Category: Help for New Users, Linux, Remote Working

Subject: SSH

SSH is a simple, secure way of connecting to the shell (or terminal) of a remote Linux system.

Please note: All of the desktop/daq clients have names of the form <hostname>.nat.physics.ox.ac.uk

Users in AOPP might also need to try <hostname>.atm.ox.ac.uk to access interactive servers

For PuTTY users: we would prefer you use the ssh client built into Windows, but if you'd prefer you're welcome to follow the PuTTY help page.

Setup

SSH is simple to use, but it can be made easier with some settings. To start, type mkdir ~/.ssh; editor ~/.ssh/config. This should open a text file with your configuration (or a blank file).
On Windows, right-click the Start or Search menu and enter "notepad" instead of "editor". Your configuration file is located at C:\Users\<YourUsername>\.ssh\config; create the folder and file if required.

If you add the following configuration to the file, it will allow you to connect to our systems more easily. As with all system configuration, you will need to tailor this to your use case, especially if you work with multiple institutions.

Host *
ConnectTimeout 10
Host *.physics.ox.ac.uk
# This sets the username ssh will try to use by default for anything under the physics domain
# Please change this to your physics username.
User <my_physics_username>
# If using ssh keys you can specify the key here, and remove the "# "
# IdentityFile ~/.ssh/id_2025_oxphy
# If you have multiple keys you should always specify which to use, as too many auth attempts
# will be blocked. To disable keys entirely, uncomment this line:
# PubkeyAuthentication=no
Host winfe.physics.ox.ac.uk gitlab.physics.ox.ac.uk bastion.physics.ox.ac.uk
# These three systems should be accessed directly without the proxy
ProxyJump none
Host *.physics.ox.ac.uk !bastion.physics.ox.ac.uk
# This tells ssh to "jump" via another system, this is needed to get in from outside the network.
ProxyJump bastion.physics.ox.ac.uk
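The ordering of the Host blocks above matters: ssh_config uses the first value it obtains for each option, so the block that sets ProxyJump none for winfe, gitlab and bastion has to come before the wildcard block that sends everything else through the bastion. The following is an added example, not code from this page or from OpenSSH: a small re-implementation of the Host-matching and first-match rules, run over the configuration above and over a deliberately mis-ordered copy. The real client does this for you, and ssh -G <host> prints what it resolved; the config text, the REORDERED_CONFIG variant and the hostnames used are constructed for the demonstration.

```python
"""Resolve the options ssh would apply to a hostname from an ssh_config.

Added example, not from the page or OpenSSH: a minimal re-implementation
of the Host-matching rules the configuration above depends on. The real
client does this for you; `ssh -G <host>` prints what it resolved. The
config text below is constructed from the page's example.
"""
import fnmatch
import re

SAMPLE_CONFIG = """\
Host *
ConnectTimeout 10
Host *.physics.ox.ac.uk
User <my_physics_username>
Host winfe.physics.ox.ac.uk gitlab.physics.ox.ac.uk bastion.physics.ox.ac.uk
ProxyJump none
Host *.physics.ox.ac.uk !bastion.physics.ox.ac.uk
ProxyJump bastion.physics.ox.ac.uk
"""

# Same blocks with the two ProxyJump sections swapped: a common mistake
# (constructed to show why the order above is the right one).
REORDERED_CONFIG = """\
Host *
ConnectTimeout 10
Host *.physics.ox.ac.uk !bastion.physics.ox.ac.uk
ProxyJump bastion.physics.ox.ac.uk
Host winfe.physics.ox.ac.uk gitlab.physics.ox.ac.uk bastion.physics.ox.ac.uk
ProxyJump none
"""


def host_matches(patterns, hostname):
    """ssh_config Host semantics: a matching negated pattern ('!x') vetoes
    the block; otherwise the block applies if any positive pattern matches.
    Only the '*' and '?' wildcards matter for hostnames."""
    negated = [p[1:] for p in patterns if p.startswith("!")]
    positive = [p for p in patterns if not p.startswith("!")]
    if any(fnmatch.fnmatchcase(hostname, p) for p in negated):
        return False
    return any(fnmatch.fnmatchcase(hostname, p) for p in positive)


def parse_config(text):
    """Return [(host_patterns, {option: value}), ...] in file order."""
    blocks = [(["*"], {})]          # options before the first Host line
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts 'Key value', 'Key=value' and 'Key = value'
        m = re.match(r"(\w+)\s*=?\s*(.*)$", line)
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1][key] = value
    return blocks


def resolve(blocks, hostname):
    """The first value obtained for an option wins (ssh_config(5)), so the
    host-specific blocks must appear before the wildcard ones."""
    effective = {}
    for patterns, options in blocks:
        if host_matches(patterns, hostname):
            for key, value in options.items():
                effective.setdefault(key, value)
    return effective


def proxy_jump_for(hostname, text=SAMPLE_CONFIG):
    """The jump host ssh would use, or None for a direct connection."""
    value = resolve(parse_config(text), hostname).get("proxyjump", "none")
    return None if value.lower() == "none" else value


if __name__ == "__main__":
    for h in ("cplxts12.nat.physics.ox.ac.uk", "winfe.physics.ox.ac.uk",
              "bastion.physics.ox.ac.uk", "example.org"):
        print(h, "->", resolve(parse_config(SAMPLE_CONFIG), h))
    print("winfe with blocks reordered ->",
          proxy_jump_for("winfe.physics.ox.ac.uk", REORDERED_CONFIG))
```

With the page's ordering a desktop such as cplxts12 is reached via the bastion while winfe and the bastion itself are contacted directly; with the two ProxyJump blocks swapped, winfe would also be sent through the bastion, because the wildcard block is the first one to set the option.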

Host Keys

When you first connect to a system it will ask you to accept the host key for that system. 

For the bastion service this is "SHA256:l3/khU/E+6BbJstls9883ldQFlh4u1416QDzTHlKhmg"
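The fingerprint ssh shows at first connection is the SHA256 digest of the raw host key blob, base64-encoded without padding, and the right check is an exact comparison of the whole string against the one published here, not a glance at the first few characters. The following is an added example, not code from this page: it reproduces that computation in Python so that a known_hosts entry (or a line printed by ssh-keyscan) can be checked against the published fingerprint. The host key in it is constructed from 32 dummy bytes, so its fingerprint is not the real bastion fingerprint; the page's value is included only to show what a mismatch looks like.

```python
"""Compute the SHA256 fingerprint ssh prints for a host key and compare it
with the one published for a service.

Added example, not from the page or OpenSSH: it does what `ssh-keygen -lf`
does for a public key line. The known_hosts entry below is CONSTRUCTED
(32 dummy key bytes), so its fingerprint is not the real bastion one.
"""
import base64
import hashlib
import struct


def ssh_string(b: bytes) -> bytes:
    """SSH wire encoding: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def read_ssh_string(buf: bytes, offset: int):
    (n,) = struct.unpack_from(">I", buf, offset)
    return buf[offset + 4:offset + 4 + n], offset + 4 + n


def fingerprint_sha256(pubkey_blob: bytes) -> str:
    """OpenSSH's SHA256 fingerprint: base64 of the digest of the decoded
    key blob (second field of a public key line), '=' padding removed."""
    digest = hashlib.sha256(pubkey_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts_line(line: str):
    """Return (hostnames, key_type, blob) for one known_hosts entry."""
    fields = line.split()
    if fields[0].startswith("@"):        # @cert-authority / @revoked marker
        fields = fields[1:]
    hosts, key_type, b64 = fields[0], fields[1], fields[2]
    blob = base64.b64decode(b64)
    wire_type, _ = read_ssh_string(blob, 0)
    if wire_type != key_type.encode():
        raise ValueError("key type field does not match the key blob")
    return hosts.split(","), key_type, blob


def host_key_matches(known_hosts_text: str, hostname: str, expected: str) -> bool:
    """True only if an entry for `hostname` exists and its fingerprint is
    exactly the published one."""
    for line in known_hosts_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        hosts, _, blob = parse_known_hosts_line(line)
        if hostname in hosts:
            return fingerprint_sha256(blob) == expected
    return False


# CONSTRUCTED sample: a fake ed25519 host key recorded for the bastion name.
FAKE_KEY = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
FAKE_KNOWN_HOSTS = ("bastion.physics.ox.ac.uk ssh-ed25519 "
                    + base64.b64encode(FAKE_KEY).decode() + "\n")
FAKE_FINGERPRINT = fingerprint_sha256(FAKE_KEY)
# The fingerprint the page publishes for the real bastion service.
PAGE_FINGERPRINT = "SHA256:l3/khU/E+6BbJstls9883ldQFlh4u1416QDzTHlKhmg"

if __name__ == "__main__":
    print("fake key fingerprint:", FAKE_FINGERPRINT)
    print("matches itself:", host_key_matches(FAKE_KNOWN_HOSTS, "bastion.physics.ox.ac.uk", FAKE_FINGERPRINT))
    print("matches published:", host_key_matches(FAKE_KNOWN_HOSTS, "bastion.physics.ox.ac.uk", PAGE_FINGERPRINT))
```

To check a real entry, paste the line for bastion.physics.ox.ac.uk from ~/.ssh/known_hosts (or the output of ssh-keyscan for it) in place of FAKE_KNOWN_HOSTS and compare against PAGE_FINGERPRINT; a False result means the key on record is not the published one.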

Keys

SSH keys are extremely long and complex passwords that allow us to connect without repeatedly typing our password. If you use this method you are responsible for keeping your key secure: it must be password protected, and not doing so is a breach of university policy.

To create a new key, type: pushd ~ ; ssh-keygen -t ed25519 -f .ssh/id_2025_oxphy ; popd . This will walk you through creating a new key; the default options are very sensible and you should only have to enter a password. This password is just for your key; please do not use your physics password.

We recommend using a custom filename so that you can limit exposure if the key is compromised and rotate keys when required, while keeping the old keys.

user@cplxts12:~$ pushd ~ ; ssh-keygen -t ed25519 -f .ssh/id_2025_oxphy ; popd
~ ~
Generating public/private ed25519 key pair.
Enter file in which to save the key (.ssh/id_2025_oxphy):
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in .ssh/id_2025_oxphy
Your public key has been saved in .ssh/id_2025_oxphy.pub
The key fingerprint is:
SHA256:CKYYxqjvRln4HO8vWBlkw/xf6BnuOU31v3BWKt4wfCw user@<hostname>.nat.physics.ox.ac.uk
The key's randomart image is:
+--[ED25519 256]--+
|                 |
|o .              |
|== .o            |
|==+=...          |
|ooBOo.. S.       |
| .*B= o o        |
| .+=.E *         |
| .+++ %          |
| .o..+.+.        |
+----[SHA256]-----+


Once this is done, update the `~/.ssh/authorized_keys` file in your Linux home area to include the public half of the key; this will sync to the bastion server. You can repeat this for any machine you want to connect to so that it does not ask for a password. This will not work on machines that have networked home directories, as you need to authenticate with a password before the home area is available.

On Windows, upload the (e.g.) id_2025_oxphy.pub file (only) with pushd ~ ; scp .ssh/id_2025_oxphy.pub cplxts12.nat.physics.ox.ac.uk:.ssh/ ; popd in PowerShell.
If you do not have access to a Linux system which mounts your home directory, you can do this via cplxts12.nat.physics.ox.ac.uk, which is available to all users via RDP or SSH.
 
If you use the physics Gitlab you should also upload this key to the user settings page, this will allow you to access git repositories without typing your password. It's recommended to set the expiry here to 1 year as this will give you a reminder to rotate the key.
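The policy above requires the private key to be passphrase protected. ssh-keygen records how the key is protected in the header of the openssh-key-v1 container it writes: a key saved with an empty passphrase carries the cipher name "none" and KDF name "none", while a passphrase-protected key defaults to aes256-ctr with the bcrypt KDF. The following is an added example, not code from this page or from OpenSSH, that reads that header so you can audit the files in ~/.ssh without decrypting anything. The two keys it checks are constructed containers with dummy key material, enough to exercise the parser but not usable keys; the function names are the example's own.

```python
"""Check whether an OpenSSH private key is passphrase-protected.

Added example (not the page's or OpenSSH's code): reads the header of the
`openssh-key-v1` container written by ssh-keygen and reports the cipher
and KDF names. "none"/"none" means the key is stored unencrypted. The two
keys below are CONSTRUCTED headers with dummy bodies, not real keys.
"""
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
PEM_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_END = "-----END OPENSSH PRIVATE KEY-----"


def ssh_string(b: bytes) -> bytes:
    """SSH wire encoding: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def read_ssh_string(buf: bytes, offset: int):
    (n,) = struct.unpack_from(">I", buf, offset)
    return buf[offset + 4:offset + 4 + n], offset + 4 + n


def key_header(pem_text: str) -> dict:
    """Return the cipher, KDF and key count from an OpenSSH private key file."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if lines[0] != PEM_BEGIN or lines[-1] != PEM_END:
        raise ValueError("not an OpenSSH private key (PEM armour missing)")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad magic; not openssh-key-v1 format")
    off = len(MAGIC)
    cipher, off = read_ssh_string(blob, off)
    kdf, off = read_ssh_string(blob, off)
    _kdfopts, off = read_ssh_string(blob, off)   # salt + rounds when bcrypt
    (nkeys,) = struct.unpack_from(">I", blob, off)
    return {"cipher": cipher.decode(), "kdf": kdf.decode(), "keys": nkeys}


def is_passphrase_protected(pem_text: str) -> bool:
    """A key counts as protected only if both a cipher and a KDF are set."""
    h = key_header(pem_text)
    return h["cipher"] != "none" and h["kdf"] != "none"


def unprotected_keys(named_keys):
    """Given [(name, pem_text), ...], return the names stored without a passphrase."""
    return [name for name, pem in named_keys if not is_passphrase_protected(pem)]


def _fake_key(cipher: bytes, kdf: bytes, kdfopts: bytes) -> str:
    """Build a CONSTRUCTED container with dummy public/private sections."""
    body = (MAGIC + ssh_string(cipher) + ssh_string(kdf) + ssh_string(kdfopts)
            + struct.pack(">I", 1)                 # number of keys
            + ssh_string(b"\x00" * 51)             # dummy public key blob
            + ssh_string(b"\x00" * 160))           # dummy private section
    b64 = base64.b64encode(body).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{PEM_BEGIN}\n{wrapped}\n{PEM_END}\n"


UNPROTECTED_KEY = _fake_key(b"none", b"none", b"")
# ssh-keygen's default for a passphrase: aes256-ctr with the bcrypt KDF;
# kdfoptions carries a 16-byte salt and a round count.
PROTECTED_KEY = _fake_key(b"aes256-ctr", b"bcrypt",
                          ssh_string(b"\x01" * 16) + struct.pack(">I", 16))

if __name__ == "__main__":
    for name, pem in (("id_unprotected", UNPROTECTED_KEY), ("id_2025_oxphy", PROTECTED_KEY)):
        print(name, key_header(pem), "protected:", is_passphrase_protected(pem))
    print("needs a passphrase:", unprotected_keys([("id_unprotected", UNPROTECTED_KEY),
                                                   ("id_2025_oxphy", PROTECTED_KEY)]))
```

To audit a real directory, read each file under ~/.ssh that starts with the BEGIN OPENSSH PRIVATE KEY line and pass its text to is_passphrase_protected; a key that comes back False can be given a passphrase in place with ssh-keygen -p -f <file>.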

Copying files

The commands and actions below all assume your configuration roughly matches the one above. If something does not work, first try to update your configuration, then contact IT Support if it still does not work.

From the CLI

scp and rsync are both used for uploading files. As a rule, scp is for simpler tasks involving a single file, and rsync can do much more complicated actions.
 

To a specific machine

scp ./local_file remote.nat.physics.ox.ac.uk:/tmp/ # Upload file into the tmp directory
rsync -Pr ./local_file remote.nat.physics.ox.ac.uk:remote_path/ # -P show progress; -r recurse (include folders)

To a group / website / home area

scp ./local_file winfe.physics.ox.ac.uk:/dfs/Groups/CondensedMatter/GROUP_NAME # Upload file into a group share
scp ./local_file winfe.physics.ox.ac.uk:/dfs/LinuxUsers/web/users/USER_NAME # Upload file into a website
scp ./local_file winfe.physics.ox.ac.uk:/myhome # Upload file into your Windows home area
scp ./local_file winfe.physics.ox.ac.uk:/home/USER_NAME # Upload file into your Linux home area

From the GUI

The Linux file manager natively understands sftp, so you can simply give it the path to a file and it should handle it invisibly. For example, my Windows home area is accessible from my Linux desktop by typing the path sftp://winfe.physics.ox.ac.uk/myhome/. This can be done with any of the URLs from the previous section.

On Windows, you can either access the DFS tree directly (recommended) or configure WinSCP. If you are transferring a file directly to a machine, WinSCP is the only option.

Troubleshooting

WARNING: Connection is not using post-quantum kex

This is a client-side warning given when a server does not support either `sntrup761x25519-sha512@openssh.com` or `mlkem768x25519-sha256`; these key exchange algorithms have been hardened against possible future quantum-computing-based attacks.

Where possible these are being enabled on all systems, but some Windows users may need to copy the configuration from the Corrupted MAC on Input section into their configuration file.

General Advice

Try running "ssh -v ..." where you would have run "ssh ..." and look at the end of the output for clues. If you don't get anywhere with that, send the whole of the log with a description of what you expect and what you actually see to itsupport@physics.ox.ac.uk. Please include the network you're on (so, how you're connected to the internet, e.g. Physics_S, my home ISP, etc), the operating systems of the computers you're connecting from and to, and what you're trying to do.  

If your config does not specify an ssh key to use, ssh will automatically try them all; this fails after three attempts. Please either specify which key to use or tell it not to use them.

Corrupted MAC on input

If you are using OpenSSH on Windows and see the error "Corrupted MAC on input", add the lines below to the file config in the .ssh subdirectory of your user profile (cd %userprofile%, or cd ~ in PowerShell, to go to your user profile directory):

Host *
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256

Documents: Drupal page URL (06-12-2024 10:32)
Writer: Matthew Clifford-Smith
Created on 16-11-2011 01:11
Last update on 23-01-2026 13:36
This item is part of the Physics IT knowledgebase