SSH Setup for ASC and Unity (Complete Beginner-Friendly Guide)

Introduction

High-performance computing (HPC) clusters like ASC and Unity at OSU are accessed using a tool called SSH (Secure Shell). SSH lets you log in to remote computers securely and run commands as if you were sitting at that machine.

Because OSU clusters are protected behind institutional firewalls, you cannot log in directly. Instead, you must:

connect first to a jump host (a secure gateway machine), then
from there connect to Unity or specific compute nodes you’ve been allocated.

SSH can automatically perform these multi-step hops for you — and skip extra Duo prompts along the way — but only if your setup is correct.

This guide walks through everything you need:

✔ Understanding SSH keys at a high level (see SSH Keys for the deep dive) ✔ Why clusters use jump hosts ✔ How to generate a secure key pair ✔ How to upload your key to OSU systems ✔ How to configure SSH so you can just type:

ssh unity

✔ How to set up connection multiplexing so Duo prompts you only once ✔ Troubleshooting and common mistakes

It is designed for students and postdocs with zero prior HPC experience.

1. What Is SSH, and Why Do We Use It?

SSH = Secure Shell. It is a tool that:

encrypts your connection
verifies your identity
lets you run commands on remote computers

Almost everything you do on HPC systems — submitting jobs, loading modules, managing files — starts with SSH.

Why SSH keys instead of passwords?

Using passwords is:

slow
easy to mistype
insecure
often disabled for HPC environments

SSH keys are:

more secure
faster (no password prompts)
mandatory for multi-hop connections
compatible with VS Code Remote-SSH

An SSH key pair consists of:

private key → stays on your laptop
public key → copied to remote machines

Think of it as a lock and key: You install the lock (public key) on the cluster, you keep the key (private key) on your computer.

For everything you ever wanted to know about generating keys, permissions, the SSH agent, and rotation — see the SSH Keys page.

2. Why Do We Need a Jump Host?

Most OSU HPC nodes cannot be reached from outside campus or VPN.

So you must log in through:

Your Laptop → ASC Jump Host → Unity Login Node → Compute Nodes

The jump host (jump.asc.ohio-state.edu, port 2200) is the only door that opens from the outside world. Once you’re through it, you can reach Unity and the compute nodes behind it.

SSH can be configured to do this automatically using ProxyJump, so ssh unity will silently chain through the jump host for you.

The jump host also enforces Duo multi-factor authentication (MFA). Every fresh connection to it triggers a push to your phone. This is where most setup pain comes from — and what SSH connection multiplexing (Section 5) solves.

3. Step-by-Step: Create Your SSH Key Pair (on your laptop)

Run this on your Mac, not on any cluster:

ssh-keygen -t ed25519 -C "yourname@osu.edu" -f ~/.ssh/buckai_key

Choose no passphrase unless you prefer extra security.

You now have:

~/.ssh/buckai_key       ← private key (keep safe!)
~/.ssh/buckai_key.pub   ← public key (send to clusters)

See SSH Keys for what each file is, why permissions matter, and how to load the private key into your SSH agent.

4. Install Your Public Key on OSU Systems

4.1 Install on ASC Jump Host

ssh-copy-id -i ~/.ssh/buckai_key.pub yourname.##@jump.asc.ohio-state.edu -p 2200

You will enter your OSU password once here.

5. Create Your Local SSH Configuration File

This file tells SSH:

how to connect
which key to use
how to automatically hop through the jump host
how to reuse a single authenticated connection so you don’t get a flood of Duo prompts

5.1 Prepare `~/.ssh/` and create a sockets directory

The sockets directory is where SSH will store small files used to share one authenticated connection across many sessions. Without it, you can’t get the “one Duo tap, everything else is free” experience.

mkdir -p ~/.ssh
chmod 700 ~/.ssh
mkdir -p ~/.ssh/sockets
chmod 700 ~/.ssh/sockets
touch ~/.ssh/config
chmod 600 ~/.ssh/config

Permissions matter — SSH silently ignores the config file if it is world-readable.

