
Department of Computer Science and Technology

 

You can use the ssh command-line tool that comes with macOS to connect to other Unix/Linux machines in the department, including the Linux time-sharing servers. Password-based login via ssh is generally deactivated on departmental Linux servers, but several other authentication techniques are available.

Kerberos-based access

A Kerberos ticket is a piece of cryptographic data that you can obtain from the department’s Kerberos server using your Kerberos password, and which allows you to log into other machines or access the filer without having to type your password each time. Our Kerberos tickets are valid for up to 30 days.

If you are using a domain-joined desktop machine (where you log in with your departmental Kerberos password), you already receive a Kerberos ticket when you log in.

Otherwise (e.g., for a laptop), first get a Kerberos ticket. To do this you need to be connected to the University network; if you are not, open a VPN connection to either the CL or the University. Then obtain the ticket manually by typing into a Terminal shell:

 $ kinit -V -f crsid@DC.CL.CAM.AC.UK 

Replace crsid by your CRSID, and ensure that DC.CL.CAM.AC.UK is in CAPITALS. On Big Sur systems, this should report:

Placing tickets for 'crsid@DC.CL.CAM.AC.UK' in cache 'API:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'

If it does not, ssh, scp, NFS mounts etc. are likely to fail. Try prefixing kinit and klist with /usr/bin to ensure that you are using the Big Sur versions. Check the result using

 $ /usr/bin/klist -l; /usr/bin/klist -f

If it does not include 'API', a HACK is to try:

 $ export KRB5CCNAME=API:01234567-0123-0123-0123-0123456789AB
 $ /usr/bin/kinit -V -c $KRB5CCNAME crsid@DC.CL.CAM.AC.UK

Once you have a Kerberos ticket (klist will show it), you can then connect using e.g.

 $ ssh -K crsid@slogin-serv.cl.cam.ac.uk 

To save yourself having to type “-K” each time, you can also enable Kerberos authentication and delegation by editing ~/.ssh/config to append the following options:

 Host *.cl.cam.ac.uk
     GSSAPIAuthentication yes
     GSSAPIDelegateCredentials yes

If you do not set these options in the config file, then in order to copy files using scp you will need to enable GSSAPIAuthentication explicitly on the command line:

 scp -o GSSAPIDelegateCredentials=yes -o GSSAPIAuthentication=yes myFileOnMyMac crsid@slogin-serv.cl.cam.ac.uk:~/myFileOnLinux

It is recommended to restrict the host list (set above to *.cl.cam.ac.uk) to machines you trust, because with GSSAPIDelegateCredentials your Kerberos credentials are forwarded to every host that matches.

Don't forget to use a VPN if you are trying to log in via ssh from outside the Lab.

Key-based access

Public key authentication is more complicated to set up and will usually have to be used together with some other means to obtain the Kerberos ticket needed on the server to access one’s home directory on the filer.

Generating the keys

Type 'terminal' into Spotlight and open a terminal window. In the terminal window, type

 ssh-keygen 

Accept the default location and enter a suitable passphrase.

Copying the public keys to the laboratory filespace

Copy the file called id_rsa.pub from the .ssh folder on your Mac to your Unix home directory on the lab filespace, for example by using a memory stick to transfer it via a public Linux machine, so that it can go into the .ssh folder in your home directory.

Then log in to a laboratory computer and move the public key into the correct location.

For maximum security, it is recommended that you also restrict the addresses that this public key can be used from:

 cd .ssh
 # single quotes keep the double quotes around the from= value in the file
 echo 'from="*.cam.ac.uk,2001:630:212:200::/56"' "$(cat ../id_rsa.pub)" >> authorized_keys

You can add multiple domains, hostnames or IP address ranges as a comma-separated list.
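One way to check that every entry in authorized_keys really carries the address restriction described above, as an added example that is not part of the department's page. sshd(8) documents the option as from="pattern-list" with the value in double quotes; the function names, status labels and sample entries below are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify each key line of an authorized_keys file by its
# from= restriction. Prints "<line-number> <status>", where status is:
#   restricted  options field holds a double-quoted from="pattern-list"
#   unquoted    from= is present but the value is not in double quotes
#   open        no from= option, so the key is usable from any address
audit_authorized_keys() {
    awk '
    # Return the options field: everything before the first unquoted blank,
    # or "" when the line starts directly with a key type.
    function options(line,    i, c, inq) {
        if (line ~ /^(ssh-|ecdsa-|sk-)/) return ""
        for (i = 1; i <= length(line); i++) {
            c = substr(line, i, 1)
            if (c == "\\") { i++; continue }      # skip escaped character
            if (c == "\"") inq = !inq
            else if (!inq && (c == " " || c == "\t")) break
        }
        return substr(line, 1, i - 1)
    }
    /^[ \t]*(#|$)/ { next }                       # comments and blank lines
    {
        sub(/^[ \t]+/, "")
        opts = "," tolower(options($0))           # option names are case-insensitive
        if (opts ~ /,from="[^"]+"/) status = "restricted"
        else if (opts ~ /,from=/)   status = "unquoted"
        else                        status = "open"
        print NR, status
    }' "$@"
}

# Constructed sample; the key blobs are placeholders, not real keys.
sample_authorized_keys() {
    cat <<'EOF'
# laptop keys
from="*.cam.ac.uk,2001:630:212:200::/56" ssh-rsa AAAAPLACEHOLDER crsid@laptop
from=*.cam.ac.uk,2001:630:212:200::/56 ssh-rsa AAAAPLACEHOLDER crsid@laptop
ssh-ed25519 AAAAPLACEHOLDER from=home
EOF
}

sample_authorized_keys | audit_authorized_keys
```

Run it as `audit_authorized_keys ~/.ssh/authorized_keys` on the server. An entry reported as unquoted typically means the shell consumed the double quotes when the line was written with echo.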

Connecting using ssh

When you have completed the above steps, you should be able to log in to laboratory ssh servers by typing e.g. ssh slogin-serv.cl.cam.ac.uk.