DAMTP SSH information

When connecting to DAMTP machines from elsewhere (or to distant machines from here), a secure protocol like ssh is much preferable to older insecure ones like telnet, rlogin or rsh.

The ssh protocols encrypt all traffic (including passwords), removing the possibility of interception of data by someone on an untrusted network. Ssh also verifies that the host you are connecting to is the one you think it is (provided you have its public key in your known_hosts file). Using ssh also greatly simplifies running X applications remotely, since it forwards the X connection transparently (and securely).

All Linux, MacOSX and UNIX machines in DAMTP should accept ssh connections using the ssh-2 protocol. If a particular DAMTP machine does not work with the ssh-2 protocol, or you have access only to old clients which can only talk the obsolete ssh-1 protocol, please let us know.

The ssh command should be provided on all our machines and should be on the default user PATH. Ssh clients (based on openssh) have been standard for some time; these support both the ssh-1 and ssh-2 protocols, though they will prefer ssh-2.

Reminder: Since 2007-03-09 we no longer support the old ssh-1 protocol on any of our UNIX/Linux machines. Currently our openssh clients will fall back to ssh-1 if remote servers don't support ssh-2, but this may also be disabled at some point in the future.

Openssh is a Free implementation of ssh-1 and ssh-2 from the OpenBSD project; for those in the UK a mirror of the distribution is available at the UK Mirror service. Openssh is available for most popular unix systems (look in the portable directory for non-OpenBSD versions).

ssh known hosts

When you connect to a server whose public key is not yet known to your client, you will see a warning message like:

The authenticity of host 'xxxxx (xxx.xxx.xxx.xxx)' can't be established.
RSA1 key fingerprint is xxxxxxxxxxxxxxxxxxx
Are you sure you want to continue connecting (yes/no)? 

or (for very old ssh clients) like:

Host key not found from the list of known hosts.
Are you sure you want to continue connecting (yes/no)?

If you agree, the public key will be saved so it can be checked next time. If the stored key doesn't match the one the server offers, you will see a message like:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@       WARNING: HOST IDENTIFICATION HAS CHANGED!         @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the host key has just been changed.

If you ever see this, do not continue (even if the client offers to) and contact the administrator of the machine you are attempting to use. Host keys do sometimes get changed, which will cause this message, but the danger that someone may be trying to obtain your password is very real.

If you have any doubt at all please send a message to help@damtp.cam.ac.uk so we can advise you.

If you want a copy of our ssh-2 public keys in a format which ssh can use (rename the file to either ~/.ssh/known_hosts or ~/.ssh/known_hosts2 for them to be used), here are the current versions:

We also have a List of the expected fingerprints you may be offered when connecting to DAMTP machines.

Note that modern versions of openssh will accept either ssh-1 or ssh-2 protocol keys in ~/.ssh/known_hosts, so you may prefer to download it to that name.
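The check described above (compare the key your client has recorded, or is being offered, against the fingerprints the administrators publish) can be scripted rather than done by eye. The following is an added example, not part of the original page or of DAMTP's own tools: it parses known_hosts-format lines, derives the fingerprints that ssh-keygen would print (SHA256 base64 form and the older colon-separated MD5 form), and reports a verdict per host. The host names, key blobs and the "published" fingerprint list are all constructed here for illustration and are not real DAMTP keys.

```python
"""Check known_hosts entries against a published fingerprint list (added example)."""
import base64
import hashlib
import struct


def parse_known_hosts(text):
    """Yield (hosts, declared_type, key_blob) for every key line.

    Lines beginning with a marker such as @cert-authority or @revoked carry one
    extra leading field; comments, blank lines and malformed lines are skipped.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):
            fields = fields[1:]
        if len(fields) < 3:
            continue  # malformed: ignore rather than guess
        hosts, declared_type, b64 = fields[0], fields[1], fields[2]
        yield hosts, declared_type, base64.b64decode(b64)


def blob_key_type(blob):
    """Return the key type string embedded at the start of the wire-format blob."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii")


def fingerprint_sha256(blob):
    """SHA256 fingerprint as ssh-keygen -l prints it (base64, no padding)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_md5(blob):
    """Legacy MD5 fingerprint: 16 colon-separated hex bytes."""
    hexd = hashlib.md5(blob).hexdigest()
    return ":".join(hexd[i:i + 2] for i in range(0, 32, 2))


def check_known_hosts(text, published):
    """Return {host: verdict} comparing each entry with `published`
    (hostname -> set of trusted fingerprints in SHA256:... or MD5 colon form)."""
    results = {}
    for hosts, declared_type, blob in parse_known_hosts(text):
        for host in hosts.split(","):
            if blob_key_type(blob) != declared_type:
                results[host] = "INCONSISTENT (declared type differs from key blob)"
                continue
            offered = {fingerprint_sha256(blob), fingerprint_md5(blob)}
            trusted = published.get(host)
            if trusted is None:
                results[host] = "UNKNOWN (no published fingerprint for this host)"
            elif offered & trusted:
                results[host] = "ok"
            else:
                results[host] = "MISMATCH (do not connect; contact the administrator)"
    return results


def _ed25519_blob(raw32):
    # Wire format of an ed25519 public key: string "ssh-ed25519", string <32 bytes>.
    return struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw32


# Constructed sample keys: deterministic bytes, not anyone's real host key.
GOOD_BLOB = _ed25519_blob(bytes(range(32)))
OTHER_BLOB = _ed25519_blob(bytes(range(32, 64)))

SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample file, not DAMTP's real known_hosts",
    "alpha.example ssh-ed25519 " + base64.b64encode(GOOD_BLOB).decode(),
    "beta.example,10.0.0.2 ssh-ed25519 " + base64.b64encode(OTHER_BLOB).decode(),
    "gamma.example ssh-rsa " + base64.b64encode(GOOD_BLOB).decode(),  # type lies
    "delta.example ssh-ed25519 " + base64.b64encode(GOOD_BLOB).decode(),
])

# The fingerprint list an administrator would publish (constructed here).
PUBLISHED = {
    "alpha.example": {fingerprint_sha256(GOOD_BLOB)},
    "beta.example": {fingerprint_md5(GOOD_BLOB)},  # recorded key is a different one
    "10.0.0.2": {fingerprint_md5(GOOD_BLOB)},
}


def demo():
    return check_known_hosts(SAMPLE_KNOWN_HOSTS, PUBLISHED)


if __name__ == "__main__":
    for host, verdict in demo().items():
        print(f"{host:16} {verdict}")
```

Run it against a real ~/.ssh/known_hosts by reading the file into `text` and filling `published` from the administrators' list; an entry that comes back MISMATCH is exactly the situation the warning above describes, and the right response is the same: do not connect, ask the administrator.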

Compatibility

Openssh clients should automatically detect and work with both the ssh-1 and ssh-2 protocols, but if you have any problems you can force a particular protocol by specifying -1 or -2 on the command line.

We used to get reports of problems using scp from openssh to talk to systems running the commercial ssh-2 from SSH Communications (ssh-inc), since their scp does not speak the same protocol as the scp from ssh-1 or openssh. The following workarounds seem to help:

  • use sftp instead of scp
  • arrange for openssh to be installed at the far end instead of ssh-2
  • install the openssh scp at the remote end so that it is found on your PATH early enough to be used instead of the system scp.
  • ssh to the other site and scp the files from there

Only very old versions of Openssh don't support the scp2 mechanism (which works over sftp), so this should no longer be a problem.

Secure Shell clients

  • Windows:
    • winscp is a secure scp/sftp graphical client - primary site
    • winscp installer 4.3.5 local copy (checked 2011-11-21 - may be out of date)
    • Putty is a secure ssh/scp/sftp client for Windows - primary site
    • putty installer 0.61 local copy (checked 2011-11-21 - may be out of date)
  • Unix, Linux or MacOSX:
    • use the command-line sftp e.g. sftp username@hostname.damtp.cam.ac.uk
    • use the command-line scp, see the manual
    • use the command-line rsync command, see the manual
  • Linux:
    • use the nautilus graphical browser e.g. nautilus --no-desktop ssh://username@hostname.damtp.cam.ac.uk
  • MacOSX:

For other (especially old) platforms please look at the online version of the SSH CD which has clients for a number of other more obscure platforms.

Which machine can I ssh into?

Use any DAMTP unix computer name that you can log into. If you run the command:

     access-list

it will show the list of computers you have access to.

If all else fails the special name ssh.damtp.cam.ac.uk refers to a group of machines that all members of DAMTP may use.

Cosmos users

Cosmos users should look at the cosmos ssh page for further information.

Help

If you encounter any problems please contact help@maths.cam.ac.uk for more information.