[Nevis-linux] SSH and Kerberos at FNAL

William Seligman seligman at nevis.columbia.edu
Mon Sep 29 13:08:53 EDT 2008


To anyone who uses ssh to access the Kerberized systems at FNAL:

For some years now, we've used a special version of ssh to access the Kerberized 
systems at Fermilab.  The complete directions are here:

<http://www.nevis.columbia.edu/software/kerberos.html>

But before you click on that link...

Thanks to Brian Rebel, I have learned that a special version of ssh may not be 
needed after all.  I have added the following options to /etc/ssh/ssh_config on 
all the systems on the Nevis Linux cluster:

   GSSAPIAuthentication yes
   GSSAPIDelegateCredentials yes

When I do this, I find that after I do the usual "kinit seligman at FNAL.GOV", I 
can use the standard Fedora Linux ssh command to access FNAL systems 
(d0mino01.fnal.gov, at least).

If you are using a laptop, you can try adding the above statements to your 
~/.ssh/config file.   You can also test this without editing any files by 
putting the options on the ssh command line:

# ssh -o GSSAPIAuthentication=yes \
       -o GSSAPIDelegateCredentials=yes \
       <hostname>.fnal.gov

I suggest trying to use "regular" ssh with the above options and see if it works 
for you.  If so, it would be one less complication we'd have to worry about.

-- 
Bill Seligman             | Phone: (914) 591-2823
Nevis Labs, Columbia Univ | mailto://seligman@nevis.columbia.edu
PO Box 137                | http://www.nevis.columbia.edu/~seligman/
Irvington NY 10533 USA    | XDI: http://public.xdi.org/=william.seligman
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3277 bytes
Desc: S/MIME Cryptographic Signature
Url : http://listserv.nevis.columbia.edu/pipermail/nevis-linux/attachments/20080929/c4f4d921/attachment.bin 


More information about the Nevis-linux mailing list