Computer Laboratory

Configuring ssh access from MacOS X

Using Kerberos for machines within the lab

For domain-joined machines the simplest option is to use the Kerberos ticket you have from login to access Unix machines. To do this you first need to enable the protocols within ssh by editing /etc/ssh_config to set the following options:

HOST *.cl.cam.ac.uk
    GSSAPITrustDns yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

and then connect using

ssh slogin-serv.cl.cam.ac.uk

For maximum security, restrict the actual host list (set above to *.cl.cam.ac.uk) to machines you trust, since a forwarded ticket with delegation will enable a rogue machine to trivially impersonate you.

Using a public/private key pair

Generating the keys

On the Mac, type 'terminal' in Spotlight and open a terminal window. In the terminal window type

ssh-keygen

and accept the default location and enter a suitable passphrase.

Copying the public keys to the laboratory filespace

Copy the file called id_rsa.pub from .ssh on the Mac to your Unix home directory in the lab home filespace, using a memory stick to transfer it via a public Linux machine, for installation into the .ssh folder in your home directory.

Then log in to a laboratory computer and move the public key into the correct location.

cd .ssh
cat ../id_rsa.pub >> authorized_keys

You should then edit the authorized_keys file and set the addresses that this public key can be used from by inserting, at the front of the line you just added, a string like:-

from="*.cam.ac.uk" 

where you enter the domain you will be using the machine from. You can add multiple domains as a comma-separated list. See the main ssh documentation for more details.
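
The two steps above (appending the key and putting from= in front of it) done in one go, as an added example that is not part of the original page. The function names are hypothetical, and the second function goes beyond the text: it lists the entries in authorized_keys that still have no from= restriction.

```shell
#!/bin/sh
# Added example, not the laboratory's own script; function names are
# hypothetical. Source this file, then for instance:
#   install_restricted_key ~/id_rsa.pub '*.cam.ac.uk'
#   unrestricted_keys ~/.ssh/authorized_keys

# install_restricted_key PUBKEY_FILE PATTERNS [AUTHORIZED_KEYS_FILE]
# Append the key with from="PATTERNS" in front of it. PATTERNS is a
# comma-separated list of host patterns.
install_restricted_key() {
    pub=$1; patterns=$2; auth=${3:-$HOME/.ssh/authorized_keys}
    # A public key file is one line: "<type> <base64> [comment]".
    # A private key handed over by mistake fails this check.
    line=$(head -n 1 "$pub") || return 1
    case $line in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "not an OpenSSH public key: $pub" >&2; return 1 ;;
    esac
    # Reject values that would break the quoted option string.
    case $patterns in
        ''|*\"*|*[[:space:]]*) echo "bad pattern list" >&2; return 1 ;;
    esac
    dir=$(dirname "$auth")
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    printf 'from="%s" %s\n' "$patterns" "$line" >> "$auth" || return 1
    # With StrictModes (the default) sshd rejects key files others can write.
    chmod 600 "$auth"
}

# unrestricted_keys AUTHORIZED_KEYS_FILE
# Print the line number of each key entry that has no from= option.
unrestricted_keys() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }   # comments and blank lines
        {
            s = $0
            gsub(/\\"/, "", s)            # escaped quotes inside values
            gsub(/"[^"]*"/, "\"\"", s)    # blank quoted values (may hold spaces)
            $0 = s                        # re-split: $1 is options or key type
            if ($1 !~ /(^|,)from=/) print NR
        }
    ' "$1"
}
```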

Connecting using ssh

When you have completed the above you should be able to log in to laboratory ssh servers by typing something like:-

ssh slogin-serv.cl.cam.ac.uk