Configuring ssh to access lab machines

It is often convenient or even necessary to connect to CIT machines from your laptop or some other machine outside the campus firewall. This can be a nuisance, because the firewall prevents you from connecting directly. ssh has options to make this simpler.

Public key authentication

The first step is to set up public-key authentication so you do not need to type your password when connecting. On the “source” machine (your home machine, laptop, etc.), check if you have a public key:

cat ~/.ssh/

If the file is not found, generate a public key:


The default options are usually sufficient (I usually leave the passphrase blank as well). With older versions of ssh-keygen, you may be required to specify that you want to use RSA:

ssh-keygen -t rsa

Note that if you run ssh-keygen again, it will clobber your old key, so you will have to set up remote machines to accept your new key.

Next, copy your public key to the authorized_keys file on the target machine. ssh now has a program to do this for you. To install your public key on, use:


You can add as many keys as you want, but be careful. If you lose the private key associated with it (or your laptop is stolen, etc.) you should delete the corresponding private key from your authorized_keys file.

Now you should be able to ssh from the source machine to the target without using a password.

Configuring ssh

ssh lets you configure the details of connecting to remote machines to save typing. For example, say my username on my desktop machine is john, but my username on the lab machines is jdoe. To connect to a machine like leghorn, I normally have to type:


(or, equivalenty):

ssh -l jdoe

To simplify things, I create a file called config in my .ssh directory with an entry for each machine I contact. For example:

Host leghorn
    User jdoe

With that in place, I can just type:

ssh leghorn

and all of the options are taken from the config file. The name I need to type (leghorn) is arbitrary and can be any nickname; ssh looks at the HostName entry to decide where to actually connect.

Connecting through the firewall

To connect to leghorn from home, I first have to connect to a machine like that sits outside the firewall. Then I can connect from there to leghorn in a two-step process:

ssh leghorn

This has a couple of disadvantages:

  1. It’s two steps and I’m lazy
  2. It doesn’t work with scp, git, rsync, and other tools that use ssh as a secure transport
  3. X11 forwarding does not work across this link
  4. To avoid typing a password, I have to configure leghorn to trust using a public key. I would rather avoid that because sits outside the firewall and is more likely to be compromised than a machine inside the firewall.

I am happy to have trust my source machine (someone breaking into would not be able to do anything with my public key, except let me connect to their machines without a password). I am also happy to have leghorn trust my home machine. I would like to use to create a secure tunnel that forwards my ssh session directly from my home machine to leghorn.

Here’s how to do it:

  1. Set up to trust my home machine by installing my home machine’s public key in the authorized_keys file on
  2. Same thing for leghorn—its authorized_keys file should include my home machine’s public key
  3. In the config file on my home machine, add an entry for leghorn.

The entry should look like this:

Host leghorn
    User jdoe
    ProxyCommand ssh -l jdoe exec nc %h %p

The information in the ProxyCommand line is for connecting to, and the information in the rest of the entry is for connecting to leghorn.

Now from my home machine I can type:

ssh leghorn

and the following things happen automatically:

  1. ssh connects to using my public key.
  2. It runs nc 22 on, which uses a utility called netcat to connect to the ssh server on leghorn. The connection originates from, so the firewall is not a problem.
  3. ssh uses the tunnel from my home machine through to leghorn to set up a new ssh session that communicates directly with leghorn.
  4. The private key on my home machine is used to authenticate me on leghorn directly.

As a user, it appears that I am connecting directly; the firewall is invisible. X11 forwarding works as well if you add the ForwardX11 yes option.

Tools that use ssh

Other tools use ssh to establish secure connections. These include rsync, scp, and git among others. Any settings you establish in your config file apply to these tools as well, so I can synchronize files from my home machine to leghorn using something like:

rsync -av evilassignment leghorn:

and it uses my config file settings and public key settings to establish the connection without requiring a password or other inconvenient steps.

Connecting to git

To connect to the repositories on from your home machine, you can apply the information given above. Specifically, you should complete the following steps:

  1. Create a keypair on your home machine:

  2. Register the public key (~/.ssh/ with git. Normally, this requires you to send the key to your instructor, who will register it with the git server. Be sure to name it <yourlogin>.pub, not when you submit it.

  3. Add the public key to your authorized_keys file on one of the lab machines (for example, on ssh):

  4. Create a config file on your home machine with an entry for connecting to git:

    Host git
        User git
        ProxyCommand ssh -l jdoe exec nc %h %p

    Substituting your username for jdoe.

  5. Once you key is registered with the git server, you can clone from it on your home machine:

    git clone git@git:path/to/project.git

Last Updated 11/06/2017