in your home directory there are to be treated as scratch. It is the users' responsibility to make sure files such as keys are backed up; home directories will also be regularly cleaned to prevent the disk filling up, and any files over 1 month old will be deleted.

Normal SSH usage for Linux/macOS

This example shows how to connect to an example machine called shortname.nat.physics.ox.ac.uk via the proxy jump server bastion.physics.ox.ac.uk. Replace shortname with the name of the machine you are trying to connect to.

Please note: Most or all of the desktop client machines have names of the form shortname.nat.physics.ox.ac.uk, and are said to be "in the NAT". If you know your desktop only by its short name, and attempts to connect to shortname.physics.ox.ac.uk fail, please try using shortname.nat.physics.ox.ac.uk instead before giving up.

Users in AOPP might also need to try shortname.atm.ox.ac.uk.

You should of course drop the .nat for servers, or the occasional desktop system which isn't "in the NAT". If in doubt, try with .nat, then without, and use whichever works first.

To SSH into your machine, add the following to your .ssh/config.

If you are using a Physics Department Apple system then you can also add this via the Self Service application.

# This section tells SSH how to connect to any machine in physics.ox.ac.uk,
# think of it as defaults, you can still change them on the command line.
# For example if you need to get to a machine under a different username
Host *.physics.ox.ac.uk *.atm.ox.ac.uk
    User your_physics_user
    # ForwardX11 lets remote programs open windows on your display; leave it out if you never run X applications
    ForwardX11 yes

# ssh/bastion can be used here but make sure it is the same in both lines
# this section will tell ssh we want to use bastion as a proxyjump for all hosts
# except bastion, it is possible to make a loop if you don't include this.
Host !bastion.physics.ox.ac.uk *.physics.ox.ac.uk *.atm.ox.ac.uk
    ProxyJump bastion.physics.ox.ac.uk

Then just type ssh your_machine.nat.physics.ox.ac.uk. Using the fully qualified name of your machine, e.g. cplxdt01.physics.ox.ac.uk rather than the short name, is recommended. A detailed explanation is here.
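To see which of the stanzas above ssh will apply to a given hostname, and to confirm that the !bastion exclusion really does stop bastion from being told to jump through itself, here is a small resolver that reproduces the Host-matching and first-value-wins rules of ssh(1). It is an added example, not part of the department's documentation; the config text it embeds is copied from the block above, and nothing in it opens a connection. Against your real config, ssh -G hostname performs the same check.

```python
import fnmatch  # shell-style globbing, which is what ssh_config Host patterns use

# The page's ~/.ssh/config stanzas, embedded as a constructed string so the
# resolver can run offline (comments and X11 line omitted; they do not affect matching).
PHYSICS_CONFIG = """
Host *.physics.ox.ac.uk *.atm.ox.ac.uk
    User your_physics_user
    ForwardX11 yes
Host !bastion.physics.ox.ac.uk *.physics.ox.ac.uk *.atm.ox.ac.uk
    ProxyJump bastion.physics.ox.ac.uk
"""
# The same config with the "!bastion" exclusion dropped: the loop the page warns about.
LOOPING_CONFIG = PHYSICS_CONFIG.replace("Host !bastion.physics.ox.ac.uk ", "Host ")

def host_matches(patterns, hostname):
    """ssh(1) semantics: a matching '!' pattern rejects the block outright, else any positive match applies it."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pat):
            matched = True
    return matched

def resolve(text, hostname):
    """Effective options for hostname: walk the file once; the first value obtained wins, as in ssh(1)."""
    hostname, active, opts = hostname.lower(), True, {}   # lines before any Host apply to all hosts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()               # strip comments and blank lines
        if not line:
            continue
        key, value = (line.split(None, 1) + [""])[:2]     # "Key value" form, as used on this page
        if key.lower() == "host":
            active = host_matches(value.split(), hostname)
        elif active:
            opts.setdefault(key.lower(), value.strip())
    return opts

def jump_chain(text, hostname, max_hops=5):
    """Hop list from hostname out through single-host ProxyJump values, or None on a loop."""
    chain = [hostname.lower()]
    while len(chain) <= max_hops:
        nxt = resolve(text, chain[-1]).get("proxyjump")
        if nxt is None:
            return chain                 # reached a host that is connected to directly
        if nxt.lower() in chain:
            return None                  # e.g. bastion -> bastion when the '!' is missing
        chain.append(nxt.lower())
    return None                          # unreasonably long chain; treat like a loop
```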

This may ask for your password twice, once for the bastion machine (jump proxy) and then again for the destination machine. IT services are working on a solution to this, but for now you can generate an ssh key locally using

ssh-keygen -t ed25519

This will create a key on your machine which can be used to replace the password on the bastion server. During the process of creating the key it will request a passphrase; as part of department policy you must set one, so that the private key file is stored encrypted.

You can tell the bastion to accept this key by using:

ssh-copy-id bastion.physics.ox.ac.uk

Note: This doesn't currently work for most machines, just the bastion and some DAQs.

Copying files

Using the configuration above, files can be copied directly (without the need for port forwarding or copying twice). To do this simply use

rsync -Pr local_file_or_directory cplxdt001.nat.physics.ox.ac.uk:remote_location/

The above will copy the files you want to a folder called "remote_location" in your home area. If you want to copy them to another path you can use a `/` after the `:` and specify the path from root, but be careful doing this: Linux won't stop you overwriting something important if you have root on the machine (e.g. on DAQs).

Port Forwarding

Forwarding ports is useful when you have a service running on your remote machine and want access to it. The most important part is to know what port the service on your machine is using. In this example we'll use port 8000 (the port used by python3 -m http.server which is a simple test to get this working).

ssh -L 9000:localhost:8000 cplxdt001.nat.physics.ox.ac.uk

If you used the python command above you can now point your web browser to the url http://localhost:9000 and view a directory listing of the folder you ran the command from (take care which directory you run this in, as the files will be accessible by other users logged in to the machine you run it on).

You can replace port 9000 with any port that you want. This is the local port, so you need to change the url along with it.

You can replace port 8000 with whichever port the service on the remote machine uses (3306 for sql, 6379 for redis); this depends completely on what you're connecting to.

Troubleshooting

  • If your login to a Linux system pauses and you are not shown a password prompt, hit ctrl-C and try adding -oPubkeyAuthentication=no to the ssh command line
  • If your home directory is not present on a Linux system, try running kinit on that system and entering your password, then logging out and in again
  • If you get disconnected often, e.g. by a fluctuating mobile signal, try using screen on the remote system
  • If you are using ssh in Windows and see the error "Corrupted MAC on input", in the file config in the .ssh subdirectory of your user profile (cd %userprofile%, or cd ~ in PowerShell, to go to your user profile directory) add the lines
    Host *
        Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
        MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
        KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
