
Department of Computer Science and Technology

 

Student SSH server

The Computer Laboratory provides all our students with access to a general-purpose Linux (Ubuntu) server, accessible via SSH at cl-student-ssh.cl.cam.ac.uk, for purposes connected with your course (whether that's supervision work, projects, ticks, coding, networking experimentation or anything else) and more generally other reasonable uses that are permitted on the University network according to the policies of the ISC, the CUDN and Janet.  Everyone eligible for access (CST and ACS students, and all other members of the department) automatically has an account; there is no need to sign up - just log in and start using it.

This service is intended to replace the erstwhile MCS Remote Linux service which was withdrawn by UIS in January 2023.

cl-student-ssh is not suitable for resource-intensive data processing, machine learning, or similar; you should be careful not to do anything that may impede other people's use of the shared server.  If you need a lot of computational resource for reasons connected to your course, contact sys-admin@cl.cam.ac.uk or the relevant lecturer.

A 2GB disk quota is provided by default; more space is available on request.

We are generally happy to install software packages on the server for you as needed, within reason, particularly if they are packaged in Ubuntu.  Contact sys-admin@cl.cam.ac.uk with any requests, questions or feedback.  As this is a new service, we're interested in considering any ways in which it can be changed to improve its usefulness.

Other servers

You may be told to use another server similar to cl-student-ssh for particular courses, named for example cl-teaching-foo.  The instructions below may apply to that server as well - simply substitute the name of the server you've been told to use in place of "cl-student-ssh" in anything that follows.

How to connect

You will need an SSH client.  On Windows, we suggest PuTTY if you just plan to log in using a password or SSH key; alternatively, use the ssh command on the Windows Command Prompt, which on recent versions of Windows also supports Kerberos (see below).  (All currently supported versions of Windows 10 and newer include a copy of OpenSSH.)  You can also use the Windows Subsystem for Linux (WSL), but if you use WSL version 2 for SSH, note this DNS bug and the workaround.

Your username is your CRSid, i.e. the part of your University email address before (not including) the "@cam.ac.uk".

You must not ever allow anybody else to log in as you, or provide anybody else with a means of running commands or code on this server (as is the case for all computers connected to the University network).

There are three main ways to authenticate.

Password authentication

You can simply log in using your "Blue" (University Active Directory) password. For most people this is the same as your University account password. It is the same password that you use to log into Exchange Online email.

Once you've successfully logged in using a password, we suggest setting up a better way to log in.

SSH keys

You can add your SSH public key to ~/.ssh/authorized_keys in order to log in without a password.

You can generate an SSH key pair using ssh-keygen, or PuTTYgen on Windows.  Keep the private key private; only copy the public key onto cl-student-ssh.  We strongly suggest that you set a strong passphrase on your private key, and also set a "from" clause in authorized_keys to restrict use of your key to (for example) *.cam.ac.uk; see the authorized_keys manual page.

If you ever think that your private key may have been obtained by another person, contact sys-admin@cl.cam.ac.uk immediately and if possible remove the key from ~/.ssh/authorized_keys.
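The "from" clause recommended above, as an added example that is not part of the department's documentation: one function lists the keys in an authorized_keys file that carry no "from" restriction, and another builds a restricted entry from a public key file. The function names are hypothetical, all key material is constructed placeholder text, and 192.0.2.0/24 is a documentation address range.

```shell
#!/bin/sh
# Added example (not the department's code). Key material below is constructed placeholder text.

# Print the line number of every key in an authorized_keys file that has no from= option.
# $1: file to audit ("-" for stdin); defaults to ~/.ssh/authorized_keys.
audit_authorized_keys() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }              # comments and blank lines
    {
        line = $0; sub(/^[ \t]+/, "", line)
        has_from = 0
        if (line !~ /^(ssh-|ecdsa-|sk-)/) {        # no leading key type: options come first
            inq = 0; at_start = 1
            for (i = 1; i <= length(line); i++) {
                c = substr(line, i, 1)
                if (at_start && tolower(substr(line, i, 5)) == "from=") has_from = 1
                at_start = 0
                if (inq && c == "\\") i++          # escaped character inside a quoted value
                else if (c == "\"") inq = !inq
                else if (!inq && c == ",") at_start = 1
                else if (!inq && (c == " " || c == "\t")) break   # end of options field
            }
        }
        if (!has_from) print NR
    }' "${1:-$HOME/.ssh/authorized_keys}"
}

# Emit an authorized_keys line that restricts a public key to a from= pattern list.
# $1: pattern list, e.g. *.cam.ac.uk   $2: public key file (the .pub half only)
restrict_pubkey() {
    case $1 in *\"*) echo "pattern must not contain a double quote" >&2; return 1 ;; esac
    read -r key < "$2" || [ -n "$key" ] || return 1
    printf 'from="%s" %s\n' "$1" "$key"
}

# Constructed sample file: lines 2 and 4 carry no from= restriction.
sample_keys() {
    cat <<'EOF'
# constructed entries, placeholder key material
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER1 spqr2@laptop
from="*.cam.ac.uk" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER2 spqr2@desktop
no-pty,command="echo from=\"x\", hi" ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER3 spqr2@backup
restrict,FROM="192.0.2.0/24" ecdsa-sha2-nistp256 AAAAE2VjZHNhPLACEHOLDER4 spqr2@lab
EOF
}

sample_keys | audit_authorized_keys -
```

Run restrict_pubkey on the machine that holds the .pub file and append its output to ~/.ssh/authorized_keys on the server; run audit_authorized_keys with no argument on the server to review the keys already installed.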

DigitalOcean has more information on SSH keys.

Kerberos

You can log into cl-student-ssh using a Kerberos ticket (also referred to as GSSAPI).  This is a secure means of authenticating without providing your password to the system you're connecting to; instead you use a ticket.

For most people this is a niche method, but it is fully supported and may be useful in some cases - particularly if you are connecting several times over the course of a day, or you also use other services in the Blue Active Directory that use Kerberos authentication.

NB: cl-student-ssh uses the domain BLUE.CAM.AC.UK for Kerberos, so that you can log in using your University account.  Most other departmental systems use a different Kerberos domain, DC.CL.CAM.AC.UK, and require a Computer Lab account.  These accounts and domains are not interchangeable; make sure you get a Kerberos ticket in the correct domain for the system you are trying to connect to, and if trying to access other Computer Lab systems, note the different instructions for SSH access to those.

Kerberos from Linux, Mac or Windows Subsystem for Linux

In order to get a Kerberos ticket from a UNIX client (Linux, Mac or WSL on Windows), run

kinit crsid@BLUE.CAM.AC.UK

Insert your CRSid (e.g. spqr2) in place of "crsid".  Your CRSid should be specified in lowercase, but BLUE.CAM.AC.UK should be uppercase.

You will be prompted for your Blue password (usually the same as your University account password; see above).  Once you have done so, you will have a Kerberos ticket (strictly, a ticket-granting ticket or TGT) that you can use to authenticate to cl-student-ssh.cl.cam.ac.uk and other systems that support Kerberos, for example using:

ssh -K crsid@cl-student-ssh.cl.cam.ac.uk

By default, your ticket will expire after 8 hours and can be renewed (for example using krenew) without entering a password again for up to 24 hours.  It may be possible to request a ticket that can be renewed for up to a week using

kinit crsid@BLUE.CAM.AC.UK -l 7d

Kerberos from Windows

Windows can be configured to automatically get a Kerberos ticket for you when you need one, by setting up a credential within Credential Manager.  Either open Credential Manager, click Windows Credentials then Add a Windows credential as follows:

Internet or network address: cl-student-ssh.cl.cam.ac.uk
User name: crsid@BLUE.CAM.AC.UK

Or use the cmdkey command:

cmdkey /add:cl-student-ssh.cl.cam.ac.uk /user:crsid@BLUE.CAM.AC.UK /pass

In either case, insert your CRSid (e.g. spqr2) in place of "crsid".  Your CRSid should be specified in lowercase, but BLUE.CAM.AC.UK should be uppercase.

You will be prompted for your Blue password (usually the same as your University account password; see above).  NB: Windows will store an encrypted copy of your password on the computer you are using, so don't do this on a computer that you do not own or trust (and you may need to repeat these instructions after changing your password).  Once you have done so, Windows will use your password to obtain Kerberos tickets automatically when you authenticate to cl-student-ssh, for example using:

ssh -K crsid@cl-student-ssh.cl.cam.ac.uk

on the Windows Command Prompt.

Related services

Members of the University may also get a similar SSH account, and various other computing facilities such as web hosting and email lists, for free from the Student-Run Computing Facility (SRCF).  This is a volunteer-run service provided by a student society (get in touch with them if you are interested in helping to run it!).  The department does not accept any responsibility for the availability or security of the SRCF; in particular we suggest that you should not rely solely upon it for your coursework.