Setting up SSH on MacOS

Using SSH on MacOS

SSH access restrictions

Inbound SSH connections from outside the CSAIL network to most systems on the CSAIL network are blocked by default. SSH connections within the CSAIL network (either on Ethernet or CSAILPrivate) remain open. Inbound SSH connections to the public login server login.csail.mit.edu remain open.

To SSH to systems from outside the CSAIL network, you have 3 options:

  1. Use the MIT VPN for SSH access
  2. Use the CSAIL jump host for SSH access
  3. Allowlist an SSH server

MIT VPN access

The simplest way to access your systems within CSAIL from outside the CSAIL network is to use the Campus VPN, which is allowlisted.

No additional configuration is required while connected to the campus VPN. If you’d prefer not to use the VPN, follow the instructions below to configure your SSH client to use our jump host.

Using SSH with the CSAIL Jump Host

TIG is supplying a dedicated jump host (separate from the login servers) called jump.csail.mit.edu. This server is configured to allow only proxy connections, not interactive logins.

Despite the impending network restrictions, most people can continue to access all CSAIL systems transparently by setting up their client SSH config.

Please see the applicable configuration options for your platform.

Configuring CSAIL SSH via Jump Host for Mac OS 10.12+

Place the following in the .ssh/config file within your local home directory (i.e., /Users/$YOU/.ssh/config).

This configuration will allow you to SSH to systems from within or outside the CSAIL network using Kerberos authentication.

CanonicalizeHostname always
CanonicalDomains csail.mit.edu

Host jump.csail.mit.edu
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes
  VerifyHostKeyDNS yes
  # optional: uncomment and edit if your CSAIL username doesn't match your local username
  #User <CSAIL username>
  # optional: uncomment if you need X11 forwarding
  #ForwardX11 yes

Host *.csail.mit.edu !jump.csail.mit.edu !login.csail.mit.edu 128.52.* 128.30.* 128.31.*
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes
  ProxyJump jump.csail.mit.edu
  # optional: uncomment and edit if your CSAIL username doesn't match your local username
  #User <CSAIL username>
  # optional: uncomment if you need X11 forwarding
  #ForwardX11 yes

The above will allow you to connect to hosts using their fully qualified domain names (e.g., ssh login.csail.mit.edu) or their short names (login). If you also want to use X11 (to run extra xterms or MATLAB remotely, for example), make sure XQuartz is installed on your Mac and then uncomment ForwardX11 yes.
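
The Host line of the second block decides which connections are sent through jump.csail.mit.edu. The following Python sketch is an added example (not part of the original page or of TIG's tooling) that models OpenSSH's Host pattern matching, including the negated patterns, together with a simplified CanonicalDomains rewrite. The sample targets other than jump and login are constructed, and canonicalization is assumed to succeed for any dotless name.

```python
import re

# Host line of the proxied block, copied from the configuration above.
PROXIED_HOST_LINE = ("*.csail.mit.edu !jump.csail.mit.edu !login.csail.mit.edu "
                     "128.52.* 128.30.* 128.31.*")
CANONICAL_DOMAIN = "csail.mit.edu"  # from the CanonicalDomains line


def pattern_to_regex(pattern):
    """ssh_config patterns know only '*' (any run of chars) and '?' (one char)."""
    table = {"*": ".*", "?": "."}
    return re.compile("".join(table.get(ch, re.escape(ch)) for ch in pattern))


def host_line_matches(host_line, hostname):
    """True if hostname selects the block opened by 'Host <host_line>'.

    A hit on any negated pattern vetoes the whole line; otherwise at least
    one positive pattern has to match.
    """
    matched = False
    for pattern in host_line.split():
        negated = pattern.startswith("!")
        if pattern_to_regex(pattern[1:] if negated else pattern).fullmatch(hostname):
            if negated:
                return False
            matched = True
    return matched


def canonicalize(name):
    """Simplified CanonicalizeHostname: qualify dotless names only.

    Assumption: the qualified name resolves in DNS; real ssh checks that.
    """
    return name if "." in name else f"{name}.{CANONICAL_DOMAIN}"


def uses_jump_host(hostname):
    return host_line_matches(PROXIED_HOST_LINE, hostname)


if __name__ == "__main__":
    # Constructed sample targets; only jump and login are named on the page.
    for target in ["workstation", "login", "jump.csail.mit.edu",
                   "128.52.10.20", "example.org"]:
        name = canonicalize(target)
        route = "via jump host" if uses_jump_host(name) else "direct"
        print(f"{target:22} -> {name:28} {route}")
```

On a real client, `ssh -G <host>` prints the options OpenSSH would actually apply to that host, including the proxyjump value.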

Once you save the file, make sure that you are its owner and no one else can write to it. For example:

$ chmod 600 config
$ chown $YOU config