Notes on SSH Client Configuration

Author: Merlin Hansen
Date: 2020-11-16 / 2024-03-11

Summary

This document provides information on configuring and using SSH clients to access CSCI servers from external non-VIU computers. Topics include SSH keys and the SSH config file.

Note: when you have completed the procedures in this tutorial you may want to look at the tutorial on ssh tunnels.

SSH Keys Resources

The following links have examples and general descriptions on how SSH keys work.

General information on CSCI services and ssh

CSCI use of SSH keys

The following scenarios are typical:

In both cases the purpose for connecting can be one or more of the following:

For this tutorial the following is used throughout:

Accessing CSCI computers via SSH from off campus using SSH keys with command line SSH tools

SSH keys can be used to provide a safe, secure method of connecting to CSCI servers without the need to provide a password. Further, an SSH config file can be used to specify various options automatically, such as the username and which SSH key to use. Combining the two provides an easy-to-use and safe SSH environment that can support multiple keys, each used for a different site or server, or for a group of them.

References:

Configuring SSH Keys

For the following procedure, the "Bash" commands will work in a Linux or Mac OS X terminal, and the "PowerShell" commands will work on Windows 10+ using Windows PowerShell.

Configure default connection options for the CSCI gateway

An SSH config file can be used to specify options to use when connecting to various remote servers. This includes specifying which SSH key pair (identity) and username to use when connecting to the CSCI server.

# Connection options for the CSCI gateway
Host otter otter.csci.viu.ca
    #Hostname otter.csci.viu.ca
    Hostname 104.128.240.2
    User exstu
    IdentityFile ~/.ssh/csci_id_rsa
    IdentitiesOnly yes
    AddKeysToAgent yes

# Connection options for all connections - '*' is a wildcard
Host *
    ServerAliveInterval 300
    ServerAliveCountMax 10

Eliminating the need to enter the SSH passphrase

Mac OS X, Windows, and Linux all have the ability to store SSH keys so that you are not prompted for the SSH passphrase at each connection attempt.

  UseKeychain yes

Configuring SSH to directly access CSCI lab machines

Students are asked not to perform work on otter.csci.viu.ca, the server you initially connect to when using ssh. This means that you must first use ssh to connect to otter.csci.viu.ca, and then connect from otter to one of the lab machines. SSH provides a couple of ways to shorten this process to one step.

Using ProxyJump on the command line

SSH provides the ProxyJump command line option to specify a Jumpbox (aka Bastion Host or Jump Host) to connect through when connecting to a machine behind a firewall. The ProxyJump option is -J; for example:

Using ProxyJump in the SSH config file

Using entries in the ~/.ssh/config file on your home computer, you can configure SSH to use otter.csci.viu.ca as a proxy to connect to your preferred lab machine. Here is the process:

Host cscijump
    #Hostname otter.csci.viu.ca
    Hostname 104.128.240.2
    User exstu
    IdentityFile ~/.ssh/csci_id_rsa
    IdentitiesOnly yes
    AddKeysToAgent yes

Host pup*.csci.viu.ca cub*.csci.viu.ca kit*.csci.viu.ca
    Hostname %h
    ProxyJump cscijump
    User exstu
    IdentityFile ~/.ssh/csci_id_rsa
    IdentitiesOnly yes
    AddKeysToAgent yes

Host pup* cub* kit* 
    Hostname %h.csci.viu.ca
    ProxyJump cscijump
    User exstu
    IdentityFile ~/.ssh/csci_id_rsa
    IdentitiesOnly yes
    AddKeysToAgent yes
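
The following is an added example, not part of the original tutorial. It models how OpenSSH picks options from the entries above: every Host block whose pattern matches the name you typed is applied in file order, and the first value obtained for each option wins. The sample config is constructed from the entries above (abridged, with a Host * block appended), and the function names are hypothetical.

```python
import fnmatch

# Constructed sample: the tutorial's Host entries with the IdentityFile and
# AddKeysToAgent lines left out for brevity, plus a catch-all Host * block.
CONFIG = """
Host cscijump
    Hostname 104.128.240.2
    User exstu
    IdentitiesOnly yes
Host pup*.csci.viu.ca cub*.csci.viu.ca kit*.csci.viu.ca
    Hostname %h
    ProxyJump cscijump
    User exstu
    IdentitiesOnly yes
Host pup* cub* kit*
    Hostname %h.csci.viu.ca
    ProxyJump cscijump
    User exstu
    IdentitiesOnly yes
Host *
    ServerAliveInterval 300
"""

def parse(text):
    """Return [(patterns, [(option, value), ...]), ...] in file order."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "host":
            blocks.append((value.split(), []))
        elif blocks:
            blocks[-1][1].append((key.lower(), value.strip()))
    return blocks

def resolve(text, host):
    """Simplified model of OpenSSH lookup (no '!' negation, no Match blocks)."""
    opts = {}
    for patterns, settings in parse(text):
        if any(fnmatch.fnmatchcase(host, p) for p in patterns):
            for key, value in settings:
                opts.setdefault(key, value)  # first value obtained wins
    # %h in Hostname stands for the name typed on the command line.
    opts["hostname"] = opts.get("hostname", host).replace("%h", host)
    return opts

if __name__ == "__main__":
    for name in ("pup3", "pup3.csci.viu.ca", "cscijump"):
        print(name, "->", resolve(CONFIG, name))
```

Because `pup*` also matches `pup3.csci.viu.ca`, the fully qualified block has to come first; with the two lab-machine blocks swapped, the full name would resolve to `pup3.csci.viu.ca.csci.viu.ca`. On a machine with OpenSSH installed, `ssh -G pup3` prints the options the real client resolves for that name.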

Using graphical SSH based programs such as PuTTY to access csci.viu.ca using SSH keys

Although PuTTY and similar graphical front-ends to SSH appear convenient, they are limited in what they can do compared to the command line. Feel free to use such programs, but it is recommended that you also learn how to configure and use SSH on the command line, as described in the above sections.

References:

Configuring PuTTY for SSH connections to CSCI

Configuring PuTTY to connect directly to a lab machine

PuTTY versions prior to 0.78 do not directly support the SSH ProxyJump option outlined below. Please ensure you have the latest stable version of PuTTY installed before proceeding.

Accessing internal CSCI services from off campus using SSH

SSH can be used to access services that are not directly available from off campus. This includes CSCI services such as the student web server, databases, and assignment Git server. There is a tutorial that specifically deals with these scenarios. Once you have configured SSH keys and the SSH config file as shown in this tutorial, you may want to refer to Tutorial-sshTunnel.md depending on your specific needs.