Setting up SSH on MacOS

Using SSH on MacOS

SSH access restrictions

Inbound SSH connections from outside the CSAIL network to most systems on the CSAIL network are blocked by default. SSH connections within the CSAIL network (either on Ethernet or CSAILPrivate) remain open. Inbound SSH connections to the public login server login.csail.mit.edu remain open.

To SSH to systems from outside the CSAIL network, you have 3 options:

  1. Use the MIT VPN for SSH access
  2. Use the CSAIL jump host for SSH access
  3. Allowlist an SSH server

MIT VPN access

The simplest way to access your systems within CSAIL from outside the CSAIL network is to use the Campus VPN, which is allowlisted.

No additional configuration is required while connected to the campus VPN. If you’d prefer not to use the VPN, follow the instructions below to configure your SSH client to use our jump host.

Using SSH with the CSAIL Jump Host

TIG is supplying a dedicated jump host (separate from the login servers) called jump.csail.mit.edu. This server is configured to allow only proxy connections, not interactive logins.

Despite the impending network restrictions, most people can continue to access all CSAIL systems transparently by setting up their SSH client configuration.

Please see the applicable configuration options for your platform.

Configuring CSAIL SSH via Jump Host for Mac OS 10.12+

Place the following in the .ssh/config file within your local home directory (i.e., /Users/$YOU/.ssh/config).

This configuration will allow you to SSH to systems from within or outside the CSAIL network using Kerberos authentication.

Host jump.csail.mit.edu
  GSSAPIAuthentication yes
  VerifyHostKeyDNS yes
  # optional, if X forwarding is desired
  #ForwardX11 yes
  # optional, if your local username does not match YOUR_CSAIL_USERNAME
  #User YOUR_CSAIL_USERNAME
Host *.csail.mit.edu !jump.csail.mit.edu 128.52.* 128.30.* 128.31.*
  ProxyJump jump.csail.mit.edu
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes
  # optional, if X forwarding is desired
  #ForwardX11 yes
  # optional, if your local username does not match YOUR_CSAIL_USERNAME
  #User YOUR_CSAIL_USERNAME

The above will allow you to connect to hosts using their fully qualified domain names (e.g., ssh login.csail.mit.edu). If you also want to use X11 (to run extra xterms or MATLAB remotely, for example), make sure X11.app is installed on your Mac and then add ForwardX11 yes just after GSSAPIDelegateCredentials yes.

Once you save the file, make sure that you are its owner and no one else can write to it. For example:

$ chmod 600 ~/.ssh/config
$ chown $YOU ~/.ssh/config
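
The following is an added example, not part of the original TIG instructions. It models how the second Host line above selects targets for ProxyJump, which shows why fully qualified names are needed and why jump.csail.mit.edu is excluded, and it checks the owner and write permissions described in the last step. The sample IP address, the non-CSAIL hostnames and the function names are constructed for illustration.

```python
import os
import re
import stat

# Host patterns copied from the second Host block of the config above.
PROXIED = "*.csail.mit.edu !jump.csail.mit.edu 128.52.* 128.30.* 128.31.*"


def _matches(pattern, host):
    """ssh_config wildcards: '*' is any run of characters, '?' exactly one."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, host) is not None


def host_block_applies(patterns, host):
    """A Host block applies when at least one positive pattern matches the
    name typed on the command line and no negated (!) pattern matches it."""
    positive = False
    for pattern in patterns.split():
        if pattern.startswith("!"):
            if _matches(pattern[1:], host):
                return False  # a negated match always excludes the host
        elif _matches(pattern, host):
            positive = True
    return positive


def config_is_private(path):
    """True when the current user owns the file and neither group nor
    others can write to it, which is what chmod 600 plus chown achieve."""
    st = os.stat(path)
    writable_by_others = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    return st.st_uid == os.getuid() and not writable_by_others


if __name__ == "__main__":
    # Constructed sample targets; only the hostnames on this page are real.
    for host in ("login.csail.mit.edu", "jump.csail.mit.edu",
                 "128.52.0.10", "login", "example.org"):
        route = "via jump host" if host_block_applies(PROXIED, host) else "direct"
        print(f"{host:22} {route}")
    cfg = os.path.expanduser("~/.ssh/config")
    if os.path.exists(cfg):
        print(cfg, "ok" if config_is_private(cfg) else "fix owner/mode")
```

A short name such as login does not match *.csail.mit.edu, so it would not be routed through the jump host.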