Navigation :

Remote Work

IS&T provides MIT staff and affiliates with a selection of IT resources that can be leveraged to prepare for and facilitate remote working at MIT.

SSH access restrictions

Inbound SSH connections from outside the CSAIL network to most systems on the CSAIL network are blocked by default. SSH connections within the CSAIL network (either on Ethernet or CSAILPrivate) remain open. Inbound SSH connections to the public login server login.csail.mit.edu remain open.

To SSH to systems from outside the CSAIL network, you have 3 options:

  1. Use the MIT VPN for SSH access
  2. Use the CSAIL jump host for SSH access
  3. Allowlist an SSH server

MIT VPN access

The simplest way to access your systems within CSAIL from outside the CSAIL network is to use the Campus VPN, which is allowlisted.

No additional configuration is required while connected to the campus VPN. If you’d prefer not to use the VPN, follow the instructions below to configure your SSH client to use our jump host.

Using SSH with the CSAIL Jump Host

TIG is supplying a dedicated jump host (separate from the login servers) called jump.csail.mit.edu. This server is configured to allow only proxy connections, not interactive logins.

Despite the impending network restrictions most people can continue to transparently access all CSAIL systems by setting up their client ssh config.

Please see the applicable configuration options for your platform

Allowlist SSH server

If all else fails, or you have a server that:

  1. needs to allow ssh from outside the CSAIL network,
  2. is not on the guest (128.31.0.0/24) or W3C (128.30.52.0/22) network, and
  3. has non-CSAIL users or some application restriction making it difficult to use a jump host configuration as shown above),

please open a ticket by sending mail to help@csail with the names and IP addresses of the machines you’d like to register as ssh servers and an explanation of the reason you need to have a firewall exception made. Note that the servers in question must have a static IP address assigned. Additional documentation can be found elsewhere on this site for (physical servers)[/network-wireless/#requesting-a-static-ip-address] and (OpenStack virtual machines)[/shared-computing/open-stack/network/#using-fixed-ip-addresses].