SSH Access

Contents

Connecting to Physics Department Login Servers

The Department login servers for ssh access from anywhere are named login.physics.wisc.edu. Once connected via ssh, you can

 

On a Windows computer, you can use the built-in ssh command or a GUI ssh client such as PuTTY.  On a Mac, you can use ssh from the Terminal app found in Applications/Utilities.

Below is an example ssh session.  Note that the ‘$’ sign is not part of the command.  It is part of the command prompt.  Therefore, when copying the command, enter just ssh youraccount@login.physics.wisc.edu.

$ ssh dan@login.physics.wisc.edu
dan@login.physics.wisc.edu's password:
Last login: Tue Apr 15 11:24:06 2014 from 128.104.164.180


#######################################################
    Welcome to login01.physics.wisc.edu
    Scientific Linux release 6.4 (Carbon)

    996.66 MB RAM
    1 cores of type QEMU Virtual CPU version 1.1.2
#######################################################

[dan@login01 ~]$ logout
Connection to login.physics.wisc.edu closed.

Passwordless Authentication

If you frequently ssh to login.physics.wisc.edu, you may wish to use a form of authentication that avoids frequent entry of your password. SSH keys are one way to achieve this, but they have the disadvantage of not obtaining an AFS token. One way to get an AFS token and avoid entry of your password every time you ssh is to use kerberos delegation.

Windows (PuTTY): Kerberos Delegation

In the Kerberos Network Identity Manager, ensure your account is the default account. If it is not, right click and select “set as default”

( To install Kerberos Network Identity Manager follow the instructions here: Windows AFS Setup )

Edit your PuTTY configuration to allow GSSAPI credential delegation.

This option is located under: Connection -> SSH -> Auth -> GSSAPI

If you have not yet logged into Kerberos and/or your Kerberos ticket has expired you will be prompted to log into your Kerberos account. The prompt should no longer appear after doing this once unless your ticket has expired or you have been logged out of Kerberos.

Windows (Cygwin): Kerberos Delegation

Install Cygwin, including the openssh and krb5-workstation packages.

Run the Cygwin Terminal as Administrator.
Add the following to /etc/krb5.conf:

[libdefaults]
   forwardable = yes

Close Cygwin Terminal, then run it again, this time NOT as administrator.
Put the following in ~/.ssh/config

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

Then you can get a kerberos ticket for PHYSICS.WISC.EDU, and this will be used to authenticate you in all subsequent ssh sessions. Once the ticket expires, you will need to get a new one. To get a ticket, use the following command:

kinit youraccount@PHYSICS.WISC.EDU

Mac: Kerberos Delegation

Put the following in ~/.ssh/config


GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
# add following line only in macOS <= 10.11; else see note below
GSSAPITrustDns yes 

Then you can get a kerberos ticket for PHYSICS.WISC.EDU, and this will be used to authenticate you in all subsequent ssh sessions. Once the ticket expires, you will need to get a new one. To get a ticket, use the following command:

kinit youraccount@PHYSICS.WISC.EDU

Note: on macOS > 10.11, passwordless ssh does not currently work when the target specified is login.physics.wisc.edu. Instead, you need to specify login01.physics.wisc.edu or login02.physics.wisc.edu.

Linux: Kerberos Delegation

Put the following in ~/.ssh/config

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

Then you can get a kerberos ticket for PHYSICS.WISC.EDU, and this will be used to authenticate you in all subsequent ssh sessions. Once the ticket expires, you will need to get a new one. To get a ticket, use the following command:

kinit youraccount@PHYSICS.WISC.EDU

Transferring Files

Files can be securely transferred to and from the Department login machines using the ssh protocol. Under Windows, this can be done using a tool such as WinSCP. On a Mac or in Linux, this can be done using the command-line tools scp and sftp.

Example scp file transfer

This example copies a file from my computer where I am running scp to my AFS home directory. The same thing could be achieved by setting up AFS access directly from my computer.

$ scp MyDocument.pdf dan@login.physics.wisc.edu:

This example copies a file from my AFS home directory to my computer where I am running scp and puts it in a directory named Downloads.

$ scp dan@login.physics.wisc.edu:MyDocument.pdf Downloads/