More detailed info
For external access, only our login servers are accessible, and they only allow logins using public keys stored in CS SSH Public Key Management. The one exception is the Git server, which is also accessible remotely but uses key management from within GitLab.
For access within UmU, it's more relaxed:
- You can use the same keys as for external access
- You can log in directly to a specific host, not only through the limited list of login servers / jump hosts.
- You can log in using your password
Home directories on different types of computers
For login servers, processes running as you will have access to your home directory no matter how you logged in, whether with a password or with passwordless ssh keys. This is because we are quite confident that the machine has not been replaced by an impostor.
For student lab computers, you need a valid Kerberos ticket to gain access to your home directory, because these machines are less trusted (they are in a public space and could in theory have been replaced). You get a ticket automatically if you log in at the screen+keyboard using your password, or if you log in remotely using your password. Another option is to run kinit. If you have a valid Kerberos ticket and ssh to another computer, you bring that ticket to the new system (it is used both for login and for access to your home directory).
Public Key management
When you upload a key to CS SSH Public Key Management, the key will be valid for 1 year, like on our GitLab instance. A notification will be sent when it is about to expire, and you can then easily log in and renew it. This is to avoid stale/lost keys being active indefinitely.
When we activated this new system, we imported all existing keys from ~/.ssh/authorized_keys but with a limited lifetime. Log in and renew the ones you want to keep using.
Access from different places
| From where | Type | Password | Kerberos | Public Keys Option 1 (CS SSH Public Key Management) | Public Keys Option 2 (~/.ssh/authorized_keys) |
|---|---|---|---|---|---|
| Home | Login servers | No | No | YES | No |
| Home | Student labs | No | No | No | No |
| CS servers/labs | Login servers | YES | YES | YES | No |
| CS servers/labs | Student labs | YES | YES | No | No |
| Laptop (eduroam) | Login servers | YES | No | YES | No |
| Laptop (eduroam) | Student labs | YES | No | No | No |
Public Keys Option 1 is our CS SSH Public Key Management, used by machines directly managed by CS IT.
Public Keys Option 2 is the native ssh way, of storing keys in ~/.ssh/authorized_keys. This is where it goes if you use ssh-copy-id.
I want to login to multiple student lab machines and run things
Either:
- Start from one of the student lab machines (Linux), where logging in at the keyboard+screen gives you a Kerberos ticket that both lets you log in to the other machines without a password and gives you access to your home directory there.
- Log in to one of the login servers, run kinit to make sure you have a valid Kerberos ticket, then ssh onwards to the lab machines.
If you were to use an ssh key to log in to the student lab machines, then you would not have access to your files, which is probably less useful.
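One way to script the second option from a login server, as an added example that is not part of the CS IT documentation. It assumes OpenSSH with GSSAPI support and that the lab machines accept Kerberos logins with ticket delegation; lab host names are passed as arguments because this page lists none.

```shell
#!/bin/sh
# Added example: run one command on several student lab machines.
# Run it on a login server. Host names are supplied by the caller.

# Return 0 if the credential cache holds a valid (unexpired) ticket.
have_ticket() {
    klist -s
}

# Get a ticket only when one is missing; kinit prompts for the password.
ensure_ticket() {
    have_ticket || kinit
}

# run_on_labs COMMAND HOST...
# Logs in with Kerberos only (never an ssh key, which would leave the
# home directory inaccessible) and delegates the ticket to the lab host.
# Returns the number of hosts that failed, or 255 if no ticket was obtained.
run_on_labs() {
    cmd=$1; shift
    failed=0
    ensure_ticket || return 255
    for host in "$@"; do
        # -n: do not read stdin; BatchMode: fail instead of prompting.
        if ssh -n -o BatchMode=yes \
               -o PreferredAuthentications=gssapi-with-mic \
               -o GSSAPIAuthentication=yes \
               -o GSSAPIDelegateCredentials=yes \
               "$host" "$cmd"; then
            echo "ok: $host"
        else
            echo "FAILED: $host" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Usage: sh run_on_labs.sh 'COMMAND' HOST...
if [ "$#" -ge 2 ]; then
    run_on_labs "$@"
fi
```

Restricting PreferredAuthentications to gssapi-with-mic makes a missing or expired ticket show up as a failed host rather than as a silent login without file access.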
Access summary
Most likely: Upload your key and then log in to the login servers (salt/peppar/itchy/scratchy).
If you need to access multiple student lab machines, either start from the computer labs (then you'll have a valid Kerberos ticket) or log in to the login servers and run kinit to get a Kerberos ticket.
Specific applications
VSCode
Nothing special needed, just works.
FileZilla
- Go to Site Manager
- Add new site
- Protocol: SFTP
- Host: salt.cs.umu.se (or peppar.cs.umu.se / itchy.cs.umu.se / scratchy.cs.umu.se)
- Port: 22
- Logon Type: Key file
- User: YOURCSUSER
- Key File:
  - Linux: Probably /home/YOURNAME/.ssh/id_ed25519
  - macOS: Probably /Users/YOURNAME/.ssh/id_ed25519
  - Windows: Probably C:\Users\YOURNAME\.ssh\id_ed25519
Other applications that fail to work
Contact us at support@cs.umu.se and we'll see if we can figure something out.