Monday 14 June 2010

Kerberos & SSH at CERN

Quick blog posting to save me having to explain to people what's needed:

1) RTFM: http://linux.web.cern.ch/linux/docs/kerberos-access.shtml -- thats where most of the good debugging tips are

2) to get it working between say your ubuntu laptop and cern hosts you'll need to append
allow_weak_crypto = true
to /etc/krb5.conf [libdefaults] section. (see bug)

3) make life easy and put a few things in your ~/.ssh/config

host *
        Protocol 2
        VerifyHostKeyDNS yes
        VisualHostKey yes
        GSSAPIAuthentication yes
        PreferredAuthentications gssapi-with-mic,publickey

host lxplus
        hostname lxplus.cern.ch
        ForwardAgent yes
        GSSAPIDelegateCredentials yes
        GSSAPITrustDNS yes

(despite what the man page says there are NO SPACES between the options in PreferredAuthentications (see SSH bug 1702)
at
Labels: , , ,

No comments:

Post a Comment

Feeling Pumped!

Having just had a day without power, and then going round the site to check everything came back online correctly (including services such a...

  • swisscom VDSL & dyndns
    Those of you who follow my twitter stream will have noticed that I managed to 'lose' my home machine today. It was online and activ...
  • Nasa TV on PS3
    Since there's no european satellite stream of Nasa TV it means you have to watch a streamed version over here. Also I'd like to w...
  • Don't count your chickens...
    We have a cheapo Chinese incubator for hatching eggs. According to popular Internet postings, the calibration of the 'temperature settin...