Computer Laboratory

SSH on macOS

You can use the ssh command-line tool that comes with macOS to connect to other Unix/Linux machines in the department, including the Linux time-sharing servers. Password-based login via ssh is generally deactivated on departmental Linux servers, but several other authentication techniques are available.

Kerberos-based access

A Kerberos ticket is a piece of cryptographic data that you can obtain from the department’s Kerberos server using your Kerberos password, and which allows you to log into other machines or access the filer without having to type your password each time. Our Kerberos tickets are valid for up to 30 days.

If you are using a domain-joined desktop machine (where you log in with your departmental Kerberos password), you already receive a Kerberos ticket when you log in.

Otherwise (e.g., for a laptop), first get a Kerberos ticket. To do this you need to be connected to the University network; if you are not, open a VPN connection to either the CL or the University. Then obtain the ticket manually by typing into a Terminal shell:

$ kinit crsid@AD.CL.CAM.AC.UK

Once you have a Kerberos ticket (klist will show it), you can then connect using e.g.

$ ssh -K crsid@slogin-serv.cl.cam.ac.uk

To save yourself having to type “-K” each time, you can also enable Kerberos authentication and delegation by editing ~/.ssh/config or /etc/ssh_config to append the following options:

Host *.cl.cam.ac.uk
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

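It is recommended that you restrict the host list (set above to *.cl.cam.ac.uk) to machines you trust in order to avoid any security breaches: with GSSAPIDelegateCredentials enabled, your Kerberos ticket is forwarded to every server that matches the pattern.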

Don't forget to use a VPN if you are trying to log in via ssh from outside the Lab.

Key-based access

Public key authentication is more complicated to set up and will usually have to be used together with some other means to obtain the Kerberos ticket needed on the server to access one’s home directory on the filer.

Generating the keys

Type 'terminal' into Spotlight and open a terminal window. In the terminal window, type

ssh-keygen

Accept the default location and enter a suitable passphrase.

Copying the public keys to the laboratory filespace

Copy the file called id_rsa.pub in .ssh to your Unix home directory on the lab home filespace, using a memory stick to transfer it via a public Linux machine, destined for the .ssh folder in your home directory.

Then log in to a laboratory computer and move the public key into the correct location.

For maximum security, it is recommended that you also restrict the addresses that this public key can be used from:

cd .ssh
# Write the from= option on the same line as the key, in front of it
printf 'from="*.cam.ac.uk" %s\n' "$(cat ../id_rsa.pub)" >> authorized_keys

You can add multiple domains as a comma-separated list.
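
The from= restriction only takes effect when the option is written on the same line as the key, in front of the key type. The following added example (not part of the original page; the function names and the sample key are constructed) appends a key with the restriction and then lists any entries in authorized_keys that lack one:

```shell
#!/bin/sh
# Added example: function names and the sample key are constructed.

# Append the key in $1 to the authorized_keys file $3, restricted to the
# comma-separated host patterns in $2.
add_restricted_key() {
    key=$(grep -E '^(ssh-|ecdsa-|sk-)' "$1" | head -n 1)
    [ -n "$key" ] || { echo "no public key found in $1" >&2; return 1; }
    case $2 in
        ''|*'"'*|*' '*) echo "invalid pattern list" >&2; return 1 ;;
    esac
    # The option must sit on the key's own line, before the key type.
    printf 'from="%s" %s\n' "$2" "$key" >> "$3"
}

# Print the line number of every key in $1 that has no from= option.
# Simplification: quoted option values containing \" are not handled.
unrestricted_keys() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        {
            opts = ""
            # A line that starts with the key type has no options at all.
            if ($0 !~ /^(ssh-|ecdsa-|sk-)/ &&
                match($0, /^([^" \t]|"[^"]*")+/))
                opts = substr($0, RSTART, RLENGTH)
            if (index("," tolower(opts), ",from=\"") == 0) print NR
        }
    ' "$1"
}

# Demo on constructed data in a scratch directory.
dir=$(mktemp -d)
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTED crsid@laptop' > "$dir/id_rsa.pub"
add_restricted_key "$dir/id_rsa.pub" '*.cam.ac.uk' "$dir/authorized_keys"
cat "$dir/id_rsa.pub" >> "$dir/authorized_keys"   # plain append, no option
unrestricted_keys "$dir/authorized_keys"
rm -rf "$dir"
```

Running unrestricted_keys on ~/.ssh/authorized_keys after adding a key shows whether the restriction was actually recorded; no output means every entry carries a from= option.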

Connecting using ssh

When you have completed the above steps, you should be able to log in to laboratory ssh servers by typing e.g. ssh slogin-serv.cl.cam.ac.uk.