Configuring ssh to access lab machines

It is often convenient or even necessary to connect to CIT machines from your laptop or some other machine outside the campus firewall. This can be a nuisance, because the firewall prevents you from connecting directly. ssh has options to make this simpler.

TL;DR

From a Linux or macOS system:

  1. Create public/private key pair on your machine

    ssh-keygen
    

    Hit enter several times to accept all of the defaults. Note that this also accepts an empty passphrase, so anyone who obtains the private key file can log in as you; ssh-keygen creates that file with mode 600 for exactly this reason, so leave it that way and do not copy it to other machines.

  2. Create a config file with the tunnel settings

    vim ~/.ssh/config
    

    Or use your editor of choice. The file will not exist until you create it. Add the following to the file:

    Host cs2810
        User jdoe
        HostName cs2810.cs.dixie.edu
        ProxyJump jdoe@ssh.cs.dixie.edu
    

    cs2810 is the specific server name; substitute in the appropriate name to connect to a different server. Also, put your CIT username in place of jdoe in both places.

    ssh is picky about file permissions: it will refuse to use a config file that other users can write to, and the ~/.ssh directory itself should be readable only by you. Make sure the config file has the correct permissions by running this:

    chmod 600 ~/.ssh/config
    
  3. Register your public key with ssh.cs.dixie.edu:

    ssh-copy-id jdoe@ssh.cs.dixie.edu
    

    Substitute your CIT username for jdoe and type your CIT password when prompted.

    Since ssh.cs.dixie.edu and cs2810.cs.dixie.edu share the same home directory file system, registering your public key on ssh.cs.dixie.edu also registers it on cs2810.cs.dixie.edu.

  4. Test the connection:

    ssh cs2810
    

    The first time you connect, ssh will show you the host key fingerprint of ssh.cs.dixie.edu and then of cs2810.cs.dixie.edu and ask you to type “yes” to say that you trust each server. The keys are saved in ~/.ssh/known_hosts, so you are only asked once per server; if you are asked again later for the same server, the host key has changed and you should find out why before answering.

Public key authentication

The first step is to set up public-key authentication so you do not need to type your password when connecting. On the “source” machine (your home machine, laptop, etc.), check whether you already have a public key (the default file name is id_rsa.pub for RSA keys; newer versions of ssh-keygen default to id_ed25519.pub):

cat ~/.ssh/id_rsa.pub

If the file is not found, generate a key pair:

ssh-keygen

The default options are usually sufficient (I usually leave the passphrase blank as well; this is convenient, but it means the private key file alone is enough to log in as you, so keep it at mode 600 and never copy it elsewhere). With older versions of ssh-keygen, you may be required to specify that you want to use RSA:

ssh-keygen -t rsa

Note that if you run ssh-keygen again with the same file name, it will ask whether to overwrite the old key. If you say yes, the old key is gone, and you will have to set up every remote machine that trusted it to accept your new key instead.

Next, copy your public key to the authorized_keys file on the target machine. ssh now has a program to do this for you. To install your public key on ssh.cs.dixie.edu, use:

ssh-copy-id jdoe@ssh.cs.dixie.edu

You can register as many public keys as you want, but keep track of them. If you lose a private key (your laptop is stolen, etc.), delete the matching public key from the authorized_keys file on every machine where you registered it; until you do, whoever holds the private key can log in as you.

Now you should be able to ssh from the source machine to the target without using a password.

Configuring ssh

ssh lets you configure the details of connecting to remote machines to save typing. For example, say my username on my desktop machine is john, but my username on the lab machines is jdoe. To connect to a machine like cs2810, I normally have to type:

ssh jdoe@cs2810.cs.dixie.edu

(or, equivalently):

ssh -l jdoe cs2810.cs.dixie.edu

To simplify things, I create a file called config in my .ssh directory with an entry for each machine I contact. For example:

Host cs2810
    User jdoe
    HostName cs2810.cs.dixie.edu

With that in place, I can just type:

ssh cs2810

and all of the options are taken from the config file. The name I need to type (cs2810) is arbitrary and can be any nickname; ssh looks at the HostName entry to decide where to actually connect.

Connecting through the firewall

To connect to cs2810 from home, I first have to connect to a machine like ssh.cs.dixie.edu that sits outside the firewall. Then I can connect from there to cs2810 in a two-step process:

ssh ssh.cs.dixie.edu
ssh cs2810

This has a couple of disadvantages:

  1. It’s two steps and I’m lazy
  2. It doesn’t work with scp, git, rsync, and other tools that use ssh as a secure transport
  3. X11 forwarding does not work across this link
  4. To avoid typing a password, I have to configure cs2810 to trust ssh.cs.dixie.edu using a public key. I would rather avoid that because ssh.cs.dixie.edu sits outside the firewall and is more likely to be compromised than a machine inside the firewall.

I am happy to have ssh.cs.dixie.edu trust my source machine (someone breaking into ssh.cs.dixie.edu would not be able to do anything with my public key, except let me connect to their machines without a password). I am also happy to have cs2810 trust my home machine. I would like to use ssh.cs.dixie.edu to create a secure tunnel that forwards my ssh session directly from my home machine to cs2810.

Here’s how to do it:

  1. Set up ssh.cs.dixie.edu to trust my home machine by installing my home machine’s public key in the authorized_keys file on ssh.cs.dixie.edu
  2. Same thing for cs2810—its authorized_keys file should include my home machine’s public key
  3. In the config file on my home machine, add an entry for cs2810.

The entry should look like this:

Host cs2810
    User jdoe
    HostName cs2810.cs.dixie.edu
    ProxyJump jdoe@ssh.cs.dixie.edu

The information in the ProxyJump line is for connecting to ssh.cs.dixie.edu, and the information in the rest of the entry is for connecting to cs2810. ProxyJump is understood by OpenSSH 7.3 and newer, which covers any reasonably current Linux or macOS client.

Now from my home machine I can type:

ssh cs2810

and the following things happen automatically:

  1. ssh connects to ssh.cs.dixie.edu and authenticates me with my key pair.
  2. It asks ssh.cs.dixie.edu to open a connection to cs2810.cs.dixie.edu and uses it to make a network tunnel from my home machine all the way to cs2810.cs.dixie.edu.
  3. ssh uses the tunnel from my home machine through ssh.cs.dixie.edu to cs2810 to set up a new ssh session that communicates directly with cs2810.
  4. The private key on my home machine is used to authenticate me on cs2810 directly. ssh.cs.dixie.edu only relays the encrypted bytes of that inner session; it never sees my private key or the contents of the session.

As a user, it appears that I am connecting directly; the firewall is invisible. X11 forwarding works as well if you add the ForwardX11 yes option. Agent forwarding (ForwardAgent) is not needed for any of this, so leave it off: it would hand ssh.cs.dixie.edu, the machine I trust least, the ability to authenticate as me while I am connected.

Tools that use ssh

Other tools use ssh to establish secure connections. These include rsync, scp, and git among others. Any settings you establish in your config file apply to these tools as well, so I can synchronize files from my home machine to cs2810 using something like:

rsync -av evilassignment cs2810:

and it uses my config file settings and public key settings to establish the connection without requiring a password or other inconvenient steps.

Connecting to git

To connect to the repositories on git.cs.dixie.edu from your home machine, you can apply the information given above. Specifically, you should complete the following steps:

  1. Create a keypair on your home machine:

    ssh-keygen
    
  2. Register the public key (~/.ssh/id_rsa.pub) with git. Normally, this requires you to send the key to your instructor, who will register it with the git server. Be sure to name it <yourlogin>.pub, not id_rsa.pub when you submit it.

  3. Add the public key to your authorized_keys file on one of the lab machines (for example, on ssh):

    ssh-copy-id jdoe@ssh.cs.dixie.edu
    
  4. Create a config file on your home machine with an entry for connecting to git:

    Host git
        User git
        HostName git.cs.dixie.edu
        ProxyJump jdoe@ssh.cs.dixie.edu
    

    Substitute your username for jdoe.

  5. Once your key is registered with the git server, you can clone from it on your home machine:

    git clone git@git:path/to/project.git
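The following shell script is an added example, not part of the original page, that automates the setup described in the TL;DR, in “Connecting through the firewall” and in the git steps above: it creates a key pair only if none exists, appends a Host entry of the form shown above without duplicating it on a second run, sets the permissions ssh insists on, and, where the ssh client is installed, prints what ssh actually resolved for a nickname. The hostnames and the jdoe username come from the page; the ed25519 key type, the SSH_DIR override (so you can try the script against a scratch directory first) and the run argument are this example's own choices, not anything the page specifies.

```shell
#!/bin/sh
# Added example (not from the original page): set up the ProxyJump entries
# described above. SSH_DIR defaults to ~/.ssh but can be pointed at a scratch
# directory to try the script without touching real settings.
SSH_DIR="${SSH_DIR:-$HOME/.ssh}"

# Step 1 of the page: create a key pair only when no key exists yet, so an
# existing key is never overwritten (which would force re-registering it).
# ed25519 is this example's choice; the page's plain "ssh-keygen" also works.
ensure_keypair() {
    if ls "$SSH_DIR"/id_*.pub >/dev/null 2>&1; then
        echo "existing key: $(ls "$SSH_DIR"/id_*.pub | head -n 1)"
        return 0
    fi
    mkdir -p "$SSH_DIR" && chmod 700 "$SSH_DIR"
    # -N "" is the blank passphrase the page uses; only acceptable if the
    # private key file stays mode 600 on a machine you control.
    ssh-keygen -t ed25519 -N "" -f "$SSH_DIR/id_ed25519" -q
}

# Step 2: append one Host entry (nickname, lab user, real host, jump host),
# skipping nicknames already in the file so re-running never duplicates them.
add_jump_host() {
    nick=$1 user=$2 host=$3 jump=$4
    cfg="$SSH_DIR/config"
    # Private directory: it holds the private key, and sshd also checks it
    # (StrictModes) before trusting authorized_keys.
    mkdir -p "$SSH_DIR" && chmod 700 "$SSH_DIR"
    touch "$cfg"
    if grep -q "^Host $nick\$" "$cfg"; then
        return 0
    fi
    printf 'Host %s\n    User %s\n    HostName %s\n    ProxyJump %s\n\n' \
        "$nick" "$user" "$host" "$jump" >> "$cfg"
    # ssh refuses a group- or world-writable config ("Bad owner or permissions").
    chmod 600 "$cfg"
}

# Check: permission string of the config file, portable across Linux/macOS ls.
config_mode() {
    ls -ld "$SSH_DIR/config" | cut -c1-10
}

# Check: number of Host entries for a nickname (exactly 1 after setup).
host_entries() {
    grep -c "^Host $1\$" "$SSH_DIR/config"
}

# Check: ask the ssh client what it resolved for a nickname (-G prints the
# effective options without connecting). Skipped if ssh is not installed.
show_resolved() {
    command -v ssh >/dev/null 2>&1 || { echo "ssh client not installed"; return 0; }
    ssh -F "$SSH_DIR/config" -G "$1" | grep -Ei '^(user|hostname|proxyjump) '
}

# Run the whole setup only when invoked as "sh setup_tunnel.sh run", so the
# functions can also be sourced and used one at a time.
case "${1:-}" in
    run)
        ensure_keypair
        add_jump_host cs2810 jdoe cs2810.cs.dixie.edu jdoe@ssh.cs.dixie.edu
        add_jump_host git    git  git.cs.dixie.edu    jdoe@ssh.cs.dixie.edu
        echo "config mode: $(config_mode)"
        show_resolved cs2810
        ;;
esac
```

Save it as, say, setup_tunnel.sh and run `sh setup_tunnel.sh run`; then register the public key with ssh-copy-id as in step 3 and test with `ssh cs2810`. On a home machine whose OpenSSH client is older than 7.3, ProxyJump is not recognized; the older equivalent of that line is `ProxyCommand ssh -W %h:%p jdoe@ssh.cs.dixie.edu`.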
    

Last Updated 08/26/2020