5.2 Open the config

nano ~/.ssh/config

5.3 Add the full template

Paste the following (replace yourname.## with your OSU username, e.g. smith.123):

### Global defaults: apply to ALL hosts
Host *
    # Connection multiplexing: authenticate once, reuse the connection
    ControlMaster auto
    ControlPath ~/.ssh/sockets/%r@%h:%p
    ControlPersist 10m

    # Keepalives: prevent firewalls/NAT from dropping idle connections
    ServerAliveInterval 30
    ServerAliveCountMax 4
    TCPKeepAlive yes

    # Prefer your SSH agent + macOS Keychain (so keys stay loaded across sessions)
    AddKeysToAgent yes
    UseKeychain yes

### ASC Jumphost (requires Duo MFA)
Host ascjumphost
    HostName jump.asc.ohio-state.edu
    User yourname.##
    Port 2200
    IdentityFile ~/.ssh/buckai_key
    IdentitiesOnly yes

### Unity Login Node (via jump host)
Host unity
    HostName unity.asc.ohio-state.edu
    User yourname.##
    IdentityFile ~/.ssh/buckai_key
    IdentitiesOnly yes
    ProxyJump ascjumphost
    # Older HPC SSH daemons may need these for key-based auth to work:
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa

Now typing:

ssh unity

automatically performs:

Laptop → Jump Host → Unity

with one Duo prompt and zero password typing.

6. Understanding the Magic Settings

These three settings — multiplexing, keepalives, and the +ssh-rsa lines — are what make the config above robust. They’re worth understanding rather than copying blindly.

6.1 Connection multiplexing (the Duo painkiller)

ControlMaster auto
ControlPath ~/.ssh/sockets/%r@%h:%p
ControlPersist 10m

Together these tell SSH:

The first SSH connection to a host authenticates normally (Duo and all) and creates a Unix socket at ~/.ssh/sockets/...
Any subsequent SSH connections to the same host reuse that socket and skip authentication entirely
The master connection stays alive for 10 minutes after the last session closes, so quick reconnects don’t re-prompt for Duo

This is critical for VS Code Remote-SSH, which opens multiple parallel connections during connect — without multiplexing, each one triggers a separate Duo prompt and they race each other to timeout.

6.2 Keepalives — the counterintuitive part

ServerAliveInterval 30
ServerAliveCountMax 4

The intuition “bigger numbers = stays alive longer” is backwards.

ServerAliveInterval 30 means: every 30 seconds of idleness, the SSH client sends a small “are you there?” probe.
ServerAliveCountMax 4 means: if 4 consecutive probes get no response, give up and disconnect.

So this tolerates up to 2 minutes (4 × 30s) of server silence. The probes themselves are what keep the connection alive — they prevent firewalls and NAT devices from forgetting your connection during idle periods.

A larger ServerAliveInterval is less protective, not more, because middleboxes have more time to forget you between probes.

If you want maximum durability, keep ServerAliveInterval small (15–30s) and crank ServerAliveCountMax up (e.g. to 120) to tolerate long server silences.

6.3 Why the `+ssh-rsa` lines?

Modern OpenSSH (9.0+) disabled the ssh-rsa signature algorithm by default for security reasons, but many HPC clusters still use server keys that rely on it. Without these lines you may see errors like:

no matching host key type found. Their offer: ssh-rsa

The + prefix means “add to the default list” rather than “replace it,” so modern algorithms still take priority — ssh-rsa is just available as a fallback. Keep these lines on cluster connections until your sysadmin confirms server keys have been rotated.

7. Testing Your Setup

Open Terminal.app and run:

ssh unity

You should:

Get one Duo prompt → approve it on your phone
Land on the Unity login node prompt:

✅ [yourname.##@unity ~]$

Then without disconnecting the first session, open a new Terminal tab and run ssh unity again. The second connection should land instantly with no Duo prompt. That’s multiplexing working correctly.

