Central SSH Access

Log into the SSH gateway server ssh.physics.ox.ac.uk using your central authentication (without the preceding "PHYSICS\".)

Warning: The ssh-gateway is only meant to be used as a gateway. There are no automatic backups in place so any files in your home directory there are to be treated as scratch. It is the users' responsibility to make sure files such as keys are backed up.

Normal SSH usage for Linux/OS X

This example shows how to connect to an example machine called computer_in_.physics.ox.ac.uk, using an ssh tunnel from a remote unix client to ssh.physics.ox.ac.uk. Replace computer_in_.physics.ox.ac.uk with the name of the machine you are trying to connect to.

Please note: Most or all of the desktop client machines now have IP names of the form shortname.nat.physics.ox.ac.uk, and are said to be "in the NAT". If you know your desktop only by its short name, and attempts to connect to shortname.physics.ox.ac.uk (as suggested below) fail, please try using shortname.nat.physics.ox.ac.uk instead before giving up.

The usages below have been left as-is (but commented) partly for those few systems which haven't yet been moved into the NAT, and partly for those who wish to contact servers, which won't be moved.

First of all you need to log into ssh.physics.ox.ac.uk.
Use the following command:

ssh -X your_username@ssh.physics.ox.ac.uk

("your_username" is your physics user name, the same you normally use to access your physics emails) You will be prompted for your physics password. Once the connection is open, enter this command in the same terminal (i.e. the one connected to the ssh-gateway):

ssh -X local_username@computer_in_.physics.ox.ac.uk

("local_username" is the local username for the machine you are trying to access, which may be different from "your_username" in some circumstances. Replace "computer_in_" by "shortname.nat" or "shortname" as applicable.)

You will be prompted for your local machine username password and then you will get your login shell.

If you need to do this frequently, it will be better to use a netcat proxy command (my thanks to Chris Williams for this trick):

Add this to your .ssh/config to make it all a bit easier:
e.g for your host "your_machine" behind the physics firewall, with your user name "your_name":

Host oxford_ssh_gateway Hostname ssh.physics.ox.ac.uk User your_name ForwardX11 yes GSSAPIDelegateCredentials true GSSAPIAuthentication true

Host your_machine Hostname your_machine User your_name ProxyCommand ssh oxford_ssh_gateway nc -q 0 your_machine 22 ForwardX11 yes GSSAPIDelegateCredentials true GSSAPIAuthentication true

Then just type ssh your_machine. Using the GSSAPI options as well as using the fully qualified name of your machine, e.g. cplxdt01.physics.ox.ac.uk rather than the short name, are recommended. A detailed explaination is here.

An example for connecting to the machine "linuxts" from outside of the department without a recurring password entry for the user 'brisbane' is here. To avoid typing further passwords, you must first generate a Keberos ticket, for example by running "kinit -f brisbane@PHYSICS.OX.AC.UK".

Update 2017-02-20: For a system "in the NAT", you should probably use entries of this form for Host and Hostname:

Host your_machine Hostname your_machine.nat.physics.ox.ac.uk

Port forwarding using an ssh-gateway

This may still be required to tunnel protocols without native ssh tunnel support, such as NX (no machine) remote desktop application.
The following allows you tunnel an unused port on your local machine to a specific port on a machine in the Physics network

From Linux and OS X

This example assumes you want to copy files via scp, but will work for other services by substituting the correct port on the remote machine. In what follows:

  • remotemachine: the name of your machine inside Physics.
  • PhysicsUser: your Central-Physics login name.
  • remoteuser: the login name on your machine (usually the same as PhysicsUser).
  • localhost: use exactly this string.
  • dirpath: the pathname of the directory in question on remotemachine.

To set up a tunnel to port 22 on the remote machine. A network port has a number between 1024 and 65000. It doesn't matter what you pick as long as nobody else is using it.

Let's assume I chose port 2222 for the remaining examples:

ssh -fN -L 2222:remotemachine.physics.ox.ac.uk:22 \

This connects port 2222 on your local machine to port 22 on remotemachine. The ssh-gateway will request your Physics password, and the ssh tunnel will remain open until you kill the ssh process. (Once the tunnel has been set up, ssh will put itself in the background.)

Then point your local client to the port on your local machine. For example, to copy a directory called dirpath (either relative to your home directory, or an absolute path beginning with "/") via scp:

scp -r -P 2222 remoteuser@localhost:dirpath ./

To copy files via RSync over SSH:

rsync -avzR -e "ssh -p 2222" remoteuser@localhost:dirpath/ ./

To tunnel 'no machine', replace the port 22 in the above discussion with port 4000, or use this handy form to generate the command.

Categories: Apple | Linux | Mac | OS X | Remote Access | SSH