Monday, 14 June 2010

Kerberos & SSH at CERN

Quick blog posting to save me having to explain to people what's needed:

1) RTFM: http://linux.web.cern.ch/linux/docs/kerberos-access.shtml -- thats where most of the good debugging tips are

2) to get it working between say your ubuntu laptop and cern hosts you'll need to append
allow_weak_crypto = true
to /etc/krb5.conf [libdefaults] section. (see bug)

3) make life easy and put a few things in your ~/.ssh/config

host *
        Protocol 2
        VerifyHostKeyDNS yes
        VisualHostKey yes
        GSSAPIAuthentication yes
        PreferredAuthentications gssapi-with-mic,publickey

host lxplus
        hostname lxplus.cern.ch
        ForwardAgent yes
        GSSAPIDelegateCredentials yes
        GSSAPITrustDNS yes

(despite what the man page says there are NO SPACES between the options in PreferredAuthentications (see SSH bug 1702)
at
Labels: , , ,

No comments:

Post a Comment

Word of mouth Skye History

Many years ago we lived in the Old Manse in Waternish, Skye. If you look on the maps, you'll spot that unlike nearly all the other house...

  • swisscom VDSL & dyndns
    Those of you who follow my twitter stream will have noticed that I managed to 'lose' my home machine today. It was online and activ...
  • Word of mouth Skye History
    Many years ago we lived in the Old Manse in Waternish, Skye. If you look on the maps, you'll spot that unlike nearly all the other house...
  • Nasa TV on PS3
    Since there's no european satellite stream of Nasa TV it means you have to watch a streamed version over here. Also I'd like to w...