The bastion host barbican.ch.cam.ac.uk requires ssh keys and an MFA token to log in.
Registering your ssh public key
The server will check for any ssh public keys you have on the University Gitlab instance hosted at https://gitlab.developers.cam.ac.uk. You must make sure you have at least one key available there before logging in to barbican.ch.cam.ac.uk for the first time. If you have never logged in to the University Gitlab instance, go to https://gitlab.developers.cam.ac.uk/users/sign_in and click Sign in with University Account.
You can manage your public keys on the University Gitlab instance at https://gitlab.developers.cam.ac.uk/-/user_settings/ssh_keys.
Enrolling in MFA
Once you have a public key registered (see above), ssh to barbican.ch.cam.ac.uk. You will be prompted for a Verification token. At this point you should automatically receive an email from support@ch.cam.ac.uk with a QR code that you can scan in any TOTP app. The email will be sent to your address recorded in the Department's administration database.
Once enrolled, enter the token from your MFA app at the Verification token prompt. You may need to start another ssh connection attempt if the earlier one has timed out. Once you have authenticated with an MFA token, you should not need to re-enter a token for 7 days for connections made from the same IP address.
Resetting MFA tokens
If you need to reset your MFA token for the bastion service, please email support@ch.cam.ac.uk.
Changing your ssh public keys
You can manage your public keys on the University Gitlab instance at https://gitlab.developers.cam.ac.uk/-/user_settings/ssh_keys.
Once you have enrolled in MFA and logged in, you can manually manage your ~/.ssh/authorized_keys file as normal if you wish (e.g. by running ssh-copy-id). Note that your University Gitlab public keys will only be used if no matching key is found in your ~/.ssh/authorized_keys on barbican.
If you need to reset your authorized keys on barbican and revert to those on the University Gitlab service, please email support@ch.cam.ac.uk.
Host Fingerprint
ssh servers are identified via a fingerprint. This is a unique identifier associated with the server that allows you to verify that the server you are connecting to really is the server you think it is. For example, if you are using an internet connection from outside the University, it is theoretically possible for the owner of the internet connection to silently intercept your network traffic and instead redirect it to a malicious server.
You can optionally configure your SSH client to trust all host fingerprints on our managed servers and workstations by trusting our ssh certification authority. Or, you can manually verify the host fingerprint as follows.
Because barbican supports multiple types of ssh host key algorithm, it has multiple fingerprints, one for each type of algorithm. The fingerprint reported by your ssh client should be one of the following SHA256 fingerprints:
RSA      SHA256:f3ovPt9J1yjFaLeS77kwFwi0nsTRuNzIRDaq1XX9zCA
ECDSA    SHA256:RkH/WF0D3PzxoJ3bD1ULxZ6fvAlx4oipUEjLbXNjho0
ED25519  SHA256:k+f4EFMWosTrsxD3UoSQ4V9Ed1FmMGWGf9U2BVb+gvc
or one of the following MD5 fingerprints:
RSA      79:b3:45:d8:9a:57:67:59:70:7e:22:2e:54:2b:f2:d3
ECDSA    2e:ef:3e:f0:12:c6:ad:3c:be:c8:2e:d8:f9:ee:e6:b4
ED25519  61:a7:43:39:7b:e0:66:2d:67:10:d9:2f:2c:41:e9:12
depending on the algorithm your client uses.
If your ssh client reports a fingerprint that is not listed above when connecting to barbican.ch.cam.ac.uk, or if you see a warning message similar to the one shown below ("WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED"), you should not enter your credentials, and you should instead disconnect immediately and inform support@ch.cam.ac.uk.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
4c:ef:fe:05:78:8a:a3:fc:b4:e3:1c:f7:11:70:9c:00.
Please contact your system administrator.
Add correct host key in /home/fjc55/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/fjc55/.ssh/known_hosts:1136
  remove with:
  ssh-keygen -f "/home/fjc55/.ssh/known_hosts" -R barbican.ch.cam.ac.uk
ECDSA host key for apps has changed and you have requested strict checking.
Host key verification failed.
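The fingerprint check above can be scripted so that it is done before the first connection rather than read off the screen. The following POSIX sh script is an added example and is not part of the Department's documentation or tooling; the function names (check_fingerprint, parse_keygen_line, verify_host) are my own, and it assumes an OpenSSH client that provides ssh-keyscan and ssh-keygen. The SHA256 values embedded in it are the ones published above; the live check compares what barbican actually presents against that list and reports any key that is not on it.

```shell
#!/bin/sh
# Added example, not part of the Department's documentation: check the host key
# fingerprints that barbican presents against the SHA256 values published above.

# The published SHA256 fingerprints for barbican.ch.cam.ac.uk, one per key type.
BARBICAN_FINGERPRINTS="RSA SHA256:f3ovPt9J1yjFaLeS77kwFwi0nsTRuNzIRDaq1XX9zCA
ECDSA SHA256:RkH/WF0D3PzxoJ3bD1ULxZ6fvAlx4oipUEjLbXNjho0
ED25519 SHA256:k+f4EFMWosTrsxD3UoSQ4V9Ed1FmMGWGf9U2BVb+gvc"

# check_fingerprint TYPE FP: succeed (exit 0) only if FP is exactly the
# published fingerprint for key type TYPE. Any other value fails, including
# a fingerprint that is published for a different key type.
check_fingerprint() {
    expected=$(printf '%s\n' "$BARBICAN_FINGERPRINTS" \
        | awk -v t="$1" '$1 == t { print $2 }')
    [ -n "$expected" ] && [ "$2" = "$expected" ]
}

# parse_keygen_line LINE: reduce one line of 'ssh-keygen -l' output, such as
#   3072 SHA256:... barbican.ch.cam.ac.uk (RSA)
# to "TYPE FINGERPRINT", e.g. "RSA SHA256:...".
parse_keygen_line() {
    printf '%s\n' "$1" | awk '{ t = $NF; gsub(/[()]/, "", t); print t, $2 }'
}

# verify_host [HOST]: fetch the live host keys with ssh-keyscan, fingerprint
# them with ssh-keygen, and report each as OK or UNKNOWN. Needs network access;
# returns non-zero if any presented key is not on the published list, in which
# case do not log in and contact support@ch.cam.ac.uk instead.
verify_host() {
    host=${1:-barbican.ch.cam.ac.uk}
    lines=$(ssh-keyscan -t rsa,ecdsa,ed25519 "$host" 2>/dev/null | ssh-keygen -lf -)
    [ -n "$lines" ] || { echo "no host keys received from $host" >&2; return 2; }
    status=0
    old_ifs=$IFS
    IFS='
'
    for line in $lines; do
        IFS=$old_ifs
        pair=$(parse_keygen_line "$line")
        ktype=${pair%% *}
        fp=${pair#* }
        if check_fingerprint "$ktype" "$fp"; then
            echo "OK       $ktype $fp"
        else
            echo "UNKNOWN  $ktype $fp"
            status=1
        fi
    done
    IFS=$old_ifs
    return $status
}

# The live check only runs when invoked as:  sh verify_barbican.sh verify [HOST]
case ${1:-} in
    verify) verify_host "${2:-barbican.ch.cam.ac.uk}" ;;
esac
```

The comparison is an exact string match on purpose: a fingerprint that differs in a single character, or an RSA fingerprint presented under the ED25519 key, is reported as UNKNOWN. If your client shows MD5 fingerprints instead, run ssh-keygen with -E md5 and compare against the MD5 list above.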
Randomart form of fingerprints
As an optional alternative for verifying fingerprints, some ssh clients support a Randomart representation of the fingerprint; the following examples are for the so-called Drunken Bishop implementation used in OpenSSH clients (and possibly also by other clients). These are ASCII-art representations of the fingerprint, and the idea is that one can compare ASCII-art at a glance and see if the fingerprint matches or not. For example, with many clients you can see the Randomart representation when you connect by running:
ssh fjc55@barbican.ch.cam.ac.uk -o VisualHostKey=yes
+---[RSA 3072]----+
| .*o. .. |
| *o=E.. .|
| o+*+ . +.|
| o o=o.+ +|
| . S o + = |
| . . + +.|
| . B +.o|
| o+B.oo|
| .o.*Bo.|
+----[SHA256]-----+
+---[ECDSA 256]---+
| .o ..*o.|
| . o +.*o|
| o + = . .o+oB|
| + E * +.oo=+|
| o S = + =+o|
| . . o . oooo|
| . . ..+|
| . o.|
| |
+----[SHA256]-----+
+--[ED25519 256]--+
| o=.o+ o =*Xo=|
| ...oo.o o.B o+|
| . .o. o . .+|
| ..o..+ .. o|
| +.oS . . o..|
| . + .B . o |
| . +o . E|
| . o |
| . |
+----[SHA256]-----+