Physics SSH Access

Executive summary

Log into the SSH gateway server bastion.physics.ox.ac.uk using your Physics authentication (your username without the preceding "PHYSICS\"). You can then log into systems inside our network from there.

Warning: The SSH gateway is only meant to be used as a gateway. There are no backups in place, so any files in your home directory there are to be treated as scratch. It is the user's responsibility to make sure files such as keys are backed up. Home directories will also be cleaned regularly to prevent the disk filling up: any files over 1 month old will be deleted.

Normal SSH usage for Linux/macOS

This example shows how to connect to an example machine called shortname.nat.physics.ox.ac.uk, using an ssh tunnel from a remote unix client to bastion.physics.ox.ac.uk. Replace shortname with the name of the machine you are trying to connect to.

Please note: Most or all of the desktop client machines have names of the form shortname.nat.physics.ox.ac.uk, and are said to be "in the NAT". If you know your desktop only by its short name, and attempts to connect to shortname.physics.ox.ac.uk fail, please try using shortname.nat.physics.ox.ac.uk instead before giving up.

Users in AOPP might also need to try shortname.atm.physics.ox.ac.uk.

You should of course drop the .nat for servers, or the occasional desktop system which isn't "in the NAT". If in doubt, try with .nat, then without, and use whichever works first.

To SSH into your machine,

Add the following to your .ssh/config

# This section tells SSH how to connect to any machine in physics.ox.ac.uk,
# think of it as defaults, you can still change them on the command line.
# For example if you need to get to a machine under a different username
Host *.physics.ox.ac.uk *.atm.ox.ac.uk
    User your_physics_user
    ForwardX11 yes
    GSSAPIDelegateCredentials true
    GSSAPIAuthentication true

# ssh/bastion can be used here but make sure it is the same in both lines
# this section will tell ssh we want to use bastion as a proxyjump for all hosts
# except bastion, it is possible to make a loop if you don't include this.
Host !bastion.physics.ox.ac.uk *.physics.ox.ac.uk *.atm.ox.ac.uk
    ProxyJump bastion.physics.ox.ac.uk

Then just type ssh your_machine.nat.physics.ox.ac.uk. Using the GSSAPI options, and the fully qualified name of your machine (e.g. cplxdt01.physics.ox.ac.uk rather than the short name), is recommended. A detailed explanation is here.

This may ask for your password twice, once for the bastion machine and then for the destination machine. IT Services are working on a solution to this, but for now you can generate an SSH key locally using

ssh-keygen -t ecdsa

This will create a key on your machine which can be used instead of your password on the bastion server. During the process of creating the key it will ask for a password; department policy requires that you set a password on this keyfile.

You can tell the bastion to accept this key by using:

ssh-copy-id bastion.physics.ox.ac.uk

Note: This doesn't currently work for most machines, just the bastion and some DAQs.
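The steps above (write the two-stanza config, generate a passphrase-protected key) can be checked locally before you ever connect. The following POSIX shell script is an added example, not part of the Physics IT page: it writes the recommended config into a scratch directory, uses `ssh -G` (which evaluates the configuration without connecting) to confirm that a NAT host gets the bastion as its jump host while the bastion itself gets none, and checks that a key file actually has a passphrase. The user name `your_physics_user` and the host `cplxdt001.nat.physics.ox.ac.uk` are placeholders.

```shell
#!/bin/sh
# Added example (not from the Physics IT page). Assumes OpenSSH's ssh and
# ssh-keygen are installed; `ssh -G` needs OpenSSH 6.8 or later.

BASTION=bastion.physics.ox.ac.uk

# write_config DIR USER : write the two-stanza client config into DIR/config.
# The directory and file get the permissions ssh expects (700 / 600).
write_config() {
    dir=$1; user=$2
    mkdir -p "$dir" && chmod 700 "$dir"
    cat > "$dir/config" <<EOF
# Defaults for every Physics host; override on the command line if needed.
Host *.physics.ox.ac.uk *.atm.ox.ac.uk
    User $user
    ForwardX11 yes
    GSSAPIAuthentication true
    GSSAPIDelegateCredentials true

# Jump through the bastion for every host EXCEPT the bastion itself.
# Without the "!" exclusion ssh would try to reach bastion via bastion.
Host !$BASTION *.physics.ox.ac.uk *.atm.ox.ac.uk
    ProxyJump $BASTION
EOF
    chmod 600 "$dir/config"
}

# effective_proxyjump CONFIG HOST : print the jump host ssh would really use
# for HOST, or "none" when there is no ProxyJump in effect.
# -F CONFIG makes ssh ignore both ~/.ssh/config and /etc/ssh/ssh_config,
# so the result depends only on the file we wrote.
effective_proxyjump() {
    ssh -G -F "$1" "$2" |
        awk '$1 == "proxyjump" { print $2; found = 1 }
             END { if (!found) print "none" }'
}

# key_has_passphrase KEYFILE : succeed only if the private key cannot be
# loaded with an empty passphrase, i.e. the department policy is met.
key_has_passphrase() {
    ! ssh-keygen -y -P "" -f "$1" >/dev/null 2>&1
}

# Stand-alone usage: build the config in a temporary directory and show
# the jump host chosen for a NAT desktop and for the bastion itself.
if [ "${0##*/}" != "sh" ] && [ -z "$SSH_CONFIG_CHECK_NO_MAIN" ]; then
    tmp=$(mktemp -d)
    write_config "$tmp/ssh" your_physics_user
    echo "cplxdt001.nat -> $(effective_proxyjump "$tmp/ssh/config" cplxdt001.nat.physics.ox.ac.uk)"
    echo "bastion       -> $(effective_proxyjump "$tmp/ssh/config" $BASTION)"
    rm -rf "$tmp"
fi
```

Running the script prints `bastion.physics.ox.ac.uk` for the NAT host and `none` for the bastion; if the second line also shows the bastion, the `!bastion.physics.ox.ac.uk` exclusion is missing and ssh would loop. `key_has_passphrase ~/.ssh/id_ecdsa` returns a non-zero status for a key that was created with an empty passphrase.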

Copying files

Using the configuration above, files can be copied directly (without the need for port forwarding or copying twice). To do this simply use

rsync -Pr local_file_or_directory cplxdt001.nat.physics.ox.ac.uk:remote_location/

The above will copy the files to a folder called "remote_location" in your home area. If you want to copy them to another path, put a `/` after the `:` and give the path from the root of the filesystem. Be careful doing this: Linux won't stop you overwriting something important if you have root on the machine (e.g. on DAQs).
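Because an absolute destination (`host:/...`) is written relative to the remote root and rsync will happily overwrite whatever is there, a small wrapper that previews the transfer with `--dry-run` and refuses absolute destinations unless explicitly allowed is a useful habit. The script below is an added example, not part of the Physics IT page; the host name is a placeholder and the `--allow-absolute` flag is invented for this wrapper.

```shell
#!/bin/sh
# Added example (not from the Physics IT page). Assumes rsync is installed
# and that the ~/.ssh/config ProxyJump setup from above is in place, so
# "host:path" destinations go through the bastion automatically.

# preview_copy SRC DEST : show what rsync would transfer without changing
# anything (-n is --dry-run; -P shows progress, -r recurses).
preview_copy() {
    rsync -Prn "$1" "$2"
}

# dest_is_absolute DEST : succeed when DEST is "host:/..." i.e. a path taken
# from the root of the remote filesystem rather than the remote home area.
dest_is_absolute() {
    case $1 in
        *:/*) return 0 ;;
        *)    return 1 ;;
    esac
}

# safe_copy SRC DEST [--allow-absolute]
# Exit status: 0 copied, 1 rsync failed, 2 refused (absolute destination
# without --allow-absolute). The dry run always happens first so the list
# of files about to be written is visible before anything is touched.
safe_copy() {
    src=$1; dest=$2; allow=${3:-}
    if dest_is_absolute "$dest" && [ "$allow" != "--allow-absolute" ]; then
        echo "refusing absolute destination '$dest'; pass --allow-absolute to override" >&2
        return 2
    fi
    echo "--- dry run ---"
    preview_copy "$src" "$dest" || return 1
    echo "--- copying ---"
    rsync -Pr "$src" "$dest"
}

# Stand-alone usage (placeholder host): this is refused with status 2.
if [ -z "$SAFE_COPY_NO_MAIN" ]; then
    safe_copy ./results cplxdt001.nat.physics.ox.ac.uk:/etc/ || echo "status $?"
fi
```

`safe_copy ./results cplxdt001.nat.physics.ox.ac.uk:results/` previews and then copies into the remote home area; the same call with `:/srv/results/ --allow-absolute` is the only way to write under the remote root.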

Port Forwarding

Forwarding ports is useful when you have a service running on your remote machine and want access to it. The most important part is to know what port the service on your machine is using. In this example we'll use port 8000 (the port used by python3 -m http.server which is a simple test to get this working).

ssh -L 9000:localhost:8000 cplxdt001.nat.physics.ox.ac.uk

If you used the python command above you can now point your web browser to the url http://localhost:9000 and view a directory listing of the folder you ran the command from.

You can replace port 9000 with any port you want; this is the local port, so you need to change the URL along with it.

You can replace port 8000 with whichever port the service on the remote machine uses (3306 for MySQL, 6379 for Redis); this depends entirely on what you're connecting to.
