Using ssh from Linux

For background reading see connecting from outside the University - an overview.

Most Linux distributions have an ssh client installed by default. For Fedora and Red Hat it is in the openssh-clients package; on Debian and Ubuntu it is in the openssh-client package.

To access an Informatics ssh server simply start a terminal application and enter something like the following:

ssh yourusername@staff.ssh.inf.ed.ac.uk

where you should enter your Informatics username and use the appropriate SSH server (see the External login servers page for the names).

Host Key Management

One of the ways in which ssh ensures the security of your connection is with host keys. When you first log in to a machine you will be prompted to accept the key. The dialog will look something like this:

The authenticity of host 'staff.ssh.inf.ed.ac.uk (129.215.33.85)' can't be established.
RSA key fingerprint is ad:c2:2d:a2:4b:be:d3:ac:50:21:ac:89:0e:bd:2a:79.
Are you sure you want to continue connecting (yes/no)? 

Once you have entered yes at the prompt, you will be informed that the key has been accepted:

Warning: Permanently added 'staff.ssh.inf.ed.ac.uk,129.215.33.85' (RSA) to the list of known hosts.

After this key has been accepted, you will be alerted if it ever changes. This is designed to prevent man-in-the-middle attacks. It is rarely necessary to change a host key, but when it happens - for instance due to a reinstallation of the machine - all users will be informed by email and the fingerprint of the new host key will be specified.

After a host key has changed, the first time you attempt to log in you will be presented with a rather alarming-looking dialog like this:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
c3:ff:6a:ec:10:f9:4f:91:a5:08:51:ac:db:29:cc:2c.
Please contact your system administrator.
Add correct host key in /home/yourusername/.ssh/known_hosts to get rid of this message.
Offending key in /home/yourusername/.ssh/known_hosts:3
RSA host key for staff.ssh.inf.ed.ac.uk has changed and you have requested strict checking.
Host key verification failed.

If you have not received any message from the Computing Team containing details of host key changes you should not proceed any further. You should immediately contact the support team giving full details of which service you were attempting to access and what happened.

If you are happy that this change in host key is legitimate then you can go ahead and remove the old keys which are stored in your known_hosts file. This is done using the ssh-keygen command.

ssh-keygen -R staff.ssh.inf.ed.ac.uk

Once you have removed the old key, at the next login you will be prompted to accept the new key in the same way as described earlier. You might also get a warning about the key differing for the IP address of the server, like this:

Warning: the RSA host key for 'staff.ssh.inf.ed.ac.uk' differs from the key for the IP address '129.215.33.85'
Offending key for IP in /home/yourusername/.ssh/known_hosts:3

This warning can be stopped by removing the key stored for that IP address in a similar way to before:

ssh-keygen -R 129.215.33.85
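The fingerprint in these dialogs is only useful if it is compared with the one announced by email. The following added example (not part of the original page) computes the fingerprint of a known_hosts entry in the legacy MD5 form shown above and in the SHA256 form that current OpenSSH clients print, and checks it against an announced value. The sample key line and the function names are constructed for illustration.

```python
import base64
import hashlib

# Constructed sample: a known_hosts-style line whose key blob is made-up bytes,
# not the real host key of any server.
SAMPLE_BLOB = base64.b64encode(
    b"\x00\x00\x00\x07ssh-rsa" + b"constructed-sample-key-material").decode()
SAMPLE_LINE = "staff.ssh.inf.ed.ac.uk,129.215.33.85 ssh-rsa " + SAMPLE_BLOB


def parse_known_hosts_line(line):
    """Return (hosts, key_type, key_bytes) for one known_hosts entry."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        raise ValueError("blank line or comment")
    if fields[0].startswith("@"):      # @cert-authority / @revoked marker
        fields = fields[1:]
    if len(fields) < 3:
        raise ValueError("not a known_hosts entry")
    hosts, key_type, blob = fields[0], fields[1], fields[2]
    # The fingerprint is a hash of the decoded key blob, not of the text line.
    return hosts.split(","), key_type, base64.b64decode(blob, validate=True)


def md5_fingerprint(key_bytes):
    """Legacy colon-separated hex form, as in the dialogs on this page."""
    digest = hashlib.md5(key_bytes).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def sha256_fingerprint(key_bytes):
    """Form printed by current OpenSSH clients: SHA256:<unpadded base64>."""
    digest = hashlib.sha256(key_bytes).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def matches_announced(key_bytes, announced):
    """Compare a key with a fingerprint received out of band (e.g. by email)."""
    announced = announced.strip()
    if announced.upper().startswith("SHA256:"):
        # base64 is case-sensitive, so only the prefix and padding are normalised
        return sha256_fingerprint(key_bytes) == "SHA256:" + announced[7:].rstrip("=")
    if announced.upper().startswith("MD5:"):
        announced = announced[4:]
    return md5_fingerprint(key_bytes) == announced.lower()
```

OpenSSH's own `ssh-keygen -l -f ~/.ssh/known_hosts` lists the same fingerprints; adding `-E md5` selects the legacy form.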

IPv6

The SSH servers are accessible using IPv6. Client software will often prefer IPv6 where it is available, which causes problems for some users whose internet providers have badly implemented support for this protocol. In that case it is possible to force the client software to use IPv4. This can be done either by specifying the -4 option on the command line or by having the following in your .ssh/config file.

Host *.inf.ed.ac.uk
  AddressFamily inet

Using GSSAPI (Kerberos) authentication

The recommended way to authenticate with the Informatics ssh service is to use GSSAPI wherever possible. This is highly secure and very convenient once you have a Kerberos client installed and configured on your system. See the notes on how to configure Kerberos for your machine.

Before making your first ssh connection you need to authenticate to the Informatics Kerberos service, like this:

kinit yourusername@INF.ED.AC.UK

You will be prompted to enter your Informatics password. After you have successfully authenticated you will have the convenience of single sign-on: you can make as many ssh connections as you like without being prompted for a password for as long as the permitted lifetime of the Kerberos ticket.

To make it all work correctly you need to set some configuration options for your ssh client. This is done by editing the file .ssh/config in your home directory. Note that the file will not exist if you have not previously needed to set any options. You need to add a stanza like this:

Host *.inf.ed.ac.uk
  User yourusername
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes

where you need to set your username appropriately. After that you can log in to Informatics machines without having to specify your username or password.

If, on connecting with ssh to an Informatics machine, you do not have access to your home directory and see a message like this:

Could not chdir to home directory /afs/inf.ed.ac.uk/user/y/yourusername: Permission denied

... this is probably because you have not obtained forwardable tickets. Forwardable tickets are the default on most OSes, but if you see this message you can explicitly obtain them using kinit -f

Forwarding to your desktop

If you have a desktop machine on the Informatics network it is possible to forward a connection through one of the SSH hosts. Add a stanza like this to your SSH client configuration (possibly incorporating previous suggestions above).

Host mydesktop
  HostName %h.inf.ed.ac.uk
  ForwardX11 no
  ProxyCommand ssh -x staff.ssh.inf.ed.ac.uk -W %h:%p

Replace mydesktop with the name of your desktop machine. If you do not have permission to use the staff SSH server then replace staff.ssh.inf.ed.ac.uk with ssh.inf.ed.ac.uk.

Last reviewed: 22/03/2016
