Bastion Host (remote access with ssh)
The bastion host is a computer on the network that reduces the risk of allowing external connections by funnelling all remote access from the internet to the internal network through a single entrance point, so that only that one host needs to be exposed and hardened.
The bastion host for all members of the department is called citadel.ch.cam.ac.uk.
Getting an Account on the Bastion Host
Any user with an Active Directory account may use citadel, using the usual Admitto password. No intervention by Computer Officers is required.
Help
Examples: UNIX and ssh
Login to citadel:
ssh CRSID@citadel.ch.cam.ac.uk
replacing CRSID with your Cambridge user ID.
Login to citadel with X11 forwarding:
Linux: ssh -X CRSID@citadel.ch.cam.ac.uk
Mac:   ssh -Y CRSID@citadel.ch.cam.ac.uk
copy files to citadel:
scp file CRSID@citadel.ch.cam.ac.uk:/home/CRSID/
copy files from citadel:
scp CRSID@citadel.ch.cam.ac.uk:/home/CRSID/file ./
Change your password:
passwd
Copying files from your home computer to a file-server in Chemistry
- copy the files to citadel, then from citadel to the file-server (two copies, and the files sit in your citadel home directory in between)
- for those wanting to learn more/the lazy/the technically minded: use an ssh tunnel through citadel so you only do one copy
Further details about using ssh/WinSCP to copy files via ssh.
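The one-copy variant, as an added example that is not part of this page: an OpenSSH client configuration that routes connections to a Chemistry file-server through citadel with ProxyJump, so a single scp from your home computer lands on the file-server. The host name fileserver.ch.cam.ac.uk is a placeholder (the page does not name the file-server); substitute the real name, and CRSID with your user ID. Comments are kept on their own lines because ssh_config does not accept trailing comments after a value.

```sshconfig
# ~/.ssh/config  (added example; fileserver.ch.cam.ac.uk is a placeholder, not a real host name)

Host citadel
    HostName citadel.ch.cam.ac.uk
    # your Cambridge user ID
    User CRSID
    # refuse to connect if the host key is unknown or has changed;
    # pair this with the fingerprints published on this page
    StrictHostKeyChecking yes

Host chem-fileserver
    # placeholder: substitute the real file-server name
    HostName fileserver.ch.cam.ac.uk
    User CRSID
    # hop via the bastion: ssh opens a forwarded TCP connection through citadel and
    # runs a second ssh session inside it, so the file-server's host key is verified
    # by your client and the bastion only ever sees ciphertext
    ProxyJump citadel
    StrictHostKeyChecking yes

# With this in place a single command does the copy:
#   scp file chem-fileserver:/path/on/fileserver/
# Older OpenSSH clients (before 7.3) lack ProxyJump; use this line instead:
#   ProxyCommand ssh -W %h:%p citadel
```

Because StrictHostKeyChecking is set to yes, the first connection to each host will be refused until its key is in ~/.ssh/known_hosts; add citadel's key only after checking its fingerprint against the values in the Host Fingerprint section, and ask support@ch.cam.ac.uk for the file-server's fingerprint.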
Host Fingerprint
ssh servers are identified by a host key, and the fingerprint is a short hash of that key which lets you verify that the server you are connecting to really is the server you think it is. For example, if you are using an internet connection from outside the University, it is possible for whoever controls that connection to silently intercept your traffic and redirect it to a malicious server that presents its own key; comparing the fingerprint against the values published here detects this.
You can optionally configure your SSH client to trust the host keys of all our managed servers and workstations at once by trusting our ssh certification authority (a @cert-authority entry in your known_hosts file). Or, you can manually verify the host fingerprint as follows.
Because citadel supports several ssh host key algorithms it has several fingerprints, one per algorithm. The fingerprint reported by your ssh client should be one of the following SHA256 fingerprints (the format shown by current OpenSSH clients):

RSA     | SHA256:v2OOZd820Zfbs95C/xGE+3TmkzYN1TyuAN1f1wN2JnE
ECDSA   | SHA256:1B6Le9yEPQNIJ7KgTv0A9fPgDGueuYVmscdo35kOr9w
ED25519 | SHA256:4Gb6qYeM3b72swRQ2V1uDx5tPVrvxfAsi6J2iA13mi0

or one of the following MD5 fingerprints (shown by older clients, or by OpenSSH when run with -E md5):

RSA     | c7:97:8b:72:ed:b6:49:d6:86:63:e5:f0:93:4b:3c:d8
ECDSA   | eb:7c:f2:2f:75:49:2d:cd:5b:be:40:5e:dc:cf:21:82
ED25519 | 47:74:a4:d1:8e:28:54:c1:cc:2d:78:af:02:35:7a:07

depending on the algorithm your client uses. Your client will offer only one key type per connection, so you need to match only one row; the full string must match, not just its beginning.
If your ssh client reports a fingerprint that is not listed in the table above when connecting to citadel.ch.cam.ac.uk, or if you see a warning similar to the one shown below ("WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED"), do not enter your username or password: disconnect immediately and inform support@ch.cam.ac.uk. Do not follow the warning's suggestion to remove the old key from known_hosts until support has confirmed that the key really has changed.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
4c:ef:fe:05:78:8a:a3:fc:b4:e3:1c:f7:11:70:9c:00.
Please contact your system administrator.
Add correct host key in /home/fjc55/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/fjc55/.ssh/known_hosts:1136
  remove with: ssh-keygen -f "/home/fjc55/.ssh/known_hosts" -R apps
ECDSA host key for apps has changed and you have requested strict checking.
Host key verification failed.
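The fingerprints above are nothing more than hashes of the server's public key blob, so they can be recomputed and checked without trusting the client's interactive prompt. With OpenSSH this is a one-liner: save the output of `ssh-keyscan citadel.ch.cam.ac.uk` to a file and run `ssh-keygen -lf thatfile` (add `-E md5` for the MD5 form). The following Python does the same computation by hand, as an added example that is not part of this page or of OpenSSH: it parses a known_hosts/ssh-keyscan style line, derives both the SHA256 fingerprint (base64 of the digest with the "=" padding stripped, as ssh-keygen prints it) and the MD5 fingerprint (colon-separated hex), and compares them against the values published above. The embedded sample key is constructed from 32 fixed bytes and is not citadel's real key, so the check correctly reports it as untrusted.

```python
"""Recompute OpenSSH-style host key fingerprints and check them against a pinned list.

Added example (not from the Chemistry IT page, not OpenSSH code). Input is a line as
written by `ssh-keyscan host` or found in ~/.ssh/known_hosts.
"""
from __future__ import annotations

import base64
import hashlib

# Fingerprints for citadel.ch.cam.ac.uk as published on the page (SHA256 and MD5 forms).
CITADEL_FINGERPRINTS = {
    "SHA256:v2OOZd820Zfbs95C/xGE+3TmkzYN1TyuAN1f1wN2JnE",
    "SHA256:1B6Le9yEPQNIJ7KgTv0A9fPgDGueuYVmscdo35kOr9w",
    "SHA256:4Gb6qYeM3b72swRQ2V1uDx5tPVrvxfAsi6J2iA13mi0",
    "c7:97:8b:72:ed:b6:49:d6:86:63:e5:f0:93:4b:3c:d8",
    "eb:7c:f2:2f:75:49:2d:cd:5b:be:40:5e:dc:cf:21:82",
    "47:74:a4:d1:8e:28:54:c1:cc:2d:78:af:02:35:7a:07",
}


def sha256_fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint as `ssh-keygen -l` prints it: base64 digest, '=' padding removed."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def md5_fingerprint(blob: bytes) -> str:
    """Legacy MD5 fingerprint as `ssh-keygen -l -E md5` prints it (without the MD5: prefix)."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_key_line(line: str) -> tuple[str, bytes]:
    """Return (key type, decoded key blob) from a known_hosts / ssh-keyscan / authorized_keys line.

    known_hosts and ssh-keyscan lines begin with a host name (or a hashed |1|... entry);
    authorized_keys lines begin with the key type. The fingerprint is the hash of the
    decoded base64 field, so the host name plays no part in it.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    if not fields[0].startswith(("ssh-", "ecdsa-", "sk-")):
        fields = fields[1:]  # drop the leading host name field
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    # The blob begins with a length-prefixed string naming the algorithm; it must agree
    # with the declared type, otherwise the line has been mangled or tampered with.
    name_len = int.from_bytes(blob[:4], "big")
    if blob[4:4 + name_len].decode("ascii", errors="replace") != key_type:
        raise ValueError("key type inside blob does not match the declared type")
    return key_type, blob


def verify_host_key(line: str, pinned: set[str]) -> bool:
    """True only if the key's SHA256 or MD5 fingerprint appears in the pinned set."""
    _, blob = parse_key_line(line)
    return sha256_fingerprint(blob) in pinned or md5_fingerprint(blob) in pinned


def describe(line: str, pinned: set[str] = CITADEL_FINGERPRINTS) -> dict[str, object]:
    """Both fingerprint forms plus the trust decision, for printing or logging."""
    key_type, blob = parse_key_line(line)
    return {
        "type": key_type,
        "sha256": sha256_fingerprint(blob),
        "md5": md5_fingerprint(blob),
        "trusted": verify_host_key(line, pinned),
    }


def build_ed25519_key_line(host: str, pubkey: bytes) -> str:
    """Constructed sample input: a known_hosts style line for a made-up ed25519 key.

    An ed25519 blob is string("ssh-ed25519") followed by string(32-byte public key),
    each string being a 4-byte big-endian length and the bytes. This is NOT citadel's key.
    """
    if len(pubkey) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    name = b"ssh-ed25519"
    blob = len(name).to_bytes(4, "big") + name + len(pubkey).to_bytes(4, "big") + pubkey
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode('ascii')}"


# Constructed sample line (fixed bytes 0x00..0x1f stand in for a real public key).
SAMPLE_LINE = build_ed25519_key_line("citadel.ch.cam.ac.uk", bytes(range(32)))

if __name__ == "__main__":
    # Replace SAMPLE_LINE with a real line from `ssh-keyscan -t ed25519 citadel.ch.cam.ac.uk`.
    for key, value in describe(SAMPLE_LINE).items():
        print(f"{key:8} {value}")
```

Run against real ssh-keyscan output, the script should report trusted: True for each of citadel's three key types; a False for a line that claims to be citadel is exactly the situation in which the page tells you to disconnect and contact support.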
Randomart form of fingerprints
As an optional alternative for verifying fingerprints, some ssh clients support a Randomart representation of the fingerprint; the following examples are for the so-called Drunken Bishop implementation used in OpenSSH clients (and possibly by other clients too). These are ASCII-art pictures derived from the fingerprint, and the idea is that one can compare the pictures at a glance and see whether the fingerprint matches. Randomart is most useful for noticing that a key you have seen before has changed; when verifying a server for the first time, compare the full fingerprint string above. With OpenSSH you can see the Randomart representation when you connect by running:
ssh fjc55@citadel.ch.cam.ac.uk -o VisualHostKey=yes
+---[RSA 1024]----+ | | | | | | | . . | | S o + . | | . + % . | | . o X E | | o =.= + | | .+.. | +-----------------+
+---[ECDSA 256]---+ | | | | | . .+.| | E . oo+*| | S +.o==| | . .oo.+| | . . .. .| | o. o . | | o+.o. | +-----------------+
+--[ED25519 256]--+ | *ooooo | | E *..+. | | + + +oo | | o o o.o . | | o oS.. | | . .. | | . | | | | | +-----------------+