Setting up SSH on Windows
Using SSH on Windows
For secure, password-less SSH login to CSAIL systems, please first set up Kerberos for Windows.
SSH access restrictions
Inbound SSH connections from outside the CSAIL network to most systems on the CSAIL network are blocked by default. SSH connections within the CSAIL network (either on Ethernet or CSAILPrivate) remain open. Inbound SSH connections to the public login server login.csail.mit.edu remain open.
To SSH to systems from outside the CSAIL network, you have 3 options:
MIT VPN access
The simplest way to access your systems within CSAIL from outside the CSAIL network is to use the Campus VPN, which is allowlisted.
No additional configuration is required while connected to the campus VPN. If you’d prefer not to use the VPN, follow the instructions below to configure your SSH client to use our jump host.
Using SSH with the CSAIL Jump Host
TIG is supplying a dedicated jump host (separate from the login servers) called jump.csail.mit.edu. This server is configured to allow only proxy connections, not interactive logins.
Despite the impending network restrictions, most people can continue to transparently access all CSAIL systems by setting up their client SSH config.
Please see the applicable configuration options for your platform.
Using SSH to CSAIL via VPN
Using the jump host on Windows is more complicated than on Linux or macOS. Therefore, if you need to SSH to a CSAIL system from outside the CSAIL network, we suggest using the VPN. If you’d rather not use the VPN, skip to Using SSH to CSAIL via Jump Host for Windows 10.
Both PuTTY and SecureCRT can be used for connecting to CSAIL Linux hosts without passwords. Kerberos tickets allow passwordless logins, and assuming ticket delegation is turned on, also allow access to AFS files once logged in. PuTTY is recommended as a leaner, freer, and more reliable alternative, while SecureCRT has convenient integrated graphical file transfer.
For PuTTY, v.0.61 or later, create a Saved Session with CSAIL-specific settings. In PuTTY Configuration:
- In Connection -> SSH -> Auth -> GSSAPI, set “Allow GSSAPI credential delegation” to YES
- In Connection -> Data, set “Auto-login username” to your CSAIL username
- In Session, leave Host Name blank and use csail as the session name under “Saved Settings”
- Click “Save”
To connect manually, click csail and Load, then enter a Host Name like login.csail.mit.edu and click Open.
For SecureCRT:
- In either “Quick Connect” or Connection Properties -> SSH2, move GSSAPI to be the top item in the “Authentication” list.
- If Kerberos allows you to connect but you can’t see/edit AFS files and the output of klist starts with “No credentials cache found”, make sure that in the “Authentication” list, GSSAPI -> Properties -> Delegation is set to “Full”.
WARNING: There is a poorly understood issue preventing delegation from completing successfully using SecureCRT on some Windows installations. Please run klist after connecting to confirm that tickets made it to the remote system; if not, try PuTTY or email help@csail.
Using SSH to CSAIL via Jump Host for Windows 10 on SecureCRT
Using SSH to CSAIL via the jump host on Windows allows you to SSH to systems from within or outside the CSAIL network using Kerberos authentication. Connecting to the VPN is not necessary, but this method requires a more complicated configuration. We have not gotten this to work reliably with PuTTY, only with SecureCRT.
- Create a new session to the jump host
  - From Session Manager -> New Session
  - Connection Tab
    - Name -> enter “csail jump” or similar friendly name.
    - Leave rest defaults
  - SSH2 Tab
    - Hostname = jump.csail.mit.edu
    - Username = [your csail username]
    - Authentication = In following order and checked: GSSAPI, PublicKey, Keyboard Interactive, Password.
    - Leave the rest defaults
- Create a session to the final host
  - This is the connection you already have to the host you are SSHing to. If you have one, skip to the next session. If you need to create a new one:
  - From Session Manager -> New Session
  - Connection Tab
    - Name -> enter the [hostname] or similar friendly name.
    - Leave rest defaults
  - SSH2 Tab
    - Hostname = [hostname].csail.mit.edu
    - Firewall: Select Session -> select the jump host session from previous step
    - Username = [your csail username]
    - Authentication = In following order and checked: GSSAPI, PublicKey, Keyboard Interactive, Password.
    - Leave the rest defaults
- Now you can connect to the final host session and it will use the jump host.
Using SSH to CSAIL via Jump Host for Windows 10 on PuTTY
In order to use PuTTY on Windows with a jump host, you will first need to have either public-key authentication (see below) or Kerberos/GSSAPI configured and working. Kerberos authentication is the best option if available on your machine. If you’re using public-key authentication, you will need to have your private key loaded in Pageant; if you’re using Kerberos, you will need to have valid, unexpired Kerberos tickets.
Save a working Kerberos or public-key configuration with destination host jump.csail.mit.edu under the name jump.csail.mit.edu in PuTTY’s saved sessions on the main PuTTY connection settings pane.
To set up PuTTY to use the proxy, in a fresh PuTTY connection, go to the “Proxy” pane, select a proxy type of “local”, enter jump.csail.mit.edu in the proxy name field, and in the “proxy command” field, enter
plink.exe %user@%proxyhost -agent -nc %host:%port
and choose “Until connection start” in the selector below. Save this on the main connection settings pane under a memorable name like “CSAIL proxy”.
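
To confirm that the PuTTY saved sessions described above (the csail session with GSSAPI delegation, and the jump-host and proxy sessions) hold the intended settings, the following PowerShell script reads them back from the registry. It is an added example, not part of the original instructions; it assumes PuTTY's default per-user registry storage, that the proxy session was saved as “CSAIL proxy”, and that a ProxyMethod value of 5 means proxy type “Local”.

```powershell
# Added example, not part of the original page. Assumes PuTTY's default
# per-user registry storage and the session names used on this page.
$root     = 'HKCU:\Software\SimonTatham\PuTTY\Sessions'
$jumpHost = 'jump.csail.mit.edu'

function Get-PuttySession([string]$Name) {
    # PuTTY stores a space in a session name as %20 in the registry key name.
    $key = Join-Path $root ($Name -replace ' ', '%20')
    if (Test-Path -LiteralPath $key) { Get-ItemProperty -LiteralPath $key }
}

$problems = @()

# "csail": GSSAPI delegation on, auto-login username set, Host Name blank.
$csail = Get-PuttySession 'csail'
if (-not $csail) {
    $problems += 'Saved session "csail" not found'
} else {
    if ($csail.GssapiFwd -ne 1) { $problems += 'csail: GSSAPI credential delegation is not enabled' }
    if (-not $csail.UserName)   { $problems += 'csail: Auto-login username is empty' }
    if ($csail.HostName)        { $problems += 'csail: Host Name should be blank' }
}

# Jump-host session: the page saves it under the jump host's own name.
$jump = Get-PuttySession $jumpHost
if (-not $jump) {
    $problems += "Saved session `"$jumpHost`" not found"
} elseif ($jump.HostName -ne $jumpHost) {
    $problems += "${jumpHost}: Host Name is `"$($jump.HostName)`""
}

# Proxy session ("CSAIL proxy" is the example name suggested on the page).
$proxy = Get-PuttySession 'CSAIL proxy'
if (-not $proxy) {
    $problems += 'Saved session "CSAIL proxy" not found'
} else {
    # Assumption: 5 is the value PuTTY writes for proxy type "Local";
    # confirm against a session saved from the GUI.
    if ($proxy.ProxyMethod -ne 5)       { $problems += 'CSAIL proxy: proxy type is not "Local"' }
    if ($proxy.ProxyHost -ne $jumpHost) { $problems += "CSAIL proxy: proxy hostname is not $jumpHost" }
    if ($proxy.ProxyTelnetCommand -notlike 'plink.exe *-nc %host:%port*') {
        $problems += 'CSAIL proxy: proxy command does not match the page'
    }
}

# The proxy command calls plink.exe by bare name, so PuTTY must be able to find it.
if (-not (Get-Command plink.exe -ErrorAction SilentlyContinue)) {
    $problems += 'plink.exe was not found on PATH'
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { 'PuTTY saved sessions match the settings on this page.' }
```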