Setting up SSH on MacOS
Using SSH on MacOS
SSH access restrictions
Inbound SSH connections from outside the CSAIL network to most systems on the CSAIL network are blocked by default. SSH connections within the CSAIL network (either on Ethernet or CSAILPrivate) remain open. Inbound SSH connections to the public login server login.csail.mit.edu remain open.
To SSH to systems from outside the CSAIL network, you have 3 options:
MIT VPN access
The simplest way to access your systems within CSAIL from outside the CSAIL network is to use the Campus VPN, which is allowlisted.
No additional configuration is required while connected to the campus VPN. If you’d prefer not to use the VPN, follow the instructions below to configure your SSH client to use our jump host.
Using SSH with the CSAIL Jump Host
TIG is supplying a dedicated jump host (separate from the login servers) called jump.csail.mit.edu. This server is configured to allow only proxy connections, not interactive logins.
Despite the impending network restrictions, most people can continue to transparently access all CSAIL systems by setting up their client SSH config.
Please see the applicable configuration options for your platform.
Configuring CSAIL SSH via Jump Host for Mac OS 10.12+
Place the following in the .ssh/config file within your local home directory (i.e., /Users/$YOU/.ssh/config).
This configuration will allow you to SSH to systems from within or outside the CSAIL network using Kerberos authentication:
Host jump.csail.mit.edu
    GSSAPIAuthentication yes
    VerifyHostKeyDNS yes
    # optional, if X forwarding is desired
    #ForwardX11 yes
    # optional, if your local username does not match YOUR_CSAIL_USERNAME
    #User YOUR_CSAIL_USERNAME

Host *.csail.mit.edu !jump.csail.mit.edu 128.52.* 128.30.* 128.31.*
    ProxyJump jump.csail.mit.edu
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    # optional, if X forwarding is desired
    #ForwardX11 yes
    # optional, if your local username does not match YOUR_CSAIL_USERNAME
    #User YOUR_CSAIL_USERNAME
The above will allow you to connect to hosts using their fully qualified domain names (e.g., ssh login.csail.mit.edu). If you also want to use X11 (to run extra xterms or MATLAB remotely, for example), make sure X11.app is installed on your Mac and then add ForwardX11 yes just after GSSAPIDelegateCredentials yes.
Once you save the file, make sure that you are its owner and no one else can write to it. For example:
$ chmod 600 config
$ chown $YOU config
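
To confirm that the saved file behaves as described, the following added example (not part of TIG's instructions) checks the file's ownership and write permissions and uses ssh -G to show which hosts would be routed through jump.csail.mit.edu. The function names are hypothetical; ssh -G only evaluates the configuration and does not open a connection.

```shell
#!/bin/sh
# Added example: sanity checks for the SSH client config described above.
# Function names are hypothetical and not part of any CSAIL tooling.

# Succeeds only if FILE is a regular file owned by the current user and
# not writable by group or others (the state chmod 600 / chown produces).
config_perms_ok() {
    file=${1:-$HOME/.ssh/config}
    [ -f "$file" ] || return 1
    # find prints the path only when every test passes.
    [ -n "$(find "$file" -user "$(id -u)" ! -perm -020 ! -perm -002)" ]
}

# Prints the ProxyJump value OpenSSH would apply to HOST when using FILE,
# or nothing when the connection would be made directly.
resolved_proxyjump() {
    ssh -G -F "$1" "$2" 2>/dev/null | awk '$1 == "proxyjump" { print $2 }'
}

# Prints one line per host: the host and either its jump host or "direct".
audit_routing() {
    file=$1
    shift
    for host in "$@"; do
        via=$(resolved_proxyjump "$file" "$host")
        printf '%-28s %s\n' "$host" "${via:-direct}"
    done
}

# Typical use after saving the file:
#   config_perms_ok ~/.ssh/config && echo "permissions OK"
#   audit_routing ~/.ssh/config login.csail.mit.edu jump.csail.mit.edu 128.52.0.1
```

The jump host itself should be reported as direct, because the !jump.csail.mit.edu pattern excludes it from the ProxyJump block.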