Configuring ssh to access lab machines

It is often convenient or even necessary to connect to CIT machines from your laptop or some other machine outside the campus firewall. This can be a nuisance, because the firewall prevents you from connecting directly. ssh has options to make this simpler.


From a Linux or macOS system:

  1. Create public/private key pair on your machine


    Hit enter several times to accept all of the defaults.

  2. Create a config file with the tunnel settings

    vim ~/.ssh/config

    Or use your editor of choice. The file will not exist until you create it. Add the following to the file:

    Host cs2810
        User jdoe

    cs2810 is the specific server name; substitute in the appropriate name to connect to a different server. Also, put your CIT username in place of jdoe in both places.

    ssh is picky about file permissions, so make sure that the config file has the correct permissions by running this:

    chmod 600 ~/.ssh/config
  3. Register your public key with


    Substitute your CIT username for jdoe and type your CIT password when prompted.

    Since and share the same home directory file system, registering your public key on also registers it on

  4. Test the connection:

    ssh cs2810

    The first time you connect, you may have to type “yes” a time or two to say that you trust the servers.

Public key authentication

The first step is to set up public-key authentication so you do not need to type your password when connecting. On the “source” machine (your home machine, laptop, etc.), check if you have a public key:

cat ~/.ssh/

If the file is not found, generate a public key:


The default options are usually sufficient (I usually leave the passphrase blank as well). With older versions of ssh-keygen, you may be required to specify that you want to use RSA:

ssh-keygen -t rsa

Note that if you run ssh-keygen again, it will clobber your old key, so you will have to set up remote machines to accept your new key.

Next, copy your public key to the authorized_keys file on the target machine. ssh now has a program to do this for you. To install your public key on, use:


You can add as many keys as you want, but be careful. If you lose the private key associated with it (or your laptop is stolen, etc.) you should delete the corresponding private key from your authorized_keys file.

Now you should be able to ssh from the source machine to the target without using a password.

Configuring ssh

ssh lets you configure the details of connecting to remote machines to save typing. For example, say my username on my desktop machine is john, but my username on the lab machines is jdoe. To connect to a machine like cs2810, I normally have to type:


(or, equivalenty):

ssh -l jdoe

To simplify things, I create a file called config in my .ssh directory with an entry for each machine I contact. For example:

Host cs2810
    User jdoe

With that in place, I can just type:

ssh cs2810

and all of the options are taken from the config file. The name I need to type (cs2810) is arbitrary and can be any nickname; ssh looks at the HostName entry to decide where to actually connect.

Connecting through the firewall

To connect to cs2810 from home, I first have to connect to a machine like that sits outside the firewall. Then I can connect from there to cs2810 in a two-step process:

ssh cs2810

This has a couple of disadvantages:

  1. It’s two steps and I’m lazy
  2. It doesn’t work with scp, git, rsync, and other tools that use ssh as a secure transport
  3. X11 forwarding does not work across this link
  4. To avoid typing a password, I have to configure cs2810 to trust using a public key. I would rather avoid that because sits outside the firewall and is more likely to be compromised than a machine inside the firewall.

I am happy to have trust my source machine (someone breaking into would not be able to do anything with my public key, except let me connect to their machines without a password). I am also happy to have cs2810 trust my home machine. I would like to use to create a secure tunnel that forwards my ssh session directly from my home machine to cs2810.

Here’s how to do it:

  1. Set up to trust my home machine by installing my home machine’s public key in the authorized_keys file on
  2. Same thing for cs2810—its authorized_keys file should include my home machine’s public key
  3. In the config file on my home machine, add an entry for cs2810.

The entry should look like this:

Host cs2810
    User jdoe

The information in the ProxyJump line is for connecting to, and the information in the rest of the entry is for connecting to cs2810.

Now from my home machine I can type:

ssh cs2810

and the following things happen automatically:

  1. ssh connects to using my public key.
  2. It creates connection from to and uses it to make a network tunnel from my home machine all the way to
  3. ssh uses the tunnel from my home machine through to cs2810 to set up a new ssh session that communicates directly with cs2810.
  4. The private key on my home machine is used to authenticate me on cs2810 directly.

As a user, it appears that I am connecting directly; the firewall is invisible. X11 forwarding works as well if you add the ForwardX11 yes option.

Tools that use ssh

Other tools use ssh to establish secure connections. These include rsync, scp, and git among others. Any settings you establish in your config file apply to these tools as well, so I can synchronize files from my home machine to cs2810 using something like:

rsync -av evilassignment cs2810:

and it uses my config file settings and public key settings to establish the connection without requiring a password or other inconvenient steps.

Connecting to git

To connect to the repositories on from your home machine, you can apply the information given above. Specifically, you should complete the following steps:

  1. Create a keypair on your home machine:

  2. Register the public key (~/.ssh/ with git. Normally, this requires you to send the key to your instructor, who will register it with the git server. Be sure to name it <yourlogin>.pub, not when you submit it.

  3. Add the public key to your authorized_keys file on one of the lab machines (for example, on ssh):

  4. Create a config file on your home machine with an entry for connecting to git:

    Host git
        User git

    Substituting your username for jdoe.

  5. Once you key is registered with the git server, you can clone from it on your home machine:

    git clone git@git:path/to/project.git

Last Updated 08/26/2020