Physics SSH Access
Executive summary
Log into the SSH gateway server bastion.physics.ox.ac.uk using your physics authentication (without the preceding "PHYSICS\"). You can then log into systems inside our network from there.
Warning: The ssh-gateway is only meant to be used as a gateway. There are no backups in place, so any files in your home directory there are to be treated as scratch. It is the users' responsibility to make sure files such as keys are backed up. Home directories will also be regularly cleaned to prevent the disk filling up: any files over 1 month old will be deleted.
Normal SSH usage for Linux/macOS
This example shows how to connect to an example machine called shortname.nat.physics.ox.ac.uk, using an ssh tunnel from a remote unix client to bastion.physics.ox.ac.uk. Replace shortname with the name of the machine you are trying to connect to.
Please note: Most or all of the desktop client machines have names of the form shortname.nat.physics.ox.ac.uk, and are said to be "in the NAT". If you know your desktop only by its short name, and attempts to connect to shortname.physics.ox.ac.uk fail, please try using shortname.nat.physics.ox.ac.uk instead before giving up. Users in AOPP might also need to try shortname.atm.ox.ac.uk.
You should of course drop the .nat for servers, or the occasional desktop system which isn't "in the NAT". If in doubt, try with .nat, then without, and use whichever works first.
To SSH into your machine, add the following to your .ssh/config:
If you are using a Physics Department Apple system then you can also add this via the Self Service application.
Then just type ssh your_machine.nat.physics.ox.ac.uk. Using the GSSAPI options, and using the fully qualified name of your machine (e.g. cplxdt01.physics.ox.ac.uk rather than the short name), are both recommended. A detailed explanation is here.
This may ask for your password twice, once for the bastion machine and then for the destination machine. There's a solution to this that IT services are working on, but for now you can generate an SSH key locally using
This will create a key on your machine which can be used to replace the password on the bastion server. During the process of creating the key it will request a password. As part of department policy, you must specify a password on this keyfile.
You can tell the bastion to accept this key by using:
Note: This doesn't currently work for most machines, just the bastion and some DAQs.
Copying files
Using the configuration above, files can be copied directly (without the need for port forwarding or copying twice). To do this, simply use
The above will copy the files you want to a folder called "remote_location" in your home area. If you want to copy them to another path, you can use a `/` after the `:` and specify the path from root. Be careful doing this: Linux won't stop you overwriting something important if you have root on the machine (i.e. DAQs).
Port Forwarding
Forwarding ports is useful when you have a service running on your remote machine and want access to it. The most important part is to know what port the service on your machine is using. In this example we'll use port 8000 (the port used by python3 -m http.server, which is a simple test to get this working).
If you used the python command above, you can now point your web browser to the URL http://localhost:9000 and view a directory listing of the folder you ran the command from.
You can replace port 9000 with any port you want. This is the local port, so you need to change the URL along with it.
You can replace port 8000 with whichever port your service uses (3306 for sql, 6379 for redis). This depends completely on what you're connecting to.
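As an added example (not the department's own configuration), this is one way a ~/.ssh/config can tie together the gateway hop, the GSSAPI recommendation and the port forward described above. The username placeholder, the key path, the `shortname-web` alias and the choice of `ProxyJump`, `GSSAPIAuthentication` and `LocalForward` are assumptions.

```sshconfig
# ~/.ssh/config
# Added example: option choices below are assumptions, not the department's
# published settings. Replace your_physics_username and shortname.

# The gateway itself is reached directly from outside.
Host bastion.physics.ox.ac.uk
    # Placeholder: physics username without the "PHYSICS\" prefix.
    User your_physics_username
    # Assumed key path; the key file must be password-protected.
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes

# Every other departmental host is reached by hopping through the gateway.
# The negated pattern stops the gateway from trying to jump through itself.
Host *.physics.ox.ac.uk *.atm.ox.ac.uk !bastion.physics.ox.ac.uk
    User your_physics_username
    ProxyJump bastion.physics.ox.ac.uk
    GSSAPIAuthentication yes

# Hypothetical alias for the port-forwarding example:
# local port 9000 -> port 8000 on the remote machine.
# Host patterns match the name typed on the command line, so the alias
# needs its own ProxyJump; it does not inherit the wildcard block above.
Host shortname-web
    HostName shortname.nat.physics.ox.ac.uk
    User your_physics_username
    ProxyJump bastion.physics.ox.ac.uk
    # Bind to loopback only so other hosts cannot reach the forwarded port.
    LocalForward 127.0.0.1:9000 localhost:8000
    # Fail instead of silently connecting if port 9000 is already in use.
    ExitOnForwardFailure yes

# Usage with this file in place:
#   ssh shortname.nat.physics.ox.ac.uk
#   scp -r files shortname.nat.physics.ox.ac.uk:remote_location
#   ssh -N shortname-web      (then browse http://localhost:9000)
```

Because the hop is done with `ProxyJump`, nothing has to be stored on the gateway for these connections, which fits its scratch-only home directories.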