If the second connection still prompts for Duo:

Check that ~/.ssh/sockets/ exists and is writable (ls -ld ~/.ssh/sockets)
Run ssh -v unity for verbose output and look for ControlMaster / mux messages
Some HPC sites disable connection sharing for audit reasons; if so, you’ll keep getting Duo prompts and the workflow on the VS Code Remote-SSH page will be more painful

8. Direct Shortcuts to Compute Nodes

Students often log into specific compute nodes for debugging interactive jobs.

Each compute node gets its own Host block that uses unity as a ProxyJump:

### Template for a compute node. On Unity, real node hostnames follow
### the pattern `uXXX` — a `u` followed by a number, like u101, u250,
### u500, etc. (full FQDN: u101.asc.ohio-state.edu). Replace `mynode`
### below with the actual node hostname you have access to.
Host mynode
    HostName mynode.asc.ohio-state.edu
    User yourname.##
    IdentityFile ~/.ssh/buckai_key
    IdentitiesOnly yes
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa
    ProxyJump unity

The ProxyJump unity chains through the Unity definition you already wrote (which itself chains through ascjumphost). So a single ssh mynode does three hops behind the scenes — and thanks to multiplexing, only the first hop triggers Duo.

Repeat for any other nodes you have access to. Usage:

ssh mynode

Multi-hop multiplexing in practice

With three levels of hops (laptop → ascjumphost → unity → mynode), the multiplexing in the global Host * block helps each hop independently:

First time: Duo prompt at ascjumphost, key auth at unity, key auth at mynode
Subsequent ssh mynode, ssh anothernode, etc. within 10 minutes: zero prompts — the ascjumphost socket is reused, the unity socket is reused, only the final hop’s key auth happens

This is what makes a half-dozen named compute-node aliases practical.

9. Common Pitfalls

❌ “Permission denied (publickey)”

Likely causes:

Wrong IdentityFile path in SSH config
Key not added to SSH agent — see SSH Keys
Key permissions wrong — fix:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/buckai_key
chmod 644 ~/.ssh/buckai_key.pub

Public key not in cluster’s ~/.ssh/authorized_keys (rerun ssh-copy-id)
IdentitiesOnly yes missing — your agent may be offering a different key first that gets rejected

❌ “Could not resolve hostname unity”

The config file name must be exactly:

~/.ssh/config

(no extension, no typos).

❌ Jump host asks for password every time

You forgot to copy the public key:

ssh-copy-id -i ~/.ssh/buckai_key.pub yourname.##@jump.asc.ohio-state.edu -p 2200

❌ “Bad owner or permissions”

Folder and file permissions must be strict:

chmod 700 ~/.ssh ~/.ssh/sockets
chmod 600 ~/.ssh/config ~/.ssh/buckai_key

❌ Duo prompts on every connection (multiplexing not working)

Make sure ~/.ssh/sockets/ exists and is writable
Different Host aliases pointing to the same machine each get their own socket — pick one canonical alias and stick with it
ControlPersist 10m is the cooldown — if it’s been more than 10 minutes since you last used the connection, you’ll see Duo again. Bump it (e.g. ControlPersist 1h) if you prefer

❌ SSH hangs on connect

A stale socket file from an uncleanly-killed previous session. Fix:

rm ~/.ssh/sockets/*

then reconnect.

❌ “no matching host key type found. Their offer: ssh-rsa”

Add these lines to the affected Host block:

HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa

❌ Wrong username case

ASC usernames are case-sensitive in some contexts. If in doubt, use exactly what appears on your ASC account page.

❌ VS Code cannot connect

Make sure your config includes:

IdentityFile ~/.ssh/buckai_key
IdentitiesOnly yes

Then see the VS Code Remote-SSH page for the rest of the setup.

10. Summary

With this setup you now have:

✔ secure SSH access
✔ automated multi-hop login through the ASC jump host
✔ passwordless authentication using your SSH key
✔ connection multiplexing so you only Duo-tap once per ~10-minute window
✔ shortcuts to specific compute nodes
✔ a config ready for VS Code Remote-SSH

This is the foundation for everything else in the handbook. Next up: VS Code Remote-SSH + AI Coding Assistants.