Using an MCS Linux remote-access server

An introductory guide to using MCS Linux remote-access servers.

This section is about accessing MCS Linux remote access servers. These allow you to access the DS-Filestore and to run MCS Linux applications remotely from a suitably-configured computer from anywhere on the Internet.

Using SSH

The remote access servers can be accessed from any computer with a Secure Shell (SSH) client that supports version 2 of the protocol, e.g. OpenSSH on Unix systems such as Linux or Mac OS X, or PuTTY on Windows systems.

There are three remote-login services available:

• linux.ds.cam.ac.uk provides remote-login services to anyone with a UIS Desktop Services account.
• linux.phy.ds.cam.ac.uk is a dedicated cluster provided exclusively to users in the Physics department.
• linux.cl.ds.cam.ac.uk is a dedicated cluster provided exclusively to users in the Computer Laboratory.

In each case, you should log in using your UIS username (your CRSid) and your UIS password.  For example, from a Linux or Mac command-line, you would type ssh crsid@linux.ds.cam.ac.uk and follow the on-screen prompts.

Server SSH keys

SSH connections are intended to be secure against eavesdropping and impersonation.  To ensure this, you need to check that the public key advertised by any server you connect to is authentic.  The first time you connect to an SSH server, you will be prompted to verify that the key being offered is correct.  It is important that you check this key carefully.

If your computer supports the automatic verification of SSHFP DNS records using DNSSEC-bis, then this check will be performed for you automatically when connecting to MCS Linux remote login servers.

SSH keys aren't printed directly; they can be quite long.  Instead, a representative key fingerprint will be shown to you by your SSH client for you to check.  Older clients will show you an MD5 fingerprint; newer systems should show you a SHA256 one, which is technically better.

The MCS Linux remote-login servers have keys with the following fingerprints:

If you try to connect to any MCS Linux machine and are presented with a fingerprint not listed above, then your connection is not secure and you must immediately disconnect.

Most SSH clients will remember that you have accepted a key as authentic after being told, so you should only need to check any particular server's key fingerprint once.

It will be necessary from time to time to replace the above keys — for example, to take advantage of improvements in modern cryptography.  Barring an emergency, any such change will be advertised well in advance via the UIS News service and the MCS Message of the Day.

Using X over SSH

If your computer is running an X server, and your SSH client supports it, then you can also run graphical, as well as console, applications remotely.

• from a Windows system, using an X server, for example ExCeed or Cygwin (see below)
• from a Unix (including MacOS X) system with a local X server running, use ssh -Y linux.ds.cam.ac.uk. 
  (If using -Y fails, then try using -X instead.)

Using graphical applications remotely will require significant bandwidth, so a fast broadband or CUDN connection will be required for effective use. Any program which requires physical access will clearly not work remotely — so no USB devices are available — and applications will not be able to play sounds.

Notes on using ExCeed and Cygwin

• ExCeed. Recent versions of ExCeed have SSH support as a separate module; for older versions you will need to use ExCeed with PuTTY to provide the SSH connection.
• Cygwin. This includes both OpenSSH and an X server. To install it go to http://cygwin.com/ and select the Install Cygwin link in the left hand menu.
  • In the package installation screen make sure to select openssh from Net and xorg-x11-base from X11.
  • After install open the "Cygwin Shell" and type startx.
    An xterm will pop up; type ssh -Y linux.ds.cam.ac.uk to establish your connection.

Physics and Computer Laboratory students

The dedicated Physics (linux.phy.ds.cam.ac.uk) and Computer Laboratory (linux.cl.ds.cam.ac.uk) remote-login servers only permit users in their respective departments to log in. If you cannot log in to one of these machines, but you can connect to one of the public servers (linux.ds.cam.ac.uk), then it is probably because you haven't been granted the requisite access rights.

If you think that you should be able to connect to one of the departmental servers, then your course coordinator is the person to contact. If you have access to a departmental server, then you should do your coursework on that server by preference, rather than use one of the public machines.

Known Issues

These are issues that are known to specifically affect remote-access servers running MCS Linux.  You may also wish to consult the list of known issues that affect all MCS Linux machines, desktops and servers both.

Logging in using a personal public/private key is not supported

The remote-login server that you are connecting to has no special privileges; it needs to know your password before it can provide access to your DS-Filestore home directory on your behalf.  If you try to connect to a remote-login server with a mechanism other than your password, such as with a public/private keypair, then it may fail.  As a consequence, the use of SSH public-key authentication cannot be supported.

Loading all python3 modules will cause a crash.

The python3 command help('modules') will load all modules available on the local system. This include the pyatspi2 module, which crashes the python3 interpreter if it can't connect to a running desktop bus (DBus) session owner by the user—which is the default for remote SSH sessions.

To avoid this problem, first start a DBus daemon manually using the dbus-launch command, prior to starting the python3 interpreter.