The bastion host barbican.ch.cam.ac.uk requires ssh keys and an MFA token to log in.

Registering your ssh public key

The server will check for any ssh public keys you have on the University Gitlab instance hosted at https://gitlab.developers.cam.ac.uk . You must make sure you have at least one key available there before logging in to barbican.ch.cam.ac.uk for the first time. If you have never logged in to the University Gitlab instance, go to https://gitlab.developers.cam.ac.uk/users/sign_in and click Sign in with University Account.

You can manage your public keys on the University Gitlab instance at https://gitlab.developers.cam.ac.uk/-/user_settings/ssh_keys .

Enrolling in MFA

Once you have a public key registered (see above), ssh to barbican.ch.cam.ac.uk. You will be prompted for a Verification token. At this point you should automatically receive an email from support@ch.cam.ac.uk with a QR code that you can scan in any TOTP app. The email will be sent to your address recorded in the Department's administration database.

Once enrolled, enter the token from your MFA app at the Verification token prompt. You may need to start another ssh connection attempt if the earlier one has timed out. Once you have authenticated with an MFA token, you should not need to re-enter a token for 7 days for connections made from the same IP address.

Resetting MFA tokens

If you need to reset your MFA token for the bastion service, please email support@ch.cam.ac.uk.

Changing your ssh public keys

You can manage your public keys on the University Gitlab instance at https://gitlab.developers.cam.ac.uk/-/user_settings/ssh_keys .

Once you have enrolled in MFA and logged in, you can manually manage your ~/.ssh/authorized_keys file as normal if you wish (e.g. by running ssh-copy-id). Note that your University Gitlab public keys will only be used if no matching key is found in your ~/.ssh/authorized_keys on barbican.

If you need to reset your authorized keys on barbican and revert to those on the University Gitlab service, please email support@ch.cam.ac.uk.


Host Fingerprint

ssh servers are identified via a fingerprint. This is a unique identifier associated with the server that allows you to verify that the server you are connecting to really is the server you think it is. For example, if you are using an internet connection from outside the University, it is theoretically possible for the owner of the internet connection to silently intercept your network traffic and instead redirect it to a malicious server.

You can optionally configure your SSH client to trust all host fingerprints on our managed servers and workstations by trusting our ssh certification authority. Or, you can manually verify the host fingerprint as follows.

Because barbican supports multiple types of ssh host key algorithm, it has multiple fingerprints, one for each type of algorithm. The fingerprint reported by your ssh client should be one of the following, depending on the algorithm your client uses (shown in both SHA256 and MD5 form):

Algorithm   SHA256 fingerprint                                     MD5 fingerprint
RSA         SHA256:f3ovPt9J1yjFaLeS77kwFwi0nsTRuNzIRDaq1XX9zCA   79:b3:45:d8:9a:57:67:59:70:7e:22:2e:54:2b:f2:d3
ECDSA       SHA256:RkH/WF0D3PzxoJ3bD1ULxZ6fvAlx4oipUEjLbXNjho0   2e:ef:3e:f0:12:c6:ad:3c:be:c8:2e:d8:f9:ee:e6:b4
ED25519     SHA256:k+f4EFMWosTrsxD3UoSQ4V9Ed1FmMGWGf9U2BVb+gvc   61:a7:43:39:7b:e0:66:2d:67:10:d9:2f:2c:41:e9:12
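One way to automate this comparison before typing any credentials, as an added example that is not part of the department's own tooling: it computes the SHA256 and MD5 fingerprints of whatever host keys ssh-keyscan returns (the same values ssh-keygen -lf prints) and checks them against the table above. The sample keyscan line used as an offline fallback is constructed for illustration and is deliberately not a real barbican key.

```python
import base64
import hashlib
import subprocess

# Fingerprints published above for barbican.ch.cam.ac.uk (SHA256 and MD5 forms).
PINNED = {
    "SHA256:f3ovPt9J1yjFaLeS77kwFwi0nsTRuNzIRDaq1XX9zCA",  # RSA
    "SHA256:RkH/WF0D3PzxoJ3bD1ULxZ6fvAlx4oipUEjLbXNjho0",  # ECDSA
    "SHA256:k+f4EFMWosTrsxD3UoSQ4V9Ed1FmMGWGf9U2BVb+gvc",  # ED25519
    "79:b3:45:d8:9a:57:67:59:70:7e:22:2e:54:2b:f2:d3",     # RSA, MD5
    "2e:ef:3e:f0:12:c6:ad:3c:be:c8:2e:d8:f9:ee:e6:b4",     # ECDSA, MD5
    "61:a7:43:39:7b:e0:66:2d:67:10:d9:2f:2c:41:e9:12",     # ED25519, MD5
}
# Constructed sample (the blob is just b"test"); used offline and must report NOT pinned.
SAMPLE_KEYSCAN = "barbican.ch.cam.ac.uk ssh-ed25519 dGVzdA==\n"


def fingerprints(key_blob: bytes) -> tuple[str, str]:
    """(SHA256, MD5) of a raw key blob as ssh-keygen -l prints them: 'SHA256:' +
    unpadded base64, and colon-separated hex (without the 'MD5:' prefix)."""
    sha = base64.b64encode(hashlib.sha256(key_blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(key_blob).hexdigest()
    return "SHA256:" + sha, ":".join(md5[i:i + 2] for i in range(0, 32, 2))


def check_keyscan(keyscan_output: str, pinned: set[str]) -> dict[str, bool]:
    """Map each key type in 'host type base64blob' lines to whether one of its
    fingerprints is pinned. Undecodable blobs count as a mismatch."""
    results = {}
    for line in keyscan_output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue  # blank lines and ssh-keyscan comment lines
        try:
            sha, md5 = fingerprints(base64.b64decode(parts[2], validate=True))
            results[parts[1]] = sha in pinned or md5 in pinned
        except ValueError:
            results[parts[1]] = False
    return results


if __name__ == "__main__":
    try:  # live check against the bastion; falls back to the sample when offline
        scan = subprocess.run(["ssh-keyscan", "-t", "rsa,ecdsa,ed25519",
                               "barbican.ch.cam.ac.uk"], capture_output=True,
                              text=True, timeout=30).stdout
    except (FileNotFoundError, subprocess.TimeoutExpired):
        scan = SAMPLE_KEYSCAN
    for key_type, ok in check_keyscan(scan, PINNED).items():
        print(f"{key_type}: {'matches a pinned fingerprint' if ok else 'NOT PINNED, do not log in'}")
```

Any key type reported as NOT PINNED should be treated exactly like a fingerprint mismatch shown by your ssh client: do not continue, and contact support@ch.cam.ac.uk.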

If your ssh client reports a fingerprint that is not listed in the table above when connecting to barbican.ch.cam.ac.uk, or if you see a warning message similar to the one shown below ("WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED"), you should not enter your credentials, and you should instead disconnect immediately and inform support@ch.cam.ac.uk .

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
4c:ef:fe:05:78:8a:a3:fc:b4:e3:1c:f7:11:70:9c:00.
Please contact your system administrator.
Add correct host key in /home/fjc55/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/fjc55/.ssh/known_hosts:1136
remove with: ssh-keygen -f "/home/fjc55/.ssh/known_hosts" -R barbican.ch.cam.ac.uk
ECDSA host key for apps has changed and you have requested strict checking.
Host key verification failed.

Randomart form of fingerprints

As an optional alternative for verifying fingerprints, some ssh clients support a Randomart representation of the fingerprint. The following examples are for the so-called Drunken Bishop implementation used in OpenSSH clients (and possibly also by other clients). These are ASCII-art representations of the fingerprint, and the idea is that one can compare the ASCII-art at a glance and see whether the fingerprint matches or not. For example, with many clients you can see the Randomart representation when you connect by running:

ssh fjc55@barbican.ch.cam.ac.uk -o VisualHostKey=yes

+---[RSA 3072]----+
|         .*o. .. |
|         *o=E.. .|
|        o+*+ . +.|
|       o o=o.+  +|
|      . S o + =  |
|         . . + +.|
|          . B +.o|
|           o+B.oo|
|          .o.*Bo.|
+----[SHA256]-----+

+---[ECDSA 256]---+
|       .o   ..*o.|
|     .   o   +.*o|
|    o + = . .o+oB|
|     + E * +.oo=+|
|      o S = + =+o|
|     . . o . oooo|
|      . .     ..+|
|       .       o.|
|                 |
+----[SHA256]-----+

+--[ED25519 256]--+
|    o=.o+ o =*Xo=|
|   ...oo.o o.B o+|
|    . .o. o  . .+|
|    ..o..+   .. o|
|     +.oS . . o..|
|    . + .B   . o |
|     . +o .     E|
|      .  o       |
|          .      |
+----[SHA256]-----+
