ssh (Secure SHell) usage
Why use ssh
The Secure Shell (SSH) networking protocol should always be used for communications between Maths systems and external networks. SSH software encrypts traffic to prevent sensitive information, especially passwords, from being read by others, and can also ensure that the computer you are connecting to is not an imposter waiting to steal your login password or other confidential information.
Like all modern Linux machines, the Maths computers do not support incoming telnet, rlogin or rsh connections, because these protocols are insecure and someone snooping traffic on a remote system may discover your password and then use your Maths account to cause mayhem. For the same reason you should never set a login password on a remote computer to be the same as your Maths password in case it gets discovered in a breach of security on the remote system.
ssh usage and options
From any Linux machine or Macintosh, Maths users should type the following to connect from outside:
ssh -X CRSid@ssh.maths.cam.ac.uk
- The -X option means "enable X forwarding" so that you can run graphical applications on the CMS machine.
- CRSid should be replaced by your login name.
- ssh.maths.cam.ac.uk can be replaced by the name of any computer to which you have login access.
- List of Maths Linux and Windows computers
- Cosmos users should look at the cosmos quick start page for further information.
Similarly, to connect from a Maths machine to a remote site:
ssh -X remote-login-name@remote.host.name
Within Maths you can use a shorter command:
ssh machine-name
(The -X option is enabled by default here, the login name can be omitted if it is the same at both ends, and the system can work out the full name of a local machine from just its "leafname".)
We recommend that Windows users connect with PuTTY for text-based connections or Hotdesk for graphical connections.
Users of other ssh clients are mostly on their own; however, these tips may help.
- If asked which port to use choose 22.
- If asked whether to use ssh-1 or ssh-2 choose ssh-2.
Key authentication
Using SSH public-key user authentication might, depending on configuration, be more secure and/or more convenient than using passwords. Please note however that it is MANDATORY for private keys stored in shared Maths home directories, and highly recommended for private keys in general, to be protected by a strong passphrase, as without one anyone who can gain access to your key file can then connect as you to other systems.
We recommend using the algorithm "ed25519" for new SSH key pairs because operations on "rsa" keys long enough to provide the same level of security (2048 bits or longer) are much slower, whereas "ecdsa" is not considered entirely trustworthy (it relies on highly specific elliptic-curve parameters provided to the US standards body NIST without any explanation by the US National Security Agency, which has in the past successfully managed to inject back doors into NIST standards).
Further details TBA.
Connection multiplexing
By default every SSH/SCP/SFTP/... operation opens a separate SSH connection. It can sometimes be beneficial instead to establish an SSH connection once and then use it for multiple operations. Two use cases where this could be of particular advantage are:
- SSH-aware development environments routinely transfer files to and from the remote hosts. With all the cryptographic exchanges taking place when a new SSH connection is established, those transfers can end up noticeably slowing one's work, and in the case of some IDEs (*cough* VSCode *cough*) they have been known to temporarily lock users out of remote systems due to rate limiting;
- SSH servers using an interactive second authentication factor like TOTP can quickly become tedious to work with, especially in combination with the aforementioned routine file transfers by SSH-aware IDEs.
The OpenSSH solution to this problem is known as connection multiplexing. It is, however, not enabled by default because of potential security considerations - so please make sure you understand the consequences before you do switch it on.
Details TBA
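As an added illustration, not part of this page or of any Maths-provided configuration, the following ~/.ssh/config fragment turns on OpenSSH connection multiplexing for the ssh.maths.cam.ac.uk host used above, together with the ed25519 key recommended in the previous section. The key file name and the socket directory ~/.ssh/sockets are assumptions.

```ssh_config
# Added example ~/.ssh/config fragment (not the Maths-provided configuration).
# Assumes ~/.ssh/id_ed25519 exists and that the socket directory was created
# beforehand on local disk with:  mkdir -m 0700 ~/.ssh/sockets
Host ssh.maths.cam.ac.uk
    # Replace with your login name (CRSid)
    User CRSid
    # Equivalent of "ssh -X"
    ForwardX11 yes
    # Passphrase-protected ed25519 key; offer only this key, not every key the agent holds
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes

    # Connection multiplexing: the first "ssh ssh.maths.cam.ac.uk" becomes the
    # master and authenticates (key, password, TOTP...); later ssh/scp/sftp
    # commands to the same host reuse its connection via the control socket.
    ControlMaster auto
    # %C expands to a hash of local host, remote host, port and user, keeping
    # the socket path short and unique per connection
    ControlPath ~/.ssh/sockets/%C
    # Keep the master open for 10 minutes after the last session closes
    ControlPersist 10m

    # Why this is off by default: anyone who can open the control socket gets
    # a session on the remote host without authenticating again. So the socket
    # must live in a private (mode 0700) directory on local disk, never in a
    # shared or network-mounted home directory, and ControlPersist should be
    # kept short. "ssh -O check ssh.maths.cam.ac.uk" reports whether a master
    # is running and "ssh -O exit ssh.maths.cam.ac.uk" shuts it down.
```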