Secure shell (SSH) is used to connect to command line sessions on remote systems using a secure (encrypted) connection.  There are many different SSH clients available for a range of computing devices but the basic details you will need for your SSH client are:

The host name unix.ncl.ac.uk will always point at the current, live timesharing service server and we recommend that you use this name rather than the individual server hostnames such as "aidan", "finan", etc.

If you wish to verify the server's authenticity before connecting, the timesharing server's key fingerprint is shown below:

SHA256:/Y4i041azse1Yj4Edo8xnnz4AVijVdvsXN4H0UKy6mg.

Contents

1. Connecting from off-campus
2. Using key authentication with OpenSSH (Linux, MacOS)
3. Using key authentication with PuTTY (Windows)
4. Using key authentication with MobaXterm (Windows)
5. Troubleshooting Tips

Connecting from off-campus

To connect to the timesharing service from off-campus you must use SSH key authentication instead of password authentication. Every SSH client tends to handle key authentication slightly differently but the general process is:

1. Create an SSH key pair with your SSH software
2. Copy the public key to the timesharing service and add to your ~/.ssh/authorized_keys file
3. Use the private key to authenticate in your SSH software

Using key authentication with OpenSSH (Linux, MacOS)

First, create an SSH key pair on your computer:

mypc$ ssh-keygen -f mykey

Enter a strong passphrase to protect the private key when prompted.  This will create two files called "mykey" (the private key) and "mykey.pub" (the public key).  The private key should be kept on your computer(s) only and not distributed.

Now push the public key to the timesharing server:

mypc$ ssh-copy-id -i mykey.pub <myuserid>@unix.ncl.ac.uk

(the ssh-copy-id command copies your public key to a remote server and automatically adds it to the authorized_key file - because it uses password authentication you must run this step while connected to the on-campus network)

You can now use SSH key authentication to log into the time sharing service.  Use the ssh command's '-i' switch to indicate that you want to use a private key:

mypc$ ssh -i mykey <myuserid>@unix.ncl.ac.uk

Optionally, you can configure OpenSSH to always use your key for ssh, scp, sftp, etc by creating or editing the client configuration file on your computer ($HOME/.ssh/config).  Add an entry like this:

Host unix.ncl.ac.uk
  User <your campus login ID>
  IdentityFile <path to your private key>

Using key authentication with PuTTY (Windows)

First, start the "PuTTYGen" utility provided with PuTTY and click on "Generate" - follow the instructions to generate the key.  If your installation of PuTTY doesn't include PuTTYGen you can download the latest version from the PuTTY download page.

In the "Public key for pasting into OpenSSH authorized_keys file" text box, right click, "Select All" then right click, "Copy" to copy the OpenSSH public key to your clipboard.

Next, enter a strong passphrase to protect your private key in the "Key Passphrase" and "Confirm Passphrase" boxes.

Finally, save your keys on your computer by clicking on "Save public key" and "Save private key".

Now, start PuTTY and log into unix.ncl.ac.uk as usual.  Create a ".ssh" directory in your home directory if it doesn't already exist:

finan$ mkdir -p ~/.ssh && chmod 700 ~/.ssh

Using the editor of your choice, edit or create the "authorized_keys" file in your ".ssh" directory, eg:

finan$ nano ~/.ssh/authorized_keys

Right-click in the PuTTY window to paste the OpenSSH public key data you copied into your clipboard earlier.  Save the file.

Set the correct permissions on the file

finan$ chmod 600 ~/.ssh/authorized_keys

You can now configure PuTTY to use your private key for authentication.  In the main PuTTY screen navigate to Connection -> SSH -> Auth -> Private Key and select the private key you saved earlier.

Now navigate to Connection -> Data -> Auto-login username and set your campus username.

Return to the main PuTTY session page, add the hostname and save the session settings with a descriptive name.

Using key authentication with MobaXterm (Windows)

MobaXterm uses PuTTY-format keys, so to create your SSH keypair, follow the "PuTTYGen" instructions above.  Once you have generated your keys and copied the public key data to the timesharing server you can create a new SSH session (or modify an existing one) in MobaXterm to use them.

Right click in the "User Sessions" pane and create or modify a session.

On the "SSH" pane, click on the "Advanced SSH Settings" tab and tick "Use private key".  Click on the adjacent blue document icon to search for your PuTTY private key you generated earlier and select it. 

Save the session and connect as usual.

Troubleshooting Tips

• Ensure that the permissions on your ".ssh" directory (chmod 700) and "authorized_keys" file (chmod 600) on the timesharing server are correct
• Check that the data in the ~/.ssh/authorized_keys file on the timesharing server matches the original public key exactly
• Make sure your public key is in OpenSSH format: if it was generated with a different client it may need to be converted
• If you see a message like "REMOTE HOST IDENTIFICATION HAS CHANGED" this is usually the result of maintenance or upgrades on the server itself.  You will need to remove the cached hostkey entries on your local SSH client to continue connecting:
  • • Recent versions of OpenSSH: run the following commands...
      • ssh-keygen -f $HOME/.ssh/known_hosts -R "finan.ncl.ac.uk"
      • ssh-keygen -f $HOME/.ssh/known_hosts -R "aidan.ncl.ac.uk"
      • ssh-keygen -f $HOME/.ssh/known_hosts -R "unix.ncl.ac.uk"

• • • Older versions of OpenSSH: edit the $HOME/.ssh/known_hosts file, find the lines starting with "finan.ncl.ac.uk", "aidan.ncl.ac.uk" or "unix.ncl.ac.uk", delete them and save the file

• • • Other SSH clients: Consult the documentation for your client regarding removing cached hostkeys.