Setting up SSH on MacOS

Using SSH on MacOS

Prerequisites

  1. Set up CSAIL DUO. Until you have enrolled, an SSH login to the login server fails with a prompt to enroll:

     $ ssh user@login.csail.mit.edu
     user@login.csail.mit.edu's password:
     Please enroll at https://api-f9e5e8b6.duosecurity.com/frame/portal/v4/enroll?code=1fc14591696012e7&akey=DAY2HO8ZVB7D9PBIZINN
     Please enroll at https://api-f9e5e8b6.duosecurity.com/frame/portal/v4/enroll?code=1fc14591696012e7&akey=DAY2HO8ZVB7D9PBIZINN
     Please enroll at https://api-f9e5e8b6.duosecurity.com/frame/portal/v4/enroll?code=1fc14591696012e7&akey=DAY2HO8ZVB7D9PBIZINN
     user@login.csail.mit.edu: Permission denied (publickey,gssapi-with-mic,keyboard-interactive).

  2. Optionally, configure Kerberos for the CSAIL environment.

SSH access restrictions

Inbound SSH connections from outside the CSAIL network to most systems on the CSAIL network are blocked by default. SSH connections within the CSAIL network (either on Ethernet or CSAILPrivate) remain open. Inbound SSH connections to the public login server login.csail.mit.edu remain open.

To SSH to systems from outside the CSAIL network it is strongly recommended that you use the CSAIL jump host for SSH access, as this bypasses the firewall restriction and minimizes DUO prompts.

It is also possible to bypass the firewall restriction using:

  1. Campus VPN
  2. Allowlist an SSH server

If the system you are connecting to inside CSAIL is not running CSAIL Linux, these methods are fine. However, connecting to a CSAIL Linux host using one of these methods rather than the jump-host method will require DUO interaction on every SSH connection, which is not a good experience.

Configuring CSAIL SSH via Jump Host for Mac OS 14+

Two steps are required:

  1. Place the following in the .ssh/config file within your local home directory (i.e., /Users/$YOU/.ssh/config).
  2. Create the directory ~/.ssh/cm_socket, either through the Finder or by opening a terminal and running mkdir ~/.ssh/cm_socket.

This configuration will allow you to SSH to systems from within or outside the CSAIL network using Kerberos authentication while minimizing DUO prompts.

# Global options
HashKnownHosts yes
VerifyHostKeyDNS ask
CanonicalizeHostname always
CanonicalDomains csail.mit.edu

# Kerberos (GSSAPI) authentication for all CSAIL hostnames and address ranges
Host *.csail.mit.edu 128.52.* 128.30.* 128.31.*
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes
  # ForwardAgent lets the remote host use your local ssh-agent for onward hops
  ForwardAgent yes
  # If you have a different local username uncomment the following line
  # and fill in your CSAIL User Name
  # User <CSAIL User Name>
  # ForwardX11 yes

# Share one authenticated connection to the jump/login hosts so that later
# sessions reuse it instead of prompting DUO again
Host jump.csail.mit.edu login.csail.mit.edu
  VerifyHostKeyDNS yes
  ControlMaster auto
  ControlPersist 10h
  ### This directory must be manually created! ###
  ControlPath ~/.ssh/cm_socket/%C
  #  If running AFS, comment-out the line above and uncomment the line below.
  #  ControlPath /run/user/%i/cm_socket/%C

# Every other CSAIL host is reached through the jump host
Host *.csail.mit.edu !jump.csail.mit.edu !login.csail.mit.edu 128.52.* 128.30.* 128.31.*
  ProxyJump jump.csail.mit.edu

The above will allow you to connect to hosts using their fully qualified domain names (e.g., ssh login.csail.mit.edu) or their short names (e.g., ssh login).

If you also want to use X11 (to run extra xterms or MATLAB remotely, for example), make sure XQuartz is installed on your Mac and then uncomment the ForwardX11 yes line.

Once you save the file, make sure that you are its owner and no one else can write to it. For example, from within ~/.ssh:

$ chmod 600 config
$ chown $YOU config
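To check the whole setup above before the first real login, here is an added example script (not from the CSAIL page): it creates the ControlPath directory, checks the config file's ownership and permissions, and uses ssh -G to show which options ssh would actually apply to a given host. The demo writes a constructed, trimmed copy of the page's config to a scratch directory; the function names and the paths passed to them are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the CSAIL page. The functions take explicit
# paths; for the real setup pass ~/.ssh/config and ~/.ssh/cm_socket.

# ssh never creates the ControlPath directory itself; make it private to you.
ensure_cm_socket_dir() {
    mkdir -p "$1" && chmod 700 "$1"
}

# ssh treats its config as trusted input (ProxyJump/ProxyCommand run as you),
# so refuse a file that someone else owns or that group/others can write to.
config_perms_ok() {
    [ -f "$1" ] || return 1
    [ -n "$(find "$1" -user "$(id -un)" -print)" ] || return 1
    [ -z "$(find "$1" \( -perm -020 -o -perm -002 \) -print)" ]
}

# Print the option ssh would use for a host (ssh -G resolves the config without
# connecting; option names are printed lowercase). Prints nothing if unset.
effective_opt() {   # usage: effective_opt <config> <host> <option>
    ssh -G -F "$1" "$2" 2>/dev/null | awk -v k="$3" '$1 == k { print $2; exit }'
}

# Constructed, trimmed copy of the page's config (only the stanzas that decide
# jump-host routing and connection sharing) for the demonstration.
write_demo_config() {
    cat > "$1" <<'EOF'
CanonicalizeHostname always
CanonicalDomains csail.mit.edu
Host jump.csail.mit.edu login.csail.mit.edu
  ControlMaster auto
  ControlPath ~/.ssh/cm_socket/%C
Host *.csail.mit.edu !jump.csail.mit.edu !login.csail.mit.edu
  ProxyJump jump.csail.mit.edu
EOF
    chmod 600 "$1"
}

# Run the checks against a scratch copy so the real ~/.ssh/config is untouched.
demo() {
    tmp=$(mktemp -d) || return 1
    write_demo_config "$tmp/config"
    ensure_cm_socket_dir "$tmp/cm_socket"
    config_perms_ok "$tmp/config" && echo "config ownership/permissions ok"
    if command -v ssh >/dev/null 2>&1; then
        echo "login.csail.mit.edu ProxyJump: '$(effective_opt "$tmp/config" login.csail.mit.edu proxyjump)' (expected: none)"
        echo "other.csail.mit.edu ProxyJump: '$(effective_opt "$tmp/config" other.csail.mit.edu proxyjump)'"
    fi
    rm -rf "$tmp"
}
```

Run `demo` to see the result, or call effective_opt against your real ~/.ssh/config and a host to confirm that only the jump and login hosts get ControlMaster and every other CSAIL host gets ProxyJump.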