Bastion Host (remote access with ssh)

The bastion host is a computer on the network that mitigates the security risks of allowing external connections by providing a single entrance point from the internet to the internal network for remote access.

The bastion host for all members of the department is called citadel.ch.cam.ac.uk.

Getting an Account on the Bastion Host

Any user with an Active Directory account may use citadel, using the usual Admitto password. No intervention by Computer Officers is required.

Help

Examples: UNIX and ssh

Log in to citadel:
ssh CRSID@citadel.ch.cam.ac.uk

replacing CRSID with your Cambridge user ID.

Log in to citadel with X11 forwarding:

Linux:
ssh -X CRSID@citadel.ch.cam.ac.uk

Mac:
ssh -Y CRSID@citadel.ch.cam.ac.uk

Copy files to citadel:
scp file CRSID@citadel.ch.cam.ac.uk:/home/CRSID/

Copy files from citadel:
scp CRSID@citadel.ch.cam.ac.uk:/home/CRSID/file ./

Change your password:
passwd

Copying files from your home computer to a file-server in Chemistry

Further details about ssh/winscp for copying files via ssh.

Host Fingerprint

ssh servers are identified via a fingerprint. This is a unique identifier associated with the server that allows you to verify that the server you are connecting to really is the server you think it is. For example, if you are using an internet connection from outside the University, it is theoretically possible for the owner of the internet connection to silently intercept your network traffic and instead redirect it to a malicious server.

You can optionally configure your SSH client to trust all host fingerprints on our managed servers and workstations by trusting our ssh certification authority. Or, you can manually verify the host fingerprint as follows.

Because citadel supports multiple types of ssh host key algorithm, it has multiple fingerprints, one for each type of algorithm. The fingerprint reported by your ssh client should be one of the following SHA256 fingerprints:

RSA
SHA256:v2OOZd820Zfbs95C/xGE+3TmkzYN1TyuAN1f1wN2JnE
ECDSA
SHA256:1B6Le9yEPQNIJ7KgTv0A9fPgDGueuYVmscdo35kOr9w
ED25519
SHA256:4Gb6qYeM3b72swRQ2V1uDx5tPVrvxfAsi6J2iA13mi0

or one of the following MD5 fingerprints:

RSA
c7:97:8b:72:ed:b6:49:d6:86:63:e5:f0:93:4b:3c:d8
ECDSA
eb:7c:f2:2f:75:49:2d:cd:5b:be:40:5e:dc:cf:21:82
ED25519
47:74:a4:d1:8e:28:54:c1:cc:2d:78:af:02:35:7a:07

depending on the algorithm your client uses.
If your ssh client reports a fingerprint that is not listed in the table above when connecting to citadel.ch.cam.ac.uk, or if you see a warning message similar to the one shown below ("WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED"), you should not enter your username/password, and you should instead disconnect immediately and inform support@ch.cam.ac.uk.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
4c:ef:fe:05:78:8a:a3:fc:b4:e3:1c:f7:11:70:9c:00.
Please contact your system administrator.
Add correct host key in /home/fjc55/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/fjc55/.ssh/known_hosts:1136
remove with: ssh-keygen -f "/home/fjc55/.ssh/known_hosts" -R apps
ECDSA host key for apps has changed and you have requested strict checking.
Host key verification failed.
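How the two fingerprint forms listed above are derived from a host key, and how a stored known_hosts entry can be checked against the published list: this is an added example, not part of the original page. The known_hosts line it uses is a constructed dummy key (not citadel's real key), and the function names are hypothetical.

```python
import base64
import hashlib
import struct

# Fingerprints published on this page for citadel.ch.cam.ac.uk.
PUBLISHED = {
    "SHA256:v2OOZd820Zfbs95C/xGE+3TmkzYN1TyuAN1f1wN2JnE",  # RSA
    "SHA256:1B6Le9yEPQNIJ7KgTv0A9fPgDGueuYVmscdo35kOr9w",  # ECDSA
    "SHA256:4Gb6qYeM3b72swRQ2V1uDx5tPVrvxfAsi6J2iA13mi0",  # ED25519
    "c7:97:8b:72:ed:b6:49:d6:86:63:e5:f0:93:4b:3c:d8",     # RSA (MD5)
    "eb:7c:f2:2f:75:49:2d:cd:5b:be:40:5e:dc:cf:21:82",     # ECDSA (MD5)
    "47:74:a4:d1:8e:28:54:c1:cc:2d:78:af:02:35:7a:07",     # ED25519 (MD5)
}

def fingerprints(known_hosts_line):
    """Return (sha256_fp, md5_fp) for one 'host keytype base64' line."""
    _host, keytype, b64 = known_hosts_line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    # The blob begins with a length-prefixed copy of the key type; a mismatch
    # means the line is malformed or has been altered.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != keytype:
        raise ValueError("key type does not match key blob")
    # SHA256 form: unpadded base64 of the digest. MD5 form: colon-separated hex.
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    md5 = ":".join(md5[i:i + 2] for i in range(0, 32, 2))
    return "SHA256:" + sha, md5

def is_published(known_hosts_line, published=PUBLISHED):
    """True only if the key hashes to one of the published fingerprints."""
    return any(fp in published for fp in fingerprints(known_hosts_line))

def constructed_line():
    # Constructed sample: a dummy ED25519 blob (key bytes 0..31), NOT citadel's key.
    blob = (struct.pack(">I", 11) + b"ssh-ed25519" +
            struct.pack(">I", 32) + bytes(range(32)))
    return "citadel.ch.cam.ac.uk ssh-ed25519 " + base64.b64encode(blob).decode()

if __name__ == "__main__":
    line = constructed_line()
    verdict = "published" if is_published(line) else "NOT published: do not log in"
    print(fingerprints(line), verdict)
```
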

Randomart form of fingerprints

As an optional alternative for verifying fingerprints, some ssh clients support a Randomart representation of the fingerprint; the following examples are for the so-called Drunken Bishop implementation used in OpenSSH clients (and possibly also by other clients). These are ASCII-art representations of the fingerprint, and the idea is that one can compare ASCII-art at a glance and see if the fingerprint matches or not. For example, with many clients you can see the Randomart representation when you connect by running:

ssh fjc55@citadel.ch.cam.ac.uk -o VisualHostKey=yes

+---[RSA 1024]----+
|                 |
|                 |
|                 |
|         .   .   |
|        S o + .  |
|         . + % . |
|        . o X E  |
|         o =.= + |
|           .+..  |
+-----------------+

+---[ECDSA 256]---+
|                 |
|                 |
|          .   .+.|
|         E . oo+*|
|        S   +.o==|
|         .  .oo.+|
|        .  . .. .|
|       o. o    . |
|        o+.o.    |
+-----------------+

+--[ED25519 256]--+
|       *ooooo    |
|      E *..+.    |
|     + + +oo     |
|    o o o.o .    |
|     o oS..      |
|      . ..       |
|       .         |
|                 |
|                 |
+-----------------+
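How a Drunken Bishop picture is produced from the fingerprint's digest bytes, written here as an added example rather than code from the original page or from OpenSSH. It accepts either fingerprint form listed above; the function names are hypothetical, and the key-type title that clients print in the top border is omitted.

```python
import base64

SYMBOLS = " .o+=*BOX@%&#/^SE"   # visit count -> character; S = start, E = end
WIDTH, HEIGHT = 17, 9

def digest_from_fingerprint(fp):
    """Decode either fingerprint form shown on this page to raw digest bytes."""
    if fp.startswith("SHA256:"):
        b64 = fp[len("SHA256:"):]
        return base64.b64decode(b64 + "=" * (-len(b64) % 4))  # restore padding
    return bytes.fromhex(fp.replace(":", ""))                 # MD5 colon-hex form

def randomart(digest):
    """Render a digest as the rows of a 17x9 Drunken Bishop grid."""
    field = [[0] * WIDTH for _ in range(HEIGHT)]
    x, y = WIDTH // 2, HEIGHT // 2              # the bishop starts in the centre
    for byte in digest:
        for _ in range(4):                      # four 2-bit moves per byte, low bits first
            x += 1 if byte & 1 else -1          # bit 0: right or left
            y += 1 if byte & 2 else -1          # bit 1: down or up
            x = max(0, min(x, WIDTH - 1))       # the walls stop the bishop
            y = max(0, min(y, HEIGHT - 1))
            if field[y][x] < len(SYMBOLS) - 3:  # visit counts saturate at '^'
                field[y][x] += 1
            byte >>= 2
    field[HEIGHT // 2][WIDTH // 2] = len(SYMBOLS) - 2   # mark the start with 'S'
    field[y][x] = len(SYMBOLS) - 1                      # mark the end with 'E'
    border = "+" + "-" * WIDTH + "+"
    rows = ["|" + "".join(SYMBOLS[v] for v in row) + "|" for row in field]
    return [border] + rows + [border]

if __name__ == "__main__":
    # MD5 fingerprint listed on this page for the ED25519 key.
    fp = "47:74:a4:d1:8e:28:54:c1:cc:2d:78:af:02:35:7a:07"
    print("\n".join(randomart(digest_from_fingerprint(fp))))
```

Because every byte of the digest moves the bishop, two different fingerprints almost always give visibly different pictures, but the picture is a visual aid only; the text fingerprint remains the authoritative value to compare.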

 

 
