Central SSH Access

Executive summary

Log into the SSH gateway server ssh.physics.ox.ac.uk using your central authentication (without the preceding "PHYSICS\".) You can then log into systems inside our subnet from there.

Warning: The ssh-gateway is only meant to be used as a gateway. There are no backups in place so any files in your home directory there are to be treated as scratch. It is the users' responsibility to make sure files such as keys are backed up, they will also be regularly cleaned to prevent the disk filling up.

If you need to transfer files in or out of the network please set up the configuration file as below to use ProxyJump and transfer directly to your system with

scp file mymachine.nat.physics.ox.ac.uk:./file

Normal SSH usage for Linux/OS X

This example shows how to connect to an example machine called shortname.nat.physics.ox.ac.uk, using an ssh tunnel from a remote unix client to ssh.physics.ox.ac.uk. Replace shortname with the name of the machine you are trying to connect to.

Please note: Most or all of the desktop client machines now have IP names of the form shortname.nat.physics.ox.ac.uk, and are said to be "in the NAT". If you know your desktop only by its short name, and attempts to connect to shortname.physics.ox.ac.uk fail, please try using shortname.nat.physics.ox.ac.uk instead before giving up.

You should of course drop the .nat for servers, or the occasional desktop system which isn't "in the NAT". If in doubt, try with .nat, then without, and use whichever works first.

First of all you need to log into ssh.physics.ox.ac.uk.
Use the following command:

ssh -X your_username@ssh.physics.ox.ac.uk


ssh -X your_username@bastion.physics.ox.ac.uk

(where "your_username" is your physics username, the same you normally use to log into most on site desktops or servers). You will be prompted for your physics password. Once the connection is open, enter this command in the same terminal (i.e. the one now connected to the ssh-gateway):

ssh -X local_username@computer_in_.physics.ox.ac.uk

("local_username" is the local username for the machine you are trying to access, which may be different from "your_username" in some circumstances. Replace "computer_in_" by "shortname.nat" or "shortname" as applicable.)

You will be prompted for your local machine username password and then you will get your login shell.

If you need to do this frequently, it will be better to use the ProxyJump feature of the ssh config.

Add this to your .ssh/config to make it all a bit easier:

# This section tells SSH how to connect to any machine in physics.ox.ac.uk, # think of it as defaults, you can still change them on the command line. Host *.physics.ox.ac.uk *.atm.ox.ac.uk User your_physics_user ForwardX11 yes GSSAPIDelegateCredentials true GSSAPIAuthentication true # ssh/bastion can be used here but make sure it is the same in both lines # this section will tell ssh we want to use bastion as a proxyjump for all hosts # except bastion, it is possible to make a loop if you don't include this. Host !bastion.physics.ox.ac.uk *.physics.ox.ac.uk *.atm.ox.ac.uk ProxyJump bastion.physics.ox.ac.uk

Then just type ssh your_machine.nat.physics.ox.ac.uk. Using the GSSAPI options as well as using the fully qualified name of your machine, e.g. cplxdt01.physics.ox.ac.uk rather than the short name, are recommended. A detailed explanation is here.

BOOKMARK: the following paragraph needs updating.

An example for connecting to the machine "linuxts" from outside of the department without a recurring password entry for the user 'brisbane' is here. To avoid typing further passwords, you must first generate a Keberos ticket, for example by running "kinit -f brisbane@PHYSICS.OX.AC.UK".

Port forwarding using an ssh-gateway

This may still be required to tunnel protocols without native ssh tunnel support, such as NX (no machine) remote desktop application.
The following allows you tunnel an unused port on your local machine to a specific port on a machine in the Physics network

From Linux and OS X

This example assumes you want to copy files via scp, but will work for other services by substituting the correct port on the remote machine. In what follows:

  • remotemachine: the name of your machine inside Physics.
  • PhysicsUser: your Central-Physics login name.
  • remoteuser: the login name on your machine (usually the same as PhysicsUser).
  • localhost: use exactly this string.
  • dirpath: the pathname of the directory in question on remotemachine.

To set up a tunnel to port 22 on the remote machine. A network port has a number between 1024 and 65000. It doesn't matter what you pick as long as nobody else is using it.

Let's assume I chose port 2222 for the remaining examples:

ssh -fN -L 2222:remotemachine.physics.ox.ac.uk:22 \

This connects port 2222 on your local machine to port 22 on remotemachine. The ssh-gateway will request your Physics password, and the ssh tunnel will remain open until you kill the ssh process. (Once the tunnel has been set up, ssh will put itself in the background.)

Then point your local client to the port on your local machine. For example, to copy a directory called dirpath (either relative to your home directory, or an absolute path beginning with "/") via scp:

scp -r -P 2222 remoteuser@localhost:dirpath ./

To copy files via RSync over SSH:

rsync -avzR -e "ssh -p 2222" remoteuser@localhost:dirpath/ ./

To tunnel 'no machine', replace the port 22 in the above discussion with port 4000, or use this handy form to generate the command.

Categories: Apple | Linux | Mac | Remote Access | SSH