More detailed info (employee version)

For external access, only our login servers will be accessible at all and they will only allow logins using public keys stored in CS SSH Public Key Management. One exception is the Git server, which is also accessible from remote - but is using key management from within GitLab.

For access within UmU, it's more relaxed:

• You can use the same keys as for external access
• You can login directly to a specific host, not only through the limited list of login servers / jump hosts.
• You can login using your password

Home directories on different types of computers

For login servers, processes running as you will have access to your home directory no matter how you managed to login - whether it's with a password or with passwordless ssh keys. This is because we are quite confident that the machine has not been replaced by an impostor.

For student lab computers, to gain access to your home directory - you need to have a valid Kerberos ticket due to the machines being less trusted (since they are in a public space and could in theory have been replaced). This will happen automatically if you login at the screen+keyboard using password, or if you login remotely using password. Another option is to run kinit. If you have a valid Kerberos ticket and ssh to another computer - you will bring that ticket to the new system (using it both for login and access to home directory).

Public Key management

When you upload a key to CS SSH Public Key Management, the key will be valid for 1 year - like on our GitLab instance. A notification will be sent when it is about to expire, then you can easily login and renew it. This is to avoid stale/lost keys being active indefinitely.

When we activated this new system, we imported all existing keys from ~/.ssh/authorized_keys but with a limited lifetime. Login and renew the ones you want to keep using.

Access from different places

Public Keys Option 1 is our CS SSH Public Key Management, used by machines directly managed by CS IT.

Public Keys Option 2 is the native ssh way, of storing keys in ~/.ssh/authorized_keys. This is where it goes if you use ssh-copy-id.

[1] A handful of machines plus the machines in amanuensis lab

[2] "Some" above means that it can be enabled on request, contact us at support@cs.umu.se.

[3] "via jump host" means that you have used the proposed config at the top of the base instructions page, making a connection via one of the login servers automatically.

Access summary / VPN

Most likely: Upload your key and then login to the login servers (salt/peppar/itchy/scratchy).

If you need to access multiple student lab machines - either start from the computer labs (then you'll have a valid Kerberos ticket) or login to the login servers and run kinit to get a Kerberos ticket.

All employees can have access to the VPN (Virtual Private Network), which routes all traffic from your computer through an endpoint at UmU - making your computer appear to be "here".

Students can get VPN access too, contact us at support@cs.umu.se for more info.

Specific applications

VSCode

Nothing special needed, just works.

FileZilla

1. Go to Site Manager
2. Add new site
   1. Protocol: SFTP
   2. Host: salt.cs.umu.se (or peppar.cs.umu.se / itchy.cs.umu.se / scratchy.cs.umu.se)
   3. Port: 22
   4. Logon Type: Key file
   5. User: YOURCSUSER
   6. Key File:
      1. Linux: Probably /home/YOURNAME/.ssh/id_ed25519
      2. macOS: Probably /Users/YOURNAME/.ssh/id_ed25519
      3. Windows: Probably C:\Users\YOURNAME\.ssh\id_ed25519

Other application that fail to work

Contact us at support@cs.umu.se and we'll see if we can figure something out.